[refpolicy] [PATCH 1/1] Mount output should be writeable to puppet_tmp_t
dominick.grift at gmail.com
Sat Sep 24 10:18:44 CDT 2011
On Sat, 2011-09-24 at 15:56 +0200, Sven Vermeulen wrote:
> When using puppet to configure systems, the puppet system
> runs the mount command and captures its output in a temporary
> file in /tmp (which is labeled puppet_tmp_t).
I wonder what exactly is causing puppet to run mount.
Fedora's puppet policy does not allow puppet to run mount and domain
transition to mount_t.
I wonder why Fedora's puppet seems to not need this access.
> Signed-off-by: Sven Vermeulen <sven.vermeulen at siphos.be>
> policy/modules/system/mount.te | 4 ++++
> 1 files changed, 4 insertions(+), 0 deletions(-)
> diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
> index 1284081..ca9cdc0 100644
> --- a/policy/modules/system/mount.te
> +++ b/policy/modules/system/mount.te
> @@ -191,6 +191,10 @@ optional_policy(`
> + puppet_rw_tmp(mount_t)
> # for kernel package installation
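Review bot: the added `puppet_rw_tmp(mount_t)` line has no comment explaining why mount_t needs access to puppet's temporary files, although the neighbouring context line (`# for kernel package installation`) shows that this file documents such rules; a short comment along the lines of "puppet captures mount output in a puppet_tmp_t file" would make the grant auditable later. The commit message only describes mount writing its output into that file, so it is worth checking whether read access is needed at all or whether a narrower write-only grant would be enough. Only one of the four inserted lines is visible in this hunk, so also confirm that the call sits inside its own `optional_policy` block, since it uses a puppet interface from within the mount module.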