Date: Sun, 13 Feb 2022 21:17:23 +1100
From: Russell Coker
To: selinux-refpolicy@vger.kernel.org
Subject: [PATCH] puppet

This patch goes most of the way towards making puppet usable. It got puppet working for me to the stage where I decided I don't want to use puppet. I think it's worthy of inclusion.

Signed-off-by: Russell Coker

Index: refpolicy-2.20210203/policy/modules/admin/puppet.fc =================================================================== --- refpolicy-2.20210203.orig/policy/modules/admin/puppet.fc +++ refpolicy-2.20210203/policy/modules/admin/puppet.fc @@ -11,6 +11,7 @@ /usr/sbin/puppetd -- gen_context(system_u:object_r:puppet_exec_t,s0) /usr/sbin/puppetmasterd -- gen_context(system_u:object_r:puppetmaster_exec_t,s0) +/var/cache/puppet(/.*)? gen_context(system_u:object_r:puppet_cache_t,s0) /var/lib/puppet(/.*)? gen_context(system_u:object_r:puppet_var_lib_t,s0) /var/log/puppet(/.*)? gen_context(system_u:object_r:puppet_log_t,s0) Index: refpolicy-2.20210203/policy/modules/admin/puppet.te =================================================================== --- refpolicy-2.20210203.orig/policy/modules/admin/puppet.te +++ refpolicy-2.20210203/policy/modules/admin/puppet.te @@ -36,6 +36,9 @@ init_daemon_runtime_file(puppet_runtime_ type puppet_tmp_t; files_tmp_file(puppet_tmp_t) +type puppet_cache_t; +files_type(puppet_cache_t) + type puppet_var_lib_t; files_type(puppet_var_lib_t) 
@@ -96,6 +99,7 @@ kernel_read_kernel_sysctls(puppet_t) kernel_read_net_sysctls(puppet_t) kernel_read_network_state(puppet_t) +corecmd_bin_entry_type(puppet_t) corecmd_exec_bin(puppet_t) corecmd_exec_shell(puppet_t) corecmd_read_all_executables(puppet_t) @@ -267,6 +271,7 @@ allow puppetmaster_t puppet_etc_t:lnk_fi allow puppetmaster_t puppet_log_t:dir setattr_dir_perms; append_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t) create_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t) +read_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t) setattr_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t) logging_log_filetrans(puppetmaster_t, puppet_log_t, { file dir }) @@ -287,6 +292,7 @@ kernel_read_system_state(puppetmaster_t) kernel_read_crypto_sysctls(puppetmaster_t) kernel_read_kernel_sysctls(puppetmaster_t) +corecmd_bin_entry_type(puppetmaster_t) corecmd_exec_bin(puppetmaster_t) corecmd_exec_shell(puppetmaster_t)
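Review bot: the /var/cache/puppet(/.*)? entry in the puppet.fc hunk only takes effect after a relabel; if the agent creates /var/cache/puppet itself at run time, the directory will inherit whatever label /var/cache carries unless puppet.te also gets a file transition, for example files_var_filetrans(puppet_t, puppet_cache_t, dir, "puppet"). Please add the transition next to the domain's other filetrans rules, or state in the commit message that the directory is always created by the package.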
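Review bot: the @@ -36 hunk in puppet.te declares puppet_cache_t with files_type(), but no hunk in the patch grants puppet_t or puppetmaster_t any access to it, so the type is declared and labelled yet unusable by the domains it is meant for. Add the access rules next to those for the other puppet_* file types, e.g. manage_dirs_pattern(puppet_t, puppet_cache_t, puppet_cache_t) and manage_files_pattern(puppet_t, puppet_cache_t, puppet_cache_t), and the same for puppetmaster_t if it also uses the cache.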
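Review bot: corecmd_bin_entry_type(puppet_t) in the @@ -96 hunk makes every bin_t executable a valid entrypoint for puppet_t instead of only puppet_exec_t, and the commit message does not say which denial drove it. If the agent is started through a wrapper or script under /usr/bin, the narrower fix is to label that file puppet_exec_t in puppet.fc alongside /usr/sbin/puppetd; otherwise please record the reason in the commit message.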
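Review bot: read_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t) in the @@ -267 hunk extends the existing append/create/setattr rules with read access, which is unusual for a daemon's own log directory; please state in the commit message what puppetmaster reads from /var/log/puppet, because if those are reports or state files rather than logs they belong under puppet_var_lib_t or a dedicated type.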
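Review bot: corecmd_bin_entry_type(puppetmaster_t) in the @@ -287 hunk has the same effect for the master domain as the matching line added for puppet_t: any bin_t file becomes an entrypoint instead of only puppetmaster_exec_t. Please justify it in the commit message, or label the actual entry executable puppetmaster_exec_t in puppet.fc the way /usr/sbin/puppetmasterd already is.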