From: Craig.Grube@cobham.com (Craig Grube)
Date: Fri, 30 Oct 2009 08:31:20 -0400
Subject: [refpolicy] new service_puppet.patch
In-Reply-To: <1256649536.6392.34.camel@gorn.columbia.tresys.com>
References: <776FA2A8-8A8B-4F20-8C1C-BD59111C31E7@cobham.com> <1256649536.6392.34.camel@gorn.columbia.tresys.com>
Message-ID:
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

I'll send a patch out later today using git send-email as requested.

On Oct 27, 2009, at 9:18 AM, Christopher J. PeBenito wrote:

> On Tue, 2009-10-27 at 08:45 -0400, Craig Grube wrote:
>>
>> +auth_manage_all_files_except_shadow(puppet_t)
>> +auth_relabel_all_files_except_shadow(puppet_t)
>
> I think this is extremely excessive; it should be conditional.
> Instead, I think the best default would be to start using a config file in the
> files module, and have puppet manage all config files as the default
> access.

Added a new boolean that is off by default as suggested. I was getting a syntax error when using auth_relabel_all_files_except_shadow inside of a tunable_policy block so I dropped it.

>> +seutil_domtrans_setfiles(puppet_t)
>> +seutil_domtrans_semanage(puppet_t)
>> +seutil_manage_default_contexts(puppet_t)
>> +seutil_manage_file_contexts(puppet_t)
>
> Why would this be necessary? The file contexts should be semanage.
> Local changes to the file contexts should also be made through
> semanage.

Probably put it in before I added the domain transition for semanage. I didn't have issues pulling it out.

>>
>> +optional_policy(`
>> + rpm_domtrans(puppetmaster_t)
>> + rpm_read_db(puppetmaster_t)
>> +')
>
> What is the puppetmaster doing with rpm?

This doesn't appear to be necessary for newer versions of puppet. The version I was using when I first started working on the policy used rpm to list installed packages.

-- 
Craig Grube
craig.grube at cobham.com
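Review bot: the unconditional auth_manage_all_files_except_shadow(puppet_t) and auth_relabel_all_files_except_shadow(puppet_t) in the first quoted hunk give puppet_t write and relabel access to every file type except shadow_t in the default policy; gate them behind a tunable that defaults to off (gen_tunable plus a tunable_policy block) so the wide grant is opt-in, and if auth_relabel_all_files_except_shadow will not build inside tunable_policy, leave the relabel grant out rather than keeping it unconditional.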
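Review bot: seutil_manage_file_contexts(puppet_t) in the second quoted hunk grants direct write access to the file_contexts configuration, which bypasses the seutil_domtrans_semanage(puppet_t) transition two lines above it; drop that line and keep local file-context changes going through semanage.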
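Review bot: the optional_policy block granting rpm_domtrans(puppetmaster_t) and rpm_read_db(puppetmaster_t) carries no comment saying why the master needs to run rpm; if current puppet versions no longer shell out to rpm on the master, remove the block, otherwise add a comment naming the version that needs it so the grant can be retired later.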
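The boolean-gated form of the wide file-access grant discussed in this message, written out as an added illustration of the refpolicy tunable pattern; this is not the patch Craig posted, and the boolean name puppet_manage_all_files, its description text and the files_manage_etc_files default are my choices, not taken from the thread.

```m4
# puppet.te excerpt (added illustration, not the patch from the thread).
# Boolean name, description and the default etc-files grant are assumptions.

## <desc>
## <p>
## Allow puppet to manage all files on the system other than shadow
## password files. Off by default; enable only on clients whose
## manifests must write outside the usual configuration files.
## </p>
## </desc>
gen_tunable(puppet_manage_all_files, false)

# Default access for every client: puppet edits configuration files.
files_manage_etc_files(puppet_t)

# Opt-in wide access, active only while the boolean is on. Only rule
# types the compiler accepts in a conditional block can go here (allow,
# dontaudit, type_transition and the like); an interface that expands
# to a typeattribute statement will not build inside tunable_policy,
# so such grants must stay outside this block or be left out.
tunable_policy(`puppet_manage_all_files',`
	auth_manage_all_files_except_shadow(puppet_t)
')
```

After the module is rebuilt and loaded (make load, or semodule -i on the built .pp), the boolean shows up in semanage boolean -l and getsebool puppet_manage_all_files, and an administrator turns the wide grant on per host with setsebool -P puppet_manage_all_files on; leaving it off keeps puppet_t confined to the etc-files default.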