On Fri, 2008-09-12 at 14:16 -0400, Sean E. Millichamp wrote:
> Between your explanation and Dan's sample policy and explanation I think
> I am starting to understand what is needed.
>
> So, to clarify, if I create the new puppet domain definition and policy
> correctly I theoretically won't even need to modify a line of Puppet
> code itself? It seems I have some more learning to do :)

Yes. Something along the lines of:

policy_module(puppet, 1.0)

# The daemon's domain and the type of the executable that enters it.
type puppet_t;
type puppet_exec_t;
domain_type(puppet_t)
init_daemon_domain(puppet_t, puppet_exec_t)
role system_r types puppet_t;

# Files puppet_t creates under /tmp get puppet_tmp_t instead of tmp_t.
type puppet_tmp_t;
files_tmp_file(puppet_tmp_t)
files_tmp_filetrans(puppet_t, puppet_tmp_t, file)

should get you started.

And if your goal is to leave puppet completely unrestricted, you can
always add a:

optional_policy(`
	unconfined_domain(puppet_t)
')

to leave it unrestricted in its own actions by SELinux.

> I think I am going to try this approach and see if I can come up with a
> policy that will cover a domain transition and the required labeling.

-- 
Stephen Smalley
National Security Agency

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
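A fuller version of the module sketched above, as an added example that is not part of the thread: it writes a puppet.te carrying the same domain and tmp rules plus private config, state and log types, and the puppet.fc that labels the binary puppet_exec_t so the init_daemon_domain transition actually fires. The binary path /usr/sbin/puppetd and the /etc, /var/lib and /var/log directories are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. /usr/sbin/puppetd and the
# /etc|/var/lib|/var/log/puppet paths are assumptions about the install.
set -e
write_policy() {
    mkdir -p "$1"
    cat > "$1/puppet.te" <<'EOF'
policy_module(puppet, 1.0)
# Daemon domain and entrypoint; init_daemon_domain adds initrc_t -> puppet_t.
type puppet_t;
type puppet_exec_t;
init_daemon_domain(puppet_t, puppet_exec_t)
role system_r types puppet_t;
# Private tmp files: created under /tmp they get puppet_tmp_t, not tmp_t.
type puppet_tmp_t;
files_tmp_file(puppet_tmp_t)
manage_files_pattern(puppet_t, puppet_tmp_t, puppet_tmp_t)
files_tmp_filetrans(puppet_t, puppet_tmp_t, file)
# Own config/state/log types so puppet_t needs no generic etc_t/var_lib_t/var_log_t.
type puppet_etc_t;
files_config_file(puppet_etc_t)
read_files_pattern(puppet_t, puppet_etc_t, puppet_etc_t)
type puppet_var_lib_t;
files_type(puppet_var_lib_t)
manage_dirs_pattern(puppet_t, puppet_var_lib_t, puppet_var_lib_t)
manage_files_pattern(puppet_t, puppet_var_lib_t, puppet_var_lib_t)
type puppet_log_t;
logging_log_file(puppet_log_t)
manage_files_pattern(puppet_t, puppet_log_t, puppet_log_t)
logging_log_filetrans(puppet_t, puppet_log_t, file)
EOF
    # File contexts: the exec type is what makes the domain transition happen.
    cat > "$1/puppet.fc" <<'EOF'
/usr/sbin/puppetd     --  gen_context(system_u:object_r:puppet_exec_t,s0)
/etc/puppet(/.*)?         gen_context(system_u:object_r:puppet_etc_t,s0)
/var/lib/puppet(/.*)?     gen_context(system_u:object_r:puppet_var_lib_t,s0)
/var/log/puppet(/.*)?     gen_context(system_u:object_r:puppet_log_t,s0)
EOF
}
# Build with the refpolicy developer Makefile, load it, then apply the labels.
build_and_install() {
    ( cd "$1" && make -f /usr/share/selinux/devel/Makefile puppet.pp )
    semodule -i "$1/puppet.pp"
    restorecon -Rv /usr/sbin/puppetd /etc/puppet /var/lib/puppet /var/log/puppet
}
if [ "${1:-}" = "install" ]; then
    write_policy ./puppet-policy && build_and_install ./puppet-policy
fi
```

Run it with the `install` argument as root on a box with selinux-policy-devel, then watch `ausearch -m avc -c puppetd` for denials to add before relying on the domain.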