[refpolicy] [PATCH 1/1] Mount output should be writeable to puppet_tmp_t

Dominick Grift dominick.grift at gmail.com
Sat Sep 24 10:18:44 CDT 2011


On Sat, 2011-09-24 at 15:56 +0200, Sven Vermeulen wrote:
> When using puppet to configure systems, the puppet system
> runs the mount command and captures its output in a temporary
> file in /tmp (which is labeled puppet_tmp_t).

I wonder what exactly it is that is causing puppet to run mount.

Fedora's puppet policy does not allow puppet to run mount and domain
transition to mount_t.

I wonder why Fedora's puppet seems to not need this access.

> Signed-off-by: Sven Vermeulen <sven.vermeulen at siphos.be>
> ---
>  policy/modules/system/mount.te |    4 ++++
>  1 files changed, 4 insertions(+), 0 deletions(-)
> 
> diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
> index 1284081..ca9cdc0 100644
> --- a/policy/modules/system/mount.te
> +++ b/policy/modules/system/mount.te
> @@ -191,6 +191,10 @@ optional_policy(`
>  	')
>  ')
>  
> +optional_policy(`
> +	puppet_rw_tmp(mount_t)
> +')
> +
>  # for kernel package installation
>  optional_policy(`
>  	rpm_rw_pipes(mount_t)
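Review bot: the new optional_policy block has no comment explaining why mount_t needs access to puppet's tmp files, while the neighbouring rpm block carries "# for kernel package installation"; add a one-line comment in the same style (e.g. "# for puppet capturing mount output") so the next reader does not have to dig up this thread. Two further points: the diff only touches mount.te, so puppet_rw_tmp(mount_t) depends on that interface existing in the puppet module, which should be confirmed before merging; and rw_tmp grants read as well as write on puppet_tmp_t, which is broader than capturing mount's stdout into a file requires, so if a write-only interface is available it would be the tighter choice.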
