Subject: Re: [PATCH] puppet changes
To: Russell Coker, selinux-refpolicy@vger.kernel.org
From: Chris PeBenito
Message-ID: <04c6e5fa-1fd4-af32-1bee-5d6789934137@ieee.org>
Date: Mon, 26 Apr 2021 08:52:56 -0400

On 4/20/21 11:06 PM, Russell Coker wrote:
> I've just briefly tried setting up puppet and here are some policy changes.
> The label of the /var/cache/puppet directory doesn't have policy because I
> didn't get to the stage of it being used (contributions welcome).
>
> The corecmd_bin_entry_type() lines are the most important thing as puppet
> is started by a common command for both server and agent, so we need stuff

Why isn't this executable labeled with puppet_exec_t? Am I missing something?

> like the below in systemd service files.
>
> [Service]
> SELinuxContext=system_u:system_r:puppet_t:s0
>
> [Service]
> SELinuxContext=system_u:system_r:puppetmaster_t:s0
>
> I have some other possible changes for Puppet, if someone who knows it well
> would like to have a discussion about that.
>
> Signed-off-by: Russell Coker
>
> Index: refpolicy-2.20210203/policy/modules/admin/puppet.fc
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/admin/puppet.fc
> +++ refpolicy-2.20210203/policy/modules/admin/puppet.fc
> @@ -11,6 +11,7 @@ > /usr/sbin/puppetd -- gen_context(system_u:object_r:puppet_exec_t,s0) > /usr/sbin/puppetmasterd -- gen_context(system_u:object_r:puppetmaster_exec_t,s0) > > +/var/cache/puppet(/.*)? gen_context(system_u:object_r:puppet_cache_t,s0) > /var/lib/puppet(/.*)? gen_context(system_u:object_r:puppet_var_lib_t,s0) > > /var/log/puppet(/.*)? gen_context(system_u:object_r:puppet_log_t,s0) > Index: refpolicy-2.20210203/policy/modules/admin/puppet.te > =================================================================== > --- refpolicy-2.20210203.orig/policy/modules/admin/puppet.te > +++ refpolicy-2.20210203/policy/modules/admin/puppet.te > @@ -36,6 +36,9 @@ init_daemon_runtime_file(puppet_runtime_ > type puppet_tmp_t; > files_tmp_file(puppet_tmp_t) > > +type puppet_cache_t; > +files_type(puppet_cache_t) > + > type puppet_var_lib_t; > files_type(puppet_var_lib_t) > > @@ -96,6 +99,7 @@ kernel_read_kernel_sysctls(puppet_t) > kernel_read_net_sysctls(puppet_t) > kernel_read_network_state(puppet_t) > > +corecmd_bin_entry_type(puppet_t) > corecmd_exec_bin(puppet_t) > corecmd_exec_shell(puppet_t) > corecmd_read_all_executables(puppet_t) > @@ -267,6 +271,7 @@ allow puppetmaster_t puppet_etc_t:lnk_fi > allow puppetmaster_t puppet_log_t:dir setattr_dir_perms; > append_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t) > create_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t) > +read_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t) > setattr_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t) > logging_log_filetrans(puppetmaster_t, puppet_log_t, { file dir }) > > @@ -287,6 +292,7 @@ kernel_read_system_state(puppetmaster_t) > kernel_read_crypto_sysctls(puppetmaster_t) > kernel_read_kernel_sysctls(puppetmaster_t) > > +corecmd_bin_entry_type(puppetmaster_t) > corecmd_exec_bin(puppetmaster_t) > corecmd_exec_shell(puppetmaster_t) > > -- Chris PeBenito
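Review bot: the new `/var/cache/puppet(/.*)? gen_context(system_u:object_r:puppet_cache_t,s0)` entry in the puppet.fc hunk introduces a label that no domain in this patch is allowed to touch, so once the directory is relabeled, puppet_t's use of its cache will be denied instead of being tolerated under the old parent label. Either pair it with manage_dirs_pattern/manage_files_pattern rules for puppet_t on puppet_cache_t plus a files_var_filetrans() so a directory created at runtime also gets the label, or hold the .fc entry back until the cache policy exists, as the cover letter says it is not yet written.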
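Review bot: `type puppet_cache_t;` followed by `files_type(puppet_cache_t)` in the first puppet.te hunk declares a type that nothing else in the module references, which compiles cleanly but leaves the type dormant. If the intent is to reserve it for later work, a short comment above the declaration saying so would stop a future reader from assuming the rules were lost; otherwise add the puppet_t access rules in the same patch.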
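Review bot: `corecmd_bin_entry_type(puppet_t)` in the @@ -96,6 +99,7 @@ hunk makes every bin_t executable a valid entry point into puppet_t, which is a far wider door than the puppet_exec_t entry the file contexts already define for /usr/sbin/puppetd, and it leaves open the question raised above about why the shared command is not labeled puppet_exec_t. If the agent and server really start from one common command, the narrower fix is to label that command with a single dedicated exec type and give puppetmaster_t an entry point on it with domain_entry_file(), keeping bin_t out of the entrypoint set; the commit message should also name the executable that needs this.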
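Review bot: `read_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t)` in the @@ -267,6 +271,7 @@ hunk changes puppet_log_t from append-only to readable for puppetmaster_t, and the commit message does not say which operation needed it. The surrounding rules deliberately grant only append, create and setattr, so please cite the denial or the puppet behaviour (log rotation, a report reader) that motivates read, or drop the line if it came from a blanket audit2allow run.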
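Review bot: `corecmd_bin_entry_type(puppetmaster_t)` in the @@ -287,6 +292,7 @@ hunk has the same drawback as the puppet_t line earlier in the patch, and with both domains enterable from bin_t a unit carrying `SELinuxContext=system_u:system_r:puppetmaster_t:s0` can be pointed at any bin_t binary. The file contexts already define puppetmaster_exec_t for /usr/sbin/puppetmasterd; if the server is now launched through the shared puppet command, relabeling that command to a dedicated exec type and making it an entry point for both domains is the narrower change.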