Date: Wed, 21 Apr 2021 13:06:08 +1000
From: Russell Coker
To: selinux-refpolicy@vger.kernel.org
Subject: [PATCH] puppet changes

I've just briefly tried setting up puppet and here are some policy changes.

The label of the /var/cache/puppet directory doesn't have policy because I didn't get to the stage of it being used (contributions welcome).

The corecmd_bin_entry_type() lines are the most important thing, as puppet is started by a common command for both server and agent, so we need stuff like the below in systemd service files.

[Service]
SELinuxContext=system_u:system_r:puppet_t:s0

[Service]
SELinuxContext=system_u:system_r:puppetmaster_t:s0

I have some other possible changes for Puppet, if someone who knows it well would like to have a discussion about that.

Signed-off-by: Russell Coker

Index: refpolicy-2.20210203/policy/modules/admin/puppet.fc =================================================================== --- refpolicy-2.20210203.orig/policy/modules/admin/puppet.fc +++ refpolicy-2.20210203/policy/modules/admin/puppet.fc @@ -11,6 +11,7 @@ /usr/sbin/puppetd -- gen_context(system_u:object_r:puppet_exec_t,s0) /usr/sbin/puppetmasterd -- gen_context(system_u:object_r:puppetmaster_exec_t,s0) +/var/cache/puppet(/.*)? gen_context(system_u:object_r:puppet_cache_t,s0) /var/lib/puppet(/.*)? gen_context(system_u:object_r:puppet_var_lib_t,s0) /var/log/puppet(/.*)? gen_context(system_u:object_r:puppet_log_t,s0) Index: refpolicy-2.20210203/policy/modules/admin/puppet.te =================================================================== --- refpolicy-2.20210203.orig/policy/modules/admin/puppet.te +++ refpolicy-2.20210203/policy/modules/admin/puppet.te
@@ -36,6 +36,9 @@ init_daemon_runtime_file(puppet_runtime_ type puppet_tmp_t; files_tmp_file(puppet_tmp_t) +type puppet_cache_t; +files_type(puppet_cache_t) + type puppet_var_lib_t; files_type(puppet_var_lib_t) @@ -96,6 +99,7 @@ kernel_read_kernel_sysctls(puppet_t) kernel_read_net_sysctls(puppet_t) kernel_read_network_state(puppet_t) +corecmd_bin_entry_type(puppet_t) corecmd_exec_bin(puppet_t) corecmd_exec_shell(puppet_t) corecmd_read_all_executables(puppet_t) @@ -267,6 +271,7 @@ allow puppetmaster_t puppet_etc_t:lnk_fi allow puppetmaster_t puppet_log_t:dir setattr_dir_perms; append_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t) create_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t) +read_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t) setattr_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t) logging_log_filetrans(puppetmaster_t, puppet_log_t, { file dir }) @@ -287,6 +292,7 @@ kernel_read_system_state(puppetmaster_t) kernel_read_crypto_sysctls(puppetmaster_t) kernel_read_kernel_sysctls(puppetmaster_t) +corecmd_bin_entry_type(puppetmaster_t) corecmd_exec_bin(puppetmaster_t) corecmd_exec_shell(puppetmaster_t)
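Review bot: the new /var/cache/puppet(/.*)? line in puppet.fc labels the directory puppet_cache_t, but no hunk in puppet.te grants puppet_t or puppetmaster_t any access to puppet_cache_t and there is no file transition for it, so a daemon that creates /var/cache/puppet at runtime will inherit the parent directory's label, and one that finds a correctly labelled directory will be denied. Either add the access rules now (for example manage_dirs_pattern(puppet_t, puppet_cache_t, puppet_cache_t) and manage_files_pattern(puppet_t, puppet_cache_t, puppet_cache_t) plus a filetrans rule on the "puppet" directory name) or put a comment next to the .fc entry saying the label is a placeholder that no domain uses yet, as the commit message already implies.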
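Review bot: in the first puppet.te hunk, puppet_cache_t is declared between puppet_tmp_t and puppet_var_lib_t, which breaks the alphabetical order the surrounding declarations follow; move it ahead of puppet_runtime_t. Since the commit message says nothing uses the type yet, a one-line comment at the declaration saying so would stop the next reader from assuming it is wired up.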
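Review bot: corecmd_bin_entry_type(puppet_t) in the second puppet.te hunk makes every bin_t file a legitimate entry point into puppet_t, not only the shared puppet command the commit message describes, and the module now silently depends on the unit file carrying SELinuxContext=system_u:system_r:puppet_t:s0; without that line the agent simply runs in whatever domain init gives a bin_t executable. Add a comment next to this line stating that the agent is entered via SELinuxContext= rather than a file-based transition, and record the required unit-file setting in the module's description so it survives outside this e-mail.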
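Review bot: read_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t) in the third puppet.te hunk gives the master read access to its own logs, whereas the existing rules in that block deliberately stop at append, create and setattr. The commit message should say what the master needs to read from its log files; if this came from an AVC denial that does not actually break anything, a dontaudit is the usual choice rather than an allow.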
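Review bot: with the last hunk, bin_t is an entry type for both puppet_t and puppetmaster_t, so the only thing deciding whether the shared command runs as agent or as master is the SELinuxContext= value in each unit file; a copy-paste error in a unit would run the master in the agent domain, or the reverse, with no denial to show for it. Note this in the module's description so administrators know the two unit files must carry exactly the contexts given in the commit message, and consider whether the shared command can be given its own exec type so that at least the transition target is visible in policy.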
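As an added example, not part of the patch or of the refpolicy project, the check below shows how to confirm that each systemd unit pins the shared puppet command to the intended domain with SELinuxContext= and that the command's file label is one that domain may be entered from. The unit names puppet.service and puppetserver.service, the /usr/bin/puppet path, the constructed .fc lines and the assumption that puppet_exec_t and puppetmaster_exec_t are entry types for their domains are all mine; bin_t as an entry type comes from the corecmd_bin_entry_type() lines in the patch. Longest-literal-stem matching approximates how setfiles orders file_contexts and is not libselinux's exact algorithm.

```python
# Added example (not from the patch or refpolicy): verify that systemd units
# pin the shared puppet command to the intended SELinux domain and that the
# command's label is an entry type for that domain. Paths, unit names and
# .fc lines are constructed for illustration.
import re

# Constructed file_contexts lines in refpolicy .fc syntax; the bin_t and
# puppet_cache_t entries are assumed, the puppetd/puppetmasterd ones mirror
# the context lines visible in the patch.
FILE_CONTEXTS = """\
/usr/bin(/.*)?               gen_context(system_u:object_r:bin_t,s0)
/usr/sbin(/.*)?              gen_context(system_u:object_r:bin_t,s0)
/usr/sbin/puppetd        --  gen_context(system_u:object_r:puppet_exec_t,s0)
/usr/sbin/puppetmasterd  --  gen_context(system_u:object_r:puppetmaster_exec_t,s0)
/var/cache/puppet(/.*)?      gen_context(system_u:object_r:puppet_cache_t,s0)
"""

# Constructed unit files: two correct ones, one missing SELinuxContext=, and
# one whose ExecStart binary has no file_contexts entry at all.
UNITS = {
    "puppet.service": "[Unit]\nDescription=Puppet agent\n[Service]\n"
                      "ExecStart=/usr/bin/puppet agent --no-daemonize\n"
                      "SELinuxContext=system_u:system_r:puppet_t:s0\n",
    "puppetserver.service": "[Service]\n"
                            "ExecStart=/usr/bin/puppet master --no-daemonize\n"
                            "SELinuxContext=system_u:system_r:puppetmaster_t:s0\n",
    "puppet-unpinned.service": "[Service]\n"
                               "ExecStart=/usr/bin/puppet agent --no-daemonize\n",
    "puppet-unlabelled.service": "[Service]\n"
                                 "ExecStart=/opt/puppetlabs/bin/puppet agent\n"
                                 "SELinuxContext=system_u:system_r:puppet_t:s0\n",
}
EXPECTED_DOMAIN = {
    "puppet.service": "puppet_t",
    "puppetserver.service": "puppetmaster_t",
    "puppet-unpinned.service": "puppet_t",
    "puppet-unlabelled.service": "puppet_t",
}
# Entry types per domain: the exec types are assumed from the .fc labels,
# bin_t is what corecmd_bin_entry_type() adds in the patch.
ENTRY_TYPES = {
    "puppet_t": {"puppet_exec_t", "bin_t"},
    "puppetmaster_t": {"puppetmaster_exec_t", "bin_t"},
}

FC_LINE = re.compile(r"^(\S+)\s+(?:(-[-dlcbsp])\s+)?gen_context\(([^,]+),(\S+)\)$")


def parse_fc(text):
    """Return (compiled regex, literal stem, file-type flag, type) tuples."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = FC_LINE.match(line)
        if not m:
            raise ValueError("unparsable .fc line: " + line)
        regex, flag, ctx, _mls = m.groups()
        stem = re.match(r"[^.*?+(\[\\|]*", regex).group(0)  # literal prefix
        entries.append((re.compile("^" + regex + "$"), stem, flag, ctx.split(":")[2]))
    return entries


def match_type(entries, path):
    """Type of a regular file at path: the matching entry with the longest
    literal stem wins (an approximation of setfiles' ordering, assumed)."""
    best = None
    for regex, stem, flag, stype in entries:
        if flag in (None, "--") and regex.match(path):
            if best is None or len(stem) > len(best[0]):
                best = (stem, stype)
    return best[1] if best else None


def parse_unit(text):
    """Flatten a unit file into {(section, key): last value seen}."""
    section, values = None, {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        key, _, val = line.partition("=")
        values[(section, key.strip())] = val.strip()
    return values


def check_unit(name, text, entries):
    """Findings for one unit; an empty list means it is pinned as intended."""
    expected = EXPECTED_DOMAIN[name]
    findings = []
    unit = parse_unit(text)
    ctx = unit.get(("Service", "SELinuxContext"))
    if ctx is None:
        findings.append(f"no SELinuxContext=, nothing pins {name} to {expected}")
    elif ctx.split(":")[2] != expected:
        findings.append(f"SELinuxContext= names {ctx.split(':')[2]}, expected {expected}")
    exec_start = unit.get(("Service", "ExecStart"), "")
    if not exec_start:
        findings.append("no ExecStart=")
        return findings
    binary = exec_start.split()[0].lstrip("-@:+!")  # strip systemd prefixes
    stype = match_type(entries, binary)
    if stype not in ENTRY_TYPES[expected]:
        findings.append(f"{binary} is labelled {stype or 'nothing in file_contexts'}, "
                        f"not an entry type for {expected}")
    return findings


def check_all():
    entries = parse_fc(FILE_CONTEXTS)
    return {name: check_unit(name, text, entries) for name, text in UNITS.items()}


if __name__ == "__main__":
    for name, findings in check_all().items():
        print(name + ":", "OK" if not findings else "; ".join(findings))
```

This only checks the configuration side; on a live host the same question is answered after `systemctl start` by looking at the process domain with `ps -eZ`, which is the check to run before trusting the unit files.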