[refpolicy] [PATCH 1/1] Mount output should be writeable to puppet_tmp_t

All of lore.kernel.org
 help / color / mirror / Atom feed

From: cpebenito@tresys.com (Christopher J. PeBenito)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] [PATCH 1/1] Mount output should be writeable to puppet_tmp_t
Date: Tue, 27 Sep 2011 11:57:39 -0400	[thread overview]
Message-ID: <4E81F273.1090903@tresys.com> (raw)
In-Reply-To: <4E81E4A5.3040500@redhat.com>

On 09/27/11 10:58, Daniel J Walsh wrote:
> On 09/27/2011 09:29 AM, Christopher J. PeBenito wrote:
>> On 09/27/11 08:59, Daniel J Walsh wrote:

>>> The main point is admins are going to need to administrate their 
>>> systems with puppet, and they are going to do what needs to get
>>> done. Usually this is going to move towards and unconfined
>>> domain, especially for general purpose OS.  One problem with
>>> adding lots of transitions and allows to a puppet domain, is that
>>> it makes making a truly confined an controlled puppet_t very
>>> difficult.  For example if all I want to do is allow puppet_t to
>>> manage my apache content, and we add lots of transitions to
>>> things line mount_t we can not get a limited prived puppet_t.
> 
>> I don't understand how your example demonstrates a problem with
>> this approach.  To me, it seems like we agree.  People who want a
>> nice confined system aren't going to have unconfined anyway, so the
>> non-unconfined case need to have a reasonable use case.  For the
>> more general case, people will have the unconfined module, and
>> puppet will be unconfined.
> 
> I guess I am arguing not to add functionality to much functionality to
> puppet, so we have a tightly secured puppet, and then allow people who
> care about confining it to extend it.  Otherwise we will end up with a
> puppet policy that is somewhere in the middle, which does neither
> group any good.
> 
> For example, if you allow puppet to transition to useradd_t, mount_t,
> and the ability to write to security_t, then I can not write a more
> confined policy for my puppet from the reference policy.
> 
> I guess I would opt for Minimal puppet_t enough to let the service run
> and listen on the puppet port.  Maybe allow it to read system files.
> 
> And an unconfined_domain(puppet_t), for those of us who have no idea
> what puppet will do.

So what needs to be decided is where to draw the line.  I think we should look to something reasonable inside the base functionality.  The problem is that puppet's base support is already pretty broad.  I think the minimum we want is:

* edit etc_t files
* tunable: edit all config files

some other reasonable ones are:
* tunable: start & stop services
* tunable: toggle SELinux Booleans
* tunable: manage users & groups
* tunable: manage packages (eg run yum/rpm, etc.)

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com

next prev parent reply	other threads:[~2011-09-27 15:57 UTC|newest]

Thread overview: 19+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2011-09-24 13:56 [refpolicy] [PATCH 1/1] Mount output should be writeable to puppet_tmp_t Sven Vermeulen
2011-09-24 15:18 ` Dominick Grift
2011-09-24 15:22   ` Dominick Grift
2011-09-26 13:12     ` Daniel J Walsh
2011-09-26 14:22       ` Sven Vermeulen
2011-09-26 15:01         ` Daniel J Walsh
2011-09-26 15:11           ` Dominick Grift
2011-09-26 15:41             ` Daniel J Walsh
2011-09-26 18:31               ` Christopher J. PeBenito
2011-09-26 19:36                 ` Matt Thode
2011-09-27 12:59                   ` Daniel J Walsh
2011-09-27 13:17                     ` Matt Thode
2011-09-27 13:29                     ` Christopher J. PeBenito
2011-09-27 14:58                       ` Daniel J Walsh
2011-09-27 15:57                         ` Christopher J. PeBenito [this message]
2011-09-27 16:37                         ` Dominick Grift
2011-09-27 18:06                           ` Daniel J Walsh
2011-09-27 16:40                       ` Sven Vermeulen
2011-09-27 18:03                         ` Daniel J Walsh

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=4E81F273.1090903@tresys.com \
    --to=cpebenito@tresys.com \
    --cc=refpolicy@oss.tresys.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.