Received: by 2002:a05:6a10:1a4d:0:0:0:0 with SMTP id nk13csp5833148pxb;
        Mon, 14 Feb 2022 08:37:57 -0800 (PST)
X-Google-Smtp-Source: ABdhPJxhqWPsOAlWvcQf4tf3NUYG9n4tJgZiLWsRgINPARYXDIndj79JssrWiEbgSD+04ofV0ZqQ
X-Received: by 2002:a17:906:7a1b:: with SMTP id d27mr287318ejo.765.1644856676805;
        Mon, 14 Feb 2022 08:37:56 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1644856676; cv=none;
        d=google.com; s=arc-20160816;
        b=tnacln4GO7R6Yv0WXUElm8QItV5UaqslcoX/ZLNp02t9qGnVifnDsA4/NSg6pNdoun
         UxL7oOssOAozRmDGsSSf1LdlkconNP2Q9W//tkLqBRlxWLX2Nt0MW5B4GF9AR0UstxTr
         knJu4ZFbRt/Np0GoHiT/0vKZ5tWIMqZJsN25pFiKaJEYCXX1NGZNUr5ajKIINKrc1K4T
         2Gbfp+JfIpJyK6xfiNV1TOHpnUxNOdEXf4+L5WVV8autG0XOPSHatLGYh7n3LdEHIrOt
         wgKJDNW5DiLW2nt6VN1SPU8nwpsGsT+tsxaYI8ncElfn0CcWyDdjcwB76NAUjKaAwfmB
         MXIw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-disposition:mime-version:message-id
         :subject:to:from:date:dkim-signature;
        bh=gmPnHMjTvf3zcD71UKlaTFuRiDhiDFkdWbWLKc67SGc=;
        b=kYoV5Qc++YN9KdNAkADq2CXaJcntUEVfKyhO3ZTRBIohFd7IoCcvf9z+b3Qscfyqhv
         tN0eQKkbn/VAos4+3xk2XU6mXDZSjAiFp2ahrhzEHxlOmEOt/ZFIAngITEcR3VFTkKql
         8OhWAAw8fNPIV58Jz5a/LpckEQrWnxjhalFZaO14fj89CPQEaqPlDO6ThpXLWI5qw+oE
         2tJ7FbeVtqz+BPRYIgoHhNQw7bf7ZVVdkkft/R9V/+SOkJE82taO8Q60o0pAvQL+bQB3
         lJvV48DtW6SjaSZMGkamdpggKkMnKm8IIv+bDJ7lTPLpUXHZNsRqGohhm0O30CqX26jZ
         fPmQ==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@coker.com.au header.s=2008 header.b=hibW8UG6;
       spf=pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=coker.com.au
Return-Path: <selinux-refpolicy-owner@vger.kernel.org>
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
        by mx.google.com with ESMTP id k7si4320064edx.278.2022.02.14.08.37.46;
        Mon, 14 Feb 2022 08:37:56 -0800 (PST)
Received-SPF: pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@coker.com.au header.s=2008 header.b=hibW8UG6;
       spf=pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=coker.com.au
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S234810AbiBMKRh (ORCPT <rfc822;linux.lists.archive@gmail.com>
        + 22 others); Sun, 13 Feb 2022 05:17:37 -0500
Received: from mxb-00190b01.gslb.pphosted.com ([23.128.96.19]:45360 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S229935AbiBMKRg (ORCPT
        <rfc822;selinux-refpolicy@vger.kernel.org>);
        Sun, 13 Feb 2022 05:17:36 -0500
X-Greylist: delayed 433 seconds by postgrey-1.37 at lindbergh.monkeyblade.net; Sun, 13 Feb 2022 02:17:30 PST
Received: from smtp.sws.net.au (smtp.sws.net.au [144.76.241.179])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 2AB965D18A
        for <selinux-refpolicy@vger.kernel.org>; Sun, 13 Feb 2022 02:17:30 -0800 (PST)
Received: from xev.coker.com.au (localhost [127.0.0.1])
        by smtp.sws.net.au (Postfix) with ESMTP id 20DF210233
        for <selinux-refpolicy@vger.kernel.org>; Sun, 13 Feb 2022 21:17:28 +1100 (AEDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=coker.com.au;
        s=2008; t=1644747448;
        bh=gmPnHMjTvf3zcD71UKlaTFuRiDhiDFkdWbWLKc67SGc=; l=2358;
        h=Date:From:To:Subject:From;
        b=hibW8UG6Y7ih7xv0VPL62pHCFiySP0rIgWXwnStY7O6hhN8wQNBIye+R5tQ/pqf2S
         wVIBFJ+aaiciGxpEBTCuCcJUVEQGt8Q5dbi/msou0kBiU96A5wb0zBkvhHSrgHBF+y
         VYUw4uLIcdwM1s66zWD4n3c5L3z487ML0dBj4oXg=
Received: by xev.coker.com.au (Postfix, from userid 1001)
        id 967D3172B01E; Sun, 13 Feb 2022 21:17:23 +1100 (AEDT)
Date:   Sun, 13 Feb 2022 21:17:23 +1100
From:   Russell Coker <russell@coker.com.au>
To:     selinux-refpolicy@vger.kernel.org
Subject: [PATCH] puppet
Message-ID: <YgjaswEDRfB5r2Mi@xev.coker.com.au>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED,
        DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,SPF_HELO_NONE,SPF_PASS,
        T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <selinux-refpolicy.vger.kernel.org>
X-Mailing-List: selinux-refpolicy@vger.kernel.org

