Date: Tue, 15 Feb 2022 12:57:35 +1100
From: Russell Coker To: selinux-refpolicy@vger.kernel.org Subject: [PATCH] puppet patch V2 Message-ID: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,SPF_HELO_NONE,SPF_PASS, T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: selinux-refpolicy@vger.kernel.org New Puppet patch improved after feedback from Daniel Burgener . Now gives write access to cache files and removes rw access to var_t. Signed-off-by: Russell Coker Index: refpolicy-2.20220106/policy/modules/admin/puppet.fc =================================================================== --- refpolicy-2.20220106.orig/policy/modules/admin/puppet.fc +++ refpolicy-2.20220106/policy/modules/admin/puppet.fc @@ -11,6 +11,7 @@ /usr/sbin/puppetd -- gen_context(system_u:object_r:puppet_exec_t,s0) /usr/sbin/puppetmasterd -- gen_context(system_u:object_r:puppetmaster_exec_t,s0) +/var/cache/puppet(/.*)? gen_context(system_u:object_r:puppet_cache_t,s0) /var/lib/puppet(/.*)? gen_context(system_u:object_r:puppet_var_lib_t,s0) /var/log/puppet(/.*)? gen_context(system_u:object_r:puppet_log_t,s0) Index: refpolicy-2.20220106/policy/modules/admin/puppet.te =================================================================== --- refpolicy-2.20220106.orig/policy/modules/admin/puppet.te +++ refpolicy-2.20220106/policy/modules/admin/puppet.te @@ -36,6 +36,9 @@ init_daemon_runtime_file(puppet_runtime_ type puppet_tmp_t; files_tmp_file(puppet_tmp_t) +type puppet_cache_t; +files_type(puppet_cache_t) + type puppet_var_lib_t; files_type(puppet_var_lib_t) 
@@ -74,6 +77,9 @@ manage_dirs_pattern(puppet_t, puppet_var manage_files_pattern(puppet_t, puppet_var_lib_t, puppet_var_lib_t) can_exec(puppet_t, puppet_var_lib_t) +manage_dirs_pattern(puppet_t, puppet_cache_t, puppet_cache_t) +manage_files_pattern(puppet_t, puppet_cache_t, puppet_cache_t) + setattr_dirs_pattern(puppet_t, puppet_runtime_t, puppet_runtime_t) manage_files_pattern(puppet_t, puppet_runtime_t, puppet_runtime_t) files_runtime_filetrans(puppet_t, puppet_runtime_t, { file dir }) @@ -96,6 +102,7 @@ kernel_read_kernel_sysctls(puppet_t) kernel_read_net_sysctls(puppet_t) kernel_read_network_state(puppet_t) +corecmd_bin_entry_type(puppet_t) corecmd_exec_bin(puppet_t) corecmd_exec_shell(puppet_t) corecmd_read_all_executables(puppet_t) @@ -182,8 +189,6 @@ optional_policy(` ') optional_policy(` - files_rw_var_files(puppet_t) - rpm_domtrans(puppet_t) rpm_manage_db(puppet_t) rpm_manage_log(puppet_t) @@ -267,6 +272,7 @@ allow puppetmaster_t puppet_etc_t:lnk_fi allow puppetmaster_t puppet_log_t:dir setattr_dir_perms; append_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t) create_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t) +read_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t) setattr_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t) logging_log_filetrans(puppetmaster_t, puppet_log_t, { file dir }) @@ -287,6 +293,7 @@ kernel_read_system_state(puppetmaster_t) kernel_read_crypto_sysctls(puppetmaster_t) kernel_read_kernel_sysctls(puppetmaster_t) +corecmd_bin_entry_type(puppetmaster_t) corecmd_exec_bin(puppetmaster_t) corecmd_exec_shell(puppetmaster_t)
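Review bot: In the puppet.te hunk at @@ -74,6 +77,9 @@, the two new manage_dirs_pattern/manage_files_pattern lines for puppet_cache_t have no matching file transition, while the puppet_runtime_t block just below them does (files_runtime_filetrans(puppet_t, puppet_runtime_t, { file dir })). If the daemon creates /var/cache/puppet itself rather than relying on the package and restorecon, the directory will inherit its parent's label and the new cache rules never apply until a relabel. If that case can occur, consider adding a transition next to the new lines, for example files_var_filetrans(puppet_t, puppet_cache_t, dir, "puppet") if the parent directory carries var_t.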
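Review bot: corecmd_bin_entry_type(puppet_t) in the hunk at @@ -96,6 +102,7 @@ makes every bin_t executable a valid entrypoint for puppet_t, not only puppet_exec_t, and neither the hunk nor the commit message (which only mentions cache files and var_t) says why that is needed. Please state the reason in the description, for instance which bin_t program has to enter the domain, and consider whether labelling that one program puppet_exec_t would be a narrower fix than opening all of bin_t.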
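Review bot: read_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t) in the hunk at @@ -267,6 +272,7 @@ fits naturally beside the existing append/create/setattr lines, but it is a puppetmaster_t change and the commit message ("gives write access to cache files and removes rw access to var_t") describes only the puppet_t side. Add a sentence covering the puppetmaster changes so the description matches the diff.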
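Review bot: Same question for the hunk at @@ -287,6 +293,7 @@: corecmd_bin_entry_type(puppetmaster_t) lets any bin_t file enter puppetmaster_t in addition to puppetmaster_exec_t, and the patch gives no reason. If both daemons need it for the same cause (for example both being started through an interpreter or wrapper that lives in bin_t), say so once in the commit message; otherwise a narrower entry type is preferable.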