how to allow one program to mount to /tmp?

Daniel J Walsh dwalsh at redhat.com
Fri Mar 7 16:48:21 UTC 2008



Johnny Tan wrote:
> I use puppet to do config management. It writes to /tmp/puppet.$$ files
> to capture the output of commands, then reads in from those tmp files
> after.
> 
> It seems that when puppet attempts to do a mount command to /tmp,
> selinux is denying it.
> 
First why are you using /tmp?  This is a directory that random users can
write to.  It should never be used from system space.

Please read...

Daemons "Just say no to using /tmp" ---
http://danwalsh.livejournal.com/11467.html

Sounds like this is a log file, so why not put it in /var/log?
I believe mount can mount there now.


> When I do audit2allow, it comes up with this:
> 
> ==
> require {
>         type initrc_tmp_t;
>         type mount_t;
>         class file { read write };
> }
> 
> #============= mount_t ==============
> allow mount_t initrc_tmp_t:file { read write };
> ==
> 
> 
> To me, this seems a bit broad. The above allows any program to mount to
> /tmp, right?
> 
> How can I modify it such that only my puppet program is allowed, but
> continue to deny all others?
> 
> johnn
> 
> -- 
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
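Added example, not from the list post or either poster: a small POSIX sh/awk screen for audit2allow output that flags allow rules granting write access to shared tmp types such as initrc_tmp_t, so the breadth Johnny asks about is caught before the module is loaded. The second sample rule on var_log_t is constructed for contrast.

```shell
#!/bin/sh
# Added example, not from the list post: screen audit2allow output before
# loading it. A rule is flagged BROAD when its target is a shared tmp type
# (tmp_t or any *_tmp_t) and the permission set includes write, append or
# create, because every process in the source domain then gets that access.

# Constructed sample: the rule from the quoted message, plus a narrower
# read-only rule on var_log_t for contrast.
SAMPLE_RULES='allow mount_t initrc_tmp_t:file { read write };
allow mount_t var_log_t:dir search;'

# flag_broad_rules: reads allow rules on stdin, prints one verdict line per
# rule ("BROAD: ..." or "ok: ...") and returns 1 if any rule was flagged.
flag_broad_rules() {
    awk '
    /^[ \t]*allow[ \t]/ {
        line = $0
        gsub(/[{};]/, " ", line)            # drop braces and terminator
        n = split(line, f, /[ \t]+/)
        src = ""; tgt = ""; cls = ""; perms = ""
        for (i = 1; i <= n; i++) {
            if (f[i] == "" || f[i] == "allow") continue
            if (src == "") { src = f[i]; continue }
            if (tgt == "") { split(f[i], tc, ":"); tgt = tc[1]; cls = tc[2]; continue }
            perms = perms f[i] " "
        }
        sub(/ $/, "", perms)
        shared_tmp = (tgt ~ /(^|_)tmp_t$/)
        writes = (perms ~ /(^| )(write|append|create)( |$)/)
        verdict = (shared_tmp && writes) ? "BROAD" : "ok"
        if (verdict == "BROAD") broad++
        printf "%s: %s -> %s (%s) perms=[%s]\n", verdict, src, tgt, cls, perms
    }
    END { if (broad > 0) exit 1 }'
}

# Stand-alone run; a non-zero status means the module needs review first.
printf '%s\n' "$SAMPLE_RULES" | flag_broad_rules \
    || echo "review flagged rules before loading the module with semodule -i"
```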
