On Sun, Jul 10, 2011 at 04:49:15PM -0500, Matthew Thode wrote:
> #============= puppet_t ==============
> allow puppet_t initrc_notrans_exec_t:file execute;
> allow puppet_t self:capability dac_read_search;

These two I find a bit strange. When do you encounter the need for
initrc_notrans_exec_t execute rights? I guess you're running rc-status or
rc-update at that point? I can have it work using a puppet_t ->
puppet_initrc_notrans_t -> puppet_t transition set (like we do for sysadm_t)
but this is not something you can do with audit2allow, so if the above was
sufficient to make things work...

Also, the dac_read_search capability is something that allows a root user to
read/search files, even if the owner of those files isn't root. In regular
DAC, this is "normal" (root can do everything) but not always necessary. If
you do not allow this, what happens then?

My overlay contains sec-policy/selinux-puppet-2.20101213-r1 [1] so if you
want to test things out, you can subscribe to the overlay or put the
necessary files in your own.

[1] https://github.com/sjvermeu/gentoo.overlay/tree/7e3e3e56a7eb822ed57cc3f3d6285189a1d9fa27/sec-policy/selinux-puppet

Wkr,
Sven Vermeulen
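One way to answer the "if you do not allow this, what happens then?" question above is to run puppet_t in permissive mode, drop the two rules, and summarise the AVC denials it actually produces instead of taking audit2allow's output at face value. The script below is an added example, not code from this thread or from the overlay; it assumes the standard kernel AVC denial line format, and the three audit lines embedded in it are constructed samples.

```shell
#!/bin/sh
# Summarise AVC denials for the puppet_t domain as
# "<tclass> <permission> <target type>", deduplicated, so you can see
# whether dac_read_search or execute on initrc_notrans_exec_t is ever
# requested (and by which comm= if you extend the print).
# Reads audit lines on stdin, e.g.:  ausearch -m avc | puppet_denials
puppet_denials() {
    awk '
        /avc: +denied/ && /scontext=[^ ]*:puppet_t:/ {
            # permissions sit inside the braces after "denied"
            perms = $0
            sub(/.*denied +\{ */, "", perms)
            sub(/ *\}.*/, "", perms)
            # object class and target context are key=value tokens
            tclass = $0; sub(/.*tclass=/, "", tclass); sub(/ .*/, "", tclass)
            tctx = $0;   sub(/.*tcontext=/, "", tctx);  sub(/ .*/, "", tctx)
            # type is the third field of user:role:type:level
            split(tctx, ctx, ":")
            n = split(perms, p, " ")
            for (i = 1; i <= n; i++) print tclass, p[i], ctx[3]
        }
    ' | sort -u
}

# Constructed sample: two puppet_t denials matching the rules discussed
# above, plus an unrelated sshd_t denial that must be filtered out.
sample_puppet_denials() {
    puppet_denials <<'EOF'
type=AVC msg=audit(1310333355.123:42): avc:  denied  { dac_read_search } for  pid=1234 comm="puppet" capability=2  scontext=system_u:system_r:puppet_t:s0 tcontext=system_u:system_r:puppet_t:s0 tclass=capability
type=AVC msg=audit(1310333356.456:43): avc:  denied  { execute } for  pid=1235 comm="puppet" name="rc-status" dev="sda1" ino=1111 scontext=system_u:system_r:puppet_t:s0 tcontext=system_u:object_r:initrc_notrans_exec_t:s0 tclass=file
type=AVC msg=audit(1310333357.789:44): avc:  denied  { read } for  pid=999 comm="sshd" name="shadow" scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
EOF
}
```

If the summary over a real permissive run never lists `capability dac_read_search`, the rule can be left out of the module; an `execute` hit on `initrc_notrans_exec_t` is the point at which the transition set mentioned above would be preferred over a bare allow.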