From 0c439004dbaff1e7c24457d2367ec6bbfc4375a4 Mon Sep 17 00:00:00 2001 From: "Chris St. Pierre" Date: Tue, 18 Sep 2012 10:29:40 -0400 Subject: updated SELinux policy docs --- doc/server/plugins/grouping/metadata.txt | 2 ++ doc/server/plugins/probes/index.txt | 2 ++ doc/server/selinux.txt | 41 +++++++++++++++++++------------- 3 files changed, 28 insertions(+), 17 deletions(-) diff --git a/doc/server/plugins/grouping/metadata.txt b/doc/server/plugins/grouping/metadata.txt index 0a7d1780b..11039f219 100644 --- a/doc/server/plugins/grouping/metadata.txt +++ b/doc/server/plugins/grouping/metadata.txt @@ -107,6 +107,8 @@ but that is deprecated. For detailed information on client authentication see :ref:`appendix-guides-authentication` +.. _server-plugins-grouping-metadata-clients-database: + Clients Database ~~~~~~~~~~~~~~~~ diff --git a/doc/server/plugins/probes/index.txt b/doc/server/plugins/probes/index.txt index 3c19ced55..e0d572323 100644 --- a/doc/server/plugins/probes/index.txt +++ b/doc/server/plugins/probes/index.txt @@ -150,6 +150,8 @@ the client-specific one will be used. If you want to to detect information about the client operating system, the :ref:`server-plugins-probes-ohai` plugin can help. +.. _server-plugins-probes-data-storage: + Data Storage ============ diff --git a/doc/server/selinux.txt b/doc/server/selinux.txt index 40d5af9f6..e08b4aa66 100644 --- a/doc/server/selinux.txt +++ b/doc/server/selinux.txt 
@@ -24,22 +24,25 @@ unconfined.) It defines the following booleans: -+---------------------------+--------------------------------------------------+ -| Boolean Name | Description | -+===========================+==================================================+ -| bcfg2_server_exec_scripts | Allow the Bcfg2 server to execute scripts in | -| | ``unconfined_t``. This ability is limited to | -| | scripts in the ``bcfg2_server_script_exec_t`` | -| | context. If this boolean is off, then external | -| | server-side scripts will be run in | -| | ``bcfg2_server_t``, which is a fairly limited | -| | context. Consequently, this boolean should be | -| | on in order to meaningfully use the | -| | :ref:`server-plugins-misc-trigger` or | -| | :ref:`server-plugins-connectors-puppetenc` | -| | plugins, or Cfg | -| | :ref:`server-plugins-generators-cfg-validation`. | -+---------------------------+--------------------------------------------------+ ++-------------------------------------+-----------------------------------------+----------------------------------------------------------+---------+ +| Boolean Name | Description | Plugins Affected | Default | ++=====================================+=========================================+==========================================================+=========+ +| bcfg2_server_exec_scripts | Allow the Bcfg2 server to execute | :ref:`server-plugins-misc-trigger` and | off | +| | scripts in ``unconfined_t``. This | :ref:`server-plugins-connectors-puppetenc`, | | +| | ability is limited to scripts in the | and Cfg | | +| | ``bcfg2_server_script_exec_t`` context. | :ref:`server-plugins-generators-cfg-validation` | | +| | If this boolean is off, then external | | | +| | server-side scripts will be run in | | | +| | ``bcfg2_server_t``, which is a fairly | | | +| | limited context. 
| | | ++-------------------------------------+-----------------------------------------+----------------------------------------------------------+---------+ +| bcfg2_server_can_network_connect_db | Allow the Bcfg2 server to connect to | :ref:`server-plugins-statistics-dbstats`, the | off | +| | databases (e.g., MySQL and PostgreSQL) | :ref:`server-plugins-grouping-metadata-clients-database` | | +| | | feature of Metadata, and the database | | +| | | :ref:`server-plugins-probes-data-storage` | | +| | | feature of Probes | | ++-------------------------------------+-----------------------------------------+----------------------------------------------------------+---------+ + It also defines the following SELinux types: @@ -77,10 +80,14 @@ It also defines the following SELinux types: +----------------------------+-------------------------------------------------+ | bcfg2_conf_t | The context of bcfg2.conf | +----------------------------+-------------------------------------------------+ +| bcfg2_tmp_t | The context of temp files created by the Bcfg2 | +| | server | ++----------------------------+-------------------------------------------------+ If you do run your server in enforcing mode, it is highly recommend that you run ``restorecon -R /var/lib/bcfg2`` every time you update -the content in that directory. +the content in that directory, particularly if you are using plugins +that execute arbitrary scripts. .. _server-selinux-entries: -- cgit v1.2.3-1-g7c22
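Review bot: the new bcfg2_server_exec_scripts row describes what the boolean permits but not what it costs. The Description says the ability "is limited to scripts in the ``bcfg2_server_script_exec_t`` context", so once the boolean is on, any file that ends up with that label runs as ``unconfined_t``; the effective boundary becomes "who can put a file under /var/lib/bcfg2 that receives that label", and the row (or a sentence below the table) should say so, since a reader will otherwise read the Default of "off" as the only thing protecting the server. Two smaller points in the same table: the Plugins Affected cell reads ":ref:`server-plugins-misc-trigger` and :ref:`server-plugins-connectors-puppetenc`, and Cfg ...", so drop the first "and" to get a plain three-item list; and the bcfg2_server_can_network_connect_db description ends without a period while the row above it has one.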
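Review bot: the sentence this hunk extends still carries the pre-existing typo "it is highly recommend that you run" (should be "recommended"); worth fixing while touching the line. The added clause "particularly if you are using plugins that execute arbitrary scripts" gives no reason, and the reader needs one to know when to care: files copied or synced into /var/lib/bcfg2 keep the label of their source or inherit the parent directory's type rather than ``bcfg2_server_script_exec_t``, so without ``restorecon`` the server either cannot execute them or, with bcfg2_server_exec_scripts on, runs them confined in ``bcfg2_server_t`` instead of ``unconfined_t``. Suggest stating that failure mode in one sentence and mentioning that ``ls -Z`` (current label) against ``matchpathcon`` (expected label) shows whether the tree needs relabelling. The new bcfg2_tmp_t row would also help more if it said where those temp files are expected to live.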