diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
index 1865872..d6423c8 100644
--- a/policy/modules/admin/usermanage.te
+++ b/policy/modules/admin/usermanage.te
@@ -247,6 +247,10 @@ optional_policy(`
 rpm_rw_pipes(groupadd_t)
 ')
 
+optional_policy(`
+ puppet_rw_tmp(groupadd_t)
+')
+
 ########################################
 #
 # Passwd local policy
@@ -524,3 +528,7 @@ optional_policy(`
 rpm_use_fds(useradd_t)
 rpm_rw_pipes(useradd_t)
 ')
+
+optional_policy(`
+ puppet_rw_tmp(useradd_t)
+')
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
index c62a95e..85a5fcf 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -156,6 +156,7 @@ network_port(prelude, tcp,4690,s0, udp,4690,s0)
 network_port(printer, tcp,515,s0)
 network_port(ptal, tcp,5703,s0)
 network_port(pulseaudio, tcp,4713,s0)
+network_port(puppet, tcp, 8140, s0)
 network_port(pxe, udp,4011,s0)
 network_port(pyzor, udp,24441,s0)
 network_port(radacct, udp,1646,s0, udp,1813,s0)
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index 87442ec..8881333 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -110,7 +110,11 @@ interface(`files_pid_file',`
 ##
 #
 interface(`files_config_file',`
+ gen_require(`
+ attribute configfile;
+ ')
 files_type($1)
+ typeattribute $1 configfile;
 ')
 
 ########################################
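Review bot: `network_port(puppet, tcp, 8140, s0)` is spaced differently from every neighbouring entry, which are written without spaces after the commas (`tcp,515,s0`, `udp,4011,s0`); write it as `network_port(puppet, tcp,8140,s0)` so the port table stays uniform. The entry does sit in the correct alphabetical slot between pulseaudio and pxe.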
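Review bot: The added `typeattribute $1 configfile;` in files_config_file changes the contract for every existing caller, not only puppet_etc_t: each type declared through this interface now carries the configfile attribute and becomes reachable by any domain granted the configfile-based manage/relabel interfaces added later in this file. The interface's summary, which starts above the hunk, still says only that the type is a configuration file; add a line such as `## Also assigns the configfile attribute, which the files_manage_config_* and files_relabel_config_* interfaces act on.` so module authors can judge whether their type belongs in that set. The enclosing doc block begins outside the hunk.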
@@ -997,6 +1001,83 @@ interface(`files_manage_all_files',`
 files_manage_kernel_modules($1)
 ')
 
+###########################################
+##
+## Manage all configuration files on filesystem
+##
+##
+##
+## The type of domain performing this action
+##
+##
+##
+#
+interface(`files_manage_config_files',`
+ gen_require(`
+ attribute configfile;
+ ')
+
+ manage_files_pattern($1, configfile, configfile)
+')
+
+#############################################
+##
+## Manage all configuration directories on filesystem
+##
+##
+##
+## The type of domain performing this action
+##
+##
+##
+#
+interface(`files_manage_config_dirs',`
+ gen_require(`
+ attribute configfile;
+ ')
+
+ manage_dirs_pattern($1, configfile, configfile)
+')
+
+ #######################################
+##
+## Relabel configuration files
+##
+##
+##
+## Type of domain performing this action
+##
+##
+##
+#
+interface(`files_relabel_config_files',`
+ gen_require(`
+ attribute configfile;
+ ')
+
+ relabel_files_pattern($1, configfile, configfile)
+')
+
+#########################################
+##
+## Relabel configuration directories
+##
+##
+##
+## Type of domain performing this action
+##
+##
+##
+#
+interface(`files_relabel_config_dirs',`
+ gen_require(`
+ attribute configfile;
+ ')
+
+ relabel_dirs_pattern($1, configfile, configfile)
+')
+
 ########################################
 ##
 ## Search the contents of all directories on
@@ -1993,6 +2074,25 @@ interface(`files_manage_etc_files',`
 read_lnk_files_pattern($1, etc_t, etc_t)
 ')
 
+##########################################
+##
+## Manage generic directories in /etc
+##
+##
+##
+## Domain allowed access
+##
+##
+##
+#
+interface(`files_manage_etc_dirs',`
+ gen_require(`
+ type etc_t;
+ ')
+
+ manage_dirs_pattern($1, etc_t, etc_t)
+')
+
 ########################################
 ##
 ## Delete system configuration files in /etc.
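Review bot: `relabel_files_pattern($1, configfile, configfile)` and `relabel_dirs_pattern($1, configfile, configfile)` grant relabelfrom and relabelto across the whole attribute, so a domain given files_relabel_config_files can move a file from one module's config type to any other module's config type; the summaries should state that, e.g. `## Relabel configuration files from and to any type carrying the configfile attribute.`, because callers in other modules will rely on the doc rather than the pattern. The same holds for files_manage_config_files and files_manage_config_dirs, whose "all configuration files" should be spelled out as every type declared through files_config_file, in any module. On style, the new banner lines (`+###########################################`, `+#############################################`, the one before files_relabel_config_files, and `+#########################################`) differ in length from the file's existing banners (see the context line before `## Search the contents`), and the files_relabel_config_files banner is preceded by a doubled blank line and a leading space; the same uneven banners appear in the files_rw_var_lib_dirs and init_all_labeled_script_domtrans hunks of this commit.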
@@ -4222,6 +4322,24 @@ interface(`files_list_var_lib',`
 list_dirs_pattern($1, var_t, var_lib_t)
 ')
 
+###########################################
+##
+## Read-write /var/lib directories
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`files_rw_var_lib_dirs',`
+ gen_require(`
+ type var_lib_t;
+ ')
+
+ rw_dirs_pattern($1, var_lib_t, var_lib_t)
+')
+
 ########################################
 ##
 ## Create objects in the /var/lib directory
diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te
index 3ae897d..e970d85 100644
--- a/policy/modules/kernel/files.te
+++ b/policy/modules/kernel/files.te
@@ -11,6 +11,7 @@ attribute files_unconfined_type;
 attribute lockfile;
 attribute mountpoint;
 attribute pidfile;
+attribute configfile;
 
 # For labeling types that are to be polyinstantiated
 attribute polydir;
diff --git a/policy/modules/services/puppet.fc b/policy/modules/services/puppet.fc
new file mode 100644
index 0000000..8cc04c3
--- /dev/null
+++ b/policy/modules/services/puppet.fc
@@ -0,0 +1,13 @@
+/etc/puppet(/.*)? gen_context(system_u:object_r:puppet_etc_t, s0)
+
+/etc/rc\.d/init\.d/puppet -- gen_context(system_u:object_r:puppet_initrc_exec_t, s0)
+/etc/rc\.d/init\.d/puppetmaster -- gen_context(system_u:object_r:puppetmasterd_initrc_exec_t, s0)
+
+/usr/sbin/puppetd -- gen_context(system_u:object_r:puppet_exec_t, s0)
+/usr/sbin/puppetmasterd -- gen_context(system_u:object_r:puppetmaster_exec_t, s0)
+
+/var/lib/puppet(/.*)? gen_context(system_u:object_r:puppet_var_lib_t, s0)
+/var/log/puppet(/.*)? gen_context(system_u:object_r:puppet_log_t, s0)
+/var/run/puppet(/.*)? gen_context(system_u:object_r:puppet_var_run_t, s0)
+
+
diff --git a/policy/modules/services/puppet.if b/policy/modules/services/puppet.if
new file mode 100644
index 0000000..ad75def
--- /dev/null
+++ b/policy/modules/services/puppet.if
@@ -0,0 +1,32 @@
+## Puppet client daemon
+##
+##
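Review bot: `attribute configfile;` is appended after `attribute pidfile;`, which breaks the alphabetical order the surrounding declarations keep (files_unconfined_type, lockfile, mountpoint, pidfile); it belongs ahead of `attribute files_unconfined_type;` shown in the hunk header, or at least ahead of lockfile. A one-line comment in the style of the polydir one below it would also help readers find where the attribute is assigned: `# types of configuration files, assigned by files_config_file()`.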

+## Puppet is a configuration management system written in Ruby.
+## The client daemon is responsible for periodically requesting the
+## desired system state from the server and ensuring the state of
+## the client system matches.
+##

+##
+
+################################################
+##
+## Read / Write to Puppet temp files. Puppet uses
+## some system binaries (groupadd, etc) that run in
+## a non-puppet domain and redirects output into temp
+## files.
+##
+##
+##
+## Domain allowed access
+##
+##
+#
+interface(`puppet_rw_tmp', `
+ gen_require(`
+ type puppet_tmp_t;
+ ')
+
+ allow $1 puppet_tmp_t:file rw_file_perms;
+ files_search_tmp($1)
+')
diff --git a/policy/modules/services/puppet.te b/policy/modules/services/puppet.te
new file mode 100644
index 0000000..2336da4
--- /dev/null
+++ b/policy/modules/services/puppet.te
@@ -0,0 +1,260 @@
+
+policy_module(puppet, 0.0.1)
+
+########################################
+#
+# Declarations
+#
+
+##
+##
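Review bot: `interface(`puppet_rw_tmp', `` has a space between the comma and the opening quote, which none of the interfaces added to files.if in this commit use; write `interface(`puppet_rw_tmp',`` to match. The grant is `puppet_tmp_t:file rw_file_perms` plus files_search_tmp, with no directory permission on puppet_tmp_t; that is enough for a caller that inherits an open descriptor or opens a file directly under /tmp, but puppet.te's files_tmp_filetrans also labels directories as puppet_tmp_t, so if the redirected files ever live inside such a directory the callers would additionally need `allow $1 puppet_tmp_t:dir search_dir_perms;`. The description could say which case is intended so the scope of the interface is clear to readers of usermanage.te, init.te and libraries.te.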

+## Allow Puppet client to manage all file
+## types.
+##

+##
+gen_tunable(puppet_manage_all_files, false)
+
+ ########################################
+#
+# Puppet personal declarations
+#
+
+type puppet_t;
+type puppet_exec_t;
+init_daemon_domain(puppet_t, puppet_exec_t)
+
+type puppet_initrc_exec_t;
+init_script_file(puppet_initrc_exec_t);
+
+type puppet_log_t;
+logging_log_file(puppet_log_t)
+
+type puppet_var_lib_t;
+files_type(puppet_var_lib_t)
+
+type puppet_var_run_t;
+files_pid_file(puppet_var_run_t)
+
+type puppet_etc_t;
+files_config_file(puppet_etc_t)
+
+type puppet_tmp_t;
+files_tmp_file(puppet_tmp_t)
+
+########################################
+#
+# Pupper master personal declarations
+#
+
+type puppetmaster_t;
+type puppetmaster_exec_t;
+init_daemon_domain(puppetmaster_t, puppetmaster_exec_t)
+
+type puppetmasterd_initrc_exec_t;
+init_script_file(puppetmasterd_initrc_exec_t)
+
+type puppetmaster_tmp_t;
+files_tmp_file(puppetmaster_tmp_t)
+
+########################################
+#
+# Puppet personal policy
+#
+
+allow puppet_t self:capability { fowner fsetid setuid setgid dac_override sys_nice sys_ptrace sys_tty_config };
+allow puppet_t self:fifo_file rw_fifo_file_perms;
+allow puppet_t self:netlink_route_socket create_netlink_socket_perms;
+allow puppet_t self:process { signal signull getsched setsched };
+allow puppet_t self:tcp_socket create_stream_socket_perms;
+allow puppet_t self:udp_socket create_socket_perms;
+
+search_dirs_pattern(puppet_t, puppet_etc_t, puppet_etc_t)
+read_files_pattern(puppet_t, puppet_etc_t, puppet_etc_t)
+
+manage_dirs_pattern(puppet_t ,puppet_var_lib_t, puppet_var_lib_t)
+manage_files_pattern(puppet_t, puppet_var_lib_t, puppet_var_lib_t)
+
+setattr_dirs_pattern(puppet_t, puppet_var_run_t, puppet_var_run_t)
+manage_files_pattern(puppet_t, puppet_var_run_t, puppet_var_run_t)
+files_pid_filetrans(puppet_t, puppet_var_run_t, { file dir })
+
+create_dirs_pattern(puppet_t, var_log_t, puppet_log_t)
+create_files_pattern(puppet_t, puppet_log_t, puppet_log_t)
+append_files_pattern(puppet_t, puppet_log_t, puppet_log_t)
+logging_log_filetrans(puppet_t, puppet_log_t, { file dir })
+
+manage_dirs_pattern(puppet_t, puppet_tmp_t, puppet_tmp_t)
+manage_files_pattern(puppet_t, puppet_tmp_t, puppet_tmp_t)
+files_tmp_filetrans(puppet_t, puppet_tmp_t, { file dir })
+
+corenet_sendrecv_puppet_client_packets(puppet_t)
+corenet_tcp_connect_puppet_port(puppet_t)
+
+corenet_all_recvfrom_netlabel(puppet_t)
+corenet_all_recvfrom_unlabeled(puppet_t)
+
+corenet_tcp_sendrecv_generic_if(puppet_t)
+corenet_tcp_sendrecv_generic_node(puppet_t)
+
+corenet_tcp_bind_generic_node(puppet_t)
+
+corecmd_exec_bin(puppet_t)
+corecmd_exec_shell(puppet_t)
+
+dev_read_rand(puppet_t)
+dev_read_sysfs(puppet_t)
+dev_read_urand(puppet_t)
+
+domain_read_all_domains_state(puppet_t)
+domain_interactive_fd(puppet_t)
+
+files_manage_config_files(puppet_t)
+files_manage_config_dirs(puppet_t)
+files_manage_etc_dirs(puppet_t)
+files_manage_etc_files(puppet_t)
+files_read_usr_symlinks(puppet_t)
+files_relabel_config_dirs(puppet_t)
+files_relabel_config_files(puppet_t)
+files_search_default(puppet_t)
+files_search_var_lib(puppet_t)
+
+init_all_labeled_script_domtrans(puppet_t)
+init_domtrans_script(puppet_t)
+init_read_utmp(puppet_t)
+init_signull_script(puppet_t)
+
+kernel_dontaudit_search_sysctl(puppet_t)
+kernel_dontaudit_search_kernel_sysctl(puppet_t)
+kernel_read_system_state(puppet_t)
+kernel_read_crypto_sysctls(puppet_t)
+
+logging_send_syslog_msg(puppet_t)
+
+miscfiles_read_hwdata(puppet_t)
+miscfiles_read_localization(puppet_t)
+
+selinux_search_fs(puppet_t)
+selinux_set_all_booleans(puppet_t)
+selinux_set_generic_booleans(puppet_t)
+selinux_validate_context(puppet_t)
+
+seutil_domtrans_setfiles(puppet_t)
+seutil_domtrans_semanage(puppet_t)
+
+sysnet_dns_name_resolve(puppet_t)
+sysnet_run_ifconfig(puppet_t, system_r)
+
+term_dontaudit_getattr_unallocated_ttys(puppet_t)
+term_dontaudit_getattr_all_user_ttys(puppet_t)
+
+tunable_policy(`puppet_manage_all_files',`
+ auth_manage_all_files_except_shadow(puppet_t)
+')
+
+optional_policy(`
+ consoletype_domtrans(puppet_t)
+')
+
+optional_policy(`
+ hostname_exec(puppet_t)
+')
+
+optional_policy(`
+ files_rw_var_files(puppet_t)
+ files_var_lib_filetrans(puppet_t, var_lib_t, dir)
+
+ rpm_domtrans(puppet_t)
+ rpm_manage_db(puppet_t)
+ rpm_manage_log(puppet_t)
+')
+
+optional_policy(`
+ unconfined_domain(puppet_t)
+')
+
+optional_policy(`
+ usermanage_domtrans_groupadd(puppet_t)
+ usermanage_domtrans_useradd(puppet_t)
+')
+
+
+########################################
+#
+# Pupper master personal policy
+#
+
+allow puppetmaster_t self:capability { dac_read_search dac_override setuid setgid fowner chown fsetid sys_tty_config };
+allow puppetmaster_t self:fifo_file rw_fifo_file_perms;;
+allow puppetmaster_t self:netlink_route_socket create_netlink_socket_perms;
+allow puppetmaster_t self:process { signal_perms getsched setsched };
+allow puppetmaster_t self:socket create;
+allow puppetmaster_t self:tcp_socket create_stream_socket_perms;
+allow puppetmaster_t self:udp_socket create_socket_perms;
+
+list_dirs_pattern(puppetmaster_t, puppet_etc_t, puppet_etc_t)
+read_files_pattern(puppetmaster_t, puppet_etc_t, puppet_etc_t)
+
+manage_dirs_pattern(puppetmaster_t ,puppet_var_lib_t, puppet_var_lib_t)
+manage_files_pattern(puppetmaster_t, puppet_var_lib_t, puppet_var_lib_t)
+
+setattr_dirs_pattern(puppetmaster_t, puppet_var_run_t, puppet_var_run_t)
+manage_files_pattern(puppetmaster_t, puppet_var_run_t, puppet_var_run_t)
+files_pid_filetrans(puppetmaster_t, puppet_var_run_t, { file dir })
+
+rw_dirs_pattern(puppetmaster_t, puppet_log_t, puppet_log_t)
+setattr_dirs_pattern(puppetmaster_t, puppet_log_t, puppet_log_t)
+setattr_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t)
+create_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t)
+append_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t)
+rw_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t)
+logging_log_filetrans(puppetmaster_t, puppet_log_t, { file dir })
+
+manage_dirs_pattern(puppetmaster_t, puppetmaster_tmp_t, puppetmaster_tmp_t)
+manage_files_pattern(puppetmaster_t, puppetmaster_tmp_t, puppetmaster_tmp_t)
+files_tmp_filetrans(puppetmaster_t, puppetmaster_tmp_t, { file dir })
+
+corenet_sendrecv_puppet_server_packets(puppetmaster_t)
+corenet_tcp_bind_puppet_port(puppetmaster_t)
+
+corenet_all_recvfrom_netlabel(puppetmaster_t)
+corenet_all_recvfrom_unlabeled(puppetmaster_t)
+
+corenet_tcp_sendrecv_generic_if(puppetmaster_t)
+corenet_tcp_sendrecv_generic_node(puppetmaster_t)
+
+corenet_tcp_bind_generic_node(puppetmaster_t)
+
+corecmd_exec_bin(puppetmaster_t)
+corecmd_exec_shell(puppetmaster_t)
+
+files_read_etc_files(puppetmaster_t)
+files_search_var_lib(puppetmaster_t)
+
+dev_read_rand(puppetmaster_t)
+dev_read_urand(puppetmaster_t)
+
+domain_read_all_domains_state(puppetmaster_t)
+
+kernel_dontaudit_search_kernel_sysctl(puppetmaster_t)
+kernel_read_system_state(puppetmaster_t)
+kernel_read_crypto_sysctls(puppetmaster_t)
+
+logging_send_syslog_msg(puppetmaster_t)
+
+miscfiles_read_localization(puppetmaster_t)
+
+sysnet_dns_name_resolve(puppetmaster_t)
+sysnet_run_ifconfig(puppetmaster_t, system_r)
+
+optional_policy(`
+ hostname_exec(puppetmaster_t)
+')
+
+optional_policy(`
+ files_read_usr_symlinks(puppetmaster_t)
+
+ rpm_exec(puppetmaster_t)
+ rpm_read_db(puppetmaster_t)
+')
+
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 7637333..a5a3adb 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
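Review bot: `allow puppetmaster_t self:fifo_file rw_fifo_file_perms;;` ends with a doubled semicolon and `init_script_file(puppet_initrc_exec_t);` with a stray one; as far as I can tell the policy grammar accepts no empty statement, so they should read `allow puppetmaster_t self:fifo_file rw_fifo_file_perms;` and `init_script_file(puppet_initrc_exec_t)` (the master's `init_script_file(puppetmasterd_initrc_exec_t)` already has none). The client rules name types owned by other modules directly — `create_dirs_pattern(puppet_t, var_log_t, puppet_log_t)` and `files_var_lib_filetrans(puppet_t, var_lib_t, dir)` — which refpolicy routes through the owning module's interfaces and which may not resolve when puppet is built as a separate module; `logging_log_filetrans(puppet_t, puppet_log_t, { file dir })` appears to already cover the var_log_t case, and the filetrans line looks like it meant the module's own type, `files_var_lib_filetrans(puppet_t, puppet_var_lib_t, dir)`. The `optional_policy(` unconfined_domain(puppet_t) ')` block makes the client an unconfined domain on any system that loads the unconfined module, which renders the rest of this file, including the `puppet_manage_all_files` tunable, ineffective there; if that is deliberate it needs a comment saying so, otherwise it should be gated by a tunable or dropped. `files_rw_var_files`/`files_var_lib_filetrans` sit inside the rpm optional_policy block and `files_read_usr_symlinks(puppetmaster_t)` inside the master's rpm block although none of them depends on rpm, so they belong in the unconditional part of each policy. Both section banners read `# Pupper master ...` and should be `# Puppet master personal declarations` / `# Puppet master personal policy`, and the misplaced commas in `manage_dirs_pattern(puppet_t ,puppet_var_lib_t, puppet_var_lib_t)` and its puppetmaster_t counterpart should move after the first argument.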
@@ -720,6 +720,25 @@ interface(`init_labeled_script_domtrans',`
 files_search_etc($1)
 ')
 
+#########################################
+##
+## Transition to the init script domain
+## for all labeled init script types
+##
+##
+##
+## Domain allowed access
+##
+##
+#########################################
+interface(`init_all_labeled_script_domtrans',`
+ gen_require(`
+ attribute init_script_file_type;
+ ')
+
+ init_labeled_script_domtrans($1, init_script_file_type)
+')
+
 ########################################
 ##
 ## Start and stop daemon programs directly.
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index efe5277..1ff0596 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -688,6 +688,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+ puppet_rw_tmp(initrc_t)
+')
+
+optional_policy(`
 quota_manage_flags(initrc_t)
 ')
 
diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te
index 0c4f4ba..8005fb6 100644
--- a/policy/modules/system/libraries.te
+++ b/policy/modules/system/libraries.te
@@ -123,3 +123,7 @@ optional_policy(`
 # blow up.
 rpm_manage_script_tmp_files(ldconfig_t)
 ')
+
+optional_policy(`
+ puppet_rw_tmp(ldconfig_t)
+')
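Review bot: The doc block of init_all_labeled_script_domtrans is closed with a second `+#########################################` banner where every other interface in this commit, and the neighbouring init_labeled_script_domtrans named in the hunk header, closes it with a single `#`; use `#` there so the block keeps the shape the interface doc tooling expects, and trim the opening banner to the width of the file's existing ones (see the context line before `## Start and stop daemon programs directly.`). The interface wraps init_labeled_script_domtrans over the whole init_script_file_type attribute, which presumably lets the caller transition through any labeled init script rather than one named type; the summary could say `## Transition to the init script domain through any type carrying the init_script_file_type attribute.` so callers such as puppet_t understand they are getting the union of all labeled init scripts.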