From: Sven Vermeulen
To: gentoo-hardened@lists.gentoo.org
Subject: Re: [gentoo-hardened] selinux puppet update for 2.6.8
Date: Mon, 11 Jul 2011 14:17:10 +0200
Message-ID: <20110711121710.GA31439@siphos.be>
On Sun, Jul 10, 2011 at 04:49:15PM -0500, Matthew Thode wrote:
> #============= puppet_t ==============
> allow puppet_t initrc_notrans_exec_t:file execute;
> allow puppet_t self:capability dac_read_search;

These two I find a bit strange. When do you encounter the need for initrc_notrans_exec_t execute rights? I guess you're running rc-status or rc-update at that point? I can have it work using a puppet_t -> puppet_initrc_notrans_t -> puppet_t transition set (like we do for sysadm_t), but this is not something you can do with audit2allow, so if the above was sufficient to make things work...

Also, the dac_read_search capability is something that allows a root user to read/search files, even if the owner of those files isn't root. In regular DAC, this is "normal" (root can do everything) but not always necessary. If you do not allow this, what happens then?

My overlay contains sec-policy/selinux-puppet-2.20101213-r1 [1], so if you want to test things out, you can subscribe to the overlay or put the necessary files in your own.

[1] https://github.com/sjvermeu/gentoo.overlay/tree/7e3e3e56a7eb822ed57cc3f3d6285189a1d9fa27/sec-policy/selinux-puppet

Wkr,
  Sven Vermeulen
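As an added illustration (not code from the thread, from sec-policy/selinux-puppet, or from the Gentoo hardened policy), the following raw SELinux policy module shows the first leg of the transition set Sven describes: instead of letting puppet_t execute initrc_notrans_exec_t directly (which is all audit2allow can suggest from a denial), the rc tools run in a separate domain that puppet_t transitions into. The domain name puppet_initrc_notrans_t is taken from the mail; the permission sets, the module name and the comments are assumptions. The return leg back to puppet_t is left out, because the mail does not say which executable it is keyed on.

```selinux
# puppet_initrc_notrans.te -- added example, not part of selinux-puppet.
# Loadable module written in kernel policy language (no refpolicy macros),
# so it can be built with checkmodule/semodule_package on a refpolicy system
# where puppet_t and initrc_notrans_exec_t already exist.
module puppet_initrc_notrans 1.0;

require {
    attribute domain;
    type puppet_t;
    type initrc_notrans_exec_t;
    class file { getattr open read execute entrypoint };
    class process { transition sigchld };
}

# The dedicated domain for rc-status/rc-update when launched by puppet_t.
# Name taken from the mail; marking it as a process domain is an assumption.
type puppet_initrc_notrans_t;
typeattribute puppet_initrc_notrans_t domain;

# puppet_t may run the notrans rc tools, but only through a domain
# transition: no execute_no_trans, so they never stay in puppet_t.
allow puppet_t initrc_notrans_exec_t:file { getattr open read execute };
allow puppet_t puppet_initrc_notrans_t:process transition;

# The new domain is entered only via initrc_notrans_exec_t.
allow puppet_initrc_notrans_t initrc_notrans_exec_t:file entrypoint;

# Make the transition automatic on exec().
type_transition puppet_t initrc_notrans_exec_t:process puppet_initrc_notrans_t;

# Let the child notify its parent on exit.
allow puppet_initrc_notrans_t puppet_t:process sigchld;

# What puppet_initrc_notrans_t itself needs (reading rc state, writing the
# runlevel symlinks for rc-update) is deliberately not guessed here; it would
# be filled in from the denials that domain produces once it is in use.
```

To try it: `checkmodule -M -m -o puppet_initrc_notrans.mod puppet_initrc_notrans.te`, `semodule_package -o puppet_initrc_notrans.pp -m puppet_initrc_notrans.mod`, `semodule -i puppet_initrc_notrans.pp`, then run the puppet manifest that calls rc-status/rc-update and inspect `ausearch -m avc -ts recent`. The same approach answers the dac_read_search question: load the puppet policy without that capability rule, exercise the manifests, and only add it back if an AVC denial for `{ dac_read_search }` with `comm="puppetd"` (or whatever the agent's process name is on that system) actually shows up, rather than granting it because audit2allow printed it.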