[refpolicy] [PATCH 1/1] Mount output should be writeable to puppet_tmp_t

Daniel J Walsh dwalsh at redhat.com
Mon Sep 26 10:01:58 CDT 2011

Hash: SHA1

On 09/26/2011 10:22 AM, Sven Vermeulen wrote:
> On Mon, Sep 26, 2011 at 09:12:59AM -0400, Daniel J Walsh wrote:
>> We usually go from permissive to unconfined when we try to spin
>> off to beta.  But making puppet confined is probably a waste of
>> time anyways, since it pretty much needs to be able to do
>> anything.
> I disagree. Even powerful domains should be confined. I'd
> personally like to go even further and make sure that the policy is
> flexible enough to deal with limited use - for instance, if I use
> puppet only for ensuring mounts, then it should not be able to
> reload selinux policies (or transition to domains that can).
> Although we are definitely not there yet, I believe that we should
> at least first see how confining puppet goes.
> Once a more complete policy is found, we can see if this can be
> segregated nicely.
> Furthermore, the puppet policy itself has most of its "power"
> through domain transitions, not through elevated privileges on the
> puppet_t domain itself. Although remote command execution is still
> exploitable through this, making puppet SELinux-aware might help to
> reduce attacks there as well.
> Wkr, Sven Vermeulen 
> _______________________________________________ refpolicy mailing
> list refpolicy at oss.tresys.com 
> http://oss.tresys.com/mailman/listinfo/refpolicy

My point being that it is very difficult to make a policy for the
masses that will work with a domain that can place files anywhere and
even needs to be able to turn on and off SELinux. Setting booleans,
file_context, policy modules, are all things that puppet does within
the Fedora infrastructure.

Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/


More information about the refpolicy mailing list