Subject: Re: [PATCH] puppet
From: Daniel Burgener
To: Russell Coker, selinux-refpolicy@vger.kernel.org
Date: Mon, 14 Feb 2022 10:53:11 -0500
Message-ID: <764d53e9-75d3-dc01-82e0-3b889265e582@linux.microsoft.com>
X-Mailing-List: selinux-refpolicy@vger.kernel.org

On 2/13/2022 5:17 AM, Russell Coker wrote:
> This patch goes most of the way towards making puppet usable. It got puppet
> working for me to the stage where I decided I don't want to use puppet.
>
> I think it's worthy of inclusion.
>
> Signed-off-by: Russell Coker
>
> Index: refpolicy-2.20210203/policy/modules/admin/puppet.fc
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/admin/puppet.fc
> +++ refpolicy-2.20210203/policy/modules/admin/puppet.fc
> @@ -11,6 +11,7 @@ > /usr/sbin/puppetd -- gen_context(system_u:object_r:puppet_exec_t,s0) > /usr/sbin/puppetmasterd -- gen_context(system_u:object_r:puppetmaster_exec_t,s0) > > +/var/cache/puppet(/.*)? gen_context(system_u:object_r:puppet_cache_t,s0) > /var/lib/puppet(/.*)? gen_context(system_u:object_r:puppet_var_lib_t,s0) > > /var/log/puppet(/.*)? gen_context(system_u:object_r:puppet_log_t,s0) > Index: refpolicy-2.20210203/policy/modules/admin/puppet.te > =================================================================== > --- refpolicy-2.20210203.orig/policy/modules/admin/puppet.te > +++ refpolicy-2.20210203/policy/modules/admin/puppet.te > @@ -36,6 +36,9 @@ init_daemon_runtime_file(puppet_runtime_ > type puppet_tmp_t; > files_tmp_file(puppet_tmp_t) > > +type puppet_cache_t; > +files_type(puppet_cache_t) > + It looks to me like there are no rules added here. If I understand everything right, under the current puppet policy, /var/cache/puppet/* was labeled var_t, and I see that the current policy has files_rw_var_files(puppet_t) in an optional block on line 185. That makes me suspect that this line could be changed to rw puppet_cache_t. That would likely keep this patch from reducing puppet functionality in scenarios where it needs the cache, and also avoid the (presumably excessive) var_t access it has now. I'm no puppet expert, so maybe this is all off base, but it feels weird to add this type, but add no rules for it and it seems like puppet should probably be able to use its cache files. -Daniel > type puppet_var_lib_t; > files_type(puppet_var_lib_t) > > @@ -96,6 +99,7 @@ kernel_read_kernel_sysctls(puppet_t) > kernel_read_net_sysctls(puppet_t) > kernel_read_network_state(puppet_t) > > +corecmd_bin_entry_type(puppet_t) > corecmd_exec_bin(puppet_t) > corecmd_exec_shell(puppet_t) > corecmd_read_all_executables(puppet_t) 
> @@ -267,6 +271,7 @@ allow puppetmaster_t puppet_etc_t:lnk_fi > allow puppetmaster_t puppet_log_t:dir setattr_dir_perms; > append_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t) > create_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t) > +read_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t) > setattr_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t) > logging_log_filetrans(puppetmaster_t, puppet_log_t, { file dir }) > > @@ -287,6 +292,7 @@ kernel_read_system_state(puppetmaster_t) > kernel_read_crypto_sysctls(puppetmaster_t) > kernel_read_kernel_sysctls(puppetmaster_t) > > +corecmd_bin_entry_type(puppetmaster_t) > corecmd_exec_bin(puppetmaster_t) > corecmd_exec_shell(puppetmaster_t) >
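Review bot: in the puppet.fc hunk (@@ -11,6 +11,7 @@), the new line "/var/cache/puppet(/.*)? gen_context(system_u:object_r:puppet_cache_t,s0)" changes the label of a directory that already exists on installed systems, so the commit message should mention that /var/cache/puppet needs a relabel (restorecon) after the policy update; until that happens the files keep their old var_t label and the new type has no effect, and once it does happen no rule in this patch grants any domain access to puppet_cache_t.

Review bot: in the puppet.te hunk at @@ -36,6 +36,9 @@, the "type puppet_cache_t; files_type(puppet_cache_t)" declaration comes with no allow rules, as Daniel notes above. The usual refpolicy pairing would be manage_dirs_pattern(puppet_t, puppet_cache_t, puppet_cache_t) and manage_files_pattern(puppet_t, puppet_cache_t, puppet_cache_t) in the puppet_t local policy, plus files_var_filetrans(puppet_t, puppet_cache_t, dir, "puppet") so that a cache directory created by puppet itself gets the right label; with those in place the existing files_rw_var_files(puppet_t) call that Daniel points to could be dropped, which is the least-privilege gain this new type is presumably meant to deliver.

Review bot: in the puppet.te hunk at @@ -96,6 +99,7 @@, corecmd_bin_entry_type(puppet_t) makes every bin_t executable a valid entrypoint into puppet_t, a far broader grant than the single puppet_exec_t entrypoint the module already has, and the patch does not say why it is needed. If the trigger is that puppet is now started through a script or interpreter wrapper under /usr/bin rather than /usr/sbin/puppetd, labelling that path puppet_exec_t in puppet.fc keeps the domain transition tied to one file; otherwise a comment naming the bin_t program that has to enter puppet_t would help the next reader judge the rule.

Review bot: in the puppet.te hunk at @@ -267,6 +271,7 @@, the added read_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t) sits beside existing append_files_pattern, create_files_pattern and setattr_files_pattern calls on the same type. For most daemons the missing read on their own log type is deliberate (logs are append-only from the daemon's point of view), so a one-line comment on what puppetmaster reads back from its logs would make clear this is an intended change rather than a shortcut.

Review bot: in the puppet.te hunk at @@ -287,6 +292,7 @@, corecmd_bin_entry_type(puppetmaster_t) has the same problem as the puppet_t case: /usr/sbin/puppetmasterd is already labelled puppetmaster_exec_t and serves as the entrypoint, so either the commit message should identify which bin_t binary must enter puppetmaster_t, or that binary should be given the puppetmaster_exec_t label instead of opening the whole bin_t type as an entrypoint.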