[refpolicy] [PATCH 1/1] Mount output should be writeable to puppet_tmp_t
Daniel J Walsh
dwalsh at redhat.com
Mon Sep 26 08:12:59 CDT 2011
On 09/24/2011 11:22 AM, Dominick Grift wrote:
> On Sat, 2011-09-24 at 17:18 +0200, Dominick Grift wrote:
>> On Sat, 2011-09-24 at 15:56 +0200, Sven Vermeulen wrote:
>>> When using puppet to configure systems, the puppet system runs
>>> the mount command and captures its output in a temporary file
>>> in /tmp (which is labeled puppet_tmp_t).
>> I wonder what exactly it is that is causing puppet to run mount.
>> Fedora's puppet policy does not allow puppet to run mount and
>> domain transition to mount_t.
>> I wonder why Fedora's puppet seems to not need this access.
> I guess it is because puppet_t is an unconfined domain.
> Fedora should make these domains unconfined when the release goes
> stable only imho.
>>> Signed-off-by: Sven Vermeulen <sven.vermeulen at siphos.be> ---
>>> policy/modules/system/mount.te | 4 ++++ 1 files changed, 4
>>> insertions(+), 0 deletions(-)
>>> diff --git a/policy/modules/system/mount.te
>>> b/policy/modules/system/mount.te index 1284081..ca9cdc0 100644
>>> --- a/policy/modules/system/mount.te +++
>>> b/policy/modules/system/mount.te @@ -191,6 +191,10 @@
>>> optional_policy(` ') ')
>>> +optional_policy(` + puppet_rw_tmp(mount_t) +') + # for kernel
>>> package installation optional_policy(` rpm_rw_pipes(mount_t)
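Review bot: the new optional_policy block carrying puppet_rw_tmp(mount_t) has no comment saying why mount_t needs puppet_tmp_t access, while the block right after it explains rpm_rw_pipes(mount_t) with "# for kernel package installation"; add a matching line such as "# puppet captures mount output in a puppet_tmp_t file" so the rule survives later clean-ups. The hunk also only covers the mount_t side: for the access to matter, puppet_t must be allowed to execute mount and transition to mount_t (mount_domtrans(puppet_t) in puppet.te), which this patch neither adds nor mentions in its description, and Dominick's reply notes that Fedora's puppet policy does not allow that transition, so the commit message should state whether refpolicy's puppet.te already does. Finally, the description says mount only writes output into a temporary file puppet created, i.e. an inherited descriptor; if puppet.if offers an interface limited to inherited tmp files, prefer it over full read/write access to every puppet_tmp_t file.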
We usually go from permissive to unconfined when we try to spin off to
beta. But making puppet confined is probably a waste of time anyways,
since it pretty much needs to be able to do anything.
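An added example, not from the thread and not refpolicy's or audit2allow's code, of the check one would run before writing a rule like the one in the patch: collect the AVC denials the puppet-runs-mount case produces, group them the way audit2allow does into raw allow rules, and then map the known ones onto refpolicy interface calls instead of raw rules. The audit records are constructed for the example, and the small interface table (mount_domtrans() from mount.if for the puppet_t to mount_t transition, puppet_rw_tmp() as used in the patch for mount_t writing puppet_tmp_t files) is a hand-written assumption, not a mapping refpolicy ships.

```python
"""Turn SELinux AVC denials into candidate policy rules.

Added example for the refpolicy thread above: given the denials seen when
puppet_t execs mount and mount_t writes its captured output into a
puppet_tmp_t file, group them into raw allow rules and map the ones we know
onto refpolicy interfaces. The audit lines are constructed for this example,
and INTERFACES is a hand-maintained assumption, not audit2allow's or
refpolicy's own mapping.
"""
import re
from collections import defaultdict

# Constructed sample audit records (not taken from a real system).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1316850000.120:455): avc:  denied  { transition } for  pid=2211 comm="puppetd" path="/bin/mount" dev=sda1 ino=4411 scontext=system_u:system_r:puppet_t:s0 tcontext=system_u:system_r:mount_t:s0 tclass=process
type=AVC msg=audit(1316850000.123:456): avc:  denied  { write } for  pid=2211 comm="mount" path="/tmp/puppet20110924-2200-1abc" dev=sda1 ino=1234 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:puppet_tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1316850000.123:456): arch=c000003e syscall=1 success=no exit=-13 comm="mount"
type=AVC msg=audit(1316850000.124:457): avc:  denied  { read } for  pid=2211 comm="mount" path="/tmp/puppet20110924-2200-1abc" dev=sda1 ino=1234 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:puppet_tmp_t:s0 tclass=file
type=AVC msg=audit(1316850000.200:458): avc:  granted  { setenforce } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security
"""

# Matches only 'denied' AVC records; 'granted' ones and SYSCALL lines are skipped.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

# (source type, target type, class) -> refpolicy interface call.  Hand-written
# table for the example: mount_domtrans() is the interface from mount.if,
# puppet_rw_tmp() the one the patch under discussion calls.
INTERFACES = {
    ("puppet_t", "mount_t", "process"): "mount_domtrans(puppet_t)",
    ("mount_t", "puppet_tmp_t", "file"): "puppet_rw_tmp(mount_t)",
}


def context_type(ctx):
    """user:role:type[:range] -> type (the third field)."""
    return ctx.split(":")[2]


def parse_avc(line):
    """Return (stype, ttype, tclass, perms) for a denial, or None otherwise."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return (
        context_type(m.group("scontext")),
        context_type(m.group("tcontext")),
        m.group("tclass"),
        frozenset(m.group("perms").split()),
    )


def collect_denials(lines):
    """Group denied permissions by (source, target, class), as audit2allow does."""
    denials = defaultdict(set)
    for line in lines:
        parsed = parse_avc(line)
        if parsed is None:
            continue
        stype, ttype, tclass, perms = parsed
        denials[(stype, ttype, tclass)] |= perms
    return dict(denials)


def allow_rules(denials):
    """Raw allow rules in policy syntax, sorted so output is stable."""
    rules = []
    for (stype, ttype, tclass), perms in sorted(denials.items()):
        ordered = sorted(perms)
        body = ordered[0] if len(ordered) == 1 else "{ " + " ".join(ordered) + " }"
        rules.append(f"allow {stype} {ttype}:{tclass} {body};")
    return rules


def suggest_interfaces(denials):
    """Prefer a refpolicy interface over a raw rule where the table has one."""
    return sorted(INTERFACES[key] for key in denials if key in INTERFACES)


if __name__ == "__main__":
    found = collect_denials(SAMPLE_AUDIT.splitlines())
    print("# raw rules (roughly what audit2allow would print):")
    for rule in allow_rules(found):
        print(rule)
    print("# what to put in the .te file instead:")
    for call in suggest_interfaces(found):
        print(call)
```

The point of the second step is the one the thread makes about the patch: a raw `allow mount_t puppet_tmp_t:file { read write };` in mount.te is not accepted in refpolicy, the rule has to go through an interface in puppet.if, and the transition denial shows that the puppet_t side (mount_domtrans) is a separate rule that the mount.te change alone does not cover.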