From: dominick.grift@gmail.com (Dominick Grift)
Date: Sat, 24 Sep 2011 17:18:44 +0200
Subject: [refpolicy] [PATCH 1/1] Mount output should be writeable to puppet_tmp_t
In-Reply-To: <20110924135657.GA8045@siphos.be>
References: <20110924135657.GA8045@siphos.be>
Message-ID: <1316877524.9488.16.camel@x220.mydomain.internal>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Sat, 2011-09-24 at 15:56 +0200, Sven Vermeulen wrote:
> When using puppet to configure systems, the puppet system
> runs the mount command and captures its output in a temporary
> file in /tmp (which is labeled puppet_tmp_t).

I wonder what exactly it is that is causing puppet to run mount.

Fedora's puppet policy does not allow puppet to run mount and domain transition to mount_t. I wonder why Fedora's puppet seems to not need this access.

> Signed-off-by: Sven Vermeulen
> ---
> policy/modules/system/mount.te | 4 ++++
> 1 files changed, 4 insertions(+), 0 deletions(-)
>
> diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
> index 1284081..ca9cdc0 100644
> --- a/policy/modules/system/mount.te
> +++ b/policy/modules/system/mount.te
> @@ -191,6 +191,10 @@ optional_policy(`
> ')
> ')
>
> +optional_policy(`
> + puppet_rw_tmp(mount_t)
> +')
> +
> # for kernel package installation
> optional_policy(`
> rpm_rw_pipes(mount_t)
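Review bot: The new optional_policy block in mount.te grants mount_t read and write access to every file of type puppet_tmp_t, which is broader than the use case the commit message describes (mount writing its captured output into a single temporary file in /tmp); if that output reaches the file through a descriptor inherited from puppet, only write access to the inherited file is needed, so it is worth checking whether puppet.if offers a narrower interface before settling on puppet_rw_tmp(mount_t). The added block also lacks the one-line justification that the neighbouring block carries ("# for kernel package installation"); a comment such as "# for puppet capturing mount output" would record why mount_t needs this access, which matters since the question of why puppet runs mount at all is still open in this thread.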