From: dominick.grift@gmail.com (Dominick Grift)
Date: Sat, 24 Sep 2011 17:22:36 +0200
Subject: [refpolicy] [PATCH 1/1] Mount output should be writeable to puppet_tmp_t
In-Reply-To: <1316877524.9488.16.camel@x220.mydomain.internal>
References: <20110924135657.GA8045@siphos.be> <1316877524.9488.16.camel@x220.mydomain.internal>
Message-ID: <1316877756.9488.19.camel@x220.mydomain.internal>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Sat, 2011-09-24 at 17:18 +0200, Dominick Grift wrote:
> On Sat, 2011-09-24 at 15:56 +0200, Sven Vermeulen wrote:
> > When using puppet to configure systems, the puppet system
> > runs the mount command and captures its output in a temporary
> > file in /tmp (which is labeled puppet_tmp_t).
>
> I wonder what exactly is causing puppet to run mount.
>
> Fedora's puppet policy does not allow puppet to run mount and domain
> transition to mount_t.
>
> I wonder why Fedora's puppet seems to not need this access.

I guess it is because puppet_t is an unconfined domain. Fedora should make
these domains unconfined when the release goes stable only imho.

> > Signed-off-by: Sven Vermeulen
> > ---
> >  policy/modules/system/mount.te |    4 ++++
> >  1 files changed, 4 insertions(+), 0 deletions(-)
> >
> > diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
> > index 1284081..ca9cdc0 100644
> > --- a/policy/modules/system/mount.te
> > +++ b/policy/modules/system/mount.te
> > @@ -191,6 +191,10 @@ optional_policy(`
> >  ')
> >  ')
> >
> > +optional_policy(`
> > +	puppet_rw_tmp(mount_t)
> > +')
> > +
> >  # for kernel package installation
> >  optional_policy(`
> >  	rpm_rw_pipes(mount_t)
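Review bot: the new optional_policy block in this hunk has no comment saying why mount_t needs access to puppet temporary files, while the neighbouring block right after it documents itself with `# for kernel package installation` before `rpm_rw_pipes(mount_t)`; add a one-line comment above the block in the same style (for example `# puppet captures mount output in its tmp files`). Also, the description says puppet captures the output of mount in a file puppet itself creates in /tmp, so mount_t most likely only writes to a file descriptor it inherits from puppet_t, whereas `puppet_rw_tmp(mount_t)` grants read as well as write on puppet_tmp_t files; it would be worth stating in the commit message what the actual AVC denial was, so reviewers can judge whether a rule scoped to writing the inherited file is enough.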