diff --git a/booleans.subs_dist b/booleans.subs_dist index 249f12d..d4ff62c 100644 --- a/booleans.subs_dist +++ b/booleans.subs_dist @@ -50,4 +50,4 @@ sepgsql_unconfined_dbadm postgresql_selinux_unconfined_dbadm clamd_use_jit antivirus_use_jit amavis_use_jit antivirus_use_jit logwatch_can_sendmail logwatch_can_network_connect_mail -puppetmaster_use_db puppet_use_db +puppet_manage_all_files puppetagent_manage_all_files diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index 2f410dd..b511649 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -59572,7 +59572,7 @@ index bf59ef7..0ec51d4 100644 + manage_dirs_pattern($1, passenger_tmp_t, passenger_tmp_t) ') diff --git a/passenger.te b/passenger.te -index 08ec33b..12f6357 100644 +index 08ec33b..24ce7e8 100644 --- a/passenger.te +++ b/passenger.te @@ -14,6 +14,9 @@ role system_r types passenger_t; @@ -59664,7 +59664,7 @@ index 08ec33b..12f6357 100644 +') + +optional_policy(` -+ puppet_domtrans(passenger_t) ++ puppet_domtrans_master(passenger_t) + puppet_manage_lib(passenger_t) puppet_read_config(passenger_t) - puppet_append_log_files(passenger_t) @@ -69391,29 +69391,37 @@ index 6643b49..1d2470f 100644 optional_policy(` diff --git a/puppet.fc b/puppet.fc -index d68e26d..94b9e8e 100644 +index d68e26d..f734388 100644 --- a/puppet.fc 
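Review bot: The line replaced here was the only alias for `puppet_use_db`, and since puppet.te in this commit renames that tunable back to `puppetmaster_use_db`, a host that set `puppet_use_db` under the previous release no longer has a name that resolves — assuming 3.13.1-44 shipped with `gen_tunable(puppet_use_db, false)`, as the removed contrib lines suggest. Keeping `puppet_use_db puppetmaster_use_db` next to the new `puppet_manage_all_files puppetagent_manage_all_files` entry lets both the pre-44 and the 44 spellings resolve to the current boolean.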
+++ b/puppet.fc -@@ -1,18 +1,10 @@ +@@ -1,18 +1,20 @@ -/etc/puppet(/.*)? gen_context(system_u:object_r:puppet_etc_t,s0) -+/etc/puppet(/.*)? gen_context(system_u:object_r:puppet_etc_t,s0) ++/etc/puppet(/.*)? gen_context(system_u:object_r:puppet_etc_t,s0) -/etc/rc\.d/init\.d/puppet -- gen_context(system_u:object_r:puppet_initrc_exec_t,s0) -/etc/rc\.d/init\.d/puppetmaster -- gen_context(system_u:object_r:puppetmaster_initrc_exec_t,s0) -+/usr/lib/systemd/system/puppetmaster.* -- gen_context(system_u:object_r:puppet_unit_file_t,s0) ++/etc/rc\.d/init\.d/puppet -- gen_context(system_u:object_r:puppetagent_initrc_exec_t,s0) ++/etc/rc\.d/init\.d/puppetmaster -- gen_context(system_u:object_r:puppetmaster_initrc_exec_t,s0) -/usr/bin/puppetca -- gen_context(system_u:object_r:puppetca_exec_t,s0) -/usr/bin/puppetd -- gen_context(system_u:object_r:puppet_exec_t,s0) -/usr/bin/puppetmasterd -- gen_context(system_u:object_r:puppetmaster_exec_t,s0) -+/usr/bin/puppetca -- gen_context(system_u:object_r:puppetca_exec_t,s0) -+/usr/bin/start-puppet-master -- gen_context(system_u:object_r:puppet_exec_t,s0) ++#helper scripts ++/usr/bin/puppet-agent -- gen_context(system_u:object_r:puppetagent_exec_t,s0) ++/usr/bin/puppet-master -- gen_context(system_u:object_r:puppetmaster_exec_t,s0) -/usr/sbin/puppetca -- gen_context(system_u:object_r:puppetca_exec_t,s0) -/usr/sbin/puppetd -- gen_context(system_u:object_r:puppet_exec_t,s0) -/usr/sbin/puppetmasterd -- gen_context(system_u:object_r:puppetmaster_exec_t,s0) -- ++/usr/bin/puppetca -- gen_context(system_u:object_r:puppetca_exec_t,s0) ++/usr/bin/puppetd -- gen_context(system_u:object_r:puppetagent_exec_t,s0) ++/usr/bin/puppetmasterd -- gen_context(system_u:object_r:puppetmaster_exec_t,s0) + -/var/lib/puppet(/.*)? 
gen_context(system_u:object_r:puppet_var_lib_t,s0) -- ++/usr/sbin/puppetca -- gen_context(system_u:object_r:puppetca_exec_t,s0) ++/usr/sbin/puppetd -- gen_context(system_u:object_r:puppetagent_exec_t,s0) ++/usr/sbin/puppetmasterd -- gen_context(system_u:object_r:puppetmaster_exec_t,s0) + -/var/log/puppet(/.*)? gen_context(system_u:object_r:puppet_log_t,s0) - -/var/run/puppet(/.*)? gen_context(system_u:object_r:puppet_var_run_t,s0) @@ -69421,10 +69429,10 @@ index d68e26d..94b9e8e 100644 +/var/log/puppet(/.*)? gen_context(system_u:object_r:puppet_log_t,s0) +/var/run/puppet(/.*)? gen_context(system_u:object_r:puppet_var_run_t,s0) diff --git a/puppet.if b/puppet.if -index 7cb8b1f..6357588 100644 +index 7cb8b1f..9422c90 100644 --- a/puppet.if +++ b/puppet.if -@@ -1,4 +1,50 @@ +@@ -1,4 +1,32 @@ -## Configuration management system. +## Puppet client daemon +## @@ -69436,47 +69444,29 @@ index 7cb8b1f..6357588 100644 +##

+##
+ -+####################################### -+## -+## Execute puppet_master in the puppet_master -+## domain. -+## -+## -+## -+## Domain allowed to transition. -+## -+## -+# -+interface(`puppet_domtrans_master',` -+ gen_require(` -+ type puppetmaster_t, puppetmaster_exec_t; -+ ') -+ refpolicywarn(`$0($*) has been deprecated.') -+') -+ +######################################## +## -+## Execute puppet in the puppet -+## domain. ++## Execute puppet_master in the puppet_master ++## domain. +## +## +## -+## Domain allowed to transition. ++## Domain allowed to transition. +## +## +# -+interface(`puppet_domtrans',` -+ gen_require(` -+ type puppet_t, puppet_exec_t; -+ ') ++interface(`puppet_domtrans_master',` ++ gen_require(` ++ type puppetmaster_t, puppetmaster_exec_t; ++ ') + -+ corecmd_search_bin($1) -+ domtrans_pattern($1, puppet_exec_t, puppet_t) ++ corecmd_search_bin($1) ++ domtrans_pattern($1, puppetmaster_exec_t, puppetmaster_t) +') ######################################## ## -@@ -40,16 +86,19 @@ interface(`puppet_domtrans_puppetca',` +@@ -40,16 +68,19 @@ interface(`puppet_domtrans_puppetca',` # interface(`puppet_run_puppetca',` gen_require(` @@ -69500,7 +69490,7 @@ index 7cb8b1f..6357588 100644 ## ## ## -@@ -57,15 +106,13 @@ interface(`puppet_run_puppetca',` +@@ -57,15 +88,13 @@ interface(`puppet_run_puppetca',` ## ## # @@ -69520,7 +69510,7 @@ index 7cb8b1f..6357588 100644 ') ################################################ -@@ -78,158 +125,164 @@ interface(`puppet_read_config',` +@@ -78,158 +107,164 @@ interface(`puppet_read_config',` ## ## # @@ -69694,15 +69684,15 @@ index 7cb8b1f..6357588 100644 -## -## Domain allowed access. -## --## --## --## --## Role allowed access. --## +## +## Domain allowed access. +## ## +-## +-## +-## Role allowed access. +-## +-## -## # -interface(`puppet_admin',` 
@@ -69712,14 +69702,14 @@ index 7cb8b1f..6357588 100644 - type puppet_var_run_t, puppetmaster_tmp_t; - type puppet_t, puppetca_t, puppetmaster_t; - ') +- +- allow $1 { puppet_t puppetca_t puppetmaster_t }:process { ptrace signal_perms }; +- ps_process_pattern($1, { puppet_t puppetca_t puppetmaster_t }) +interface(`puppet_manage_log',` + gen_require(` + type puppet_log_t; + ') -- allow $1 { puppet_t puppetca_t puppetmaster_t }:process { ptrace signal_perms }; -- ps_process_pattern($1, { puppet_t puppetca_t puppetmaster_t }) -- - init_labeled_script_domtrans($1, { puppet_initrc_exec_t puppetmaster_initrc_exec_t }) - domain_system_change_exemption($1) - role_transition $2 { puppet_initrc_exec_t puppetmaster_initrc_exec_t } system_r; @@ -69780,10 +69770,10 @@ index 7cb8b1f..6357588 100644 + allow $1 puppet_var_run_t:dir search_dir_perms; ') diff --git a/puppet.te b/puppet.te -index 618dcfe..ca66457 100644 +index 618dcfe..0903e67 100644 --- a/puppet.te +++ b/puppet.te -@@ -6,25 +6,31 @@ policy_module(puppet, 1.4.0) +@@ -6,25 +6,32 @@ policy_module(puppet, 1.4.0) # ## @@ -69796,7 +69786,8 @@ index 618dcfe..ca66457 100644 +## types. +##

##
- gen_tunable(puppet_manage_all_files, false) +-gen_tunable(puppet_manage_all_files, false) ++gen_tunable(puppetagent_manage_all_files, false) -attribute_role puppetca_roles; -roleattribute system_r puppetca_roles; @@ -69805,25 +69796,29 @@ index 618dcfe..ca66457 100644 +## Allow Puppet master to use connect to MySQL and PostgreSQL database +##

+## -+gen_tunable(puppet_use_db, false) ++gen_tunable(puppetmaster_use_db, false) - type puppet_t; - type puppet_exec_t; - init_daemon_domain(puppet_t, puppet_exec_t) +-type puppet_t; +-type puppet_exec_t; +-init_daemon_domain(puppet_t, puppet_exec_t) ++type puppetagent_t; ++type puppetagent_exec_t; ++typealias puppetagent_exec_t alias puppet_exec_t; ++typealias puppetagent_t alias puppet_t; ++init_daemon_domain(puppetagent_t, puppetagent_exec_t) -+typealias puppet_t alias puppetmaster_t; -+ type puppet_etc_t; files_config_file(puppet_etc_t) -type puppet_initrc_exec_t; -init_script_file(puppet_initrc_exec_t) -+type puppet_unit_file_t; -+systemd_unit_file(puppet_unit_file_t) ++type puppetagent_initrc_exec_t; ++typealias puppetagent_initrc_exec_t alias puppet_initrc_exec_t; ++init_script_file(puppetagent_initrc_exec_t) type puppet_log_t; logging_log_file(puppet_log_t) -@@ -37,52 +43,37 @@ files_type(puppet_var_lib_t) +@@ -37,12 +44,11 @@ files_type(puppet_var_lib_t) type puppet_var_run_t; files_pid_file(puppet_var_run_t) @@ -69833,18 +69828,12 @@ index 618dcfe..ca66457 100644 type puppetca_exec_t; application_domain(puppetca_t, puppetca_exec_t) -role puppetca_roles types puppetca_t; -- --type puppetmaster_t; --type puppetmaster_exec_t; --init_daemon_domain(puppetmaster_t, puppetmaster_exec_t) -- --type puppetmaster_initrc_exec_t; --init_script_file(puppetmaster_initrc_exec_t) -- --type puppetmaster_tmp_t; --files_tmp_file(puppetmaster_tmp_t) +role system_r types puppetca_t; + type puppetmaster_t; + type puppetmaster_exec_t; +@@ -56,161 +62,156 @@ files_tmp_file(puppetmaster_tmp_t) + ######################################## # -# Local policy 
@@ -69852,146 +69841,254 @@ index 618dcfe..ca66457 100644 # -allow puppet_t self:capability { chown fowner fsetid setuid setgid dac_override sys_admin sys_nice sys_tty_config }; -+allow puppet_t self:capability { fowner fsetid setuid setgid dac_override sys_nice sys_tty_config }; - allow puppet_t self:process { signal signull getsched setsched }; - allow puppet_t self:fifo_file rw_fifo_file_perms; - allow puppet_t self:netlink_route_socket create_netlink_socket_perms; +-allow puppet_t self:process { signal signull getsched setsched }; +-allow puppet_t self:fifo_file rw_fifo_file_perms; +-allow puppet_t self:netlink_route_socket create_netlink_socket_perms; -allow puppet_t self:tcp_socket { accept listen }; -+allow puppet_t self:tcp_socket create_stream_socket_perms; - allow puppet_t self:udp_socket create_socket_perms; - +-allow puppet_t self:udp_socket create_socket_perms; +- -allow puppet_t puppet_etc_t:dir list_dir_perms; -allow puppet_t puppet_etc_t:file read_file_perms; -allow puppet_t puppet_etc_t:lnk_file read_lnk_file_perms; -+read_files_pattern(puppet_t, puppet_etc_t, puppet_etc_t) - - manage_dirs_pattern(puppet_t, puppet_var_lib_t, puppet_var_lib_t) - manage_files_pattern(puppet_t, puppet_var_lib_t, puppet_var_lib_t) +- +-manage_dirs_pattern(puppet_t, puppet_var_lib_t, puppet_var_lib_t) +-manage_files_pattern(puppet_t, puppet_var_lib_t, puppet_var_lib_t) -can_exec(puppet_t, puppet_var_lib_t) -+files_search_var_lib(puppet_t) - +- -setattr_dirs_pattern(puppet_t, puppet_var_run_t, puppet_var_run_t) -+manage_dirs_pattern(puppet_t, puppet_var_run_t, puppet_var_run_t) - manage_files_pattern(puppet_t, puppet_var_run_t, puppet_var_run_t) - files_pid_filetrans(puppet_t, puppet_var_run_t, { file dir }) - +-manage_files_pattern(puppet_t, puppet_var_run_t, puppet_var_run_t) +-files_pid_filetrans(puppet_t, puppet_var_run_t, { file dir }) +- -allow puppet_t puppet_log_t:dir { create_dir_perms setattr_dir_perms }; -append_files_pattern(puppet_t, puppet_log_t, 
puppet_log_t) -+create_dirs_pattern(puppet_t, var_log_t, puppet_log_t) - create_files_pattern(puppet_t, puppet_log_t, puppet_log_t) +-create_files_pattern(puppet_t, puppet_log_t, puppet_log_t) -read_files_pattern(puppet_t, puppet_log_t, puppet_log_t) -setattr_files_pattern(puppet_t, puppet_log_t, puppet_log_t) -+append_files_pattern(puppet_t, puppet_log_t, puppet_log_t) - logging_log_filetrans(puppet_t, puppet_log_t, { file dir }) - - manage_dirs_pattern(puppet_t, puppet_tmp_t, puppet_tmp_t) -@@ -91,43 +82,38 @@ files_tmp_filetrans(puppet_t, puppet_tmp_t, { file dir }) - - kernel_dontaudit_search_sysctl(puppet_t) - kernel_dontaudit_search_kernel_sysctl(puppet_t) -+kernel_read_system_state(puppet_t) - kernel_read_crypto_sysctls(puppet_t) - kernel_read_kernel_sysctls(puppet_t) +-logging_log_filetrans(puppet_t, puppet_log_t, { file dir }) +- +-manage_dirs_pattern(puppet_t, puppet_tmp_t, puppet_tmp_t) +-manage_files_pattern(puppet_t, puppet_tmp_t, puppet_tmp_t) +-files_tmp_filetrans(puppet_t, puppet_tmp_t, { file dir }) +- +-kernel_dontaudit_search_sysctl(puppet_t) +-kernel_dontaudit_search_kernel_sysctl(puppet_t) +-kernel_read_crypto_sysctls(puppet_t) +-kernel_read_kernel_sysctls(puppet_t) -kernel_read_net_sysctls(puppet_t) -kernel_read_network_state(puppet_t) - -+corecmd_read_all_executables(puppet_t) -+corecmd_dontaudit_access_all_executables(puppet_t) - corecmd_exec_bin(puppet_t) - corecmd_exec_shell(puppet_t) +- +-corecmd_exec_bin(puppet_t) +-corecmd_exec_shell(puppet_t) -corecmd_read_all_executables(puppet_t) - - corenet_all_recvfrom_netlabel(puppet_t) +- +-corenet_all_recvfrom_netlabel(puppet_t) -corenet_all_recvfrom_unlabeled(puppet_t) - corenet_tcp_sendrecv_generic_if(puppet_t) - corenet_tcp_sendrecv_generic_node(puppet_t) +-corenet_tcp_sendrecv_generic_if(puppet_t) +-corenet_tcp_sendrecv_generic_node(puppet_t) - -corenet_sendrecv_puppet_client_packets(puppet_t) -+corenet_tcp_bind_generic_node(puppet_t) - corenet_tcp_connect_puppet_port(puppet_t) 
+-corenet_tcp_connect_puppet_port(puppet_t) -corenet_tcp_sendrecv_puppet_port(puppet_t) -+corenet_sendrecv_puppet_client_packets(puppet_t) - - dev_read_rand(puppet_t) - dev_read_sysfs(puppet_t) - dev_read_urand(puppet_t) - +- +-dev_read_rand(puppet_t) +-dev_read_sysfs(puppet_t) +-dev_read_urand(puppet_t) +- -domain_interactive_fd(puppet_t) - domain_read_all_domains_state(puppet_t) -+domain_interactive_fd(puppet_t) -+domain_named_filetrans(puppet_t) - - files_manage_config_files(puppet_t) - files_manage_config_dirs(puppet_t) - files_manage_etc_dirs(puppet_t) - files_manage_etc_files(puppet_t) +-domain_read_all_domains_state(puppet_t) +- +-files_manage_config_files(puppet_t) +-files_manage_config_dirs(puppet_t) +-files_manage_etc_dirs(puppet_t) +-files_manage_etc_files(puppet_t) -files_read_usr_files(puppet_t) - files_read_usr_symlinks(puppet_t) - files_relabel_config_dirs(puppet_t) - files_relabel_config_files(puppet_t) +-files_read_usr_symlinks(puppet_t) +-files_relabel_config_dirs(puppet_t) +-files_relabel_config_files(puppet_t) -files_search_var_lib(puppet_t) - +- -selinux_get_fs_mount(puppet_t) -selinux_search_fs(puppet_t) - selinux_set_all_booleans(puppet_t) - selinux_set_generic_booleans(puppet_t) - selinux_validate_context(puppet_t) -@@ -135,6 +121,8 @@ selinux_validate_context(puppet_t) - term_dontaudit_getattr_unallocated_ttys(puppet_t) - term_dontaudit_getattr_all_ttys(puppet_t) - -+auth_use_nsswitch(puppet_t) -+ - init_all_labeled_script_domtrans(puppet_t) - init_domtrans_script(puppet_t) - init_read_utmp(puppet_t) -@@ -143,18 +131,31 @@ init_signull_script(puppet_t) - logging_send_syslog_msg(puppet_t) - - miscfiles_read_hwdata(puppet_t) +-selinux_set_all_booleans(puppet_t) +-selinux_set_generic_booleans(puppet_t) +-selinux_validate_context(puppet_t) +- +-term_dontaudit_getattr_unallocated_ttys(puppet_t) +-term_dontaudit_getattr_all_ttys(puppet_t) +- +-init_all_labeled_script_domtrans(puppet_t) +-init_domtrans_script(puppet_t) +-init_read_utmp(puppet_t) 
+-init_signull_script(puppet_t) +- +-logging_send_syslog_msg(puppet_t) +- +-miscfiles_read_hwdata(puppet_t) -miscfiles_read_localization(puppet_t) - -mount_domtrans(puppet_t) - - seutil_domtrans_setfiles(puppet_t) - seutil_domtrans_semanage(puppet_t) -+seutil_read_file_contexts(puppet_t) - - sysnet_run_ifconfig(puppet_t, system_r) +- +-seutil_domtrans_setfiles(puppet_t) +-seutil_domtrans_semanage(puppet_t) +- +-sysnet_run_ifconfig(puppet_t, system_r) -sysnet_use_ldap(puppet_t) -+ -+usermanage_access_check_groupadd(puppet_t) -+usermanage_access_check_passwd(puppet_t) -+usermanage_access_check_useradd(puppet_t) - - tunable_policy(`puppet_manage_all_files',` +- +-tunable_policy(`puppet_manage_all_files',` - files_manage_non_auth_files(puppet_t) -+ files_manage_non_security_files(puppet_t) -+') ++allow puppetagent_t self:capability { fowner fsetid setuid setgid dac_override sys_nice sys_tty_config }; ++allow puppetagent_t self:process { signal signull getsched setsched }; ++allow puppetagent_t self:fifo_file rw_fifo_file_perms; ++allow puppetagent_t self:netlink_route_socket create_netlink_socket_perms; ++allow puppetagent_t self:tcp_socket create_stream_socket_perms; ++allow puppetagent_t self:udp_socket create_socket_perms; + -+optional_policy(` -+ tunable_policy(`puppet_use_db',` -+ mysql_stream_connect(puppet_t) -+ ') -+') ++read_files_pattern(puppetagent_t, puppet_etc_t, puppet_etc_t) ++ ++manage_dirs_pattern(puppetagent_t, puppet_var_lib_t, puppet_var_lib_t) ++manage_files_pattern(puppetagent_t, puppet_var_lib_t, puppet_var_lib_t) ++files_search_var_lib(puppetagent_t) ++ ++manage_dirs_pattern(puppetagent_t, puppet_var_run_t, puppet_var_run_t) ++manage_files_pattern(puppetagent_t, puppet_var_run_t, puppet_var_run_t) ++files_pid_filetrans(puppetagent_t, puppet_var_run_t, { file dir }) ++ ++create_dirs_pattern(puppetagent_t, var_log_t, puppet_log_t) ++create_files_pattern(puppetagent_t, puppet_log_t, puppet_log_t) ++append_files_pattern(puppetagent_t, puppet_log_t, 
puppet_log_t) ++logging_log_filetrans(puppetagent_t, puppet_log_t, { file dir }) ++ ++manage_dirs_pattern(puppetagent_t, puppet_tmp_t, puppet_tmp_t) ++manage_files_pattern(puppetagent_t, puppet_tmp_t, puppet_tmp_t) ++files_tmp_filetrans(puppetagent_t, puppet_tmp_t, { file dir }) ++ ++kernel_dontaudit_search_sysctl(puppetagent_t) ++kernel_dontaudit_search_kernel_sysctl(puppetagent_t) ++kernel_read_system_state(puppetagent_t) ++kernel_read_crypto_sysctls(puppetagent_t) ++kernel_read_kernel_sysctls(puppetagent_t) ++ ++corecmd_read_all_executables(puppetagent_t) ++corecmd_dontaudit_access_all_executables(puppetagent_t) ++corecmd_exec_bin(puppetagent_t) ++corecmd_exec_shell(puppetagent_t) ++ ++corenet_all_recvfrom_netlabel(puppetagent_t) ++corenet_tcp_sendrecv_generic_if(puppetagent_t) ++corenet_tcp_sendrecv_generic_node(puppetagent_t) ++corenet_tcp_bind_generic_node(puppetagent_t) ++corenet_tcp_connect_puppet_port(puppetagent_t) ++corenet_sendrecv_puppet_client_packets(puppetagent_t) ++ ++dev_read_rand(puppetagent_t) ++dev_read_sysfs(puppetagent_t) ++dev_read_urand(puppetagent_t) ++ ++domain_read_all_domains_state(puppetagent_t) ++domain_interactive_fd(puppetagent_t) ++domain_named_filetrans(puppetagent_t) ++ ++files_manage_config_files(puppetagent_t) ++files_manage_config_dirs(puppetagent_t) ++files_manage_etc_dirs(puppetagent_t) ++files_manage_etc_files(puppetagent_t) ++files_read_usr_symlinks(puppetagent_t) ++files_relabel_config_dirs(puppetagent_t) ++files_relabel_config_files(puppetagent_t) ++ ++selinux_set_all_booleans(puppetagent_t) ++selinux_set_generic_booleans(puppetagent_t) ++selinux_validate_context(puppetagent_t) ++ ++term_dontaudit_getattr_unallocated_ttys(puppetagent_t) ++term_dontaudit_getattr_all_ttys(puppetagent_t) ++ ++auth_use_nsswitch(puppetagent_t) ++ ++init_all_labeled_script_domtrans(puppetagent_t) ++init_domtrans_script(puppetagent_t) ++init_read_utmp(puppetagent_t) ++init_signull_script(puppetagent_t) ++ 
++logging_send_syslog_msg(puppetagent_t) ++ ++miscfiles_read_hwdata(puppetagent_t) ++ ++seutil_domtrans_setfiles(puppetagent_t) ++seutil_domtrans_semanage(puppetagent_t) ++seutil_read_file_contexts(puppetagent_t) ++ ++sysnet_run_ifconfig(puppetagent_t, system_r) ++ ++usermanage_access_check_groupadd(puppetagent_t) ++usermanage_access_check_passwd(puppetagent_t) ++usermanage_access_check_useradd(puppetagent_t) + ++tunable_policy(`puppetagent_manage_all_files',` ++ files_manage_non_security_files(puppetagent_t) + ') + + optional_policy(` +- cfengine_read_lib_files(puppet_t) ++ mysql_stream_connect(puppetagent_t) + ') + + optional_policy(` +- consoletype_exec(puppet_t) ++ postgresql_stream_connect(puppetagent_t) + ') + + optional_policy(` +- hostname_exec(puppet_t) ++ cfengine_read_lib_files(puppetagent_t) + ') + + optional_policy(` +- mount_domtrans(puppet_t) ++ consoletype_exec(puppetagent_t) + ') + + optional_policy(` +- mta_send_mail(puppet_t) ++ hostname_exec(puppetagent_t) + ') + + optional_policy(` +- portage_domtrans(puppet_t) +- portage_domtrans_fetch(puppet_t) +- portage_domtrans_gcc_config(puppet_t) ++ mount_domtrans(puppetagent_t) + ') + + optional_policy(` +- files_rw_var_files(puppet_t) ++ mta_send_mail(puppetagent_t) ++') + +- rpm_domtrans(puppet_t) +- rpm_manage_db(puppet_t) +- rpm_manage_log(puppet_t) +optional_policy(` -+ tunable_policy(`puppet_use_db',` -+ postgresql_stream_connect(puppet_t) -+ ') ++ portage_domtrans(puppetagent_t) ++ portage_domtrans_fetch(puppetagent_t) ++ portage_domtrans_gcc_config(puppetagent_t) ') optional_policy(` -@@ -196,21 +197,19 @@ optional_policy(` +- unconfined_domain(puppet_t) ++ files_rw_var_files(puppetagent_t) ++ ++ rpm_domtrans(puppetagent_t) ++ rpm_manage_db(puppetagent_t) ++ rpm_manage_log(puppetagent_t) ') optional_policy(` - usermanage_domtrans_groupadd(puppet_t) - usermanage_domtrans_useradd(puppet_t) -+ openshift_initrc_domtrans(puppet_t) ++ unconfined_domain_noaudit(puppetagent_t) ') -+ 
######################################## # -# Ca local policy @@ -70008,7 +70105,7 @@ index 618dcfe..ca66457 100644 allow puppetca_t puppet_var_lib_t:dir list_dir_perms; manage_files_pattern(puppetca_t, puppet_var_lib_t, puppet_var_lib_t) -@@ -221,6 +220,7 @@ allow puppetca_t puppet_log_t:dir search_dir_perms; +@@ -221,6 +222,7 @@ allow puppetca_t puppet_log_t:dir search_dir_perms; allow puppetca_t puppet_var_run_t:dir search_dir_perms; kernel_read_system_state(puppetca_t) @@ -70016,7 +70113,7 @@ index 618dcfe..ca66457 100644 kernel_read_kernel_sysctls(puppetca_t) corecmd_exec_bin(puppetca_t) -@@ -229,15 +229,12 @@ corecmd_exec_shell(puppetca_t) +@@ -229,15 +231,12 @@ corecmd_exec_shell(puppetca_t) dev_read_urand(puppetca_t) dev_search_sysfs(puppetca_t) 
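Review bot: `unconfined_domain_noaudit(puppetagent_t)`, added inside the last `optional_policy` of this hunk, makes the long list of rules above it and the `puppetagent_manage_all_files` tunable effectively inert whenever the unconfined module is loaded, and nothing in the hunk says so; I would add above the first `allow puppetagent_t self:capability` line: `# puppetagent_t is made unconfined in the optional_policy below on builds that ship the unconfined module; the rules in this block only constrain it where that module is absent.` As far as the nested markers can be read, the previous revision removed upstream's `unconfined_domain(puppet_t)` and kept the agent confined, so this is a real privilege change for a root daemon that rewrites /etc and transitions to semanage, and the `_noaudit` variant also reduces what reaches the audit log — the changelog's reasoning (avoiding init_t) belongs in that comment rather than only in the spec. Separately, `mysql_stream_connect(puppetagent_t)` and `postgresql_stream_connect(puppetagent_t)` are now unconditional, whereas the previous revision wrapped them in a `tunable_policy` and the master's equivalents later in the file stay behind `puppetmaster_use_db`; restoring a tunable gate like the master's would keep the two domains consistent.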
@@ -70032,107 +70129,148 @@ index 618dcfe..ca66457 100644 miscfiles_read_generic_certs(puppetca_t) seutil_read_file_contexts(puppetca_t) -@@ -246,99 +243,7 @@ optional_policy(` +@@ -246,38 +245,47 @@ optional_policy(` hostname_exec(puppetca_t) ') --######################################## --# ++optional_policy(` ++ mta_sendmail_access_check(puppetca_t) ++') ++ ++ + ######################################## + # -# Master local policy --# -- --allow puppetmaster_t self:capability { dac_read_search dac_override setuid setgid fowner chown fsetid sys_tty_config }; --allow puppetmaster_t self:process { signal_perms getsched setsched }; --allow puppetmaster_t self:fifo_file rw_fifo_file_perms; ++# Pupper master personal policy + # + + allow puppetmaster_t self:capability { dac_read_search dac_override setuid setgid fowner chown fsetid sys_tty_config }; + allow puppetmaster_t self:process { signal_perms getsched setsched }; + allow puppetmaster_t self:fifo_file rw_fifo_file_perms; -allow puppetmaster_t self:netlink_route_socket nlmsg_write; --allow puppetmaster_t self:socket create; ++allow puppetmaster_t self:netlink_route_socket create_netlink_socket_perms; + allow puppetmaster_t self:socket create; -allow puppetmaster_t self:tcp_socket { accept listen }; -- ++allow puppetmaster_t self:tcp_socket create_stream_socket_perms; ++allow puppetmaster_t self:udp_socket create_socket_perms; + -allow puppetmaster_t puppet_etc_t:dir list_dir_perms; -allow puppetmaster_t puppet_etc_t:file read_file_perms; -allow puppetmaster_t puppet_etc_t:lnk_file read_lnk_file_perms; -- ++list_dirs_pattern(puppetmaster_t, puppet_etc_t, puppet_etc_t) ++read_files_pattern(puppetmaster_t, puppet_etc_t, puppet_etc_t) + -allow puppetmaster_t puppet_log_t:dir setattr_dir_perms; -append_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t) -create_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t) -setattr_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t) 
--logging_log_filetrans(puppetmaster_t, puppet_log_t, { file dir }) -- ++allow puppetmaster_t puppet_log_t:dir { rw_dir_perms setattr_dir_perms }; ++allow puppetmaster_t puppet_log_t:file { rw_file_perms create_file_perms setattr_file_perms }; + logging_log_filetrans(puppetmaster_t, puppet_log_t, { file dir }) ++allow puppetmaster_t puppet_log_t:file relabel_file_perms; + -allow puppetmaster_t puppet_var_lib_t:dir { manage_dir_perms relabel_dir_perms }; -allow puppetmaster_t puppet_var_lib_t:file { manage_file_perms relabel_file_perms }; -- ++manage_dirs_pattern(puppetmaster_t, puppet_var_lib_t, puppet_var_lib_t) ++manage_files_pattern(puppetmaster_t, puppet_var_lib_t, puppet_var_lib_t) ++allow puppetmaster_t puppet_var_lib_t:dir relabel_dir_perms; ++allow puppetmaster_t puppet_var_lib_t:file relabel_file_perms; + -allow puppetmaster_t puppet_var_run_t:dir { create_dir_perms setattr_dir_perms relabel_dir_perms }; -allow puppetmaster_t puppet_var_run_t:file manage_file_perms; --files_pid_filetrans(puppetmaster_t, puppet_var_run_t, { file dir }) -- ++setattr_dirs_pattern(puppetmaster_t, puppet_var_run_t, puppet_var_run_t) ++create_dirs_pattern(puppetmaster_t, puppet_var_run_t, puppet_var_run_t) ++manage_files_pattern(puppetmaster_t, puppet_var_run_t, puppet_var_run_t) + files_pid_filetrans(puppetmaster_t, puppet_var_run_t, { file dir }) ++allow puppetmaster_t puppet_var_run_t:dir relabel_dir_perms; + -allow puppetmaster_t puppetmaster_tmp_t:dir { manage_dir_perms relabel_dir_perms }; -allow puppetmaster_t puppetmaster_tmp_t:file manage_file_perms; --files_tmp_filetrans(puppetmaster_t, puppetmaster_tmp_t, { file dir }) -- --kernel_dontaudit_search_kernel_sysctl(puppetmaster_t) --kernel_read_network_state(puppetmaster_t) --kernel_read_system_state(puppetmaster_t) --kernel_read_crypto_sysctls(puppetmaster_t) --kernel_read_kernel_sysctls(puppetmaster_t) -- --corecmd_exec_bin(puppetmaster_t) --corecmd_exec_shell(puppetmaster_t) -- 
--corenet_all_recvfrom_netlabel(puppetmaster_t) ++manage_dirs_pattern(puppetmaster_t, puppetmaster_tmp_t, puppetmaster_tmp_t) ++manage_files_pattern(puppetmaster_t, puppetmaster_tmp_t, puppetmaster_tmp_t) + files_tmp_filetrans(puppetmaster_t, puppetmaster_tmp_t, { file dir }) ++allow puppetmaster_t puppet_tmp_t:dir relabel_dir_perms; + + kernel_dontaudit_search_kernel_sysctl(puppetmaster_t) + kernel_read_network_state(puppetmaster_t) +@@ -289,23 +297,24 @@ corecmd_exec_bin(puppetmaster_t) + corecmd_exec_shell(puppetmaster_t) + + corenet_all_recvfrom_netlabel(puppetmaster_t) -corenet_all_recvfrom_unlabeled(puppetmaster_t) --corenet_tcp_sendrecv_generic_if(puppetmaster_t) --corenet_tcp_sendrecv_generic_node(puppetmaster_t) --corenet_tcp_bind_generic_node(puppetmaster_t) + corenet_tcp_sendrecv_generic_if(puppetmaster_t) + corenet_tcp_sendrecv_generic_node(puppetmaster_t) + corenet_tcp_bind_generic_node(puppetmaster_t) - -corenet_sendrecv_puppet_server_packets(puppetmaster_t) --corenet_tcp_bind_puppet_port(puppetmaster_t) + corenet_tcp_bind_puppet_port(puppetmaster_t) -corenet_tcp_sendrecv_puppet_port(puppetmaster_t) -- --dev_read_rand(puppetmaster_t) --dev_read_urand(puppetmaster_t) --dev_search_sysfs(puppetmaster_t) -- ++corenet_sendrecv_puppet_server_packets(puppetmaster_t) ++corenet_tcp_connect_ntop_port(puppetmaster_t) ++ ++# This needs investigation. Puppermasterd is confirmed to bind udp sockets to random high ports. 
++corenet_udp_bind_generic_node(puppetmaster_t) ++corenet_udp_bind_generic_port(puppetmaster_t) + + dev_read_rand(puppetmaster_t) + dev_read_urand(puppetmaster_t) + dev_search_sysfs(puppetmaster_t) + -domain_obj_id_change_exemption(puppetmaster_t) --domain_read_all_domains_state(puppetmaster_t) -- + domain_read_all_domains_state(puppetmaster_t) ++domain_obj_id_change_exemption(puppetmaster_t) + -files_read_usr_files(puppetmaster_t) -- --selinux_validate_context(puppetmaster_t) -- --auth_use_nsswitch(puppetmaster_t) -- --logging_send_syslog_msg(puppetmaster_t) -- --miscfiles_read_generic_certs(puppetmaster_t) + + selinux_validate_context(puppetmaster_t) + +@@ -314,26 +323,31 @@ auth_use_nsswitch(puppetmaster_t) + logging_send_syslog_msg(puppetmaster_t) + + miscfiles_read_generic_certs(puppetmaster_t) -miscfiles_read_localization(puppetmaster_t) -- --seutil_read_file_contexts(puppetmaster_t) -- --sysnet_run_ifconfig(puppetmaster_t, system_r) -- --optional_policy(` + + seutil_read_file_contexts(puppetmaster_t) + + sysnet_run_ifconfig(puppetmaster_t, system_r) + ++mta_send_mail(puppetmaster_t) ++ + optional_policy(` - hostname_exec(puppetmaster_t) --') -- ++ tunable_policy(`puppetmaster_use_db',` ++ mysql_stream_connect(puppetmaster_t) ++ ') + ') + optional_policy(` - mta_send_mail(puppetmaster_t) -+ mta_sendmail_access_check(puppetca_t) ++ tunable_policy(`puppetmaster_use_db',` ++ postgresql_stream_connect(puppetmaster_t) ++ ') ') --optional_policy(` + optional_policy(` - mysql_stream_connect(puppetmaster_t) --') -- --optional_policy(` ++ systemd_dbus_chat_timedated(puppetmaster_t) + ') + + optional_policy(` - postgresql_stream_connect(puppetmaster_t) --') -- --optional_policy(` -- files_read_usr_symlinks(puppetmaster_t) -- -- rpm_exec(puppetmaster_t) -- rpm_read_db(puppetmaster_t) --') ++ hostname_exec(puppetmaster_t) + ') + + optional_policy(` +@@ -342,3 +356,9 @@ optional_policy(` + rpm_exec(puppetmaster_t) + rpm_read_db(puppetmaster_t) + ') ++ ++optional_policy(` 
++ usermanage_access_check_groupadd(puppetmaster_t) ++ usermanage_access_check_passwd(puppetmaster_t) ++ usermanage_access_check_useradd(puppetmaster_t) ++') diff --git a/pwauth.fc b/pwauth.fc index 7e7b444..e2f8687 100644 --- a/pwauth.fc diff --git a/selinux-policy.spec b/selinux-policy.spec index c046312..0872a60 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 44%{?dist} +Release: 45%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -588,6 +588,9 @@ SELinux Reference policy mls base module. %endif %changelog +* Tue Apr 8 2014 Miroslav Grepl 3.13.1-45 +Rename puppet_t to puppetagent_t and used it only for puppet agent which can be started by init. Also make it as unconfined_noaudit because there is no reason to confine it but we wantto avoid init_t. + * Tue Apr 8 2014 Miroslav Grepl 3.13.1-44 - Change hsperfdata_root to have as user_tmp_t - Allow rsyslog low-level network access
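Review bot: `allow puppetmaster_t puppet_tmp_t:dir relabel_dir_perms;` sits directly under the `puppetmaster_tmp_t` rules and stands in for a removed line that granted `relabel_dir_perms` on `puppetmaster_tmp_t`, so it reads as a typo — the master loses relabel on its own tmp type and gains it on the agent's; I would change it to `allow puppetmaster_t puppetmaster_tmp_t:dir relabel_dir_perms;`. The section header `# Pupper master personal policy` and `Puppermasterd` in the UDP comment are misspelled; `# Puppet master local policy` matches the other section headers in the file. `corenet_udp_bind_generic_port(puppetmaster_t)` together with `corenet_udp_bind_generic_node(puppetmaster_t)` is a broad grant carried in under a "needs investigation" comment, which should at least record which port range was observed so the grant can be narrowed later. `mta_send_mail(puppetmaster_t)` has also moved out of `optional_policy`, which only builds if the mta module is guaranteed to be present in this policy.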