New Puppet patch improved after feedback from
Daniel Burgener <[email protected]>. Now gives write access to
cache files and removes rw access to var_t.
Signed-off-by: Russell Coker <[email protected]>
Index: refpolicy-2.20220106/policy/modules/admin/puppet.fc
===================================================================
--- refpolicy-2.20220106.orig/policy/modules/admin/puppet.fc
+++ refpolicy-2.20220106/policy/modules/admin/puppet.fc
@@ -11,6 +11,7 @@
/usr/sbin/puppetd -- gen_context(system_u:object_r:puppet_exec_t,s0)
/usr/sbin/puppetmasterd -- gen_context(system_u:object_r:puppetmaster_exec_t,s0)
+/var/cache/puppet(/.*)? gen_context(system_u:object_r:puppet_cache_t,s0)
/var/lib/puppet(/.*)? gen_context(system_u:object_r:puppet_var_lib_t,s0)
/var/log/puppet(/.*)? gen_context(system_u:object_r:puppet_log_t,s0)
Index: refpolicy-2.20220106/policy/modules/admin/puppet.te
===================================================================
--- refpolicy-2.20220106.orig/policy/modules/admin/puppet.te
+++ refpolicy-2.20220106/policy/modules/admin/puppet.te
@@ -36,6 +36,9 @@ init_daemon_runtime_file(puppet_runtime_
type puppet_tmp_t;
files_tmp_file(puppet_tmp_t)
+type puppet_cache_t;
+files_type(puppet_cache_t)
+
type puppet_var_lib_t;
files_type(puppet_var_lib_t)
@@ -74,6 +77,9 @@ manage_dirs_pattern(puppet_t, puppet_var
manage_files_pattern(puppet_t, puppet_var_lib_t, puppet_var_lib_t)
can_exec(puppet_t, puppet_var_lib_t)
+manage_dirs_pattern(puppet_t, puppet_cache_t, puppet_cache_t)
+manage_files_pattern(puppet_t, puppet_cache_t, puppet_cache_t)
+
setattr_dirs_pattern(puppet_t, puppet_runtime_t, puppet_runtime_t)
manage_files_pattern(puppet_t, puppet_runtime_t, puppet_runtime_t)
files_runtime_filetrans(puppet_t, puppet_runtime_t, { file dir })
@@ -96,6 +102,7 @@ kernel_read_kernel_sysctls(puppet_t)
kernel_read_net_sysctls(puppet_t)
kernel_read_network_state(puppet_t)
+corecmd_bin_entry_type(puppet_t)
corecmd_exec_bin(puppet_t)
corecmd_exec_shell(puppet_t)
corecmd_read_all_executables(puppet_t)
@@ -182,8 +189,6 @@ optional_policy(`
')
optional_policy(`
- files_rw_var_files(puppet_t)
-
rpm_domtrans(puppet_t)
rpm_manage_db(puppet_t)
rpm_manage_log(puppet_t)
@@ -267,6 +272,7 @@ allow puppetmaster_t puppet_etc_t:lnk_fi
allow puppetmaster_t puppet_log_t:dir setattr_dir_perms;
append_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t)
create_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t)
+read_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t)
setattr_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t)
logging_log_filetrans(puppetmaster_t, puppet_log_t, { file dir })
@@ -287,6 +293,7 @@ kernel_read_system_state(puppetmaster_t)
kernel_read_crypto_sysctls(puppetmaster_t)
kernel_read_kernel_sysctls(puppetmaster_t)
+corecmd_bin_entry_type(puppetmaster_t)
corecmd_exec_bin(puppetmaster_t)
corecmd_exec_shell(puppetmaster_t)
On 2/14/22 20:57, Russell Coker wrote:
> New Puppet patch improved after feedback from
> Daniel Burgener <[email protected]>. Now gives write access to
> cache files and removes rw access to var_t.
