Received-SPF: pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
Date:   Tue, 15 Feb 2022 12:57:35 +1100
From:   Russell Coker <russell@coker.com.au>
To:     selinux-refpolicy@vger.kernel.org
Subject: [PATCH] puppet patch V2
Message-ID: <YgsIj5n4TxELgB3u@xev.coker.com.au>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Precedence: bulk

New Puppet patch improved after feedback from
Daniel Burgener <dburgener@linux.microsoft.com>.  Now gives write access to
cache files and removes rw access to var_t.

Signed-off-by: Russell Coker <russell@coker.com.au>

Index: refpolicy-2.20220106/policy/modules/admin/puppet.fc
===================================================================
--- refpolicy-2.20220106.orig/policy/modules/admin/puppet.fc
+++ refpolicy-2.20220106/policy/modules/admin/puppet.fc
@@ -11,6 +11,7 @@
 /usr/sbin/puppetd	--	gen_context(system_u:object_r:puppet_exec_t,s0)
 /usr/sbin/puppetmasterd	--	gen_context(system_u:object_r:puppetmaster_exec_t,s0)
 
+/var/cache/puppet(/.*)?	gen_context(system_u:object_r:puppet_cache_t,s0)
 /var/lib/puppet(/.*)?	gen_context(system_u:object_r:puppet_var_lib_t,s0)
 
 /var/log/puppet(/.*)?	gen_context(system_u:object_r:puppet_log_t,s0)
Index: refpolicy-2.20220106/policy/modules/admin/puppet.te
===================================================================
--- refpolicy-2.20220106.orig/policy/modules/admin/puppet.te
+++ refpolicy-2.20220106/policy/modules/admin/puppet.te
@@ -36,6 +36,9 @@ init_daemon_runtime_file(puppet_runtime_
 type puppet_tmp_t;
 files_tmp_file(puppet_tmp_t)
 
+type puppet_cache_t;
+files_type(puppet_cache_t)
+
 type puppet_var_lib_t;
 files_type(puppet_var_lib_t)
 
@@ -74,6 +77,9 @@ manage_dirs_pattern(puppet_t, puppet_var
 manage_files_pattern(puppet_t, puppet_var_lib_t, puppet_var_lib_t)
 can_exec(puppet_t, puppet_var_lib_t)
 
+manage_dirs_pattern(puppet_t, puppet_cache_t, puppet_cache_t)
+manage_files_pattern(puppet_t, puppet_cache_t, puppet_cache_t)
+
 setattr_dirs_pattern(puppet_t, puppet_runtime_t, puppet_runtime_t)
 manage_files_pattern(puppet_t, puppet_runtime_t, puppet_runtime_t)
 files_runtime_filetrans(puppet_t, puppet_runtime_t, { file dir })
@@ -96,6 +102,7 @@ kernel_read_kernel_sysctls(puppet_t)
 kernel_read_net_sysctls(puppet_t)
 kernel_read_network_state(puppet_t)
 
+corecmd_bin_entry_type(puppet_t)
 corecmd_exec_bin(puppet_t)
 corecmd_exec_shell(puppet_t)
 corecmd_read_all_executables(puppet_t)
@@ -182,8 +189,6 @@ optional_policy(`
 ')
 
 optional_policy(`
-	files_rw_var_files(puppet_t)
-
 	rpm_domtrans(puppet_t)
 	rpm_manage_db(puppet_t)
 	rpm_manage_log(puppet_t)
@@ -267,6 +272,7 @@ allow puppetmaster_t puppet_etc_t:lnk_fi
 allow puppetmaster_t puppet_log_t:dir setattr_dir_perms;
 append_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t)
 create_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t)
+read_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t)
 setattr_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t)
 logging_log_filetrans(puppetmaster_t, puppet_log_t, { file dir })
 
@@ -287,6 +293,7 @@ kernel_read_system_state(puppetmaster_t)
 kernel_read_crypto_sysctls(puppetmaster_t)
 kernel_read_kernel_sysctls(puppetmaster_t)
 
+corecmd_bin_entry_type(puppetmaster_t)
 corecmd_exec_bin(puppetmaster_t)
 corecmd_exec_shell(puppetmaster_t)