how to allow one program to mount to /tmp?

Daniel J Walsh dwalsh at redhat.com
Fri Mar 7 18:27:58 UTC 2008



Johnny Tan wrote:
> Daniel J Walsh wrote:
>> Johnny Tan wrote:
>>> I use puppet to do config management. It writes to /tmp/puppet.$$ files
>>> to capture the output of commands, then reads in from those tmp files
>>> after.
>>>
>>> It seems that when puppet attempts to do a mount command to /tmp,
>>> selinux is denying it.
>>>
>> First why are you using /tmp?  This is a directory that random users can
>> write to.  It should never be used from system space.
> 
> I agree, and I will file an enhancement request to the puppet dev to
> change that. I think he chose /tmp because the file DOES get removed
> after the command is run.
> 
> But for the moment, it doesn't seem this can be set via config file.
> 
> So I'm wondering if I can possibly load a module for now that allows
> only puppet to mount to /tmp.
> 
> johnn
You would have to write a policy for puppet, which will probably need to
be an unconfined domain.  You could confine it, if you knew exactly what
puppet would do on your machine.  You might need additional calls.  Not
knowing what puppet will do, here is a guess at a policy.



cat mypuppet.te
policy_module(mypuppet, 1.0)
type mypuppet_t;
type mypuppet_exec_t;
init_system_domain(mypuppet_t, mypuppet_exec_t);
type mypuppet_log_t;
files_type(mypuppet_log_t)

# In order to get proper transitions to confined domains, puppet should
# use init scripts
init_spec_domtrans_script(mypuppet_t)

unconfined_domain(mypuppet_t)

gen_requires(`
	attribute domain;
')
append_files_pattern(domain, mypuppet_log_t)




cat mypuppet.fc
/usr/sbin/puppet		--	gen_context(system_u:object_r:mypuppet_exec_t,s0)
PATHTOMYPUPPET.LOG gen_context(system_u:object_r:mypuppet_log_t,s0)
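An added checker, written for this page and not part of the thread or of refpolicy, that reads a .te fragment like the one above, reports the two slips in it (the missing ';' after `type mypuppet_log_t` and the comment continuation line that lost its '#', either of which stops the module building) and flags unconfined_domain(), which gives puppet a label but no real confinement. The sample .te it runs on is constructed from the message, and the finding codes are names chosen here.

```python
import re
# Declarations ("type foo_t;") must end with ';'; calls look like name(args) or name(args);
DECL = re.compile(r'^(type|attribute|typeattribute|typealias)\s+\S')
CALL = re.compile(r'^[A-Za-z_][A-Za-z0-9_]*\(.*\);?$')
# unconfined_domain() gives the process a label but does not restrict what it may do
UNCONFINED = re.compile(r'^unconfined_domain(_noaudit)?\(')

def check_te(text):
    """Return (line_no, code, statement) findings for a refpolicy .te source."""
    findings, in_block = [], False
    for n, raw in enumerate(text.splitlines(), 1):
        s = raw.strip()
        if not s or s.startswith('#'):
            continue
        if in_block:                         # inside gen_requires(` ... ')
            in_block = s != "')"
            if in_block and DECL.match(s) and not s.endswith(';'):
                findings.append((n, 'missing-semicolon', s))
        elif s.endswith('(`'):
            in_block = True
        elif DECL.match(s):
            if not s.endswith(';'):
                findings.append((n, 'missing-semicolon', s))
        elif CALL.match(s):
            if UNCONFINED.match(s):
                findings.append((n, 'unconfined-domain', s))
        else:                                # e.g. a comment line that lost its '#'
            findings.append((n, 'unrecognised-statement', s))
    return findings

# Constructed sample: the thread's .te as posted, with its two slips
SAMPLE_TE = """\
type mypuppet_t;
type mypuppet_exec_t;
init_system_domain(mypuppet_t, mypuppet_exec_t);
type mypuppet_log_t
files_type(mypuppet_log_t)
# In order to get proper transitions to confined domains, puppet should
use init scripts
unconfined_domain(mypuppet_t)
gen_requires(`
    attribute domain;
')
append_files_pattern(domain, mypuppet_log_t)
"""

if __name__ == '__main__':
    for n, code, stmt in check_te(SAMPLE_TE):
        print(f'line {n}: {code}: {stmt}')
```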




More information about the fedora-selinux-list mailing list