Gentoo Archives: gentoo-hardened

From: Matthew Thode <mthode@××××××.org>
To: gentoo-hardened@l.g.o
Subject: Re: [gentoo-hardened] selinux puppet update for 2.6.8
Date: Mon, 11 Jul 2011 14:03:56
Message-Id: CA40617A.291B%mthode@mthode.org
In Reply to: Re: [gentoo-hardened] selinux puppet update for 2.6.8 by Sven Vermeulen
You can use puppet to manage services (make sure they are running and in
the proper runlevel). What I emailed you worked for me.
exec_no_trans is required for rc-update

type=AVC msg=audit(1310333942.567:429): avc: denied { execute_no_trans }
for pid=31986 comm="puppetd" path="/sbin/rc-update" dev=vda3 ino=7033
scontext=system_u:system_r:puppet_t
tcontext=system_u:object_r:initrc_notrans_exec_t tclass=file

I don't see selinux-puppet-2.20101213-r1 in the overlay.

-- Matthew Thode

On 7/11/11 7:17 AM, "Sven Vermeulen" <sven.vermeulen@××××××.be> wrote:

>On Sun, Jul 10, 2011 at 04:49:15PM -0500, Matthew Thode wrote:
>> #============= puppet_t ==============
>> allow puppet_t initrc_notrans_exec_t:file execute;
>> allow puppet_t self:capability dac_read_search;
>
>These two I find a bit strange. When do you encounter the need for
>initrc_notrans_exec_t execute rights? I guess you're running rc-status or
>rc-update at that point? I can have it work using a puppet_t ->
>puppet_initrc_notrans_t -> puppet_t transition set (like we do for
>sysadm_t), but this is not something you can do with audit2allow, so if
>the above was sufficient to make things work...
>
>Also, the dac_read_search capability is something that allows a root user
>to read/search files, even if the owner of those files isn't root. In
>regular DAC, this is "normal" (root can do everything) but not always
>necessary. If you do not allow this, what happens then?
>
>My overlay contains sec-policy/selinux-puppet-2.20101213-r1 [1] so if you
>want to test things out, you can subscribe to the overlay or put the
>necessary files in your own.
>
>[1]
>https://github.com/sjvermeu/gentoo.overlay/tree/7e3e3e56a7eb822ed57cc3f3d6285189a1d9fa27/sec-policy/selinux-puppet
>
>Wkr,
> Sven Vermeulen
>
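The thread turns on reading an AVC denial and deciding whether the audit2allow-style rule it suggests is the right fix. The script below is an added example, not code from this thread or from Gentoo's policy tooling: it parses denial records of the form quoted above into (source type, target type, class, permissions), merges them into `allow` rules the way audit2allow prints them (a target equal to the source is written as `self`), and flags the two kinds of rule Sven questioned, capability grants and execute rights on a `*_exec_t` type where a domain transition might be preferable. The first sample line is the denial from the message joined onto one line; the capability denial and the SYSCALL line are constructed for the example, and the review heuristics are this example's own, not a policy rule.

```python
import re
from collections import defaultdict

# Sample input, constructed for this example. The first record is the denial
# quoted in the thread, joined onto one line; the second is a made-up
# capability denial shaped like the dac_read_search rule under discussion;
# the third is a non-AVC record that the parser must skip.
SAMPLE_LINES = [
    'type=AVC msg=audit(1310333942.567:429): avc: denied { execute_no_trans } '
    'for pid=31986 comm="puppetd" path="/sbin/rc-update" dev=vda3 ino=7033 '
    'scontext=system_u:system_r:puppet_t '
    'tcontext=system_u:object_r:initrc_notrans_exec_t tclass=file',
    # constructed, not from the archive:
    'type=AVC msg=audit(1310333942.600:430): avc: denied { dac_read_search } '
    'for pid=31986 comm="puppetd" capability=2 '
    'scontext=system_u:system_r:puppet_t '
    'tcontext=system_u:system_r:puppet_t tclass=capability',
    # constructed, not from the archive:
    'type=SYSCALL msg=audit(1310333942.567:429): arch=c000003e syscall=59 success=no',
]

_PERMS = re.compile(r"avc:\s+denied\s+\{\s*([^}]*)\}")
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one AVC denial record. Returns None for lines that are not denials."""
    m = _PERMS.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in _KV.findall(line)}
    if not all(k in fields for k in ("scontext", "tcontext", "tclass")):
        return None
    return {
        "perms": set(m.group(1).split()),
        # A context is user:role:type[:range]; the type is the third field.
        "source": fields["scontext"].split(":")[2],
        "target": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
        "fields": fields,
    }


def merge_denials(lines):
    """Group requested permissions by (source type, target type, class)."""
    merged = defaultdict(set)
    for line in lines:
        d = parse_avc(line)
        if d is not None:
            merged[(d["source"], d["target"], d["tclass"])] |= d["perms"]
    return merged


def format_rule(source, target, tclass, perms):
    """Render one allow rule; a target equal to the source is written as 'self'."""
    target = "self" if target == source else target
    perms = sorted(perms)
    body = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return "allow %s %s:%s %s;" % (source, target, tclass, body)


def rules_from_lines(lines):
    """audit2allow-style output: one allow rule per merged triple, sorted."""
    return [format_rule(s, t, c, p)
            for (s, t, c), p in sorted(merge_denials(lines).items())]


def review(lines):
    """Return (rule, note) pairs for rules a policy reviewer should look at twice.
    The heuristics are this example's own, not part of any SELinux tool."""
    findings = []
    for (source, target, tclass), perms in sorted(merge_denials(lines).items()):
        rule = format_rule(source, target, tclass, perms)
        if tclass in ("capability", "capability2"):
            findings.append((rule, "grants a kernel capability to the whole "
                                   "domain; check whether the operation needs it"))
        elif target.endswith("_exec_t") and perms & {"execute", "execute_no_trans"}:
            findings.append((rule, "runs %s inside %s without a transition; a "
                                   "domain transition may be the better fix"
                                   % (target, source)))
    return findings


if __name__ == "__main__":
    for rule in rules_from_lines(SAMPLE_LINES):
        print(rule)
    for rule, note in review(SAMPLE_LINES):
        print("REVIEW:", rule, "--", note)
```

Run against the sample it prints the `execute_no_trans` rule on `initrc_notrans_exec_t` and the `self:capability dac_read_search` rule, and flags both: the first because it keeps rc-update inside `puppet_t` instead of transitioning, the second because a capability grant covers every file the domain touches, not just the one that triggered the denial.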