From: dwalsh@redhat.com (Daniel J Walsh)
Date: Mon, 26 Sep 2011 09:12:59 -0400
Subject: [refpolicy] [PATCH 1/1] Mount output should be writeable to puppet_tmp_t
In-Reply-To: <1316877756.9488.19.camel@x220.mydomain.internal>
References: <20110924135657.GA8045@siphos.be> <1316877524.9488.16.camel@x220.mydomain.internal> <1316877756.9488.19.camel@x220.mydomain.internal>
Message-ID: <4E807A5B.3050602@redhat.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 09/24/2011 11:22 AM, Dominick Grift wrote:
> On Sat, 2011-09-24 at 17:18 +0200, Dominick Grift wrote:
>> On Sat, 2011-09-24 at 15:56 +0200, Sven Vermeulen wrote:
>>> When using puppet to configure systems, the puppet system runs
>>> the mount command and captures its output in a temporary file
>>> in /tmp (which is labeled puppet_tmp_t).
>>
>> I wonder what exactly is causing puppet to run mount.
>>
>> Fedora's puppet policy does not allow puppet to run mount and
>> domain transition to mount_t.
>>
>> I wonder why Fedora's puppet seems to not need this access.
>
> I guess it is because puppet_t is an unconfined domain.
>
> Fedora should make these domains unconfined when the release goes
> stable only imho.
>
>>> Signed-off-by: Sven Vermeulen
>>> ---
>>> policy/modules/system/mount.te | 4 ++++
>>> 1 files changed, 4 insertions(+), 0 deletions(-)
>>>
>>> diff --git a/policy/modules/system/mount.te >>> b/policy/modules/system/mount.te index 1284081..ca9cdc0 100644 >>> --- a/policy/modules/system/mount.te +++ >>> b/policy/modules/system/mount.te
@@ -191,6 +191,10 @@ >>> optional_policy(` ') ') >>> >>> +optional_policy(` + puppet_rw_tmp(mount_t) +') + # for kernel >>> package installation optional_policy(` rpm_rw_pipes(mount_t) >> > > >
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy

We usually go from permissive to unconfined when we try to spin off to beta. But making puppet confined is probably a waste of time anyways, since it pretty much needs to be able to do anything.
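Review bot: the hunk adds only mount_t's side of the rule (`puppet_rw_tmp(mount_t)`) and the commit message never says how puppet_t gets into mount_t in the first place; Dominick's point that Fedora's puppet policy has no domain transition to mount_t is exactly the gap, so the description should name the puppet_t-side transition this depends on, otherwise the new block is unreachable policy for any puppet module without it. Two smaller points: the description says mount only has to write its captured output into a file puppet already created in /tmp, so read/write on puppet_tmp_t looks broader than the write access actually described and the reason for rw belongs in the message; and the neighbouring block carries a `# for kernel package installation` comment, so the new `optional_policy(` block should get a one-line comment in the same style, e.g. `# for puppet capturing mount output`.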