On Fri, 2008-09-12 at 11:58 -0400, Sean E. Millichamp wrote:
> On Fri, 2008-09-12 at 09:43 -0400, Stephen Smalley wrote:
> 
> > puppet should run in its own domain, and the files created for output
> > should have their own distinct type devoted to this purpose, so that you
> > don't open up access to other files in /tmp unwittingly. That can be
> > done via policy rules for all files created by puppet in /tmp or via
> > explicit calls to setfscreatecon(3) or setfilecon(3) by puppet for only
> > the specific output files.
> 
> Hi Stephen, thanks for your reply.
> 
> Well, as I understand it, putting Puppet in its own domain and labeling
> the /tmp files so Puppet can only read them and not other files in /tmp
> would certainly be a good thing, but doesn't address my problem.

That isn't what I meant. I said to put puppet in its domain so that the
policy rules can define a type for files it creates in /tmp that are
different than the type used by any other process, and then we can allow
all service domains to read that new type created only by puppet w/o
exposing the temporary files of any other process to such access. See
the difference?

What domain does puppet run in presently, initrc_t?

> I'm just starting to spend time interacting with SELinux so if I am
> completely misunderstanding something please be patient.
> 
> My problem (in this case) isn't that I want to confine Puppet (that is a
> different project for a different day - maybe), it is that those /tmp
> files Puppet creates and attaches to arbitrary process STDOUT/STDERR
> streams have to be writable by any process in any domain.

Precisely - which means they need their own type. And the easiest way
to ensure that goal is to put puppet into its own domain and define a
file type transition from that domain on tmp_t:dir such that any /tmp
files created by puppet get that type automatically.
> Any service/command you would run on the command line should be
> available to an admin via Puppet, but in this case instead of sending
> their output to a tty they are sending it to a file.
> 
> Basically, I want to be able to do this:
> - create the temporary file
> - chcon the temporary file to allow_all_domains_to_write_to_me_t

This step becomes unnecessary if we put puppet into its own domain and
define a file type transition to a new type, say puppet_tmp_t, when
creating files in /tmp, and then the puppet policy can say "allow domain
puppet_tmp_t:file { read write getattr append };"

> This sounds like exactly what I need, except unfortunately I need
> something that will work on existing and older distributions. Is there
> any way I can simulate that behavior now with existing SELinux
> implementations?

The approach above will work for existing distributions but will allow
the service domains to potentially open other files created by puppet in
/tmp as well (but not open arbitrary /tmp files created by other
processes). Then in newer distributions where the new open permission
is enabled in policy, the service domains will not be able to open other
files created by puppet in /tmp other than the one handed to them, due to
the checking of the new open permission.

-- 
Stephen Smalley
National Security Agency

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
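A reference-policy module of the kind Stephen describes above, added here as an illustration (it is not policy from the thread or from the Puppet project): the domain name puppet_t, the entrypoint type puppet_exec_t, the module name and the use of init_daemon_domain are assumptions; puppet_tmp_t and the allow rule are the ones named in the mail.

```selinux
policy_module(puppet_tmp, 1.0)

gen_require(`
	# The "domain" attribute covers every process domain in the base policy.
	attribute domain;
')

########################################
#
# Declarations
#

# A private domain for puppet (assumed name; the thread asks whether it
# currently runs in initrc_t) and the type of its executable.
type puppet_t;
type puppet_exec_t;
init_daemon_domain(puppet_t, puppet_exec_t)

# The distinct type reserved for files puppet creates in /tmp.
type puppet_tmp_t;
files_tmp_file(puppet_tmp_t)

########################################
#
# Local policy
#

# Anything puppet_t creates inside a tmp_t directory is labeled
# puppet_tmp_t automatically, so no chcon step is needed afterwards.
files_tmp_filetrans(puppet_t, puppet_tmp_t, file)
manage_files_pattern(puppet_t, puppet_tmp_t, puppet_tmp_t)

# Every domain may use a puppet_tmp_t descriptor handed to it as
# stdout/stderr. "open" is deliberately absent: on a policy that checks
# the open permission, a service domain can write to the file it was
# given but cannot open other puppet_tmp_t files on its own.
allow domain puppet_tmp_t:file { read write getattr append };
```

On a policy that does not yet check the open permission, the last rule also lets a service domain open any other puppet_tmp_t file, which is the caveat Stephen gives for older distributions.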