Message-ID: <53ce3b34-2c22-c485-cca4-2cff2ffc942b@ieee.org>
Date: Wed, 16 Feb 2022 06:35:58 -0500
Subject: Re: [PATCH] puppet patch V2
To: Russell Coker, selinux-refpolicy@vger.kernel.org
From: Chris PeBenito
X-Mailing-List: selinux-refpolicy@vger.kernel.org

On 2/14/22 20:57, Russell Coker wrote:
> New Puppet patch improved after feedback from
> Daniel Burgener. Now gives write access to
> cache files and removes rw access to var_t.
> > Signed-off-by: Russell Coker > > Index: refpolicy-2.20220106/policy/modules/admin/puppet.fc > =================================================================== > --- refpolicy-2.20220106.orig/policy/modules/admin/puppet.fc > +++ refpolicy-2.20220106/policy/modules/admin/puppet.fc > @@ -11,6 +11,7 @@ > /usr/sbin/puppetd -- gen_context(system_u:object_r:puppet_exec_t,s0) > /usr/sbin/puppetmasterd -- gen_context(system_u:object_r:puppetmaster_exec_t,s0) > > +/var/cache/puppet(/.*)? gen_context(system_u:object_r:puppet_cache_t,s0) > /var/lib/puppet(/.*)? gen_context(system_u:object_r:puppet_var_lib_t,s0) > > /var/log/puppet(/.*)? gen_context(system_u:object_r:puppet_log_t,s0) > Index: refpolicy-2.20220106/policy/modules/admin/puppet.te > =================================================================== > --- refpolicy-2.20220106.orig/policy/modules/admin/puppet.te > +++ refpolicy-2.20220106/policy/modules/admin/puppet.te > @@ -36,6 +36,9 @@ init_daemon_runtime_file(puppet_runtime_ > type puppet_tmp_t; > files_tmp_file(puppet_tmp_t) > > +type puppet_cache_t; > +files_type(puppet_cache_t) > + > type puppet_var_lib_t; > files_type(puppet_var_lib_t) > > @@ -74,6 +77,9 @@ manage_dirs_pattern(puppet_t, puppet_var > manage_files_pattern(puppet_t, puppet_var_lib_t, puppet_var_lib_t) > can_exec(puppet_t, puppet_var_lib_t) > > +manage_dirs_pattern(puppet_t, puppet_cache_t, puppet_cache_t) > +manage_files_pattern(puppet_t, puppet_cache_t, puppet_cache_t) > + > setattr_dirs_pattern(puppet_t, puppet_runtime_t, puppet_runtime_t) > manage_files_pattern(puppet_t, puppet_runtime_t, puppet_runtime_t) > files_runtime_filetrans(puppet_t, puppet_runtime_t, { file dir }) 
> @@ -96,6 +102,7 @@ kernel_read_kernel_sysctls(puppet_t) > kernel_read_net_sysctls(puppet_t) > kernel_read_network_state(puppet_t) > > +corecmd_bin_entry_type(puppet_t) Why are you adding bin_t as an entrypoint here and below? > corecmd_exec_bin(puppet_t) > corecmd_exec_shell(puppet_t) > corecmd_read_all_executables(puppet_t) > @@ -182,8 +189,6 @@ optional_policy(` > ') > > optional_policy(` > - files_rw_var_files(puppet_t) > - > rpm_domtrans(puppet_t) > rpm_manage_db(puppet_t) > rpm_manage_log(puppet_t) > @@ -267,6 +272,7 @@ allow puppetmaster_t puppet_etc_t:lnk_fi > allow puppetmaster_t puppet_log_t:dir setattr_dir_perms; > append_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t) > create_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t) > +read_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t) > setattr_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t) > logging_log_filetrans(puppetmaster_t, puppet_log_t, { file dir }) > > @@ -287,6 +293,7 @@ kernel_read_system_state(puppetmaster_t) > kernel_read_crypto_sysctls(puppetmaster_t) > kernel_read_kernel_sysctls(puppetmaster_t) > > +corecmd_bin_entry_type(puppetmaster_t) > corecmd_exec_bin(puppetmaster_t) > corecmd_exec_shell(puppetmaster_t) > -- Chris PeBenito
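Review bot: the manage_dirs_pattern/manage_files_pattern lines for puppet_cache_t in the puppet.te rules hunk have no matching type transition, so on a fresh host where puppet_t creates /var/cache/puppet itself the directory is created as var_t (the parent /var/cache is var_t), and with files_rw_var_files(puppet_t) removed in the same patch the agent cannot create files in it. Add files_var_filetrans(puppet_t, puppet_cache_t, dir, "puppet") next to the two manage_* lines, mirroring the files_runtime_filetrans(puppet_t, puppet_runtime_t, { file dir }) rule already visible in that hunk.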
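Review bot: corecmd_bin_entry_type(puppet_t) in the kernel_read_* hunk and corecmd_bin_entry_type(puppetmaster_t) in the final hunk grant the entrypoint permission on every bin_t file to those domains, which is far broader than the puppet_exec_t and puppetmaster_exec_t entrypoints the module already defines through /usr/sbin/puppetd and /usr/sbin/puppetmasterd in puppet.fc. If the motivation is that the daemons are now launched through a wrapper that is labeled bin_t, the narrower fix is to add that path to puppet.fc with the existing exec type instead of widening the entrypoint set; either way the commit message should state the denial that prompted these two lines.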
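Review bot: dropping files_rw_var_files(puppet_t) from the rpm optional_policy block is the right direction, but the new /var/cache/puppet(/.*)? context in puppet.fc only applies when the filesystem is relabeled, so cache files already present on upgraded systems keep var_t and puppet_t is denied on them until restorecon -R /var/cache/puppet is run. Worth a sentence in the commit message for packagers, and worth confirming that no other var_t file under /var was relying on that interface before it is removed.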