Re: how to allow one program to mount to /tmp?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Johnny Tan wrote:
> I use puppet to do config management. It writes to /tmp/puppet.$$ files
> to capture the output of commands, then reads in from those tmp files
> after.
> 
> It seems that when puppet attempts to do a mount command to /tmp,
> selinux is denying it.
> 
First why are you using /tmp?  This is a directory that random users can
write to.  It should never be used from system space.

Please read...

Daemons "Just say no to using /tmp" ---
http://danwalsh.livejournal.com/11467.html

Sounds like this is a log file so why not put it in /var/log?
I believe mount can mount there now.


> When I do audit2allow, it comes up with this:
> 
> ==
> require {
>         type initrc_tmp_t;
>         type mount_t;
>         class file { read write };
> }
> 
> #============= mount_t ==============
> allow mount_t initrc_tmp_t:file { read write };
> ==
> 
> 
> To me, this seems a bit broad. The above allows any program to mount to
> /tmp, right?
> 
> How can I modify it such that only my puppet program is allowed, but
> continued to deny all others?
> 
> johnn
> 
> -- 
> fedora-selinux-list mailing list
> fedora-selinux-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkfRcc8ACgkQrlYvE4MpobP4EwCgrmVqTh7Y/xYLxRuioZSn0A+j
JnAAn1wiDiDhwMMiUtl5PU4TkJMqa/93
=6XKw
-----END PGP SIGNATURE-----

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list

[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux