diff --git a/Changelog b/Changelog
index 1631197..886e462 100644
--- a/Changelog
+++ b/Changelog
@@ -19,6 +19,7 @@ kdump (Dan Walsh)
 modemmanager(Dan Walsh)
 nslcd (Dan Walsh)
+ puppet (Craig Grube)
 rtkit (Dan Walsh)
 seunshare (Dan Walsh)
 shorewall (Dan Walsh)
diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
index d6423c8..3a1e04f 100644
--- a/policy/modules/admin/usermanage.te
+++ b/policy/modules/admin/usermanage.te
@@ -243,12 +243,12 @@ optional_policy(`
 ')
 optional_policy(`
- rpm_use_fds(groupadd_t)
- rpm_rw_pipes(groupadd_t)
+ puppet_rw_tmp(groupadd_t)
 ')
 optional_policy(`
- puppet_rw_tmp(groupadd_t)
+ rpm_use_fds(groupadd_t)
+ rpm_rw_pipes(groupadd_t)
 ')
 ########################################
@@ -525,10 +525,10 @@ optional_policy(`
 ')
 optional_policy(`
- rpm_use_fds(useradd_t)
- rpm_rw_pipes(useradd_t)
+ puppet_rw_tmp(useradd_t)
 ')
 optional_policy(`
- puppet_rw_tmp(useradd_t)
+ rpm_use_fds(useradd_t)
+ rpm_rw_pipes(useradd_t)
 ')
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index 8881333..57f66de 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -1001,83 +1001,6 @@ interface(`files_manage_all_files',`
 files_manage_kernel_modules($1)
 ')
-###########################################
-##
-## Manage all configuration files on filesystem
-##
-##
-##
-## The type of domain performing this action
-##
-##
-##
-#
-interface(`files_manage_config_files',`
- gen_require(`
- attribute configfile;
- ')
-
- manage_files_pattern($1, configfile, configfile)
-')
-
-#############################################
-##
-## Manage all configuration directories on filesystem
-##
-##
-##
-## The type of domain performing this action
-##
-##
-##
-#
-interface(`files_manage_config_dirs',`
- gen_require(`
- attribute configfile;
- ')
-
- manage_dirs_pattern($1, configfile, configfile)
-')
-
-
-#######################################
-##
-## Relabel configuration files
-##
-##
-##
-## Type of domain performing this action
-##
-##
-##
-#
-interface(`files_relabel_config_files',`
- gen_require(`
- attribute configfile;
- ')
-
- relabel_files_pattern($1, configfile, configfile)
-')
-
-#########################################
-##
-## Relabel configuration directories
-##
-##
-##
-## Type of domain performing this action
-##
-##
-##
-#
-interface(`files_relabel_config_dirs',`
- gen_require(`
- attribute configfile;
- ')
-
- relabel_dirs_pattern($1, configfile, configfile)
-')
-
 ########################################
 ##
 ## Search the contents of all directories on
@@ -1231,6 +1154,82 @@ interface(`files_unmount_all_file_type_fs',`
 allow $1 file_type:filesystem unmount;
 ')
+#############################################
+##
+## Manage all configuration directories on filesystem
+##
+##
+##
+## The type of domain performing this action
+##
+##
+##
+#
+interface(`files_manage_config_dirs',`
+ gen_require(`
+ attribute configfile;
+ ')
+
+ manage_dirs_pattern($1, configfile, configfile)
+')
+
+#########################################
+##
+## Relabel configuration directories
+##
+##
+##
+## Type of domain performing this action
+##
+##
+##
+#
+interface(`files_relabel_config_dirs',`
+ gen_require(`
+ attribute configfile;
+ ')
+
+ relabel_dirs_pattern($1, configfile, configfile)
+')
+
+###########################################
+##
+## Manage all configuration files on filesystem
+##
+##
+##
+## The type of domain performing this action
+##
+##
+##
+#
+interface(`files_manage_config_files',`
+ gen_require(`
+ attribute configfile;
+ ')
+
+ manage_files_pattern($1, configfile, configfile)
+')
+
+#######################################
+##
+## Relabel configuration files
+##
+##
+##
+## Type of domain performing this action
+##
+##
+##
+#
+interface(`files_relabel_config_files',`
+ gen_require(`
+ attribute configfile;
+ ')
+
+ relabel_files_pattern($1, configfile, configfile)
+')
+
 ########################################
 ##
 ## Mount a filesystem on all mount points.
@@ -1994,6 +1993,25 @@ interface(`files_rw_etc_dirs',`
 allow $1 etc_t:dir rw_dir_perms;
 ')
+##########################################
+##
+## Manage generic directories in /etc
+##
+##
+##
+## Domain allowed access
+##
+##
+##
+#
+interface(`files_manage_etc_dirs',`
+ gen_require(`
+ type etc_t;
+ ')
+
+ manage_dirs_pattern($1, etc_t, etc_t)
+')
+
 ########################################
 ##
 ## Read generic files in /etc.
@@ -2074,25 +2092,6 @@ interface(`files_manage_etc_files',`
 read_lnk_files_pattern($1, etc_t, etc_t)
 ')
-##########################################
-##
-## Manage generic directories in /etc
-##
-##
-##
-## Domain allowed access
-##
-##
-##
-#
-interface(`files_manage_etc_dirs',`
- gen_require(`
- type etc_t;
- ')
-
- manage_dirs_pattern($1, etc_t, etc_t)
-')
-
 ########################################
 ##
 ## Delete system configuration files in /etc.
diff --git a/policy/modules/services/puppet.fc b/policy/modules/services/puppet.fc
index 8cc04c3..2f1e529 100644
--- a/policy/modules/services/puppet.fc
+++ b/policy/modules/services/puppet.fc
@@ -1,13 +1,11 @@
-/etc/puppet(/.*)? gen_context(system_u:object_r:puppet_etc_t, s0)
+/etc/puppet(/.*)? gen_context(system_u:object_r:puppet_etc_t,s0)
-/etc/rc\.d/init\.d/puppet -- gen_context(system_u:object_r:puppet_initrc_exec_t, s0)
-/etc/rc\.d/init\.d/puppetmaster -- gen_context(system_u:object_r:puppetmasterd_initrc_exec_t, s0)
-
-/usr/sbin/puppetd -- gen_context(system_u:object_r:puppet_exec_t, s0)
-/usr/sbin/puppetmasterd -- gen_context(system_u:object_r:puppetmaster_exec_t, s0)
-
-/var/lib/puppet(/.*)? gen_context(system_u:object_r:puppet_var_lib_t, s0)
-/var/log/puppet(/.*)? gen_context(system_u:object_r:puppet_log_t, s0)
-/var/run/puppet(/.*)? gen_context(system_u:object_r:puppet_var_run_t, s0)
+/etc/rc\.d/init\.d/puppet -- gen_context(system_u:object_r:puppet_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/puppetmaster -- gen_context(system_u:object_r:puppetmaster_initrc_exec_t,s0)
+/usr/sbin/puppetd -- gen_context(system_u:object_r:puppet_exec_t,s0)
+/usr/sbin/puppetmasterd -- gen_context(system_u:object_r:puppetmaster_exec_t,s0)
+/var/lib/puppet(/.*)? gen_context(system_u:object_r:puppet_var_lib_t,s0)
+/var/log/puppet(/.*)? gen_context(system_u:object_r:puppet_log_t,s0)
+/var/run/puppet(/.*)? gen_context(system_u:object_r:puppet_var_run_t,s0)
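Review bot: The init-script type is renamed from `puppetmasterd_initrc_exec_t` to `puppetmaster_initrc_exec_t` in this file-context hunk and in the puppet.te declarations hunk at -14, which leaves the old name unresolvable for any other module or local policy that still requires it, and nothing in the visible diff updates such a reference, so the tree should be grepped for the old identifier before this merges. The on-disk label of /etc/rc.d/init.d/puppetmaster changes as well, so the package's post-install relabel has to run; a script that keeps the stale context would presumably no longer transition into puppetmaster_t, and that would show up only as a domain-transition denial at boot. The bump to policy_module version 1.0.0 in the puppet.te header hunk is the right signal for an incompatible type rename, but the Changelog entry added at the top of this commit only credits the module author and could carry one line naming the rename.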
diff --git a/policy/modules/services/puppet.if b/policy/modules/services/puppet.if index ad75def..34946a2 100644 --- a/policy/modules/services/puppet.if +++ b/policy/modules/services/puppet.if @@ -1,27 +1,26 @@ ## Puppet client daemon ## -##

+##

## Puppet is a configuration management system written in Ruby. -## The client daemon is responsible for periodically requesting the -## desired system state from the server and ensuring the state of -## the client system matches. -##

-##
- +## The client daemon is responsible for periodically requesting the +## desired system state from the server and ensuring the state of +## the client system matches. +##

+## + ################################################ ## -## Read / Write to Puppet temp files. Puppet uses -## some system binaries (groupadd, etc) that run in -## a non-puppet domain and redirects output into temp -## files. +## Read / Write to Puppet temp files. Puppet uses +## some system binaries (groupadd, etc) that run in +## a non-puppet domain and redirects output into temp +## files. ## ## -## -## Domain allowed access -## -## -## -# +## +## Domain allowed access +## +## +# interface(`puppet_rw_tmp', ` gen_require(` type puppet_tmp_t; diff --git a/policy/modules/services/puppet.te b/policy/modules/services/puppet.te index 2336da4..3cb1741 100644 --- a/policy/modules/services/puppet.te +++ b/policy/modules/services/puppet.te @@ -1,5 +1,5 @@ -policy_module(puppet, 0.0.1) +policy_module(puppet, 1.0.0) ######################################## # 
@@ -14,45 +14,34 @@ policy_module(puppet, 0.0.1)
 ##
 gen_tunable(puppet_manage_all_files, false)
-
-########################################
-#
-# Puppet personal declarations
-#
-
 type puppet_t;
 type puppet_exec_t;
 init_daemon_domain(puppet_t, puppet_exec_t)
+type puppet_etc_t;
+files_config_file(puppet_etc_t)
+
 type puppet_initrc_exec_t;
-init_script_file(puppet_initrc_exec_t);
+init_script_file(puppet_initrc_exec_t)
 type puppet_log_t;
 logging_log_file(puppet_log_t)
+type puppet_tmp_t;
+files_tmp_file(puppet_tmp_t)
+
 type puppet_var_lib_t;
 files_type(puppet_var_lib_t)
 type puppet_var_run_t;
 files_pid_file(puppet_var_run_t)
-type puppet_etc_t;
-files_config_file(puppet_etc_t)
-
-type puppet_tmp_t;
-files_tmp_file(puppet_tmp_t)
-
-########################################
-#
-# Pupper master personal declarations
-#
-
 type puppetmaster_t;
 type puppetmaster_exec_t;
 init_daemon_domain(puppetmaster_t, puppetmaster_exec_t)
-type puppetmasterd_initrc_exec_t;
-init_script_file(puppetmasterd_initrc_exec_t)
+type puppetmaster_initrc_exec_t;
+init_script_file(puppetmaster_initrc_exec_t)
 type puppetmaster_tmp_t;
 files_tmp_file(puppetmaster_tmp_t)
@@ -63,17 +52,17 @@ files_tmp_file(puppetmaster_tmp_t)
 #
 allow puppet_t self:capability { fowner fsetid setuid setgid dac_override sys_nice sys_ptrace sys_tty_config };
+allow puppet_t self:process { signal signull getsched setsched };
 allow puppet_t self:fifo_file rw_fifo_file_perms;
 allow puppet_t self:netlink_route_socket create_netlink_socket_perms;
-allow puppet_t self:process { signal signull getsched setsched };
 allow puppet_t self:tcp_socket create_stream_socket_perms;
 allow puppet_t self:udp_socket create_socket_perms;
-search_dirs_pattern(puppet_t, puppet_etc_t, puppet_etc_t)
 read_files_pattern(puppet_t, puppet_etc_t, puppet_etc_t)
-manage_dirs_pattern(puppet_t ,puppet_var_lib_t, puppet_var_lib_t)
+manage_dirs_pattern(puppet_t, puppet_var_lib_t, puppet_var_lib_t)
 manage_files_pattern(puppet_t, puppet_var_lib_t, puppet_var_lib_t)
+files_search_var_lib(puppet_t)
 setattr_dirs_pattern(puppet_t, puppet_var_run_t, puppet_var_run_t)
 manage_files_pattern(puppet_t, puppet_var_run_t, puppet_var_run_t)
@@ -88,19 +77,21 @@ manage_dirs_pattern(puppet_t, puppet_tmp_t, puppet_tmp_t)
 manage_files_pattern(puppet_t, puppet_tmp_t, puppet_tmp_t)
 files_tmp_filetrans(puppet_t, puppet_tmp_t, { file dir })
-corenet_sendrecv_puppet_client_packets(puppet_t)
-corenet_tcp_connect_puppet_port(puppet_t)
+kernel_dontaudit_search_sysctl(puppet_t)
+kernel_dontaudit_search_kernel_sysctl(puppet_t)
+kernel_read_system_state(puppet_t)
+kernel_read_crypto_sysctls(puppet_t)
+
+corecmd_exec_bin(puppet_t)
+corecmd_exec_shell(puppet_t)
 corenet_all_recvfrom_netlabel(puppet_t)
 corenet_all_recvfrom_unlabeled(puppet_t)
-
 corenet_tcp_sendrecv_generic_if(puppet_t)
 corenet_tcp_sendrecv_generic_node(puppet_t)
-
 corenet_tcp_bind_generic_node(puppet_t)
-
-corecmd_exec_bin(puppet_t)
-corecmd_exec_shell(puppet_t)
+corenet_tcp_connect_puppet_port(puppet_t)
+corenet_sendrecv_puppet_client_packets(puppet_t)
 dev_read_rand(puppet_t)
 dev_read_sysfs(puppet_t)
@@ -116,38 +107,31 @@ files_manage_etc_files(puppet_t)
 files_read_usr_symlinks(puppet_t)
 files_relabel_config_dirs(puppet_t)
 files_relabel_config_files(puppet_t)
-files_search_default(puppet_t)
-files_search_var_lib(puppet_t)
+
+selinux_search_fs(puppet_t)
+selinux_set_all_booleans(puppet_t)
+selinux_set_generic_booleans(puppet_t)
+selinux_validate_context(puppet_t)
+
+term_dontaudit_getattr_unallocated_ttys(puppet_t)
+term_dontaudit_getattr_all_user_ttys(puppet_t)
 init_all_labeled_script_domtrans(puppet_t)
 init_domtrans_script(puppet_t)
 init_read_utmp(puppet_t)
 init_signull_script(puppet_t)
-kernel_dontaudit_search_sysctl(puppet_t)
-kernel_dontaudit_search_kernel_sysctl(puppet_t)
-kernel_read_system_state(puppet_t)
-kernel_read_crypto_sysctls(puppet_t)
-
 logging_send_syslog_msg(puppet_t)
 miscfiles_read_hwdata(puppet_t)
 miscfiles_read_localization(puppet_t)
-selinux_search_fs(puppet_t)
-selinux_set_all_booleans(puppet_t)
-selinux_set_generic_booleans(puppet_t)
-selinux_validate_context(puppet_t)
-
 seutil_domtrans_setfiles(puppet_t)
 seutil_domtrans_semanage(puppet_t)
 sysnet_dns_name_resolve(puppet_t)
 sysnet_run_ifconfig(puppet_t, system_r)
-term_dontaudit_getattr_unallocated_ttys(puppet_t)
-term_dontaudit_getattr_all_user_ttys(puppet_t)
-
 tunable_policy(`puppet_manage_all_files',`
 auth_manage_all_files_except_shadow(puppet_t)
 ')
@@ -162,7 +146,6 @@ optional_policy(`
 optional_policy(`
 files_rw_var_files(puppet_t)
- files_var_lib_filetrans(puppet_t, var_lib_t, dir)
 rpm_domtrans(puppet_t)
 rpm_manage_db(puppet_t)
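Review bot: `files_search_default(puppet_t)` is dropped in the -116 hunk and, unlike `files_search_var_lib(puppet_t)` which reappears in the -63 hunk, it is not re-added anywhere in the visible diff, so the agent loses the ability to traverse directories carrying the default label. If puppet ever has to walk such a path it will now fail closed with an AVC denial that this commit does not announce, and the `puppet_manage_all_files` tunable branch a few lines below only compensates while that boolean is enabled. Either restore the line in the files_ group (`files_search_default(puppet_t)`) or state in the commit message that the access was observed to be unneeded.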
@@ -178,16 +161,15 @@ optional_policy(`
 usermanage_domtrans_useradd(puppet_t)
 ')
-
 ########################################
 #
 # Pupper master personal policy
 #
 allow puppetmaster_t self:capability { dac_read_search dac_override setuid setgid fowner chown fsetid sys_tty_config };
-allow puppetmaster_t self:fifo_file rw_fifo_file_perms;;
-allow puppetmaster_t self:netlink_route_socket create_netlink_socket_perms;
 allow puppetmaster_t self:process { signal_perms getsched setsched };
+allow puppetmaster_t self:fifo_file rw_fifo_file_perms;
+allow puppetmaster_t self:netlink_route_socket create_netlink_socket_perms;
 allow puppetmaster_t self:socket create;
 allow puppetmaster_t self:tcp_socket create_stream_socket_perms;
 allow puppetmaster_t self:udp_socket create_socket_perms;
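Review bot: The section header kept as context at the top of this hunk still reads `# Pupper master personal policy`; the matching "Pupper master personal declarations" comment was deleted in the -14 hunk, but this one survives with the typo while the lines directly under it are being rewritten. Change it to `# Puppet master personal policy` so the two domain sections are findable by the same spelling.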
@@ -195,50 +177,43 @@ allow puppetmaster_t self:udp_socket create_socket_perms;
 list_dirs_pattern(puppetmaster_t, puppet_etc_t, puppet_etc_t)
 read_files_pattern(puppetmaster_t, puppet_etc_t, puppet_etc_t)
-manage_dirs_pattern(puppetmaster_t ,puppet_var_lib_t, puppet_var_lib_t)
+allow puppetmaster_t puppet_log_t:dir { rw_dir_perms setattr };
+allow puppetmaster_t puppet_log_t:file { rw_file_perms create setattr };
+logging_log_filetrans(puppetmaster_t, puppet_log_t, { file dir })
+
+manage_dirs_pattern(puppetmaster_t, puppet_var_lib_t, puppet_var_lib_t)
 manage_files_pattern(puppetmaster_t, puppet_var_lib_t, puppet_var_lib_t)
 setattr_dirs_pattern(puppetmaster_t, puppet_var_run_t, puppet_var_run_t)
 manage_files_pattern(puppetmaster_t, puppet_var_run_t, puppet_var_run_t)
 files_pid_filetrans(puppetmaster_t, puppet_var_run_t, { file dir })
-rw_dirs_pattern(puppetmaster_t, puppet_log_t, puppet_log_t)
-setattr_dirs_pattern(puppetmaster_t, puppet_log_t, puppet_log_t)
-setattr_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t)
-create_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t)
-append_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t)
-rw_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t)
-logging_log_filetrans(puppetmaster_t, puppet_log_t, { file dir })
-
 manage_dirs_pattern(puppetmaster_t, puppetmaster_tmp_t, puppetmaster_tmp_t)
 manage_files_pattern(puppetmaster_t, puppetmaster_tmp_t, puppetmaster_tmp_t)
 files_tmp_filetrans(puppetmaster_t, puppetmaster_tmp_t, { file dir })
-corenet_sendrecv_puppet_server_packets(puppetmaster_t)
-corenet_tcp_bind_puppet_port(puppetmaster_t)
+kernel_dontaudit_search_kernel_sysctl(puppetmaster_t)
+kernel_read_system_state(puppetmaster_t)
+kernel_read_crypto_sysctls(puppetmaster_t)
+
+corecmd_exec_bin(puppetmaster_t)
+corecmd_exec_shell(puppetmaster_t)
 corenet_all_recvfrom_netlabel(puppetmaster_t)
 corenet_all_recvfrom_unlabeled(puppetmaster_t)
-
 corenet_tcp_sendrecv_generic_if(puppetmaster_t)
 corenet_tcp_sendrecv_generic_node(puppetmaster_t)
-
 corenet_tcp_bind_generic_node(puppetmaster_t)
-
-corecmd_exec_bin(puppetmaster_t)
-corecmd_exec_shell(puppetmaster_t)
-
-files_read_etc_files(puppetmaster_t)
-files_search_var_lib(puppetmaster_t)
+corenet_tcp_bind_puppet_port(puppetmaster_t)
+corenet_sendrecv_puppet_server_packets(puppetmaster_t)
 dev_read_rand(puppetmaster_t)
 dev_read_urand(puppetmaster_t)
 domain_read_all_domains_state(puppetmaster_t)
-kernel_dontaudit_search_kernel_sysctl(puppetmaster_t)
-kernel_read_system_state(puppetmaster_t)
-kernel_read_crypto_sysctls(puppetmaster_t)
+files_read_etc_files(puppetmaster_t)
+files_search_var_lib(puppetmaster_t)
 logging_send_syslog_msg(puppetmaster_t)
@@ -257,4 +232,3 @@ optional_policy(`
 rpm_exec(puppetmaster_t)
 rpm_read_db(puppetmaster_t)
 ')
-
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index a5a3adb..f073b54 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -730,7 +730,7 @@ interface(`init_labeled_script_domtrans',`
 ## Domain allowed access
 ##
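Review bot: The two new raw `allow puppetmaster_t puppet_log_t:dir ...` and `allow puppetmaster_t puppet_log_t:file ...` rules are the only file access for puppetmaster_t in this hunk written without the `*_pattern` macros used for puppet_var_lib_t, puppet_var_run_t and puppetmaster_tmp_t right below them, and nothing says why the log type is handled differently. As far as rw_dir_perms and rw_file_perms go, the effect is that the master can create, write, append to and setattr its logs but is never granted unlink or rename, which is a sensible log-integrity property if it is deliberate; a one-line comment above the pair, e.g. `# logs: create/write/append/setattr only, no unlink or rename, so the master cannot remove its own log history`, would keep the next maintainer from "fixing" it into `manage_files_pattern`. If it is not deliberate, `manage_dirs_pattern`/`manage_files_pattern` on puppet_log_t would match the surrounding style and make the intent equally clear.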
 ##
-#########################################
+#
 interface(`init_all_labeled_script_domtrans',`
 gen_require(`
 attribute init_script_file_type;
diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te
index 8005fb6..39f5a99 100644
--- a/policy/modules/system/libraries.te
+++ b/policy/modules/system/libraries.te
@@ -118,12 +118,12 @@ optional_policy(`
 ')
 optional_policy(`
+ puppet_rw_tmp(ldconfig_t)
+')
+
+optional_policy(`
 # When you install a kernel the postinstall builds a initrd image in tmp
 # and executes ldconfig on it. If you dont allow this kernel installs
 # blow up.
 rpm_manage_script_tmp_files(ldconfig_t)
 ')
-
-optional_policy(`
- puppet_rw_tmp(ldconfig_t)
-')