From: dwalsh@redhat.com (Daniel J Walsh)
Date: Mon, 26 Sep 2011 11:01:58 -0400
Subject: [refpolicy] [PATCH 1/1] Mount output should be writeable to
	puppet_tmp_t
In-Reply-To: <20110926142242.GA14599@siphos.be>
References: <20110924135657.GA8045@siphos.be>
	<1316877524.9488.16.camel@x220.mydomain.internal>
	<1316877756.9488.19.camel@x220.mydomain.internal>
	<4E807A5B.3050602@redhat.com> <20110926142242.GA14599@siphos.be>
Message-ID: <4E8093E6.8060605@redhat.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 09/26/2011 10:22 AM, Sven Vermeulen wrote:
> On Mon, Sep 26, 2011 at 09:12:59AM -0400, Daniel J Walsh wrote:
>> We usually go from permissive to unconfined when we try to spin
>> off to beta.  But making puppet confined is probably a waste of
>> time anyways, since it pretty much needs to be able to do
>> anything.
> 
> I disagree. Even powerful domains should be confined. I'd
> personally like to go even further and make sure that the policy is
> flexible enough to deal with limited use - for instance, if I use
> puppet only for ensuring mounts, then it should not be able to
> reload selinux policies (or transition to domains that can).
> Although we are definitely not there yet, I believe that we should
> at least first see how confining puppet goes.
> 
> Once a more complete policy is found, we can see if this can be
> segregated nicely.
> 
> Furthermore, the puppet policy itself has most of its "power"
> through domain transitions, not through elevated privileges on the
> puppet_t domain itself. Although remote command execution is still
> exploitable through this, making puppet SELinux-aware might help to
> reduce attacks there as well.
> 
> Wkr, Sven Vermeulen 
> _______________________________________________ refpolicy mailing
> list refpolicy at oss.tresys.com 
> http://oss.tresys.com/mailman/listinfo/refpolicy


My point being that it is very difficult to make a policy for the
masses that will work with a domain that can place files anywhere and
even needs to be able to turn on and off SELinux. Setting booleans,
file_context, policy modules, are all things that puppet does within
the Fedora infrastructure.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk6Ak+YACgkQrlYvE4MpobOszACfVcthPTlPfWNSnBbr8+WrGGl+
GtwAoKFWCCkKqoesAKbnEePLpLfiwgu2
=iJ49
-----END PGP SIGNATURE-----