This patch goes most of the way towards making puppet usable.  It got puppet
working for me to the stage where I decided I don't want to use puppet.

I think it's worthy of inclusion.

Signed-off-by: Russell Coker <russell@coker.com.au>

Index: refpolicy-2.20210203/policy/modules/admin/puppet.fc
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/admin/puppet.fc
+++ refpolicy-2.20210203/policy/modules/admin/puppet.fc
@@ -11,6 +11,7 @@
 /usr/sbin/puppetd	--	gen_context(system_u:object_r:puppet_exec_t,s0)
 /usr/sbin/puppetmasterd	--	gen_context(system_u:object_r:puppetmaster_exec_t,s0)
 
+/var/cache/puppet(/.*)?	gen_context(system_u:object_r:puppet_cache_t,s0)
 /var/lib/puppet(/.*)?	gen_context(system_u:object_r:puppet_var_lib_t,s0)
 
 /var/log/puppet(/.*)?	gen_context(system_u:object_r:puppet_log_t,s0)
Index: refpolicy-2.20210203/policy/modules/admin/puppet.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/admin/puppet.te
+++ refpolicy-2.20210203/policy/modules/admin/puppet.te
@@ -36,6 +36,9 @@ init_daemon_runtime_file(puppet_runtime_
 type puppet_tmp_t;
 files_tmp_file(puppet_tmp_t)
 
+type puppet_cache_t;
+files_type(puppet_cache_t)
+
 type puppet_var_lib_t;
 files_type(puppet_var_lib_t)
 
@@ -96,6 +99,7 @@ kernel_read_kernel_sysctls(puppet_t)
 kernel_read_net_sysctls(puppet_t)
 kernel_read_network_state(puppet_t)
 
+corecmd_bin_entry_type(puppet_t)
 corecmd_exec_bin(puppet_t)
 corecmd_exec_shell(puppet_t)
 corecmd_read_all_executables(puppet_t)
@@ -267,6 +271,7 @@ allow puppetmaster_t puppet_etc_t:lnk_fi
 allow puppetmaster_t puppet_log_t:dir setattr_dir_perms;
 append_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t)
 create_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t)
+read_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t)
 setattr_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t)
 logging_log_filetrans(puppetmaster_t, puppet_log_t, { file dir })
 
@@ -287,6 +292,7 @@ kernel_read_system_state(puppetmaster_t)
 kernel_read_crypto_sysctls(puppetmaster_t)
 kernel_read_kernel_sysctls(puppetmaster_t)
 
+corecmd_bin_entry_type(puppetmaster_t)
 corecmd_exec_bin(puppetmaster_t)
 corecmd_exec_shell(puppetmaster_t)