Date: Fri, 18 Feb 2022 01:45:38 +1100
From: Russell Coker
To: selinux-refpolicy@vger.kernel.org
Subject: [PATCH] puppet V3

Removed the entrypoint stuff that was controversial; the rest should be fine. I think it's ready to merge.

Signed-off-by: Russell Coker

Index: refpolicy-2.20220106/policy/modules/admin/puppet.fc =================================================================== --- refpolicy-2.20220106.orig/policy/modules/admin/puppet.fc +++ refpolicy-2.20220106/policy/modules/admin/puppet.fc @@ -11,6 +11,7 @@ /usr/sbin/puppetd -- gen_context(system_u:object_r:puppet_exec_t,s0) /usr/sbin/puppetmasterd -- gen_context(system_u:object_r:puppetmaster_exec_t,s0) +/var/cache/puppet(/.*)? gen_context(system_u:object_r:puppet_cache_t,s0) /var/lib/puppet(/.*)? gen_context(system_u:object_r:puppet_var_lib_t,s0) /var/log/puppet(/.*)? gen_context(system_u:object_r:puppet_log_t,s0) Index: refpolicy-2.20220106/policy/modules/admin/puppet.te =================================================================== --- refpolicy-2.20220106.orig/policy/modules/admin/puppet.te +++ refpolicy-2.20220106/policy/modules/admin/puppet.te @@ -36,6 +36,9 @@ init_daemon_runtime_file(puppet_runtime_ type puppet_tmp_t; files_tmp_file(puppet_tmp_t) +type puppet_cache_t; +files_type(puppet_cache_t) + type puppet_var_lib_t; files_type(puppet_var_lib_t) 
@@ -74,6 +77,9 @@ manage_dirs_pattern(puppet_t, puppet_var manage_files_pattern(puppet_t, puppet_var_lib_t, puppet_var_lib_t) can_exec(puppet_t, puppet_var_lib_t) +manage_dirs_pattern(puppet_t, puppet_cache_t, puppet_cache_t) +manage_files_pattern(puppet_t, puppet_cache_t, puppet_cache_t) + setattr_dirs_pattern(puppet_t, puppet_runtime_t, puppet_runtime_t) manage_files_pattern(puppet_t, puppet_runtime_t, puppet_runtime_t) files_runtime_filetrans(puppet_t, puppet_runtime_t, { file dir }) @@ -182,8 +189,6 @@ optional_policy(` ') optional_policy(` - files_rw_var_files(puppet_t) - rpm_domtrans(puppet_t) rpm_manage_db(puppet_t) rpm_manage_log(puppet_t) @@ -267,6 +272,7 @@ allow puppetmaster_t puppet_etc_t:lnk_fi allow puppetmaster_t puppet_log_t:dir setattr_dir_perms; append_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t) create_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t) +read_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t) setattr_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t) logging_log_filetrans(puppetmaster_t, puppet_log_t, { file dir })
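Review bot: In the puppet.te hunk at @@ -36,6 +36,9 @@, the new `type puppet_cache_t;` / `files_type(puppet_cache_t)` block is placed between puppet_tmp_t and puppet_var_lib_t, which breaks the alphabetical order the surrounding declarations follow (puppet_runtime_t, puppet_tmp_t, puppet_var_lib_t). Move the block above `type puppet_tmp_t;` so the declarations stay sorted.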
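Review bot: The hunk at @@ -74,6 +77,9 @@ grants manage_dirs_pattern/manage_files_pattern on puppet_cache_t but adds no name-based transition for puppet_t creating the puppet directory under /var/cache, so the new label only applies if /var/cache/puppet already exists and has been relabelled; a directory created by the daemon itself would get the parent's type. Consider adding a transition next to the existing `files_runtime_filetrans(puppet_t, puppet_runtime_t, { file dir })` in this hunk, for example `files_var_filetrans(puppet_t, puppet_cache_t, dir, "puppet")`, or state in the commit message that the directory is always shipped by the package.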
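Review bot: The hunk at @@ -182,8 +189,6 @@ drops `files_rw_var_files(puppet_t)` from the rpm optional_policy block, but the commit message only mentions removing the entrypoint rules and says nothing about this. If the blanket read/write on var_t was there to cover the previously unlabelled /var/cache/puppet, say so, since the new puppet_cache_t is what makes the removal safe; anything else under /var that puppet_t touched on rpm-based systems will now be denied, so it would help to note whether this was tested on such a host.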
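Review bot: The hunk at @@ -267,6 +272,7 @@ adds `read_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t)` without explaining why the master needs to read back its own logs; the surrounding rules (setattr on the dir, append_files_pattern, create_files_pattern, setattr_files_pattern) were deliberately append-only. Please include the denial that motivated it in the commit message, and if the access is only needed to list or stat the log directory, a narrower pattern such as `list_dirs_pattern(puppetmaster_t, puppet_log_t, puppet_log_t)` would keep the log contents unreadable to the daemon.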