From: domg472@gmail.com (Dominick Grift) Date: Thu, 27 Aug 2009 16:20:36 +0200 Subject: [refpolicy] puppet.patch In-Reply-To: <0BE19D42-8DB2-4D0A-993F-86B55A61C2E8@mimectl> References: <5ABE30CE099A524CBF95C715D37BCACC020A0190@nemo.columbia.ads.sparta.com> <20090827103107.GA2495@notebook3.grift.internal> <0BE19D42-8DB2-4D0A-993F-86B55A61C2E8@mimectl> Message-ID: <20090827142035.GA5997@notebook3.grift.internal> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On Thu, Aug 27, 2009 at 09:24:00AM -0400, Grube, Craig wrote: > I have no issues with most of the comments and will include those in an updated patch. I do have a couple of questions about several comments. > > > It looks like you've designed this policy on RHEL5 or some older implementation of selinux-policy. > > Correct. Most of the work was done in Fedora Core 11. > > > +interface(`puppet_run_semanage',` > > should be: > > is not allowed > > # END > > +interface(`puppet_run_setsebool',` > > should be: > > is not allowed > > # END > > The version of Puppet I'm working with relies on semanage and get/setsebool to manage client's SELinux configuration (i.e. load/unload policy modules, set booleans, etc.) Is the issue with the naming convention or is it preferred that Puppet not be able to manage client's SELinux configuration at all, or that the interfaces be moved into a policy module outside of the reference policy? That shared policy is defined in the wrong module. puppet.if should only have shared policy where the puppet domains are target. in these interface the puppet domains arent the target. if i remember correct than these interfaces should go to seutils module instead (if similar interfaces arent available already there.) > > +interface(`puppet_init_scripts_domtrans',` > > should be: > > not allowed > > # END > > Same question as the previous one, is the issue with the naming convention or with the ability of Puppet to cycle system services? > > Puppet restarts system services after updating configuration files, installing new packages, etc. In the absence of the interface Puppet is either unable to cycle system services or cycled services run in the puppet domain instead of the domain intended for the particular service. Not being able to cycle services would make Puppet not so usefu > > I had the interface contents in puppet.te, but moved them into an interface when I needed to pull in the init_script_file_type attribute. The move was based on my understanding that the use of interfaces and gen_require is preferred over using require blocks. > > > allow puppet_t self:capability { sys_admin fowner fsetid setuid setgid sys_rawio dac_override sys_nice sys_ptrace sys_tty_config }; > > Comment: > > is that really required? > > Probably not all are required. Some were required to get the service to run, all appeared in the audit logs but are probably not all necessary for Puppet to function properly. > > -- > Craig Grube > _______________________________________________ > refpolicy mailing list > refpolicy at oss.tresys.com > http://oss.tresys.com/mailman/listinfo/refpolicy -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 197 bytes Desc: not available Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20090827/d51d0705/attachment.bin