diff --git a/Changelog b/Changelog
index 1631197..886e462 100644
--- a/Changelog
+++ b/Changelog
@@ -19,6 +19,7 @@
 	kdump (Dan Walsh)
 	modemmanager(Dan Walsh)
 	nslcd (Dan Walsh)
+	puppet (Craig Grube)
 	rtkit (Dan Walsh)
 	seunshare (Dan Walsh)
 	shorewall (Dan Walsh)
diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
index d6423c8..3a1e04f 100644
--- a/policy/modules/admin/usermanage.te
+++ b/policy/modules/admin/usermanage.te
@@ -243,12 +243,12 @@ optional_policy(`
 ')
 
 optional_policy(`
-	rpm_use_fds(groupadd_t)
-	rpm_rw_pipes(groupadd_t)
+	puppet_rw_tmp(groupadd_t)
 ')
 
 optional_policy(`
-	puppet_rw_tmp(groupadd_t)
+	rpm_use_fds(groupadd_t)
+	rpm_rw_pipes(groupadd_t)
 ')
 
 ########################################
@@ -525,10 +525,10 @@ optional_policy(`
 ')
 
 optional_policy(`
-	rpm_use_fds(useradd_t)
-	rpm_rw_pipes(useradd_t)
+	puppet_rw_tmp(useradd_t)
 ')
 
 optional_policy(`
-	puppet_rw_tmp(useradd_t)
+	rpm_use_fds(useradd_t)
+	rpm_rw_pipes(useradd_t)
 ')
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index 8881333..57f66de 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -1001,83 +1001,6 @@ interface(`files_manage_all_files',`
 	files_manage_kernel_modules($1)
 ')
 
-###########################################
-## <summary>
-## 	Manage all configuration files on filesystem 
-## </summary>
-## <param name="domain">
-## 	<summary>
-##	The type of domain performing this action
-## 	</summary>
-## </param>
-##
-#
-interface(`files_manage_config_files',`
-	gen_require(`
-		attribute configfile;
-	')
-
-	manage_files_pattern($1, configfile, configfile)
-')
-
-#############################################
-## <summary>
-##	Manage all configuration directories on filesystem
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of domain performing this action
-##	</summary>
-## </param>
-##
-#
-interface(`files_manage_config_dirs',`
-	gen_require(`
-		attribute configfile;
-	')
-
-	manage_dirs_pattern($1, configfile, configfile)
-')
-
-
-#######################################
-## <summary>
-##    Relabel configuration files
-## </summary>
-## <param name="domain">
-## 	<summary>
-##	Type of domain performing this action
-##	</summary>
-## </param>
-##
-#
-interface(`files_relabel_config_files',`
-	gen_require(`
-		attribute configfile;
-	')
-
-	relabel_files_pattern($1, configfile, configfile)
-')
-
-#########################################
-## <summary>
-##	Relabel configuration directories
-## </summary>
-## <param name="domain">
-## 	<summary>
-##	Type of domain performing this action
-##	</summary>
-## </param>
-##
-#
-interface(`files_relabel_config_dirs',`
-	gen_require(`
-		attribute configfile;
-	')
-
-	relabel_dirs_pattern($1, configfile, configfile)
-')
-
 ########################################
 ## <summary>
 ##	Search the contents of all directories on
@@ -1231,6 +1154,82 @@ interface(`files_unmount_all_file_type_fs',`
 	allow $1 file_type:filesystem unmount;
 ')
 
+#############################################
+## <summary>
+##	Manage all configuration directories on filesystem
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of domain performing this action
+##	</summary>
+## </param>
+##
+#
+interface(`files_manage_config_dirs',`
+	gen_require(`
+		attribute configfile;
+	')
+
+	manage_dirs_pattern($1, configfile, configfile)
+')
+
+#########################################
+## <summary>
+##	Relabel configuration directories
+## </summary>
+## <param name="domain">
+## 	<summary>
+##	Type of domain performing this action
+##	</summary>
+## </param>
+##
+#
+interface(`files_relabel_config_dirs',`
+	gen_require(`
+		attribute configfile;
+	')
+
+	relabel_dirs_pattern($1, configfile, configfile)
+')
+
+###########################################
+## <summary>
+## 	Manage all configuration files on filesystem 
+## </summary>
+## <param name="domain">
+## 	<summary>
+##	The type of domain performing this action
+## 	</summary>
+## </param>
+##
+#
+interface(`files_manage_config_files',`
+	gen_require(`
+		attribute configfile;
+	')
+
+	manage_files_pattern($1, configfile, configfile)
+')
+
+#######################################
+## <summary>
+##    Relabel configuration files
+## </summary>
+## <param name="domain">
+## 	<summary>
+##	Type of domain performing this action
+##	</summary>
+## </param>
+##
+#
+interface(`files_relabel_config_files',`
+	gen_require(`
+		attribute configfile;
+	')
+
+	relabel_files_pattern($1, configfile, configfile)
+')
+
 ########################################
 ## <summary>
 ##	Mount a filesystem on all mount points.
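Review bot: The doc headers of `files_relabel_config_files` and `files_relabel_config_dirs` in this hunk say only "Relabel configuration files/directories", which understates what `relabel_files_pattern($1, configfile, configfile)` grants. The source and target are both the whole `configfile` attribute, so the caller can move an object from any config type to any other and cross the separation between services' configuration types. I would state that in the summary, for example `##	Relabel files from and to any type with the configfile attribute.`, with the matching wording on the dirs variant. The parameter text in all four moved interfaces could also use the `Domain allowed access.` form that `files_manage_etc_dirs` in the same file uses.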
@@ -1994,6 +1993,25 @@ interface(`files_rw_etc_dirs',`
 	allow $1 etc_t:dir rw_dir_perms;
 ')
 
+##########################################
+## <summary>
+## 	Manage generic directories in /etc
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access
+##	</summary>
+## </param>
+##
+#
+interface(`files_manage_etc_dirs',`
+	gen_require(`
+		type etc_t;
+	')
+
+	manage_dirs_pattern($1, etc_t, etc_t)
+')
+
 ########################################
 ## <summary>
 ##	Read generic files in /etc.
@@ -2074,25 +2092,6 @@ interface(`files_manage_etc_files',`
 	read_lnk_files_pattern($1, etc_t, etc_t)
 ')
 
-##########################################
-## <summary>
-## 	Manage generic directories in /etc
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access
-##	</summary>
-## </param>
-##
-#
-interface(`files_manage_etc_dirs',`
-	gen_require(`
-		type etc_t;
-	')
-
-	manage_dirs_pattern($1, etc_t, etc_t)
-')
-
 ########################################
 ## <summary>
 ##	Delete system configuration files in /etc.
diff --git a/policy/modules/services/puppet.fc b/policy/modules/services/puppet.fc
index 8cc04c3..2f1e529 100644
--- a/policy/modules/services/puppet.fc
+++ b/policy/modules/services/puppet.fc
@@ -1,13 +1,11 @@
-/etc/puppet(/.*)?                       gen_context(system_u:object_r:puppet_etc_t, s0)
+/etc/puppet(/.*)?			gen_context(system_u:object_r:puppet_etc_t,s0)
 
-/etc/rc\.d/init\.d/puppet       --      gen_context(system_u:object_r:puppet_initrc_exec_t, s0)
-/etc/rc\.d/init\.d/puppetmaster --      gen_context(system_u:object_r:puppetmasterd_initrc_exec_t, s0)
-
-/usr/sbin/puppetd               --      gen_context(system_u:object_r:puppet_exec_t, s0)
-/usr/sbin/puppetmasterd         --      gen_context(system_u:object_r:puppetmaster_exec_t, s0)
-
-/var/lib/puppet(/.*)?                   gen_context(system_u:object_r:puppet_var_lib_t, s0)
-/var/log/puppet(/.*)?                   gen_context(system_u:object_r:puppet_log_t, s0)
-/var/run/puppet(/.*)?                   gen_context(system_u:object_r:puppet_var_run_t, s0)
+/etc/rc\.d/init\.d/puppet	--	gen_context(system_u:object_r:puppet_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/puppetmaster --	gen_context(system_u:object_r:puppetmaster_initrc_exec_t,s0)
 
+/usr/sbin/puppetd		--	gen_context(system_u:object_r:puppet_exec_t,s0)
+/usr/sbin/puppetmasterd		--	gen_context(system_u:object_r:puppetmaster_exec_t,s0)
 
+/var/lib/puppet(/.*)?			gen_context(system_u:object_r:puppet_var_lib_t,s0)
+/var/log/puppet(/.*)?			gen_context(system_u:object_r:puppet_log_t,s0)
+/var/run/puppet(/.*)?			gen_context(system_u:object_r:puppet_var_run_t,s0)
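Review bot: The init script type is renamed from `puppetmasterd_initrc_exec_t` to `puppetmaster_initrc_exec_t` here and in the type declarations of puppet.te, and no alias for the old name is visible in the diff. If the 0.0.1 module was ever loaded on a host (not determinable from this page), `/etc/rc.d/init.d/puppetmaster` keeps a label the new policy no longer defines until the file is relabeled. Keeping the old name as an alias in puppet.te avoids that: `typealias puppetmaster_initrc_exec_t alias puppetmasterd_initrc_exec_t;`.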
diff --git a/policy/modules/services/puppet.if b/policy/modules/services/puppet.if
index ad75def..34946a2 100644
--- a/policy/modules/services/puppet.if
+++ b/policy/modules/services/puppet.if
@@ -1,27 +1,26 @@
 ## <summary>Puppet client daemon</summary>
 ## <desc>
-##  <p>
+##	<p>
 ##	Puppet is a configuration management system written in Ruby.
-##  	The client daemon is responsible for periodically requesting the
-##  	desired system state from the server and ensuring the state of
-##  	the client system matches.
-##  </p>
-## </desc> 
- 
+##	The client daemon is responsible for periodically requesting the
+##	desired system state from the server and ensuring the state of
+##	the client system matches.
+##	</p>
+## </desc>
+
 ################################################
 ## <summary>
-##      Read / Write to Puppet temp files.  Puppet uses
-##      some system binaries (groupadd, etc) that run in
-##      a non-puppet domain and redirects output into temp
-##      files.
+##	Read / Write to Puppet temp files.  Puppet uses
+##	some system binaries (groupadd, etc) that run in
+##	a non-puppet domain and redirects output into temp
+##	files.
 ## </summary>
 ## <param name="domain">
-##      <summary>
-##              Domain allowed access
-##      </summary>
-## </param> 
-##
-# 
+##	<summary>
+##	Domain allowed access
+##	</summary>
+## </param>
+#
 interface(`puppet_rw_tmp', `
 	gen_require(`
 		type puppet_tmp_t;
diff --git a/policy/modules/services/puppet.te b/policy/modules/services/puppet.te
index 2336da4..3cb1741 100644
--- a/policy/modules/services/puppet.te
+++ b/policy/modules/services/puppet.te
@@ -1,5 +1,5 @@
 
-policy_module(puppet, 0.0.1)
+policy_module(puppet, 1.0.0)
 
 ########################################
 #
@@ -14,45 +14,34 @@ policy_module(puppet, 0.0.1)
 ## </desc>
 gen_tunable(puppet_manage_all_files, false)
 
-
-########################################
-#
-# Puppet personal declarations
-#
-
 type puppet_t;
 type puppet_exec_t;
 init_daemon_domain(puppet_t, puppet_exec_t)
 
+type puppet_etc_t;
+files_config_file(puppet_etc_t)
+
 type puppet_initrc_exec_t;
-init_script_file(puppet_initrc_exec_t);
+init_script_file(puppet_initrc_exec_t)
 
 type puppet_log_t;
 logging_log_file(puppet_log_t)
 
+type puppet_tmp_t;
+files_tmp_file(puppet_tmp_t)
+
 type puppet_var_lib_t;
 files_type(puppet_var_lib_t)
 
 type puppet_var_run_t;
 files_pid_file(puppet_var_run_t)
 
-type puppet_etc_t;
-files_config_file(puppet_etc_t)
-
-type puppet_tmp_t;
-files_tmp_file(puppet_tmp_t)
-
-########################################
-#
-# Pupper master personal declarations
-#
-
 type puppetmaster_t;
 type puppetmaster_exec_t;
 init_daemon_domain(puppetmaster_t, puppetmaster_exec_t)
 
-type puppetmasterd_initrc_exec_t;
-init_script_file(puppetmasterd_initrc_exec_t)
+type puppetmaster_initrc_exec_t;
+init_script_file(puppetmaster_initrc_exec_t)
 
 type puppetmaster_tmp_t;
 files_tmp_file(puppetmaster_tmp_t)
@@ -63,17 +52,17 @@ files_tmp_file(puppetmaster_tmp_t)
 #
 
 allow puppet_t self:capability { fowner fsetid setuid setgid dac_override sys_nice sys_ptrace sys_tty_config };
+allow puppet_t self:process { signal signull getsched setsched };
 allow puppet_t self:fifo_file rw_fifo_file_perms;
 allow puppet_t self:netlink_route_socket create_netlink_socket_perms;
-allow puppet_t self:process { signal signull getsched setsched };
 allow puppet_t self:tcp_socket create_stream_socket_perms;
 allow puppet_t self:udp_socket create_socket_perms;
 
-search_dirs_pattern(puppet_t, puppet_etc_t, puppet_etc_t)
 read_files_pattern(puppet_t, puppet_etc_t, puppet_etc_t)
 
-manage_dirs_pattern(puppet_t ,puppet_var_lib_t, puppet_var_lib_t)
+manage_dirs_pattern(puppet_t, puppet_var_lib_t, puppet_var_lib_t)
 manage_files_pattern(puppet_t, puppet_var_lib_t, puppet_var_lib_t)
+files_search_var_lib(puppet_t)
 
 setattr_dirs_pattern(puppet_t, puppet_var_run_t, puppet_var_run_t)
 manage_files_pattern(puppet_t, puppet_var_run_t, puppet_var_run_t)
@@ -88,19 +77,21 @@ manage_dirs_pattern(puppet_t, puppet_tmp_t, puppet_tmp_t)
 manage_files_pattern(puppet_t, puppet_tmp_t, puppet_tmp_t)
 files_tmp_filetrans(puppet_t, puppet_tmp_t, { file dir })
 
-corenet_sendrecv_puppet_client_packets(puppet_t)
-corenet_tcp_connect_puppet_port(puppet_t)
+kernel_dontaudit_search_sysctl(puppet_t)
+kernel_dontaudit_search_kernel_sysctl(puppet_t)
+kernel_read_system_state(puppet_t)
+kernel_read_crypto_sysctls(puppet_t)
+
+corecmd_exec_bin(puppet_t)
+corecmd_exec_shell(puppet_t)
 
 corenet_all_recvfrom_netlabel(puppet_t)
 corenet_all_recvfrom_unlabeled(puppet_t)
-
 corenet_tcp_sendrecv_generic_if(puppet_t)
 corenet_tcp_sendrecv_generic_node(puppet_t)
-
 corenet_tcp_bind_generic_node(puppet_t)
-
-corecmd_exec_bin(puppet_t)
-corecmd_exec_shell(puppet_t)
+corenet_tcp_connect_puppet_port(puppet_t)
+corenet_sendrecv_puppet_client_packets(puppet_t)
 
 dev_read_rand(puppet_t)
 dev_read_sysfs(puppet_t)
@@ -116,38 +107,31 @@ files_manage_etc_files(puppet_t)
 files_read_usr_symlinks(puppet_t)
 files_relabel_config_dirs(puppet_t)
 files_relabel_config_files(puppet_t)
-files_search_default(puppet_t)
-files_search_var_lib(puppet_t)
+
+selinux_search_fs(puppet_t)
+selinux_set_all_booleans(puppet_t)
+selinux_set_generic_booleans(puppet_t)
+selinux_validate_context(puppet_t)
+
+term_dontaudit_getattr_unallocated_ttys(puppet_t)
+term_dontaudit_getattr_all_user_ttys(puppet_t)
 
 init_all_labeled_script_domtrans(puppet_t)
 init_domtrans_script(puppet_t)
 init_read_utmp(puppet_t)
 init_signull_script(puppet_t)
 
-kernel_dontaudit_search_sysctl(puppet_t)
-kernel_dontaudit_search_kernel_sysctl(puppet_t)
-kernel_read_system_state(puppet_t)
-kernel_read_crypto_sysctls(puppet_t)
-
 logging_send_syslog_msg(puppet_t)
 
 miscfiles_read_hwdata(puppet_t)
 miscfiles_read_localization(puppet_t)
 
-selinux_search_fs(puppet_t)
-selinux_set_all_booleans(puppet_t)
-selinux_set_generic_booleans(puppet_t)
-selinux_validate_context(puppet_t)
-
 seutil_domtrans_setfiles(puppet_t)
 seutil_domtrans_semanage(puppet_t)
 
 sysnet_dns_name_resolve(puppet_t)
 sysnet_run_ifconfig(puppet_t, system_r)
 
-term_dontaudit_getattr_unallocated_ttys(puppet_t)
-term_dontaudit_getattr_all_user_ttys(puppet_t)
-
 tunable_policy(`puppet_manage_all_files',`
 	auth_manage_all_files_except_shadow(puppet_t)
 ')
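Review bot: `selinux_set_all_booleans(puppet_t)` stays in the unconditional part of the policy, while the `puppet_manage_all_files` tunable at the end of this hunk gates only `auth_manage_all_files_except_shadow`. Together with `seutil_domtrans_semanage` and `files_relabel_config_files`, the client domain can change SELinux state even with the tunable off, so a compromised puppet_t is not meaningfully confined by it. At minimum add a why-comment above the selinux_ block, such as `# Puppet manages SELinux booleans and file contexts as part of the catalog; this is intentionally not tunable.`, or move these calls under a tunable if that is not the intent. `selinux_set_generic_booleans` may also be redundant beside the all-booleans call, but that depends on interface definitions not shown here.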
@@ -162,7 +146,6 @@ optional_policy(`
 
 optional_policy(`
 	files_rw_var_files(puppet_t)
-	files_var_lib_filetrans(puppet_t, var_lib_t, dir)
 
 	rpm_domtrans(puppet_t)
 	rpm_manage_db(puppet_t)
@@ -178,16 +161,15 @@ optional_policy(`
 	usermanage_domtrans_useradd(puppet_t)
 ')
 
-
 ########################################
 #
 # Pupper master personal policy
 #
 
 allow puppetmaster_t self:capability { dac_read_search dac_override setuid setgid fowner chown fsetid sys_tty_config };
-allow puppetmaster_t self:fifo_file rw_fifo_file_perms;;
-allow puppetmaster_t self:netlink_route_socket create_netlink_socket_perms;
 allow puppetmaster_t self:process { signal_perms getsched setsched };
+allow puppetmaster_t self:fifo_file rw_fifo_file_perms;
+allow puppetmaster_t self:netlink_route_socket create_netlink_socket_perms;
 allow puppetmaster_t self:socket create;
 allow puppetmaster_t self:tcp_socket create_stream_socket_perms;
 allow puppetmaster_t self:udp_socket create_socket_perms;
@@ -195,50 +177,43 @@ allow puppetmaster_t self:udp_socket create_socket_perms;
 list_dirs_pattern(puppetmaster_t, puppet_etc_t, puppet_etc_t)
 read_files_pattern(puppetmaster_t, puppet_etc_t, puppet_etc_t)
 
-manage_dirs_pattern(puppetmaster_t ,puppet_var_lib_t, puppet_var_lib_t)
+allow puppetmaster_t puppet_log_t:dir { rw_dir_perms setattr };
+allow puppetmaster_t puppet_log_t:file { rw_file_perms create setattr };
+logging_log_filetrans(puppetmaster_t, puppet_log_t, { file dir })
+
+manage_dirs_pattern(puppetmaster_t, puppet_var_lib_t, puppet_var_lib_t)
 manage_files_pattern(puppetmaster_t, puppet_var_lib_t, puppet_var_lib_t)
 
 setattr_dirs_pattern(puppetmaster_t, puppet_var_run_t, puppet_var_run_t)
 manage_files_pattern(puppetmaster_t, puppet_var_run_t, puppet_var_run_t)
 files_pid_filetrans(puppetmaster_t, puppet_var_run_t, { file dir })
 
-rw_dirs_pattern(puppetmaster_t, puppet_log_t, puppet_log_t)
-setattr_dirs_pattern(puppetmaster_t, puppet_log_t, puppet_log_t)
-setattr_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t)
-create_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t)
-append_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t)
-rw_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t)
-logging_log_filetrans(puppetmaster_t, puppet_log_t, { file dir })
-
 manage_dirs_pattern(puppetmaster_t, puppetmaster_tmp_t, puppetmaster_tmp_t)
 manage_files_pattern(puppetmaster_t, puppetmaster_tmp_t, puppetmaster_tmp_t)
 files_tmp_filetrans(puppetmaster_t, puppetmaster_tmp_t, { file dir })
 
-corenet_sendrecv_puppet_server_packets(puppetmaster_t)
-corenet_tcp_bind_puppet_port(puppetmaster_t)
+kernel_dontaudit_search_kernel_sysctl(puppetmaster_t)
+kernel_read_system_state(puppetmaster_t)
+kernel_read_crypto_sysctls(puppetmaster_t)
+
+corecmd_exec_bin(puppetmaster_t)
+corecmd_exec_shell(puppetmaster_t)
 
 corenet_all_recvfrom_netlabel(puppetmaster_t)
 corenet_all_recvfrom_unlabeled(puppetmaster_t)
-
 corenet_tcp_sendrecv_generic_if(puppetmaster_t)
 corenet_tcp_sendrecv_generic_node(puppetmaster_t)
-
 corenet_tcp_bind_generic_node(puppetmaster_t)
-
-corecmd_exec_bin(puppetmaster_t)
-corecmd_exec_shell(puppetmaster_t)
-
-files_read_etc_files(puppetmaster_t)
-files_search_var_lib(puppetmaster_t)
+corenet_tcp_bind_puppet_port(puppetmaster_t)
+corenet_sendrecv_puppet_server_packets(puppetmaster_t)
 
 dev_read_rand(puppetmaster_t)
 dev_read_urand(puppetmaster_t)
 
 domain_read_all_domains_state(puppetmaster_t)
 
-kernel_dontaudit_search_kernel_sysctl(puppetmaster_t)
-kernel_read_system_state(puppetmaster_t)
-kernel_read_crypto_sysctls(puppetmaster_t)
+files_read_etc_files(puppetmaster_t)
+files_search_var_lib(puppetmaster_t)
 
 logging_send_syslog_msg(puppetmaster_t)
 
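Review bot: The new rule `allow puppetmaster_t puppet_log_t:file { rw_file_perms create setattr };` gives the master full read/write on its own log files, so a compromised puppetmaster_t can rewrite or truncate earlier entries. If the daemon only ever appends (not verifiable from this hunk), the narrower set keeps the audit trail intact: `allow puppetmaster_t puppet_log_t:file { append_file_perms create setattr };`. If read/write really is required, a one-line comment saying why would help the next reviewer.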
@@ -257,4 +232,3 @@ optional_policy(`
 	rpm_exec(puppetmaster_t)
 	rpm_read_db(puppetmaster_t)
 ')
-
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index a5a3adb..f073b54 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -730,7 +730,7 @@ interface(`init_labeled_script_domtrans',`
 ##		Domain allowed access
 ##	</summary>
 ## </param>
-#########################################
+#
 interface(`init_all_labeled_script_domtrans',`
 	gen_require(`
 		attribute init_script_file_type;
diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te
index 8005fb6..39f5a99 100644
--- a/policy/modules/system/libraries.te
+++ b/policy/modules/system/libraries.te
@@ -118,12 +118,12 @@ optional_policy(`
 ')
 
 optional_policy(`
+	puppet_rw_tmp(ldconfig_t)
+')
+
+optional_policy(`
 	# When you install a kernel the postinstall builds a initrd image in tmp 
 	# and executes ldconfig on it. If you dont allow this kernel installs 
 	# blow up.
 	rpm_manage_script_tmp_files(ldconfig_t)
 ')
-
-optional_policy(`
-	puppet_rw_tmp(ldconfig_t)
-')