From: sven.vermeulen@siphos.be (Sven Vermeulen)
Date: Mon, 26 Sep 2011 16:22:43 +0200
Subject: [refpolicy] [PATCH 1/1] Mount output should be writeable to puppet_tmp_t
In-Reply-To: <4E807A5B.3050602@redhat.com>
References: <20110924135657.GA8045@siphos.be> <1316877524.9488.16.camel@x220.mydomain.internal> <1316877756.9488.19.camel@x220.mydomain.internal> <4E807A5B.3050602@redhat.com>
Message-ID: <20110926142242.GA14599@siphos.be>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Mon, Sep 26, 2011 at 09:12:59AM -0400, Daniel J Walsh wrote:
> We usually go from permissive to unconfined when we try to spin off to
> beta. But making puppet confined is probably a waste of time anyways,
> since it pretty much needs to be able to do anything.

I disagree. Even powerful domains should be confined. I'd personally like to
go even further and make sure that the policy is flexible enough to deal with
limited use - for instance, if I use puppet only for ensuring mounts, then it
should not be able to reload selinux policies (or transition to domains that
can).

Although we are definitely not there yet, I believe that we should at least
first see how confining puppet goes. Once a more complete policy is found, we
can see if this can be segregated nicely.

Furthermore, the puppet policy itself has most of its "power" through domain
transitions, not through elevated privileges on the puppet_t domain itself.
Although remote command execution is still exploitable through this, making
puppet SELinux-aware might help to reduce attacks there as well.

Wkr,
	Sven Vermeulen
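The segregation Sven describes (puppet allowed to manage mounts, but not to reload policy unless the administrator opts in) maps onto refpolicy's tunable mechanism. The snippet below is an added illustration written for this page; it is not code from refpolicy's puppet module or from the patch under discussion. The boolean name puppet_manage_selinux is an assumption chosen for the example; the interfaces mount_domtrans(), seutil_domtrans_loadpolicy() and seutil_domtrans_setfiles() are refpolicy's own.

```selinux
## Added example, not refpolicy's puppet.te.
## puppet_manage_selinux is a hypothetical boolean (assumption for this example).

## <desc>
## <p>
## Allow puppet to load SELinux policy and relabel files.
## </p>
## </desc>
gen_tunable(puppet_manage_selinux, false)

# Mount management is part of the baseline here: puppet_t may always
# transition to the mount domain.
optional_policy(`
	mount_domtrans(puppet_t)
')

# Policy reloads and relabels are gated behind the boolean. With it off,
# puppet_t has no type transition to load_policy_t or setfiles_t, so a
# compromised puppet run cannot change or bypass the loaded policy even
# though the domain is otherwise powerful through its other transitions.
optional_policy(`
	tunable_policy(`puppet_manage_selinux',`
		seutil_domtrans_loadpolicy(puppet_t)
		seutil_domtrans_setfiles(puppet_t)
	')
')
```

With the boolean at its default of false, `sesearch -T -s puppet_t -c process` lists the mount transition but none to load_policy_t or setfiles_t; an administrator who does want puppet to manage policy turns it on with `setsebool -P puppet_manage_selinux on`. The tunable_policy block sits inside optional_policy rather than the other way round, which is the nesting refpolicy accepts.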