| 1 |
On Sun, Jul 10, 2011 at 04:49:15PM -0500, Matthew Thode wrote: |
| 2 |
> #============= puppet_t ============== |
| 3 |
> allow puppet_t initrc_notrans_exec_t:file execute; |
| 4 |
> allow puppet_t self:capability dac_read_search; |
| 5 |
|
| 6 |
These two I find a bit strange. When do you encounter the need for |
| 7 |
initrc_notrans_exec_t execute rights? I guess you're running rc-status or |
| 8 |
rc-update at that point? I can have it work using a puppet_t -> |
| 9 |
puppet_initrc_notrans_t -> puppet_t transition set (like we do for sysadm_t) |
| 10 |
but this is not something you can do with audit2allow, so if the above was |
| 11 |
sufficient to make things work... |
| 12 |
|
| 13 |
Also, the dac_read_search capability is something that allows a root user to |
| 14 |
read/search files, even if the owner of those files isn't root. In regular |
| 15 |
DAC, this is "normal" (root can do everything) but not always necessary. If |
| 16 |
you do not allow this, what happens then? |
| 17 |
|
| 18 |
My overlay contains sec-policy/selinux-puppet-2.20101213-r1 [1] so if you |
| 19 |
want to test things out, you can subscribe to the overlay or put the |
| 20 |
necessary files in your own. |
| 21 |
|
| 22 |
[1] https://github.com/sjvermeu/gentoo.overlay/tree/7e3e3e56a7eb822ed57cc3f3d6285189a1d9fa27/sec-policy/selinux-puppet |
| 23 |
|
| 24 |
Wkr, |
| 25 |
Sven Vermeulen |
Archives