2022-02-14 16:37:57

by Russell Coker

Subject: [PATCH] puppet

This patch goes most of the way towards making puppet usable. It got puppet
working for me to the stage where I decided I don't want to use puppet.

I think it's worthy of inclusion.

Signed-off-by: Russell Coker <[email protected]>

Index: refpolicy-2.20210203/policy/modules/admin/puppet.fc
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/admin/puppet.fc
+++ refpolicy-2.20210203/policy/modules/admin/puppet.fc
@@ -11,6 +11,7 @@
/usr/sbin/puppetd -- gen_context(system_u:object_r:puppet_exec_t,s0)
/usr/sbin/puppetmasterd -- gen_context(system_u:object_r:puppetmaster_exec_t,s0)

+/var/cache/puppet(/.*)? gen_context(system_u:object_r:puppet_cache_t,s0)
/var/lib/puppet(/.*)? gen_context(system_u:object_r:puppet_var_lib_t,s0)

/var/log/puppet(/.*)? gen_context(system_u:object_r:puppet_log_t,s0)
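Review bot: this .fc entry moves /var/cache/puppet from its current label to puppet_cache_t, but no hunk in this patch grants puppet_t (or puppetmaster_t) any access to puppet_cache_t, so on a host where the agent actually uses its cache this relabel removes access instead of tightening it. Either add the matching manage rules in puppet.te in the same patch or hold this entry back until they exist; the commit message should also say that existing installs need a relabel of /var/cache/puppet (e.g. `restorecon -R /var/cache/puppet`) for the new entry to take effect.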
Index: refpolicy-2.20210203/policy/modules/admin/puppet.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/admin/puppet.te
+++ refpolicy-2.20210203/policy/modules/admin/puppet.te
@@ -36,6 +36,9 @@ init_daemon_runtime_file(puppet_runtime_
type puppet_tmp_t;
files_tmp_file(puppet_tmp_t)

+type puppet_cache_t;
+files_type(puppet_cache_t)
+
type puppet_var_lib_t;
files_type(puppet_var_lib_t)

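Review bot: puppet_cache_t is declared with files_type() but is never referenced by an allow rule anywhere in the patch, so the type is unusable as submitted. It needs at least `manage_dirs_pattern(puppet_t, puppet_cache_t, puppet_cache_t)` and `manage_files_pattern(puppet_t, puppet_cache_t, puppet_cache_t)`, plus a `files_var_filetrans(puppet_t, puppet_cache_t, dir, "puppet")` so the directory gets the right label when the agent creates it at runtime rather than relying on the package and a relabel. A dedicated type is the right design if the cache is private to the agent; it just needs the rules that go with it.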
@@ -96,6 +99,7 @@ kernel_read_kernel_sysctls(puppet_t)
kernel_read_net_sysctls(puppet_t)
kernel_read_network_state(puppet_t)

+corecmd_bin_entry_type(puppet_t)
corecmd_exec_bin(puppet_t)
corecmd_exec_shell(puppet_t)
corecmd_read_all_executables(puppet_t)
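Review bot: corecmd_bin_entry_type(puppet_t) makes every bin_t executable a valid entry point into puppet_t, which is far broader than the dedicated puppet_exec_t entry point puppet.fc already defines for /usr/sbin/puppetd. If the reason is that the binary which actually starts the agent lives under a path labelled bin_t, the narrower fix is a puppet.fc entry labelling that path puppet_exec_t; either way the commit message should name the binary that needed this so the choice can be reviewed.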
@@ -267,6 +271,7 @@ allow puppetmaster_t puppet_etc_t:lnk_fi
allow puppetmaster_t puppet_log_t:dir setattr_dir_perms;
append_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t)
create_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t)
+read_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t)
setattr_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t)
logging_log_filetrans(puppetmaster_t, puppet_log_t, { file dir })

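Review bot: adding read_files_pattern here is the narrow choice and preferable to bumping the whole set to manage, so the rule itself looks fine; what is missing is a line in the commit message saying which puppetmaster operation was denied reading its own log (log reopen after rotation, a status command, or similar), since a daemon reading back its logs is unusual enough that a future reader will want to know why it was granted.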
@@ -287,6 +292,7 @@ kernel_read_system_state(puppetmaster_t)
kernel_read_crypto_sysctls(puppetmaster_t)
kernel_read_kernel_sysctls(puppetmaster_t)

+corecmd_bin_entry_type(puppetmaster_t)
corecmd_exec_bin(puppetmaster_t)
corecmd_exec_shell(puppetmaster_t)

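Review bot: same concern as the puppet_t hunk above: corecmd_bin_entry_type(puppetmaster_t) lets any bin_t binary enter the puppetmaster_t domain, while /usr/sbin/puppetmasterd already has its own puppetmaster_exec_t entry point in puppet.fc. Prefer labelling whichever additional binary needs to enter the domain as puppetmaster_exec_t, and state which one it is in the commit message.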

2022-02-14 20:36:48

by Daniel Burgener

Subject: Re: [PATCH] puppet

On 2/13/2022 5:17 AM, Russell Coker wrote:
> This patch goes most of the way towards making puppet usable. It got puppet
> working for me to the stage where I decided I don't want to use puppet.
>
> I think it's worthy of inclusion.
>
> Signed-off-by: Russell Coker <[email protected]>
>
> Index: refpolicy-2.20210203/policy/modules/admin/puppet.fc
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/admin/puppet.fc
> +++ refpolicy-2.20210203/policy/modules/admin/puppet.fc
> @@ -11,6 +11,7 @@
> /usr/sbin/puppetd -- gen_context(system_u:object_r:puppet_exec_t,s0)
> /usr/sbin/puppetmasterd -- gen_context(system_u:object_r:puppetmaster_exec_t,s0)
>
> +/var/cache/puppet(/.*)? gen_context(system_u:object_r:puppet_cache_t,s0)
> /var/lib/puppet(/.*)? gen_context(system_u:object_r:puppet_var_lib_t,s0)
>
> /var/log/puppet(/.*)? gen_context(system_u:object_r:puppet_log_t,s0)
> Index: refpolicy-2.20210203/policy/modules/admin/puppet.te
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/admin/puppet.te
> +++ refpolicy-2.20210203/policy/modules/admin/puppet.te
> @@ -36,6 +36,9 @@ init_daemon_runtime_file(puppet_runtime_
> type puppet_tmp_t;
> files_tmp_file(puppet_tmp_t)
>
> +type puppet_cache_t;
> +files_type(puppet_cache_t)
> +

It looks to me like there are no rules added here. If I understand
everything right, under the current puppet policy, /var/cache/puppet/*
was labeled var_t, and I see that the current policy has
files_rw_var_files(puppet_t) in an optional block on line 185. That
makes me suspect that this line could be changed to rw puppet_cache_t.
That would likely keep this patch from reducing puppet functionality in
scenarios where it needs the cache, and also avoid the (presumably
excessive) var_t access it has now.

I'm no puppet expert, so maybe this is all off base, but it feels weird
to add this type, but add no rules for it and it seems like puppet
should probably be able to use its cache files.

-Daniel

> type puppet_var_lib_t;
> files_type(puppet_var_lib_t)
>
> @@ -96,6 +99,7 @@ kernel_read_kernel_sysctls(puppet_t)
> kernel_read_net_sysctls(puppet_t)
> kernel_read_network_state(puppet_t)
>
> +corecmd_bin_entry_type(puppet_t)
> corecmd_exec_bin(puppet_t)
> corecmd_exec_shell(puppet_t)
> corecmd_read_all_executables(puppet_t)
> @@ -267,6 +271,7 @@ allow puppetmaster_t puppet_etc_t:lnk_fi
> allow puppetmaster_t puppet_log_t:dir setattr_dir_perms;
> append_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t)
> create_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t)
> +read_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t)
> setattr_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t)
> logging_log_filetrans(puppetmaster_t, puppet_log_t, { file dir })
>
> @@ -287,6 +292,7 @@ kernel_read_system_state(puppetmaster_t)
> kernel_read_crypto_sysctls(puppetmaster_t)
> kernel_read_kernel_sysctls(puppetmaster_t)
>
> +corecmd_bin_entry_type(puppetmaster_t)
> corecmd_exec_bin(puppetmaster_t)
> corecmd_exec_shell(puppetmaster_t)
>