[refpolicy] [PATCH 1/1] Mount output should be writeable to puppet_tmp_t

Dominick Grift dominick.grift at gmail.com
Sat Sep 24 10:22:36 CDT 2011


On Sat, 2011-09-24 at 17:18 +0200, Dominick Grift wrote:
> On Sat, 2011-09-24 at 15:56 +0200, Sven Vermeulen wrote:
> > When using puppet to configure systems, the puppet system
> > runs the mount command and captures its output in a temporary
> > file in /tmp (which is labeled puppet_tmp_t).
> 
> I wonder what exactly is causing puppet to run mount.
> 
> Fedora's puppet policy does not allow puppet to run mount and domain
> transition to mount_t.
> 
> I wonder why Fedora's puppet seems to not need this access.

I guess it is because puppet_t is an unconfined domain.

Fedora should make these domains unconfined only when the release goes
stable, imho.

> > Signed-off-by: Sven Vermeulen <sven.vermeulen at siphos.be>
> > ---
> >  policy/modules/system/mount.te |    4 ++++
> >  1 files changed, 4 insertions(+), 0 deletions(-)
> > 
> > diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
> > index 1284081..ca9cdc0 100644
> > --- a/policy/modules/system/mount.te
> > +++ b/policy/modules/system/mount.te
> > @@ -191,6 +191,10 @@ optional_policy(`
> >  	')
> >  ')
> >  
> > +optional_policy(`
> > +	puppet_rw_tmp(mount_t)
> > +')
> > +
> >  # for kernel package installation
> >  optional_policy(`
> >  	rpm_rw_pipes(mount_t)
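Review bot: the new `optional_policy` block in this hunk has no comment explaining why mount_t needs access to puppet's tmp files, while the neighbouring block is annotated with `# for kernel package installation`; suggest adding a line such as `# puppet captures mount output in its tmp files` above `puppet_rw_tmp(mount_t)` so the dependency is documented in the policy itself. Two further points for the submitter: the commit message only describes mount writing its output to the file, but `puppet_rw_tmp` grants read as well as write, so it is worth checking whether a write-only interface would cover the described use; and, as the reply above notes, this rule is only reached if puppet_t actually domain-transitions to mount_t, so the patch description should state where that transition is allowed.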
> 
