Received-SPF: pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
Message-ID: <53ce3b34-2c22-c485-cca4-2cff2ffc942b@ieee.org>
Date:   Wed, 16 Feb 2022 06:35:58 -0500
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101
 Thunderbird/91.5.0
Subject: Re: [PATCH] puppet patch V2
Content-Language: en-US
To:     Russell Coker <russell@coker.com.au>,
        selinux-refpolicy@vger.kernel.org
References: <YgsIj5n4TxELgB3u@xev.coker.com.au>
From:   Chris PeBenito <pebenito@ieee.org>
In-Reply-To: <YgsIj5n4TxELgB3u@xev.coker.com.au>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
Precedence: bulk

On 2/14/22 20:57, Russell Coker wrote:
> New Puppet patch improved after feedback from
> Daniel Burgener <dburgener@linux.microsoft.com>.  Now gives write access to
> cache files and removes rw access to var_t.
> 
> Signed-off-by: Russell Coker <russell@coker.com.au>
> 
> Index: refpolicy-2.20220106/policy/modules/admin/puppet.fc
> ===================================================================
> --- refpolicy-2.20220106.orig/policy/modules/admin/puppet.fc
> +++ refpolicy-2.20220106/policy/modules/admin/puppet.fc
> @@ -11,6 +11,7 @@
>   /usr/sbin/puppetd	--	gen_context(system_u:object_r:puppet_exec_t,s0)
>   /usr/sbin/puppetmasterd	--	gen_context(system_u:object_r:puppetmaster_exec_t,s0)
>   
> +/var/cache/puppet(/.*)?	gen_context(system_u:object_r:puppet_cache_t,s0)
>   /var/lib/puppet(/.*)?	gen_context(system_u:object_r:puppet_var_lib_t,s0)
>   
>   /var/log/puppet(/.*)?	gen_context(system_u:object_r:puppet_log_t,s0)
> Index: refpolicy-2.20220106/policy/modules/admin/puppet.te
> ===================================================================
> --- refpolicy-2.20220106.orig/policy/modules/admin/puppet.te
> +++ refpolicy-2.20220106/policy/modules/admin/puppet.te
> @@ -36,6 +36,9 @@ init_daemon_runtime_file(puppet_runtime_
>   type puppet_tmp_t;
>   files_tmp_file(puppet_tmp_t)
>   
> +type puppet_cache_t;
> +files_type(puppet_cache_t)
> +
>   type puppet_var_lib_t;
>   files_type(puppet_var_lib_t)
>   
> @@ -74,6 +77,9 @@ manage_dirs_pattern(puppet_t, puppet_var
>   manage_files_pattern(puppet_t, puppet_var_lib_t, puppet_var_lib_t)
>   can_exec(puppet_t, puppet_var_lib_t)
>   
> +manage_dirs_pattern(puppet_t, puppet_cache_t, puppet_cache_t)
> +manage_files_pattern(puppet_t, puppet_cache_t, puppet_cache_t)
> +
>   setattr_dirs_pattern(puppet_t, puppet_runtime_t, puppet_runtime_t)
>   manage_files_pattern(puppet_t, puppet_runtime_t, puppet_runtime_t)
>   files_runtime_filetrans(puppet_t, puppet_runtime_t, { file dir })
> @@ -96,6 +102,7 @@ kernel_read_kernel_sysctls(puppet_t)
>   kernel_read_net_sysctls(puppet_t)
>   kernel_read_network_state(puppet_t)
>   
> +corecmd_bin_entry_type(puppet_t)

Why are you adding bin_t as an entrypoint here and below?


>   corecmd_exec_bin(puppet_t)
>   corecmd_exec_shell(puppet_t)
>   corecmd_read_all_executables(puppet_t)
> @@ -182,8 +189,6 @@ optional_policy(`
>   ')
>   
>   optional_policy(`
> -	files_rw_var_files(puppet_t)
> -
>   	rpm_domtrans(puppet_t)
>   	rpm_manage_db(puppet_t)
>   	rpm_manage_log(puppet_t)
> @@ -267,6 +272,7 @@ allow puppetmaster_t puppet_etc_t:lnk_fi
>   allow puppetmaster_t puppet_log_t:dir setattr_dir_perms;
>   append_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t)
>   create_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t)
> +read_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t)
>   setattr_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t)
>   logging_log_filetrans(puppetmaster_t, puppet_log_t, { file dir })
>   
> @@ -287,6 +293,7 @@ kernel_read_system_state(puppetmaster_t)
>   kernel_read_crypto_sysctls(puppetmaster_t)
>   kernel_read_kernel_sysctls(puppetmaster_t)
>   
> +corecmd_bin_entry_type(puppetmaster_t)
>   corecmd_exec_bin(puppetmaster_t)
>   corecmd_exec_shell(puppetmaster_t)
>   


-- 
Chris PeBenito