Issue #3033 has been updated by Todd Zullinger.
Markus, using another directory would indeed help ease SELinux concerns AFAIK. As Dan Walsh (the main selinux-policy maintainer for RHEL and Fedora) noted in "Fedora bug #553565":https://bugzilla.redhat.com/show_bug.cgi?id=553565:

> Make it simple, if you are running a process as root, DONT write to a
> directory where processes running as NON ROOT can muck around. UNLESS it
> is APSOLUTELY Necessary.
>
> Users are evil. :^)

A similar bug is what prompted us to inquire about tightening the permissions on /var/run/puppet, which defaults to 1777. We now patch that in the packages for Fedora and EPEL, as we can ensure that the needed user/group exists. If puppet were to use a dir that only the puppet user had write access to for such files, I believe that would allow selinux-policy to allow the actions it is now denying.

If everything using files in /tmp used the Tempfile module, we could perhaps even just set the TMPDIR env variable and make it easily configurable for folks.

----------------------------------------
Bug #3033: Using temporary files in /tmp to communicate with child processes is problematic in SELinux
http://projects.reductivelabs.com/issues/3033

Author: Markus Roberts
Status: Investigating
Priority: Normal
Assigned to:
Category: exec
Target version: 0.25.4
Affected version: 0.25.2
Keywords:
Branch:

The present approach is necessitated by the more common / severe locking and race conditions that arise when trying to implement a cross-platform solution based on pipes (see related tickets, below). There are two possible solutions here; both should be explored:

* Try to diagnose why the code developed on #3013 failed as described on #3025
* Perhaps more pragmatically, see if moving the temp files presently used in lieu of pipes to some other directory would placate SELinux.

--
You have received this notification because you have either subscribed to it, or are involved in it.
To change your notification preferences, please click here: http://reductivelabs.com/redmine/my/account

--
You received this message because you are subscribed to the Google Groups "Puppet Bugs" group.
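The approach Todd sketches above (keep the root-written handoff files out of a world-writable directory such as /tmp or a 1777 /var/run/puppet, and go through Ruby's Tempfile so the location is a single knob) can be shown in a few lines of Ruby. The block below is an added illustration written for this page; it is not Puppet's code, not the patch discussed in the ticket, and `private_tmpdir`, `with_private_tempfile` and `world_writable?` are hypothetical helper names. It creates a per-uid directory mode 0700, refuses to use a directory that is a symlink, owned by someone else, or group/world-writable (the situation Dan Walsh warns about), and then hands a Tempfile created inside it to a child by path.

```ruby
require 'tempfile'
require 'tmpdir'
require 'fileutils'

# Hypothetical helper (not Puppet's): return a directory that only the current
# user may write to. Creates it 0700 under Dir.tmpdir (which honours TMPDIR)
# if missing, and refuses anything a non-root user could "muck around" in.
def private_tmpdir(base = File.join(Dir.tmpdir, "exec-#{Process.uid}"))
  raise "#{base} is a symlink" if File.symlink?(base)
  FileUtils.mkdir_p(base, mode: 0o700) unless File.directory?(base)
  st = File.lstat(base)
  raise "#{base} is not a directory" unless st.directory?
  raise "#{base} is not owned by uid #{Process.uid}" unless st.uid == Process.uid
  raise "#{base} is group/world-writable" unless (st.mode & 0o022).zero?
  base
end

# True if "other" has write permission on path (a 1777 /tmp qualifies).
def world_writable?(path)
  (File.stat(path).mode & 0o002) != 0
end

# Hypothetical helper: write data for a child process to read, using Tempfile
# (mode 0600) in the private directory instead of bare /tmp. The block
# receives the path, as a forked child would; the file is unlinked afterwards.
def with_private_tempfile(data, dir = private_tmpdir)
  tf = Tempfile.new('puppet-exec', dir)
  tf.write(data)
  tf.flush
  tf.close            # close without unlinking so the child can open it
  yield tf.path
ensure
  if tf
    tf.close unless tf.closed?
    tf.unlink
  end
end

if __FILE__ == $0
  dir = private_tmpdir
  puts "private dir #{dir}, world-writable? #{world_writable?(dir)}"
  puts "#{Dir.tmpdir} world-writable? #{world_writable?(Dir.tmpdir)}"
  # Child reads the path back, standing in for the exec provider's helper.
  puts with_private_tempfile("hello from parent\n") { |p| IO.popen(['cat', p], &:read) }
end
```

Because `Dir.tmpdir` consults `TMPDIR`, pointing that variable at the private directory is enough to move every Tempfile user at once, which is the "easily configurable" knob Todd mentions; the ownership and mode checks are what stop a symlink or a shared directory from silently putting the files back where they were.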
