On Mon, May 5, 2014 at 12:47 PM, Daniel J Walsh <dwalsh@xxxxxxxxxx> wrote:

> First off, I hope you realize that you still need to allow DAC
> permissions, meaning if users on the system were not allowed to edit
> these files with SELinux in permissive mode or disabled, they still
> would not be allowed to edit the files with SELinux in enforcing, no
> matter the label. You could add a group permissions to the /etc/puppet
> directory and allow users in that group to write. Another option would
> be to allow the users to use sudo to get access to this directory.

I probably wasn't clear in my initial description; using standard Unix
groups is what I'd already done, so the next step was how to get SELinux
to know what I was doing is OK :>

> If we want to leave the files labeled as puppet_etc_t, then simply
> adding a custom policy like
>
> # cat mystaff.te
> policy_module(mystaff,1.0)
> gen_require(`
>     type staff_t, puppet_etc_t;
> ')
> manage_dirs_pattern(staff_t, puppet_etc_t, puppet_etc_t)
> manage_files_pattern(staff_t, puppet_etc_t, puppet_etc_t)
> manage_lnk_files_pattern(staff_t, puppet_etc_t, puppet_etc_t)
>
> # make -f /usr/share/selinux/devel/Makefile
> # semodule -i mystaff.pp

Worked perfectly, thanks!

-- 
Steve Huston - W2SRH - Unix Sysadmin, PICSciE/CSES & Astrophysical Sci
  Princeton University  |   ICBM Address: 40.346344   -74.652242
    345 Lewis Library   |"On my ship, the Rocinante, wheeling through
  Princeton, NJ   08544 |  the galaxies; headed for the heart of Cygnus,
    (267) 793-0852      |  headlong into mystery."  -Rush, 'Cygnus X-1'
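The build-and-load steps Dan quotes above (write a .te, run the devel Makefile, `semodule -i`) are easy to get right once and hard to audit later. The script below is an added example, not code from this thread or from the SELinux project: it generalises the mystaff module into a generator that takes the module name, source domain and target type as parameters (the defaults reproduce the thread's `staff_t` / `puppet_etc_t` case), builds and loads it only when run with `--install` on a host that has `selinux-policy-devel` and `policycoreutils`, and then verifies with `sesearch` (setools) that the loaded policy really grants `write` on `file` objects of the target type. The `--install` flag, the function names and the `mktemp` work directory are this example's own conventions.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): generate, build, load and
# verify a small SELinux policy module of the kind quoted above.

# Print .te source letting SRC_TYPE manage dirs, files and symlinks of TGT_TYPE.
gen_te_module() {
    mod="$1"; src="$2"; tgt="$3"
    cat <<EOF
policy_module($mod, 1.0)

gen_require(\`
    type $src, $tgt;
')

# manage_*_pattern macros expand to create/read/write/rename/unlink etc.
manage_dirs_pattern($src, $tgt, $tgt)
manage_files_pattern($src, $tgt, $tgt)
manage_lnk_files_pattern($src, $tgt, $tgt)
EOF
}

# Build the .pp with the refpolicy devel Makefile and load it. Needs root,
# selinux-policy-devel and policycoreutils; returns non-zero if either step fails.
build_and_install() {
    mod="$1"; src="$2"; tgt="$3"
    work=$(mktemp -d) || return 1
    gen_te_module "$mod" "$src" "$tgt" > "$work/$mod.te"
    ( cd "$work" && make -f /usr/share/selinux/devel/Makefile "$mod.pp" ) || return 1
    semodule -i "$work/$mod.pp"
}

# Verify the module is loaded and that the effective policy contains an allow
# rule for SRC_TYPE -> TGT_TYPE on class file with permission write.
verify_module() {
    mod="$1"; src="$2"; tgt="$3"
    semodule -l | grep -q "^$mod" || { echo "module $mod is not loaded" >&2; return 1; }
    sesearch -A -s "$src" -t "$tgt" -c file -p write | grep -q '^allow' \
        || { echo "no allow rule: $src -> $tgt file write" >&2; return 1; }
    echo "ok: $mod loaded, $src may write $tgt files"
}

# Run the full procedure only when invoked as: ./mystaff.sh --install [mod src tgt]
if [ "${1:-}" = "--install" ]; then
    build_and_install "${2:-mystaff}" "${3:-staff_t}" "${4:-puppet_etc_t}" \
        && verify_module "${2:-mystaff}" "${3:-staff_t}" "${4:-puppet_etc_t}"
fi
```

Note that `verify_module` only proves the MAC side; as Dan points out, the DAC bits on /etc/puppet (the group permissions Steve already set) still decide whether a given Unix user can write there, so a denial with the module loaded should be checked against `ls -l` before looking at `audit.log`.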