Date: Fri, 18 Feb 2022 13:14:12 -0500
Subject: Re: [PATCH] puppet V3
To: Russell Coker, selinux-refpolicy@vger.kernel.org
From: Chris PeBenito
X-Mailing-List: selinux-refpolicy@vger.kernel.org

On 2/17/22 09:45, Russell Coker wrote:
> Removed the entrypoint stuff that was controversial, the rest should be fine.
>
> I think it's ready to merge.
> > Signed-off-by: Russell Coker > > Index: refpolicy-2.20220106/policy/modules/admin/puppet.fc > =================================================================== > --- refpolicy-2.20220106.orig/policy/modules/admin/puppet.fc > +++ refpolicy-2.20220106/policy/modules/admin/puppet.fc > @@ -11,6 +11,7 @@ > /usr/sbin/puppetd -- gen_context(system_u:object_r:puppet_exec_t,s0) > /usr/sbin/puppetmasterd -- gen_context(system_u:object_r:puppetmaster_exec_t,s0) > > +/var/cache/puppet(/.*)? gen_context(system_u:object_r:puppet_cache_t,s0) > /var/lib/puppet(/.*)? gen_context(system_u:object_r:puppet_var_lib_t,s0) > > /var/log/puppet(/.*)? gen_context(system_u:object_r:puppet_log_t,s0) > Index: refpolicy-2.20220106/policy/modules/admin/puppet.te > =================================================================== > --- refpolicy-2.20220106.orig/policy/modules/admin/puppet.te > +++ refpolicy-2.20220106/policy/modules/admin/puppet.te > @@ -36,6 +36,9 @@ init_daemon_runtime_file(puppet_runtime_ > type puppet_tmp_t; > files_tmp_file(puppet_tmp_t) > > +type puppet_cache_t; > +files_type(puppet_cache_t) > + > type puppet_var_lib_t; > files_type(puppet_var_lib_t) > > @@ -74,6 +77,9 @@ manage_dirs_pattern(puppet_t, puppet_var > manage_files_pattern(puppet_t, puppet_var_lib_t, puppet_var_lib_t) > can_exec(puppet_t, puppet_var_lib_t) > > +manage_dirs_pattern(puppet_t, puppet_cache_t, puppet_cache_t) > +manage_files_pattern(puppet_t, puppet_cache_t, puppet_cache_t) > + > setattr_dirs_pattern(puppet_t, puppet_runtime_t, puppet_runtime_t) > manage_files_pattern(puppet_t, puppet_runtime_t, puppet_runtime_t) > files_runtime_filetrans(puppet_t, puppet_runtime_t, { file dir }) > @@ -182,8 +189,6 @@ optional_policy(` > ') > > optional_policy(` > - files_rw_var_files(puppet_t) > - > rpm_domtrans(puppet_t) > rpm_manage_db(puppet_t) > rpm_manage_log(puppet_t) 
> @@ -267,6 +272,7 @@ allow puppetmaster_t puppet_etc_t:lnk_fi > allow puppetmaster_t puppet_log_t:dir setattr_dir_perms; > append_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t) > create_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t) > +read_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t) > setattr_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t) > logging_log_filetrans(puppetmaster_t, puppet_log_t, { file dir }) Merged. -- Chris PeBenito
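Review bot: In the puppet.te hunk at "@@ -74,6 +77,9 @@", the new puppet_cache_t rules grant manage access on dirs and files but add no file type transition, while the runtime rules right below them pair their access with files_runtime_filetrans(puppet_t, puppet_runtime_t, { file dir }). As written, the label depends entirely on the puppet.fc entry for /var/cache/puppet, so a cache directory that puppet_t creates itself would get its parent directory's type until it is relabelled. Either add a transition for the cache directory or say in the changelog that the directory is expected to be created and labelled at package install time.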
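Review bot: The removal of files_rw_var_files(puppet_t) in the puppet.te hunk at "@@ -182,8 +189,6 @@" is not mentioned in the patch description, which only talks about the entrypoint change. The line sat in the same optional_policy block as the rpm_* calls, so the access was only granted when that block was active; please state in the changelog that it is dropped and whether the new puppet_cache_t rules are meant to replace it, so that anyone who sees denials on generic var files after the update can trace them to this change.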
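Review bot: read_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t) in the puppet.te hunk at "@@ -267,6 +272,7 @@" widens a set of log rules that, in the visible context, is limited to append, create and setattr, and nothing in the patch or its description says why puppetmaster_t needs to read its own logs. Add a short comment above the line, or a sentence in the commit message, naming what triggers the read so the permission can be re-evaluated later.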