From: Matthew Thode
Reply-To: gentoo-hardened@lists.gentoo.org
Date: Mon, 11 Jul 2011 08:25:48 -0500
Subject: Re: [gentoo-hardened] selinux puppet update for 2.6.8
In-Reply-To: <20110711121710.GA31439@siphos.be>
List-Id: Gentoo Linux mail

You can use puppet to manage services (make sure they are running and in
the proper runlevel). What I emailed you worked for me.

execute_no_trans is required for rc-update:

type=AVC msg=audit(1310333942.567:429): avc: denied { execute_no_trans } for pid=31986 comm="puppetd" path="/sbin/rc-update" dev=vda3 ino=7033 scontext=system_u:system_r:puppet_t tcontext=system_u:object_r:initrc_notrans_exec_t tclass=file

I don't see selinux-puppet-2.20101213-r1 in the overlay.
-- 
Matthew Thode

On 7/11/11 7:17 AM, "Sven Vermeulen" wrote:

>On Sun, Jul 10, 2011 at 04:49:15PM -0500, Matthew Thode wrote:
>> #============= puppet_t ==============
>> allow puppet_t initrc_notrans_exec_t:file execute;
>> allow puppet_t self:capability dac_read_search;
>
>These two I find a bit strange. When do you encounter the need for
>initrc_notrans_exec_t execute rights? I guess you're running rc-status or
>rc-update at that point? I can have it work using a puppet_t ->
>puppet_initrc_notrans_t -> puppet_t transition set (like we do for sysadm_t)
>but this is not something you can do with audit2allow, so if the above was
>sufficient to make things work...
>
>Also, the dac_read_search capability is something that allows a root user to
>read/search files, even if the owner of those files isn't root. In regular
>DAC, this is "normal" (root can do everything) but not always necessary. If
>you do not allow this, what happens then?
>
>My overlay contains sec-policy/selinux-puppet-2.20101213-r1 [1] so if you
>want to test things out, you can subscribe to the overlay or put the
>necessary files in your own.
>
>[1] https://github.com/sjvermeu/gentoo.overlay/tree/7e3e3e56a7eb822ed57cc3f3d6285189a1d9fa27/sec-policy/selinux-puppet
>
>Wkr,
>  Sven Vermeulen
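The thread turns on how an AVC denial record maps onto the allow rules that audit2allow prints, and on the fact that the denial Matthew pasted asks for execute_no_trans rather than the execute permission in the earlier audit2allow output. The following is an added example, not code from this thread, from audit2allow or from the selinux-puppet policy: a small Python re-implementation of that mapping, run over the denial quoted above. The second AVC record in the sample is constructed (the thread shows the resulting dac_read_search rule but not the denial that produced it); its timestamp, serial and capability number are assumptions.

```python
"""Turn SELinux AVC denial records into audit2allow-style allow rules.

Added example, not part of the gentoo-hardened thread, of audit2allow or
of the selinux-puppet policy: a minimal converter that shows how the
denial quoted in the mail becomes a policy rule.
"""
import re
from collections import OrderedDict

# The first record is the denial quoted in the mail above. The second is
# CONSTRUCTED in the same format to stand in for the dac_read_search
# denial behind the other audit2allow rule in the thread; its timestamp,
# serial and capability number are assumptions.
SAMPLE_AVC = [
    'type=AVC msg=audit(1310333942.567:429): avc: denied { execute_no_trans } '
    'for pid=31986 comm="puppetd" path="/sbin/rc-update" dev=vda3 ino=7033 '
    'scontext=system_u:system_r:puppet_t '
    'tcontext=system_u:object_r:initrc_notrans_exec_t tclass=file',
    # constructed record
    'type=AVC msg=audit(1310333999.000:430): avc: denied { dac_read_search } '
    'for pid=31986 comm="puppetd" capability=2 '
    'scontext=system_u:system_r:puppet_t '
    'tcontext=system_u:system_r:puppet_t tclass=capability',
]

# "avc: denied { perm perm ... } for key=value key="value" ..."
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$'
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(ctx):
    """Return the type of a user:role:type[:level] security context."""
    return ctx.split(':')[2]


def parse_avc(line):
    """Parse one AVC denial record; return None for any other audit line."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    return {
        'perms': m.group('perms').split(),
        'source': context_type(fields['scontext']),
        'target': context_type(fields['tcontext']),
        'tclass': fields['tclass'],
        'comm': fields.get('comm'),
        'path': fields.get('path'),
    }


def allow_rules(lines):
    """Merge denials per (source, target, class) and render allow rules.

    As audit2allow does, a target type equal to the source type is written
    as 'self'; that is why the capability denial renders as
    'allow puppet_t self:capability dac_read_search;'.
    """
    merged = OrderedDict()
    for line in lines:
        d = parse_avc(line)
        if d is None:
            continue
        target = 'self' if d['target'] == d['source'] else d['target']
        key = (d['source'], target, d['tclass'])
        merged.setdefault(key, set()).update(d['perms'])

    rules = []
    for (src, tgt, cls), perms in merged.items():
        perm_str = ' '.join(sorted(perms))
        if len(perms) > 1:
            perm_str = '{ ' + perm_str + ' }'
        rules.append(f'allow {src} {tgt}:{cls} {perm_str};')
    return rules


if __name__ == '__main__':
    print('#============= puppet_t ==============')
    for rule in allow_rules(SAMPLE_AVC):
        print(rule)
```

Run against the two records this prints the direct rules `allow puppet_t initrc_notrans_exec_t:file execute_no_trans;` and `allow puppet_t self:capability dac_read_search;`. That is all a denial-driven tool can produce: the alternative Sven describes, a separate domain that puppet_t transitions into for rc-update and back out of, is a policy design decision that has to be written by hand, which is the point he makes about audit2allow.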