Re: Puppet's use of tempfiles for capturing use of subprocess I/O
- From: Stephen Smalley <sds tycho nsa gov>
- To: "Sean E. Millichamp" <sean bruenor org>
- Cc: Daniel J Walsh <dwalsh redhat com>, fedora-selinux-list redhat com
- Subject: Re: Puppet's use of tempfiles for capturing use of subprocess I/O
- Date: Fri, 12 Sep 2008 14:28:34 -0400
On Fri, 2008-09-12 at 14:16 -0400, Sean E. Millichamp wrote:
> Between your explanation and Dan's sample policy and explanation I think
> I am starting to understand what is needed.
>
> So, to clarify, if I create the new puppet domain definition and policy
> correctly I theoretically won't even need to modify a line of Puppet
> code itself? It seems I have some more learning to do :)

Yes. Something along the lines of:

    policy_module(puppet, 1.0)

    type puppet_t;
    type puppet_exec_t;
    domain_type(puppet_t)
    init_daemon_domain(puppet_t, puppet_exec_t)
    role system_r types puppet_t;

    type puppet_tmp_t;
    files_tmp_file(puppet_tmp_t)
    files_tmp_filetrans(puppet_t, puppet_tmp_t, file)

should get you started. And if your goal is to leave puppet completely
unrestricted, you can always add a:

    optional_policy(`
        unconfined_domain(puppet_t)
    ')

to leave it unrestricted in its own actions by SELinux.

> I think I am going to try this approach and see if I can come up with a
> policy that will cover a domain transition and the required labeling.
--
Stephen Smalley
National Security Agency
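
Added example (not part of the original message or of Puppet): one way to build and load the module above and to check that the domain transition and labeling took effect. It assumes the policy is saved as puppet.te, that the daemon binary is /usr/sbin/puppetd, and that the policy development Makefile is at /usr/share/selinux/devel/Makefile; the function names are hypothetical.

```shell
#!/bin/sh
# Assumed locations; override through the environment if yours differ.
PUPPET_BIN="${PUPPET_BIN:-/usr/sbin/puppetd}"
DEVEL_MK="${DEVEL_MK:-/usr/share/selinux/devel/Makefile}"

# Emit the file-context entry that labels the daemon binary puppet_exec_t.
# Without this label init_daemon_domain(puppet_t, puppet_exec_t) never
# fires and the daemon stays in the domain of whatever started it.
gen_fc() {
    printf '%s\t--\tgen_context(system_u:object_r:puppet_exec_t,s0)\n' "$1"
}

# Succeed only if a "ps -eZ" style line shows the process type puppet_t.
in_puppet_domain() {
    printf '%s\n' "$1" |
        awk '{ split($1, c, ":"); exit (c[3] == "puppet_t") ? 0 : 1 }'
}

# Write puppet.fc next to puppet.te, compile, load, then relabel the binary.
build_and_load() {
    gen_fc "$PUPPET_BIN" > puppet.fc &&
    make -f "$DEVEL_MK" puppet.pp &&
    semodule -i puppet.pp &&
    restorecon -v "$PUPPET_BIN"
}

# After restarting the daemon: show the binary's label and the process domain.
verify() {
    ls -Z "$PUPPET_BIN"
    line=$(ps -eZ | grep '[p]uppetd' | head -n 1)
    if in_puppet_domain "$line"; then
        echo "puppetd runs in puppet_t"
    else
        echo "puppetd is NOT in puppet_t: $line"
        return 1
    fi
}

# Run as "sh puppet-selinux.sh load" or "sh puppet-selinux.sh verify".
case "${1:-}" in
    load)   build_and_load ;;
    verify) verify ;;
esac
```

Once the daemon is in puppet_t, new files it creates under /tmp should show puppet_tmp_t in "ls -Z /tmp", which confirms the files_tmp_filetrans() rule.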