Johnny Tan wrote:
> Daniel J Walsh wrote:
>> Johnny Tan wrote:
>>> I use puppet to do config management. It writes to /tmp/puppet.$$ files
>>> to capture the output of commands, then reads in from those tmp files
>>> after.
>>>
>>> It seems that when puppet attempts to do a mount command to /tmp,
>>> selinux is denying it.
>>>
>> First, why are you using /tmp? This is a directory that random users can
>> write to. It should never be used from system space.
>
> I agree, and I will file an enhancement request to the puppet dev to
> change that. I think he chose /tmp because the file DOES get removed
> after the command is run.
>
> But for the moment, it doesn't seem this can be set via config file.
>
> So I'm wondering if I can possibly load a module for now that allows
> only puppet to mount to /tmp.
>
> johnn

You would have to write a policy for puppet, which will probably need to be an unconfined domain. You could confine it, if you knew exactly what puppet would do on your machine. You might need additional calls. Not knowing what puppet will do, here is a guess at a policy.
cat mypuppet.te
policy_module(mypuppet, 1.0)

type mypuppet_t;
type mypuppet_exec_t;
init_system_domain(mypuppet_t, mypuppet_exec_t)

type mypuppet_log_t;
files_type(mypuppet_log_t)

# In order to get proper transitions to confined domains, puppet should use init scripts
init_spec_domtrans_script(mypuppet_t)

unconfined_domain(mypuppet_t)

gen_requires(`
	attribute domain;
')

append_files_pattern(domain, mypuppet_log_t)

cat mypuppet.fc
/usr/sbin/puppet	--	gen_context(system_u:object_r:mypuppet_exec_t,s0)
PATHTOMYPUPPET.LOG		gen_context(system_u:object_r:mypuppet_log_t,s0)

-- fedora-selinux-list mailing list fedora-selinux-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-selinux-list
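If mypuppet_t is confined instead of given unconfined_domain(), the "additional calls" come from the AVC denials puppet generates, and a quick way to see them is to turn each denial into the allow rule it implies, which is what audit2allow does. The following is an added example, not code from the thread or from the SELinux tools; the audit lines are constructed to match the /tmp mount denial the thread describes, and the mypuppet_t type is taken from the policy above.

```python
import re
from collections import defaultdict

# Constructed sample AVC records (not real log lines), modelled on a confined
# mypuppet_t domain mounting on and writing under /tmp, as described in the thread.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1204720000.123:45): avc:  denied  { mounton } for  pid=2345 comm="mount" path="/tmp/puppet.2345" dev=sda2 ino=1234 scontext=system_u:system_r:mypuppet_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1204720000.456:46): avc:  denied  { write } for  pid=2340 comm="puppetd" name="puppet.2340" dev=sda2 ino=1235 scontext=system_u:system_r:mypuppet_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1204720000.789:47): avc:  denied  { create } for  pid=2340 comm="puppetd" name="puppet.2340" scontext=system_u:system_r:mypuppet_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
"""

# Pull the permission set, source/target contexts and object class out of one AVC line.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

def context_type(ctx):
    """Return the type field of a user:role:type[:level] security context."""
    return ctx.split(":")[2]

def parse_denials(log_text):
    """Yield (source_type, target_type, tclass, perms) for each AVC denial line."""
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m:
            yield (context_type(m["scontext"]), context_type(m["tcontext"]),
                   m["tclass"], set(m["perms"].split()))

def allow_rules(log_text):
    """Collapse denials into one allow rule per (source, target, class), in sorted order."""
    merged = defaultdict(set)
    for src, tgt, cls, perms in parse_denials(log_text):
        merged[(src, tgt, cls)] |= perms
    return [f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(p))} }};"
            for (src, tgt, cls), p in sorted(merged.items())]

def touches_world_writable_tmp(log_text):
    """True if any denial targets tmp_t, i.e. the /tmp usage the thread advises against."""
    return any(tgt == "tmp_t" for _, tgt, _, _ in parse_denials(log_text))

if __name__ == "__main__":
    for rule in allow_rules(SAMPLE_AUDIT_LOG):
        print(rule)
    if touches_world_writable_tmp(SAMPLE_AUDIT_LOG):
        print("# note: rules above grant access to tmp_t (world-writable /tmp)")
```

Rules that target tmp_t are worth a second look before they go into mypuppet.te, since they open the domain to a directory any local user can write to, which is the point Dan raises above.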