-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Johnny Tan wrote:
Daniel J Walsh wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Johnny Tan wrote:
>> I use puppet to do config management. It writes to /tmp/puppet.$$ files
>> to capture the output of commands, then reads in from those tmp files
>> after.
>>
>> It seems that when puppet attempts to do a mount command to /tmp,
>> selinux is denying it.
>>
> First why are you using /tmp? This is a directory that random users can
> write to. It should never be used from system space.
I agree, and I will file an enhancement request to the puppet dev to
change that. I think he chose /tmp because the file DOES get removed
after the command is run.
But for the moment, it doesn't seem this can be set via config file.
So I'm wondering if I can possibly load a module for now that allows
only puppet to mount to /tmp.
johnn
You would have to write a policy for puppet, which will probably need to
be an unconfined domain. You could confine it, if you knew exactly what
puppet would do on your machine. You might need additional calls. Not
knowing what puppet will do, here is a guess at a policy.
cat mypuppet.te
policy_module(mypuppet, 1.0)

type mypuppet_t;
type mypuppet_exec_t;
init_system_domain(mypuppet_t, mypuppet_exec_t)

type mypuppet_log_t;
files_type(mypuppet_log_t)

# In order to get proper transitions to confined domains, puppet should
# use init scripts
init_spec_domtrans_script(mypuppet_t)

unconfined_domain(mypuppet_t)

gen_require(`
	attribute domain;
')
append_files_pattern(domain, mypuppet_log_t)

cat mypuppet.fc
/usr/sbin/puppet	--	gen_context(system_u:object_r:mypuppet_exec_t,s0)
PATHTOMYPUPPET.LOG	gen_context(system_u:object_r:mypuppet_log_t,s0)
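An added example, not from this thread and not part of puppet or the reference policy: before writing a module like the one above, it helps to see what SELinux actually denied. The script below parses AVC records from audit.log into the allow rules they would imply, and separately flags denials where a system_r domain is using tmp_t, since that is the design problem Dan points out rather than something to paper over with policy. The audit lines, pids, inodes and the initrc_t source context are constructed for illustration.

```python
# Added example (not from this thread): summarise SELinux AVC denials from
# audit.log into the allow rules they would need, and flag denials that
# involve a system domain touching /tmp (tmp_t), which is the design problem
# raised in the thread rather than something to fix with policy.
import re
from collections import defaultdict

# Constructed sample audit records, modelled on the real AVC format; the
# pids, inodes and contexts are made up for illustration.
SAMPLE_AUDIT_LOG = [
    'type=AVC msg=audit(1204688167.104:9001): avc:  denied  { write } for  pid=2001 comm="puppetd" name="puppet.2001" dev=sda3 ino=40812 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file',
    'type=AVC msg=audit(1204688167.105:9002): avc:  denied  { mounton } for  pid=2002 comm="mount" path="/tmp/puppet.2001" dev=sda3 ino=40813 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir',
    'type=SYSCALL msg=audit(1204688167.105:9002): arch=c000003e syscall=165 success=no exit=-13 comm="mount" exe="/bin/mount"',
    'type=AVC msg=audit(1204688167.106:9003): avc:  denied  { append } for  pid=2001 comm="puppetd" path="/var/log/puppet/puppet.log" dev=sda3 ino=51233 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file',
]

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Object types that any local user can create files in; a denial against
# one of these from a system domain points at the program, not the policy.
WORLD_WRITABLE_TYPES = {"tmp_t"}


def parse_avc(line):
    """Return the denied permissions and key=value fields of one AVC record,
    or None for lines that are not AVC denials (SYSCALL, PATH, ...)."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group("fields"))}
    rec["perms"] = set(m.group("perms").split())
    return rec


def ctx_field(ctx, idx):
    """Pick one field of a user:role:type:level context string."""
    return ctx.split(":")[idx]


def summarize(lines):
    """Group denials by (source type, target type, class) and collect
    denials where a system_r domain is using a world-writable type."""
    rules = defaultdict(set)
    smells = []
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        src = ctx_field(rec["scontext"], 2)
        tgt = ctx_field(rec["tcontext"], 2)
        rules[(src, tgt, rec["tclass"])] |= rec["perms"]
        if tgt in WORLD_WRITABLE_TYPES and ctx_field(rec["scontext"], 1) == "system_r":
            where = rec.get("path") or rec.get("name", "?")
            smells.append(f"{rec.get('comm', '?')} ({src}) uses world-writable {tgt} at {where}: "
                          f"move it to a private directory instead of allowing this")
    return rules, smells


def format_rules(rules):
    """Render the grouped denials as allow rules, one per (src, tgt, class)."""
    return [f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
            for (src, tgt, cls), perms in sorted(rules.items())]


if __name__ == "__main__":
    rules, smells = summarize(SAMPLE_AUDIT_LOG)
    print("\n".join(format_rules(rules)))
    for s in smells:
        print("WARNING:", s)
```

Run it as-is to see the three rules and the two /tmp warnings from the constructed log; on a real box you would feed it `ausearch -m avc -ts recent` output instead. The rules it prints are only a starting point for a .te file: any rule against tmp_t is the one you should not add, and the rest still want the matching refpolicy interface rather than a raw allow.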