[refpolicy] [PATCH 1/1] Mount output should be writeable to puppet_tmp_t

Daniel J Walsh dwalsh at redhat.com
Mon Sep 26 08:12:59 CDT 2011



On 09/24/2011 11:22 AM, Dominick Grift wrote:
> On Sat, 2011-09-24 at 17:18 +0200, Dominick Grift wrote:
>> On Sat, 2011-09-24 at 15:56 +0200, Sven Vermeulen wrote:
>>> When using puppet to configure systems, the puppet system runs 
>>> the mount command and captures its output in a temporary file 
>>> in /tmp (which is labeled puppet_tmp_t).
>> 
>> I wonder what it is exactly what is causing puppet to run mount.
>> 
>> Fedora's puppet policy does not allow puppet to run mount and 
>> domain transition to mount_t.
>> 
>> I wonder why Fedora's puppet seems to not need this access.
> 
> I guess it is because puppet_t is an unconfined domain.
> 
> Fedora should make these domains unconfined when the release goes 
> stable only imho.
> 
>>> Signed-off-by: Sven Vermeulen <sven.vermeulen at siphos.be> --- 
>>> policy/modules/system/mount.te |    4 ++++ 1 files changed, 4 
>>> insertions(+), 0 deletions(-)
>>> 
>>> diff --git a/policy/modules/system/mount.te 
>>> b/policy/modules/system/mount.te index 1284081..ca9cdc0 100644
>>>  --- a/policy/modules/system/mount.te +++ 
>>> b/policy/modules/system/mount.te @@ -191,6 +191,10 @@ 
>>> optional_policy(` ') ')
>>> 
>>> +optional_policy(` +	puppet_rw_tmp(mount_t) +') + # for kernel 
>>> package installation optional_policy(` rpm_rw_pipes(mount_t)
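Review bot: the added optional_policy() block carries no comment explaining why mount_t needs read/write access to puppet's tmp files, while the neighbouring block is annotated (`# for kernel package installation`); add a one-line comment such as `# puppet captures mount output in its tmp files` above `puppet_rw_tmp(mount_t)`. The patch changes only mount.te, so it assumes a puppet_rw_tmp() interface already exists in puppet.if and that the domain transition from puppet_t to mount_t is granted elsewhere; both are worth confirming before merge, since the thread notes Fedora's puppet policy does not permit that transition.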

We usually go from permissive to unconfined when we try to spin off to
beta.  But making puppet confined is probably a waste of time anyways,
since it pretty much needs to be able to do anything.