>
> Signed-off-by: Russell Coker <[email protected]>
>
> Index: refpolicy-2.20220106/policy/modules/admin/puppet.fc
> ===================================================================
> --- refpolicy-2.20220106.orig/policy/modules/admin/puppet.fc
> +++ refpolicy-2.20220106/policy/modules/admin/puppet.fc
> @@ -11,6 +11,7 @@
> /usr/sbin/puppetd -- gen_context(system_u:object_r:puppet_exec_t,s0)
> /usr/sbin/puppetmasterd -- gen_context(system_u:object_r:puppetmaster_exec_t,s0)
>
> +/var/cache/puppet(/.*)? gen_context(system_u:object_r:puppet_cache_t,s0)
> /var/lib/puppet(/.*)? gen_context(system_u:object_r:puppet_var_lib_t,s0)
>
> /var/log/puppet(/.*)? gen_context(system_u:object_r:puppet_log_t,s0)
> Index: refpolicy-2.20220106/policy/modules/admin/puppet.te
> ===================================================================
> --- refpolicy-2.20220106.orig/policy/modules/admin/puppet.te
> +++ refpolicy-2.20220106/policy/modules/admin/puppet.te
> @@ -36,6 +36,9 @@ init_daemon_runtime_file(puppet_runtime_
> type puppet_tmp_t;
> files_tmp_file(puppet_tmp_t)
>
> +type puppet_cache_t;
> +files_type(puppet_cache_t)
> +
> type puppet_var_lib_t;
> files_type(puppet_var_lib_t)
>
> @@ -74,6 +77,9 @@ manage_dirs_pattern(puppet_t, puppet_var
> manage_files_pattern(puppet_t, puppet_var_lib_t, puppet_var_lib_t)
> can_exec(puppet_t, puppet_var_lib_t)
>
> +manage_dirs_pattern(puppet_t, puppet_cache_t, puppet_cache_t)
> +manage_files_pattern(puppet_t, puppet_cache_t, puppet_cache_t)
> +
> setattr_dirs_pattern(puppet_t, puppet_runtime_t, puppet_runtime_t)
> manage_files_pattern(puppet_t, puppet_runtime_t, puppet_runtime_t)
> files_runtime_filetrans(puppet_t, puppet_runtime_t, { file dir })
> @@ -96,6 +102,7 @@ kernel_read_kernel_sysctls(puppet_t)
> kernel_read_net_sysctls(puppet_t)
> kernel_read_network_state(puppet_t)
>
> +corecmd_bin_entry_type(puppet_t)
Why are you adding bin_t as an entrypoint here and below?
> corecmd_exec_bin(puppet_t)
> corecmd_exec_shell(puppet_t)
> corecmd_read_all_executables(puppet_t)
> @@ -182,8 +189,6 @@ optional_policy(`
> ')
>
> optional_policy(`
> - files_rw_var_files(puppet_t)
> -
> rpm_domtrans(puppet_t)
> rpm_manage_db(puppet_t)
> rpm_manage_log(puppet_t)
> @@ -267,6 +272,7 @@ allow puppetmaster_t puppet_etc_t:lnk_fi
> allow puppetmaster_t puppet_log_t:dir setattr_dir_perms;
> append_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t)
> create_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t)
> +read_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t)
> setattr_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t)
> logging_log_filetrans(puppetmaster_t, puppet_log_t, { file dir })
>
> @@ -287,6 +293,7 @@ kernel_read_system_state(puppetmaster_t)
> kernel_read_crypto_sysctls(puppetmaster_t)
> kernel_read_kernel_sysctls(puppetmaster_t)
>
> +corecmd_bin_entry_type(puppetmaster_t)
> corecmd_exec_bin(puppetmaster_t)
> corecmd_exec_shell(puppetmaster_t)
>
--
Chris PeBenito
On Wednesday, 16 February 2022 22:35:58 AEDT Chris PeBenito wrote:
> Why are you adding bin_t as an entrypoint here and below?
That's for running a script via the interpreter instead of via a #!/usr/bin/
whatever so you can't just label the script file.
--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/
On 2/16/2022 08:08, Russell Coker wrote:
> On Wednesday, 16 February 2022 22:35:58 AEDT Chris PeBenito wrote:
>> Why are you adding bin_t as an entrypoint here and below?
>
> That's for running a script via the interpreter instead of via a #!/usr/bin/
> whatever so you can't just label the script file.
I'm not sure I follow. Are you saying this is for handling things like
"bash -c /some/script" and "python foo.py"?
--
Chris PeBenito
On Thursday, 17 February 2022 02:30:12 AEDT Chris PeBenito wrote:
> On 2/16/2022 08:08, Russell Coker wrote:
> > On Wednesday, 16 February 2022 22:35:58 AEDT Chris PeBenito wrote:
> >> Why are you adding bin_t as an entrypoint here and below?
> >
> > That's for running a script via the interpreter instead of via a
> > #!/usr/bin/ whatever so you can't just label the script file.
>
> I'm not sure I follow. Are you saying this is for handling things like
> "bash -c /some/script" and "python foo.py"?
Yes.
--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/
On 2/16/22 20:41, Russell Coker wrote:
> On Thursday, 17 February 2022 02:30:12 AEDT Chris PeBenito wrote:
>> On 2/16/2022 08:08, Russell Coker wrote:
>>> On Wednesday, 16 February 2022 22:35:58 AEDT Chris PeBenito wrote:
>>>> Why are you adding bin_t as an entrypoint here and below?
>>>
>>> That's for running a script via the interpreter instead of via a
>>> #!/usr/bin/ whatever so you can't just label the script file.
>>
>> I'm not sure I follow. Are you saying this is for handling things like
>> "bash -c /some/script" and "python foo.py"?
>
> Yes.
I don't think we make this type of accomodation elsewhere in the policy, so I'm
inclined to say no to this part of the change.
--
Chris PeBenito