Johnny Tan wrote:
> I use puppet to do config management. It writes to /tmp/puppet.$$ files
> to capture the output of commands, then reads in from those tmp files
> after.
>
> It seems that when puppet attempts to do a mount command to /tmp,
> selinux is denying it.
>

First, why are you using /tmp? This is a directory that random users can
write to. It should never be used from system space.

Please read...

Daemons "Just say no to using /tmp"
http://danwalsh.livejournal.com/11467.html

Sounds like this is a log file, so why not put it in /var/log? I believe
mount can mount there now.

> When I do audit2allow, it comes up with this:
>
> ==
> require {
>     type initrc_tmp_t;
>     type mount_t;
>     class file { read write };
> }
>
> #============= mount_t ==============
> allow mount_t initrc_tmp_t:file { read write };
> ==
>
> To me, this seems a bit broad. The above allows any program to mount to
> /tmp, right?
>
> How can I modify it such that only my puppet program is allowed, but
> continue to deny all others?
>
> johnn
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
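Added example, not from the thread or from either poster: a small Python reader for the `allow` rule syntax in the audit2allow output quoted above. It spells out what the rule actually grants, namely access for the single source domain `mount_t` rather than for any program, and flags rules whose target is a `*_tmp_t` type, which is the /tmp concern the reply raises. The rule text and field names are taken from the thread; the helper names are assumed.

```python
import re
from dataclasses import dataclass

# Matches Type Enforcement allow rules of the form audit2allow emits:
#   allow mount_t initrc_tmp_t:file { read write };
ALLOW_RE = re.compile(
    r"^\s*allow\s+(?P<src>\S+)\s+(?P<tgt>[^:\s]+):(?P<cls>\S+)\s+"
    r"(?:\{\s*(?P<perms>[^}]*)\}|(?P<perm>\S+))\s*;\s*$"
)

@dataclass(frozen=True)
class AllowRule:
    source: str        # domain the process runs in, e.g. mount_t
    target: str        # type of the object touched, e.g. initrc_tmp_t
    tclass: str        # object class, e.g. file
    perms: frozenset   # permissions granted on that class

def parse_allow_rules(text):
    """Extract allow rules; require blocks and comments are skipped."""
    rules = []
    for line in text.splitlines():
        m = ALLOW_RE.match(line)
        if not m:
            continue
        perms = m["perms"].split() if m["perms"] is not None else [m["perm"]]
        rules.append(AllowRule(m["src"], m["tgt"], m["cls"], frozenset(perms)))
    return rules

def describe(rule):
    """Plain reading of the grant: it is scoped to one source domain, not to any program."""
    return (f"processes in domain {rule.source} may {', '.join(sorted(rule.perms))} "
            f"{rule.tclass} objects labelled {rule.target}")

def tmp_type_findings(rules):
    """Flag rules whose target is a *_tmp_t type, i.e. labels normally found under the
    world-writable /tmp, which is the concern the reply raises."""
    return [r for r in rules if r.target.endswith("_tmp_t")]

# Constructed sample: the module body quoted in the thread.
SAMPLE = """
require {
    type initrc_tmp_t;
    type mount_t;
    class file { read write };
}
#============= mount_t ==============
allow mount_t initrc_tmp_t:file { read write };
"""
```

Running `describe` over `parse_allow_rules(SAMPLE)` shows the grant applies only to processes in `mount_t`, and `tmp_type_findings` flags it because the target lives under /tmp.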