Puppet's use of tempfiles for capturing use of subprocess I/O
Stephen Smalley
sds at tycho.nsa.gov
Fri Sep 12 18:28:34 UTC 2008
On Fri, 2008-09-12 at 14:16 -0400, Sean E. Millichamp wrote:
> Between your explanation and Dan's sample policy and explanation I think
> I am starting to understand what is needed.
>
> So, to clarify, if I create the new puppet domain definition and policy
> correctly I theoretically won't even need to modify a line of Puppet
> code itself? It seems I have some more learning to do :)
Yes. Something along the lines of:
policy_module(puppet, 1.0)

# Domain for the running daemon and the entrypoint type for its binary.
type puppet_t;
type puppet_exec_t;
domain_type(puppet_t)
# Lets init execute a puppet_exec_t file and transition into puppet_t.
init_daemon_domain(puppet_t, puppet_exec_t)
role system_r types puppet_t;

# Private type for puppet's temp files: files that puppet_t creates
# under /tmp get puppet_tmp_t automatically instead of the generic tmp_t.
type puppet_tmp_t;
files_tmp_file(puppet_tmp_t)
files_tmp_filetrans(puppet_t, puppet_tmp_t, file)
should get you started. And if your goal is to leave puppet completely
unrestricted, you can always add a:
optional_policy(`
unconfined_domain(puppet_t)
')
to leave it unrestricted in its own actions by SELinux.
> I think I am going to try this approach and see if I can come up with a
> policy that will cover a domain transition and the required labeling.
--
Stephen Smalley
National Security Agency
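The sketch above, carried through to a loadable module together with the checks for the domain transition and the temp-file labeling, as an added example that is not part of the original thread or of Puppet. It assumes the daemon binary is /usr/sbin/puppetmasterd, the refpolicy development Makefile is at /usr/share/selinux/devel/Makefile, the init script is named puppetmaster, and puppet's subprocess captures land under /tmp; none of those are stated in the thread. The manage_files_pattern rule is added here because files_tmp_filetrans only sets the type transition and does not by itself let puppet_t read or write the files it gets on the new label. Build, load and verification run only on a host that has the SELinux tools (as root); elsewhere the script just writes the policy sources.

```shell
#!/bin/sh
# Added example (not from the original message): build the puppet domain
# into a loadable module and verify the transition and the tmp labeling.
# Assumptions not in the original post:
#   - the daemon binary is /usr/sbin/puppetmasterd (adjust puppet.fc otherwise)
#   - the refpolicy development Makefile is /usr/share/selinux/devel/Makefile
#   - the init script is called puppetmaster
#   - the daemon captures subprocess output in files under /tmp
set -eu

# Write puppet.te and puppet.fc into the directory given as $1.
write_puppet_policy() {
    cat > "$1/puppet.te" <<'EOF'
policy_module(puppet, 1.0)

# Domain for the running daemon and entrypoint type for its binary;
# init_daemon_domain lets init exec puppet_exec_t and land in puppet_t.
type puppet_t;
type puppet_exec_t;
init_daemon_domain(puppet_t, puppet_exec_t)

# Private type for puppet's temp files.  files_tmp_filetrans makes files
# that puppet_t creates under /tmp get puppet_tmp_t automatically, and
# manage_files_pattern (added here; the sketch leaves it to the reader)
# lets puppet_t create, read, write and unlink them.
type puppet_tmp_t;
files_tmp_file(puppet_tmp_t)
manage_files_pattern(puppet_t, puppet_tmp_t, puppet_tmp_t)
files_tmp_filetrans(puppet_t, puppet_tmp_t, file)

# While the real rule set is still being collected from denials, leave the
# domain unconfined; drop this block once puppet runs cleanly in enforcing.
optional_policy(`
    unconfined_domain(puppet_t)
')
EOF
    # File context: the binary must carry puppet_exec_t for the transition.
    cat > "$1/puppet.fc" <<'EOF'
/usr/sbin/puppetmasterd    --    gen_context(system_u:object_r:puppet_exec_t,s0)
EOF
}

# Compile the sources in $1 into puppet.pp.  Returns 1 when the policy
# development package is not installed so the caller can skip loading.
build_puppet_policy() {
    if [ ! -f /usr/share/selinux/devel/Makefile ]; then
        echo "no /usr/share/selinux/devel/Makefile: skipping build" >&2
        return 1
    fi
    make -C "$1" -f /usr/share/selinux/devel/Makefile puppet.pp
}

# Load the module, relabel the binary, restart the daemon and confirm the
# process runs as puppet_t.  puppet_tmp_t files only appear after puppet
# has actually spawned a subprocess, so that last check is advisory.
install_and_verify() {
    semodule -i "$1/puppet.pp"
    restorecon -v /usr/sbin/puppetmasterd
    service puppetmaster restart          # assumed init script name
    ctx=$(ps -eo context,comm | awk '$2 ~ /^puppetmaster/ { print $1; exit }')
    case $ctx in
        *:puppet_t:*) echo "daemon runs as $ctx" ;;
        *) echo "daemon is not in puppet_t (got '$ctx'); check puppet.fc and restorecon" >&2
           return 1 ;;
    esac
    ls -Z /tmp | grep puppet_tmp_t || echo "no puppet_tmp_t files yet" >&2
}

# Usage: sh puppet_policy.sh [workdir]   (default: a fresh temporary directory)
main() {
    dir=${1:-$(mktemp -d)}
    write_puppet_policy "$dir"
    echo "policy sources written to $dir"
    if build_puppet_policy "$dir"; then
        install_and_verify "$dir"
    fi
}

main "$@"
```

If the daemon still shows up as initrc_t after the restart, the usual cause is that the binary was not relabeled (wrong path in puppet.fc) or that the daemon was started by hand from a shell instead of by init; audit2allow on the resulting denials is the next step once the unconfined_domain block is removed.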