Puppet's use of tempfiles for capturing use of subprocess I/O

Stephen Smalley sds at tycho.nsa.gov
Fri Sep 12 17:33:03 UTC 2008


On Fri, 2008-09-12 at 11:58 -0400, Sean E. Millichamp wrote:
> On Fri, 2008-09-12 at 09:43 -0400, Stephen Smalley wrote:
> 
> > puppet should run in its own domain, and the files created for output
> > should have their own distinct type devoted to this purpose, so that you
> > don't open up access to other files in /tmp unwittingly.  That can be
> > done via policy rules for all files created by puppet in /tmp or via
> > explicit calls to setfscreatecon(3) or setfilecon(3) by puppet for only
> > the specific output files.
> 
> Hi Stephen, thanks for your reply.
> 
> Well, as I understand it, putting Puppet in its own domain and labeling
> the /tmp files so Puppet can only read them and not other files in /tmp
> would certainly be a good thing, but doesn't address my problem.

That isn't what I meant.  I said to put puppet in its own domain so that the
policy rules can define a type for files it creates in /tmp that is
different from the type used by any other process, and then we can allow
all service domains to read that new type created only by puppet w/o
exposing the temporary files of any other process to such access.  See
the difference?  What domain does puppet run in presently, initrc_t?

>   I'm
> just starting to spend time interacting with SELinux so if I am
> completely misunderstanding something please be patient.
> 
> My problem (in this case) isn't that I want to confine Puppet (that is a
> different project for a different day - maybe), it is that those /tmp
> files Puppet creates and attaches to arbitrary process STDOUT/STDERR
> streams have to be writable by any process in any domain.

Precisely - which means they need their own type.  And the easiest way
to ensure that goal is to put puppet into its own domain and define a
file type transition from that domain on tmp_t:dir such that any /tmp
files created by puppet get that type automatically.

>   Any
> service/command you would run on the command line should be available to
> an admin via Puppet, but in this case instead of sending their output to
> a tty they are sending it to a file.
> 
> Basically, I want to be able to do this:
>  - create the temporary file
>  - chcon the temporary file to allow_all_domains_to_write_to_me_t

This step becomes unnecessary if we put puppet into its own domain and
define a file type transition to a new type, say puppet_tmp_t when
creating files in /tmp, and then the puppet policy can say "allow domain
puppet_tmp_t:file { read write getattr append };"

> This sounds like exactly what I need, except unfortunately I need
> something that will work on existing and older distributions.  Is there
> any way I can simulate that behavior now with existing SELinux
> implementations?

The approach above will work for existing distributions but will allow
the service domains to potentially open other files created by puppet
in /tmp as well (but not open arbitrary /tmp files created by other
processes).  Then in newer distributions where the new open permission
is enabled in policy, the service domains will not be able to open other
files created by puppet in /tmp other than the one handed to them due to
the checking of the new open permission.

-- 
Stephen Smalley
National Security Agency
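The approach described in this reply, written out as an SELinux reference-policy module; this is an added illustration, not policy from the original thread or from the Puppet project, and the names puppet_t, puppet_exec_t and puppet_tmp_t, as well as the use of refpolicy macros (init_daemon_domain, files_tmp_file, files_tmp_filetrans, manage_files_pattern), are assumptions.

```selinux
policy_module(puppet_tmp, 1.0)

########################################
# Declarations
#

# Domain puppet itself runs in; assumes puppet is started from an
# executable labelled puppet_exec_t (both names are assumptions).
type puppet_t;
type puppet_exec_t;
init_daemon_domain(puppet_t, puppet_exec_t)

# Private type for the /tmp files puppet hands to subprocesses as
# their STDOUT/STDERR.
type puppet_tmp_t;
files_tmp_file(puppet_tmp_t)

gen_require(`
	attribute domain;
')

########################################
# Policy
#

# puppet itself may create, read, write and remove its own tmp files.
manage_files_pattern(puppet_t, puppet_tmp_t, puppet_tmp_t)

# Files puppet creates in /tmp (tmp_t:dir) are labelled puppet_tmp_t
# automatically, so the chcon step from the thread is not needed.
files_tmp_filetrans(puppet_t, puppet_tmp_t, file)

# Every domain may use a puppet_tmp_t descriptor it inherits from
# puppet.  "open" is deliberately absent: on policies that enforce the
# open permission, a service domain can write to the file puppet handed
# it but cannot open other puppet_tmp_t files lying around in /tmp.
allow domain puppet_tmp_t:file { read write getattr append };
```

On older policies without the open permission the last rule also lets service domains open any puppet_tmp_t file in /tmp, which is the residual exposure the reply describes; files of other processes (plain tmp_t) stay out of reach either way.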