Received-SPF: softfail (google.com: domain of transitioning selinux-refpolicy-owner@vger.kernel.org does not designate 23.128.96.19 as permitted sender) client-ip=23.128.96.19;
Message-ID: <764d53e9-75d3-dc01-82e0-3b889265e582@linux.microsoft.com>
Date:   Mon, 14 Feb 2022 10:53:11 -0500
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101
 Thunderbird/91.5.1
Subject: Re: [PATCH] puppet
Content-Language: en-US
To:     Russell Coker <russell@coker.com.au>,
        selinux-refpolicy@vger.kernel.org
References: <YgjaswEDRfB5r2Mi@xev.coker.com.au>
From:   Daniel Burgener <dburgener@linux.microsoft.com>
In-Reply-To: <YgjaswEDRfB5r2Mi@xev.coker.com.au>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
Precedence: bulk

On 2/13/2022 5:17 AM, Russell Coker wrote:
> This patch goes most of the way towards making puppet usable.  It got puppet
> working for me to the stage where I decided I don't want to use puppet.
> 
> I think it's worthy of inclusion.
> 
> Signed-off-by: Russell Coker <russell@coker.com.au>
> 
> Index: refpolicy-2.20210203/policy/modules/admin/puppet.fc
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/admin/puppet.fc
> +++ refpolicy-2.20210203/policy/modules/admin/puppet.fc
> @@ -11,6 +11,7 @@
>   /usr/sbin/puppetd	--	gen_context(system_u:object_r:puppet_exec_t,s0)
>   /usr/sbin/puppetmasterd	--	gen_context(system_u:object_r:puppetmaster_exec_t,s0)
>   
> +/var/cache/puppet(/.*)?	gen_context(system_u:object_r:puppet_cache_t,s0)
>   /var/lib/puppet(/.*)?	gen_context(system_u:object_r:puppet_var_lib_t,s0)
>   
>   /var/log/puppet(/.*)?	gen_context(system_u:object_r:puppet_log_t,s0)
> Index: refpolicy-2.20210203/policy/modules/admin/puppet.te
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/admin/puppet.te
> +++ refpolicy-2.20210203/policy/modules/admin/puppet.te
> @@ -36,6 +36,9 @@ init_daemon_runtime_file(puppet_runtime_
>   type puppet_tmp_t;
>   files_tmp_file(puppet_tmp_t)
>   
> +type puppet_cache_t;
> +files_type(puppet_cache_t)
> +

It looks to me like there are no rules added here.  If I understand 
everything right, under the current puppet policy, /var/cache/puppet/* 
was labeled var_t, and I see that the current policy has 
files_rw_var_files(puppet_t) in an optional block on line 185.  That 
makes me suspect that this line could be changed to rw puppet_cache_t. 
That would likely keep this patch from reducing puppet functionality in 
scenarios where it needs the cache, and also avoid the (presumably 
excessive) var_t access it has now.

I'm no puppet expert, so maybe this is all off base, but it feels weird 
to add this type, but add no rules for it and it seems like puppet 
should probably be able to use its cache files.

-Daniel

>   type puppet_var_lib_t;
>   files_type(puppet_var_lib_t)
>   
> @@ -96,6 +99,7 @@ kernel_read_kernel_sysctls(puppet_t)
>   kernel_read_net_sysctls(puppet_t)
>   kernel_read_network_state(puppet_t)
>   
> +corecmd_bin_entry_type(puppet_t)
>   corecmd_exec_bin(puppet_t)
>   corecmd_exec_shell(puppet_t)
>   corecmd_read_all_executables(puppet_t)
> @@ -267,6 +271,7 @@ allow puppetmaster_t puppet_etc_t:lnk_fi
>   allow puppetmaster_t puppet_log_t:dir setattr_dir_perms;
>   append_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t)
>   create_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t)
> +read_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t)
>   setattr_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t)
>   logging_log_filetrans(puppetmaster_t, puppet_log_t, { file dir })
>   
> @@ -287,6 +292,7 @@ kernel_read_system_state(puppetmaster_t)
>   kernel_read_crypto_sysctls(puppetmaster_t)
>   kernel_read_kernel_sysctls(puppetmaster_t)
>   
> +corecmd_bin_entry_type(puppetmaster_t)
>   corecmd_exec_bin(puppetmaster_t)
>   corecmd_exec_shell(puppetmaster_t)
>