2009-11-09 22:54:00

by Craig.Grube

Subject: [refpolicy] [PATCH 1/1] adding puppet configuration management system

From: Craig Grube <[email protected]>


Signed-off-by: Craig Grube <[email protected]>
---
policy/modules/admin/usermanage.te | 8 +
policy/modules/kernel/corenetwork.te.in | 1 +
policy/modules/kernel/files.if | 118 ++++++++++++++
policy/modules/kernel/files.te | 1 +
policy/modules/services/puppet.fc | 13 ++
policy/modules/services/puppet.if | 32 ++++
policy/modules/services/puppet.te | 260 +++++++++++++++++++++++++++++++
policy/modules/system/init.if | 19 +++
policy/modules/system/init.te | 4 +
policy/modules/system/libraries.te | 4 +
10 files changed, 460 insertions(+), 0 deletions(-)
create mode 100644 policy/modules/services/puppet.fc
create mode 100644 policy/modules/services/puppet.if
create mode 100644 policy/modules/services/puppet.te

diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
index 1865872..d6423c8 100644
--- a/policy/modules/admin/usermanage.te
+++ b/policy/modules/admin/usermanage.te
@@ -247,6 +247,10 @@ optional_policy(`
rpm_rw_pipes(groupadd_t)
')

+optional_policy(`
+ puppet_rw_tmp(groupadd_t)
+')
+
########################################
#
# Passwd local policy
@@ -524,3 +528,7 @@ optional_policy(`
rpm_use_fds(useradd_t)
rpm_rw_pipes(useradd_t)
')
+
+optional_policy(`
+ puppet_rw_tmp(useradd_t)
+')
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
index c62a95e..85a5fcf 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -156,6 +156,7 @@ network_port(prelude, tcp,4690,s0, udp,4690,s0)
network_port(printer, tcp,515,s0)
network_port(ptal, tcp,5703,s0)
network_port(pulseaudio, tcp,4713,s0)
+network_port(puppet, tcp, 8140, s0)
network_port(pxe, udp,4011,s0)
network_port(pyzor, udp,24441,s0)
network_port(radacct, udp,1646,s0, udp,1813,s0)
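Review bot: The new `network_port(puppet, tcp, 8140, s0)` line is spaced differently from every neighbour in the hunk, which use `tcp,515,s0` with no blanks; write it as `network_port(puppet, tcp,8140,s0)` so the generated corenet_*_puppet_port interfaces sit in a uniformly formatted table. Nothing else in this hunk changes.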
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index 87442ec..8881333 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -110,7 +110,11 @@ interface(`files_pid_file',`
## </param>
#
interface(`files_config_file',`
+ gen_require(`
+ attribute configfile;
+ ')
files_type($1)
+ typeattribute $1 configfile;
')

########################################
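Review bot: Adding `typeattribute $1 configfile;` inside files_config_file retroactively enrols every type that any existing module already declares through this interface, so all of them become writable and relabelable by whichever domain is granted the new files_manage_config_files/files_relabel_config_files interfaces in the following hunk. That widening is invisible to maintainers of those other modules unless the interface documentation says so; the summary above this hunk (outside it) should gain a sentence such as `## Types declared with this interface are also added to the configfile attribute, so they are reachable through files_manage_config_files() and files_relabel_config_files().` The `gen_require` on the attribute is otherwise correct.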
@@ -997,6 +1001,83 @@ interface(`files_manage_all_files',`
files_manage_kernel_modules($1)
')

+###########################################
+## <summary>
+## Manage all configuration files on filesystem
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of domain performing this action
+## </summary>
+## </param>
+##
+#
+interface(`files_manage_config_files',`
+ gen_require(`
+ attribute configfile;
+ ')
+
+ manage_files_pattern($1, configfile, configfile)
+')
+
+#############################################
+## <summary>
+## Manage all configuration directories on filesystem
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of domain performing this action
+## </summary>
+## </param>
+##
+#
+interface(`files_manage_config_dirs',`
+ gen_require(`
+ attribute configfile;
+ ')
+
+ manage_dirs_pattern($1, configfile, configfile)
+')
+
+
+#######################################
+## <summary>
+## Relabel configuration files
+## </summary>
+## <param name="domain">
+## <summary>
+## Type of domain performing this action
+## </summary>
+## </param>
+##
+#
+interface(`files_relabel_config_files',`
+ gen_require(`
+ attribute configfile;
+ ')
+
+ relabel_files_pattern($1, configfile, configfile)
+')
+
+#########################################
+## <summary>
+## Relabel configuration directories
+## </summary>
+## <param name="domain">
+## <summary>
+## Type of domain performing this action
+## </summary>
+## </param>
+##
+#
+interface(`files_relabel_config_dirs',`
+ gen_require(`
+ attribute configfile;
+ ')
+
+ relabel_dirs_pattern($1, configfile, configfile)
+')
+
########################################
## <summary>
## Search the contents of all directories on
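Review bot: The summaries of files_manage_config_files, files_manage_config_dirs, files_relabel_config_files and files_relabel_config_dirs say "all configuration files" without saying that "all" is the configfile attribute, i.e. every type ever passed to files_config_file, including this patch's own puppet_etc_t; a reader granting one of these cannot tell from the doc how far it reaches, so I would extend each summary with `## (every type in the configfile attribute, see files_config_file())`. As a point of style, the comment bars opening these blocks are 41, 45, 39 and 41 characters long while the surrounding file uses 40, and the same drift appears in the next two hunks of this file and in init.if; there is also a doubled blank line between files_manage_config_dirs and files_relabel_config_files. The relabel interfaces grant relabelfrom and relabelto across the whole attribute, which is what a config manager needs, but the pairing with manage_*_pattern on the same attribute means a single caller can both rewrite and retag any config type.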
@@ -1993,6 +2074,25 @@ interface(`files_manage_etc_files',`
read_lnk_files_pattern($1, etc_t, etc_t)
')

+##########################################
+## <summary>
+## Manage generic directories in /etc
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+##
+#
+interface(`files_manage_etc_dirs',`
+ gen_require(`
+ type etc_t;
+ ')
+
+ manage_dirs_pattern($1, etc_t, etc_t)
+')
+
########################################
## <summary>
## Delete system configuration files in /etc.
@@ -4222,6 +4322,24 @@ interface(`files_list_var_lib',`
list_dirs_pattern($1, var_t, var_lib_t)
')

+###########################################
+## <summary>
+## Read-write /var/lib directories
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_rw_var_lib_dirs',`
+ gen_require(`
+ type var_lib_t;
+ ')
+
+ rw_dirs_pattern($1, var_lib_t, var_lib_t)
+')
+
########################################
## <summary>
## Create objects in the /var/lib directory
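Review bot: files_rw_var_lib_dirs is added here but nothing in the patch calls it; puppet.te reaches /var/lib through files_search_var_lib and a direct `files_var_lib_filetrans(puppet_t, var_lib_t, dir)` instead. Either drop this interface or use it from puppet.te in place of that filetrans line, which as written transitions to var_lib_t itself and so only serves to obtain directory write access. The doc block is also the only one in the patch without the `##` separator line before the closing `#`.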
diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te
index 3ae897d..e970d85 100644
--- a/policy/modules/kernel/files.te
+++ b/policy/modules/kernel/files.te
@@ -11,6 +11,7 @@ attribute files_unconfined_type;
attribute lockfile;
attribute mountpoint;
attribute pidfile;
+attribute configfile;

# For labeling types that are to be polyinstantiated
attribute polydir;
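Review bot: `attribute configfile;` is appended after `pidfile`, but the visible neighbours (`files_unconfined_type`, `lockfile`, `mountpoint`, `pidfile`) are in alphabetical order, so it presumably belongs before `files_unconfined_type`, which is outside this hunk. A short comment would also help, since the attribute is now populated implicitly by files_config_file: `# all configuration file types, populated by files_config_file()`.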
diff --git a/policy/modules/services/puppet.fc b/policy/modules/services/puppet.fc
new file mode 100644
index 0000000..8cc04c3
--- /dev/null
+++ b/policy/modules/services/puppet.fc
@@ -0,0 +1,13 @@
+/etc/puppet(/.*)? gen_context(system_u:object_r:puppet_etc_t, s0)
+
+/etc/rc\.d/init\.d/puppet -- gen_context(system_u:object_r:puppet_initrc_exec_t, s0)
+/etc/rc\.d/init\.d/puppetmaster -- gen_context(system_u:object_r:puppetmasterd_initrc_exec_t, s0)
+
+/usr/sbin/puppetd -- gen_context(system_u:object_r:puppet_exec_t, s0)
+/usr/sbin/puppetmasterd -- gen_context(system_u:object_r:puppetmaster_exec_t, s0)
+
+/var/lib/puppet(/.*)? gen_context(system_u:object_r:puppet_var_lib_t, s0)
+/var/log/puppet(/.*)? gen_context(system_u:object_r:puppet_log_t, s0)
+/var/run/puppet(/.*)? gen_context(system_u:object_r:puppet_var_run_t, s0)
+
+
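Review bot: `/etc/puppet(/.*)?` labels the entire tree puppet_etc_t, and because files_config_file() now adds that type to configfile, any domain granted files_manage_config_files() can rewrite everything under it, not just puppet.conf; if this tree also holds the client's SSL key material (TODO confirm for the Puppet version targeted), that material inherits the same broad writability and a separate, non-configfile type for it would be safer. The file also ends with two empty lines, which should be trimmed.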
diff --git a/policy/modules/services/puppet.if b/policy/modules/services/puppet.if
new file mode 100644
index 0000000..ad75def
--- /dev/null
+++ b/policy/modules/services/puppet.if
@@ -0,0 +1,32 @@
+## <summary>Puppet client daemon</summary>
+## <desc>
+## <p>
+## Puppet is a configuration management system written in Ruby.
+## The client daemon is responsible for periodically requesting the
+## desired system state from the server and ensuring the state of
+## the client system matches.
+## </p>
+## </desc>
+
+################################################
+## <summary>
+## Read / Write to Puppet temp files. Puppet uses
+## some system binaries (groupadd, etc) that run in
+## a non-puppet domain and redirects output into temp
+## files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+##
+#
+interface(`puppet_rw_tmp', `
+ gen_require(`
+ type puppet_tmp_t;
+ ')
+
+ allow $1 puppet_tmp_t:file rw_file_perms;
+ files_search_tmp($1)
+')
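Review bot: puppet_rw_tmp grants `allow $1 puppet_tmp_t:file rw_file_perms;` plus files_search_tmp, but no search on puppet_tmp_t directories even though puppet.te lets the client create such directories (manage_dirs_pattern on puppet_tmp_t); if the redirected output files ever live inside one, callers will be denied on the directory, so `rw_files_pattern($1, puppet_tmp_t, puppet_tmp_t)` is the safer and more conventional form. The module summary `## <summary>Puppet client daemon</summary>` understates the module, which also confines puppetmaster_t; `## <summary>Puppet configuration management client and master daemons</summary>` would match what puppet.te declares. The `interface(\`puppet_rw_tmp', \`` line has a stray space before the opening quote that the other interfaces in the patch do not.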
diff --git a/policy/modules/services/puppet.te b/policy/modules/services/puppet.te
new file mode 100644
index 0000000..2336da4
--- /dev/null
+++ b/policy/modules/services/puppet.te
@@ -0,0 +1,260 @@
+
+policy_module(puppet, 0.0.1)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Allow Puppet client to manage all file
+## types.
+## </p>
+## </desc>
+gen_tunable(puppet_manage_all_files, false)
+
+
+########################################
+#
+# Puppet personal declarations
+#
+
+type puppet_t;
+type puppet_exec_t;
+init_daemon_domain(puppet_t, puppet_exec_t)
+
+type puppet_initrc_exec_t;
+init_script_file(puppet_initrc_exec_t);
+
+type puppet_log_t;
+logging_log_file(puppet_log_t)
+
+type puppet_var_lib_t;
+files_type(puppet_var_lib_t)
+
+type puppet_var_run_t;
+files_pid_file(puppet_var_run_t)
+
+type puppet_etc_t;
+files_config_file(puppet_etc_t)
+
+type puppet_tmp_t;
+files_tmp_file(puppet_tmp_t)
+
+########################################
+#
+# Pupper master personal declarations
+#
+
+type puppetmaster_t;
+type puppetmaster_exec_t;
+init_daemon_domain(puppetmaster_t, puppetmaster_exec_t)
+
+type puppetmasterd_initrc_exec_t;
+init_script_file(puppetmasterd_initrc_exec_t)
+
+type puppetmaster_tmp_t;
+files_tmp_file(puppetmaster_tmp_t)
+
+########################################
+#
+# Puppet personal policy
+#
+
+allow puppet_t self:capability { fowner fsetid setuid setgid dac_override sys_nice sys_ptrace sys_tty_config };
+allow puppet_t self:fifo_file rw_fifo_file_perms;
+allow puppet_t self:netlink_route_socket create_netlink_socket_perms;
+allow puppet_t self:process { signal signull getsched setsched };
+allow puppet_t self:tcp_socket create_stream_socket_perms;
+allow puppet_t self:udp_socket create_socket_perms;
+
+search_dirs_pattern(puppet_t, puppet_etc_t, puppet_etc_t)
+read_files_pattern(puppet_t, puppet_etc_t, puppet_etc_t)
+
+manage_dirs_pattern(puppet_t ,puppet_var_lib_t, puppet_var_lib_t)
+manage_files_pattern(puppet_t, puppet_var_lib_t, puppet_var_lib_t)
+
+setattr_dirs_pattern(puppet_t, puppet_var_run_t, puppet_var_run_t)
+manage_files_pattern(puppet_t, puppet_var_run_t, puppet_var_run_t)
+files_pid_filetrans(puppet_t, puppet_var_run_t, { file dir })
+
+create_dirs_pattern(puppet_t, var_log_t, puppet_log_t)
+create_files_pattern(puppet_t, puppet_log_t, puppet_log_t)
+append_files_pattern(puppet_t, puppet_log_t, puppet_log_t)
+logging_log_filetrans(puppet_t, puppet_log_t, { file dir })
+
+manage_dirs_pattern(puppet_t, puppet_tmp_t, puppet_tmp_t)
+manage_files_pattern(puppet_t, puppet_tmp_t, puppet_tmp_t)
+files_tmp_filetrans(puppet_t, puppet_tmp_t, { file dir })
+
+corenet_sendrecv_puppet_client_packets(puppet_t)
+corenet_tcp_connect_puppet_port(puppet_t)
+
+corenet_all_recvfrom_netlabel(puppet_t)
+corenet_all_recvfrom_unlabeled(puppet_t)
+
+corenet_tcp_sendrecv_generic_if(puppet_t)
+corenet_tcp_sendrecv_generic_node(puppet_t)
+
+corenet_tcp_bind_generic_node(puppet_t)
+
+corecmd_exec_bin(puppet_t)
+corecmd_exec_shell(puppet_t)
+
+dev_read_rand(puppet_t)
+dev_read_sysfs(puppet_t)
+dev_read_urand(puppet_t)
+
+domain_read_all_domains_state(puppet_t)
+domain_interactive_fd(puppet_t)
+
+files_manage_config_files(puppet_t)
+files_manage_config_dirs(puppet_t)
+files_manage_etc_dirs(puppet_t)
+files_manage_etc_files(puppet_t)
+files_read_usr_symlinks(puppet_t)
+files_relabel_config_dirs(puppet_t)
+files_relabel_config_files(puppet_t)
+files_search_default(puppet_t)
+files_search_var_lib(puppet_t)
+
+init_all_labeled_script_domtrans(puppet_t)
+init_domtrans_script(puppet_t)
+init_read_utmp(puppet_t)
+init_signull_script(puppet_t)
+
+kernel_dontaudit_search_sysctl(puppet_t)
+kernel_dontaudit_search_kernel_sysctl(puppet_t)
+kernel_read_system_state(puppet_t)
+kernel_read_crypto_sysctls(puppet_t)
+
+logging_send_syslog_msg(puppet_t)
+
+miscfiles_read_hwdata(puppet_t)
+miscfiles_read_localization(puppet_t)
+
+selinux_search_fs(puppet_t)
+selinux_set_all_booleans(puppet_t)
+selinux_set_generic_booleans(puppet_t)
+selinux_validate_context(puppet_t)
+
+seutil_domtrans_setfiles(puppet_t)
+seutil_domtrans_semanage(puppet_t)
+
+sysnet_dns_name_resolve(puppet_t)
+sysnet_run_ifconfig(puppet_t, system_r)
+
+term_dontaudit_getattr_unallocated_ttys(puppet_t)
+term_dontaudit_getattr_all_user_ttys(puppet_t)
+
+tunable_policy(`puppet_manage_all_files',`
+ auth_manage_all_files_except_shadow(puppet_t)
+')
+
+optional_policy(`
+ consoletype_domtrans(puppet_t)
+')
+
+optional_policy(`
+ hostname_exec(puppet_t)
+')
+
+optional_policy(`
+ files_rw_var_files(puppet_t)
+ files_var_lib_filetrans(puppet_t, var_lib_t, dir)
+
+ rpm_domtrans(puppet_t)
+ rpm_manage_db(puppet_t)
+ rpm_manage_log(puppet_t)
+')
+
+optional_policy(`
+ unconfined_domain(puppet_t)
+')
+
+optional_policy(`
+ usermanage_domtrans_groupadd(puppet_t)
+ usermanage_domtrans_useradd(puppet_t)
+')
+
+
+########################################
+#
+# Pupper master personal policy
+#
+
+allow puppetmaster_t self:capability { dac_read_search dac_override setuid setgid fowner chown fsetid sys_tty_config };
+allow puppetmaster_t self:fifo_file rw_fifo_file_perms;;
+allow puppetmaster_t self:netlink_route_socket create_netlink_socket_perms;
+allow puppetmaster_t self:process { signal_perms getsched setsched };
+allow puppetmaster_t self:socket create;
+allow puppetmaster_t self:tcp_socket create_stream_socket_perms;
+allow puppetmaster_t self:udp_socket create_socket_perms;
+
+list_dirs_pattern(puppetmaster_t, puppet_etc_t, puppet_etc_t)
+read_files_pattern(puppetmaster_t, puppet_etc_t, puppet_etc_t)
+
+manage_dirs_pattern(puppetmaster_t ,puppet_var_lib_t, puppet_var_lib_t)
+manage_files_pattern(puppetmaster_t, puppet_var_lib_t, puppet_var_lib_t)
+
+setattr_dirs_pattern(puppetmaster_t, puppet_var_run_t, puppet_var_run_t)
+manage_files_pattern(puppetmaster_t, puppet_var_run_t, puppet_var_run_t)
+files_pid_filetrans(puppetmaster_t, puppet_var_run_t, { file dir })
+
+rw_dirs_pattern(puppetmaster_t, puppet_log_t, puppet_log_t)
+setattr_dirs_pattern(puppetmaster_t, puppet_log_t, puppet_log_t)
+setattr_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t)
+create_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t)
+append_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t)
+rw_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t)
+logging_log_filetrans(puppetmaster_t, puppet_log_t, { file dir })
+
+manage_dirs_pattern(puppetmaster_t, puppetmaster_tmp_t, puppetmaster_tmp_t)
+manage_files_pattern(puppetmaster_t, puppetmaster_tmp_t, puppetmaster_tmp_t)
+files_tmp_filetrans(puppetmaster_t, puppetmaster_tmp_t, { file dir })
+
+corenet_sendrecv_puppet_server_packets(puppetmaster_t)
+corenet_tcp_bind_puppet_port(puppetmaster_t)
+
+corenet_all_recvfrom_netlabel(puppetmaster_t)
+corenet_all_recvfrom_unlabeled(puppetmaster_t)
+
+corenet_tcp_sendrecv_generic_if(puppetmaster_t)
+corenet_tcp_sendrecv_generic_node(puppetmaster_t)
+
+corenet_tcp_bind_generic_node(puppetmaster_t)
+
+corecmd_exec_bin(puppetmaster_t)
+corecmd_exec_shell(puppetmaster_t)
+
+files_read_etc_files(puppetmaster_t)
+files_search_var_lib(puppetmaster_t)
+
+dev_read_rand(puppetmaster_t)
+dev_read_urand(puppetmaster_t)
+
+domain_read_all_domains_state(puppetmaster_t)
+
+kernel_dontaudit_search_kernel_sysctl(puppetmaster_t)
+kernel_read_system_state(puppetmaster_t)
+kernel_read_crypto_sysctls(puppetmaster_t)
+
+logging_send_syslog_msg(puppetmaster_t)
+
+miscfiles_read_localization(puppetmaster_t)
+
+sysnet_dns_name_resolve(puppetmaster_t)
+sysnet_run_ifconfig(puppetmaster_t, system_r)
+
+optional_policy(`
+ hostname_exec(puppetmaster_t)
+')
+
+optional_policy(`
+ files_read_usr_symlinks(puppetmaster_t)
+
+ rpm_exec(puppetmaster_t)
+ rpm_read_db(puppetmaster_t)
+')
+
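Review bot: The `optional_policy(\` unconfined_domain(puppet_t) ')` block makes puppet_t fully unconfined on any build that ships the unconfined module, which silently reduces the entire client policy above it, including the puppet_manage_all_files tunable, to dead weight; if that is deliberate because the agent runs arbitrary administrative commands, it needs a comment saying so, otherwise it should be removed and the tunable relied on instead. `allow puppetmaster_t self:fifo_file rw_fifo_file_perms;;` has a doubled semicolon and `init_script_file(puppet_initrc_exec_t);` a stray one that its puppetmaster counterpart lacks; both are at least inconsistent and the `;;` may not parse. `create_dirs_pattern(puppet_t, var_log_t, puppet_log_t)` and `files_var_lib_filetrans(puppet_t, var_lib_t, dir)` name var_log_t and var_lib_t directly from a services module without a gen_require, and the logging_log_filetrans call three lines later already covers directory creation under /var/log while the var_lib transition targets var_lib_t itself, so both lines can likely go (the patch's own files_rw_var_lib_dirs would be the layered alternative). The read-only `search_dirs_pattern`/`read_files_pattern` grants on puppet_etc_t are overtaken by `files_manage_config_files(puppet_t)`, since puppet_etc_t is in configfile, so the apparent read-only intent does not hold. `sys_ptrace` in puppet_t's capability set is broad; if it is only triggered by /proc reads under domain_read_all_domains_state it is normally dontaudited rather than allowed, which is worth confirming against the audit log that motivated it.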
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 7637333..a5a3adb 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -720,6 +720,25 @@ interface(`init_labeled_script_domtrans',`
files_search_etc($1)
')

+#########################################
+## <summary>
+## Transition to the init script domain
+## for all labeled init script types
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#########################################
+interface(`init_all_labeled_script_domtrans',`
+ gen_require(`
+ attribute init_script_file_type;
+ ')
+
+ init_labeled_script_domtrans($1, init_script_file_type)
+')
+
########################################
## <summary>
## Start and stop daemon programs directly.
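Review bot: The doc block for init_all_labeled_script_domtrans closes with a `#########################################` bar instead of the single `#` line every other interface in this file uses; that bar starts with `##`, which the interface documentation extractor treats as documentation text, so the block should end with `##` then `#` as the others do. The interface hands the whole init_script_file_type attribute to init_labeled_script_domtrans, i.e. a caller may transition into initrc_t through any labeled init script on the system; the summary says this, but it would help to state the consequence explicitly with `## This allows the caller to start and stop every labeled service.`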
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index efe5277..1ff0596 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -688,6 +688,10 @@ optional_policy(`
')

optional_policy(`
+ puppet_rw_tmp(initrc_t)
+')
+
+optional_policy(`
quota_manage_flags(initrc_t)
')

diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te
index 0c4f4ba..8005fb6 100644
--- a/policy/modules/system/libraries.te
+++ b/policy/modules/system/libraries.te
@@ -123,3 +123,7 @@ optional_policy(`
# blow up.
rpm_manage_script_tmp_files(ldconfig_t)
')
+
+optional_policy(`
+ puppet_rw_tmp(ldconfig_t)
+')
--
1.6.2.5


2009-11-11 16:20:25

by cpebenito

Subject: [refpolicy] [PATCH 1/1] adding puppet configuration management system

On Mon, 2009-11-09 at 17:54 -0500, craig.grube at cobham.com wrote:
> From: Craig Grube <[email protected]>

Merged. I did some additional cleanups on whitespace and ordering.
Also dropped the d from puppetmasterd_initrc_exec_t.

> Signed-off-by: Craig Grube <[email protected]>
> ---
> policy/modules/admin/usermanage.te | 8 +
> policy/modules/kernel/corenetwork.te.in | 1 +
> policy/modules/kernel/files.if | 118 ++++++++++++++
> policy/modules/kernel/files.te | 1 +
> policy/modules/services/puppet.fc | 13 ++
> policy/modules/services/puppet.if | 32 ++++
> policy/modules/services/puppet.te | 260 +++++++++++++++++++++++++++++++
> policy/modules/system/init.if | 19 +++
> policy/modules/system/init.te | 4 +
> policy/modules/system/libraries.te | 4 +
> 10 files changed, 460 insertions(+), 0 deletions(-)
> create mode 100644 policy/modules/services/puppet.fc
> create mode 100644 policy/modules/services/puppet.if
> create mode 100644 policy/modules/services/puppet.te
>
> diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
> index 1865872..d6423c8 100644
> --- a/policy/modules/admin/usermanage.te
> +++ b/policy/modules/admin/usermanage.te
> @@ -247,6 +247,10 @@ optional_policy(`
> rpm_rw_pipes(groupadd_t)
> ')
>
> +optional_policy(`
> + puppet_rw_tmp(groupadd_t)
> +')
> +
> ########################################
> #
> # Passwd local policy
> @@ -524,3 +528,7 @@ optional_policy(`
> rpm_use_fds(useradd_t)
> rpm_rw_pipes(useradd_t)
> ')
> +
> +optional_policy(`
> + puppet_rw_tmp(useradd_t)
> +')
> diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
> index c62a95e..85a5fcf 100644
> --- a/policy/modules/kernel/corenetwork.te.in
> +++ b/policy/modules/kernel/corenetwork.te.in
> @@ -156,6 +156,7 @@ network_port(prelude, tcp,4690,s0, udp,4690,s0)
> network_port(printer, tcp,515,s0)
> network_port(ptal, tcp,5703,s0)
> network_port(pulseaudio, tcp,4713,s0)
> +network_port(puppet, tcp, 8140, s0)
> network_port(pxe, udp,4011,s0)
> network_port(pyzor, udp,24441,s0)
> network_port(radacct, udp,1646,s0, udp,1813,s0)
> diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
> index 87442ec..8881333 100644
> --- a/policy/modules/kernel/files.if
> +++ b/policy/modules/kernel/files.if
> @@ -110,7 +110,11 @@ interface(`files_pid_file',`
> ## </param>
> #
> interface(`files_config_file',`
> + gen_require(`
> + attribute configfile;
> + ')
> files_type($1)
> + typeattribute $1 configfile;
> ')
>
> ########################################
> @@ -997,6 +1001,83 @@ interface(`files_manage_all_files',`
> files_manage_kernel_modules($1)
> ')
>
> +###########################################
> +## <summary>
> +## Manage all configuration files on filesystem
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## The type of domain performing this action
> +## </summary>
> +## </param>
> +##
> +#
> +interface(`files_manage_config_files',`
> + gen_require(`
> + attribute configfile;
> + ')
> +
> + manage_files_pattern($1, configfile, configfile)
> +')
> +
> +#############################################
> +## <summary>
> +## Manage all configuration directories on filesystem
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## The type of domain performing this action
> +## </summary>
> +## </param>
> +##
> +#
> +interface(`files_manage_config_dirs',`
> + gen_require(`
> + attribute configfile;
> + ')
> +
> + manage_dirs_pattern($1, configfile, configfile)
> +')
> +
> +
> +#######################################
> +## <summary>
> +## Relabel configuration files
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Type of domain performing this action
> +## </summary>
> +## </param>
> +##
> +#
> +interface(`files_relabel_config_files',`
> + gen_require(`
> + attribute configfile;
> + ')
> +
> + relabel_files_pattern($1, configfile, configfile)
> +')
> +
> +#########################################
> +## <summary>
> +## Relabel configuration directories
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Type of domain performing this action
> +## </summary>
> +## </param>
> +##
> +#
> +interface(`files_relabel_config_dirs',`
> + gen_require(`
> + attribute configfile;
> + ')
> +
> + relabel_dirs_pattern($1, configfile, configfile)
> +')
> +
> ########################################
> ## <summary>
> ## Search the contents of all directories on
> @@ -1993,6 +2074,25 @@ interface(`files_manage_etc_files',`
> read_lnk_files_pattern($1, etc_t, etc_t)
> ')
>
> +##########################################
> +## <summary>
> +## Manage generic directories in /etc
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access
> +## </summary>
> +## </param>
> +##
> +#
> +interface(`files_manage_etc_dirs',`
> + gen_require(`
> + type etc_t;
> + ')
> +
> + manage_dirs_pattern($1, etc_t, etc_t)
> +')
> +
> ########################################
> ## <summary>
> ## Delete system configuration files in /etc.
> @@ -4222,6 +4322,24 @@ interface(`files_list_var_lib',`
> list_dirs_pattern($1, var_t, var_lib_t)
> ')
>
> +###########################################
> +## <summary>
> +## Read-write /var/lib directories
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`files_rw_var_lib_dirs',`
> + gen_require(`
> + type var_lib_t;
> + ')
> +
> + rw_dirs_pattern($1, var_lib_t, var_lib_t)
> +')
> +
> ########################################
> ## <summary>
> ## Create objects in the /var/lib directory
> diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te
> index 3ae897d..e970d85 100644
> --- a/policy/modules/kernel/files.te
> +++ b/policy/modules/kernel/files.te
> @@ -11,6 +11,7 @@ attribute files_unconfined_type;
> attribute lockfile;
> attribute mountpoint;
> attribute pidfile;
> +attribute configfile;
>
> # For labeling types that are to be polyinstantiated
> attribute polydir;
> diff --git a/policy/modules/services/puppet.fc b/policy/modules/services/puppet.fc
> new file mode 100644
> index 0000000..8cc04c3
> --- /dev/null
> +++ b/policy/modules/services/puppet.fc
> @@ -0,0 +1,13 @@
> +/etc/puppet(/.*)? gen_context(system_u:object_r:puppet_etc_t, s0)
> +
> +/etc/rc\.d/init\.d/puppet -- gen_context(system_u:object_r:puppet_initrc_exec_t, s0)
> +/etc/rc\.d/init\.d/puppetmaster -- gen_context(system_u:object_r:puppetmasterd_initrc_exec_t, s0)
> +
> +/usr/sbin/puppetd -- gen_context(system_u:object_r:puppet_exec_t, s0)
> +/usr/sbin/puppetmasterd -- gen_context(system_u:object_r:puppetmaster_exec_t, s0)
> +
> +/var/lib/puppet(/.*)? gen_context(system_u:object_r:puppet_var_lib_t, s0)
> +/var/log/puppet(/.*)? gen_context(system_u:object_r:puppet_log_t, s0)
> +/var/run/puppet(/.*)? gen_context(system_u:object_r:puppet_var_run_t, s0)
> +
> +
> diff --git a/policy/modules/services/puppet.if b/policy/modules/services/puppet.if
> new file mode 100644
> index 0000000..ad75def
> --- /dev/null
> +++ b/policy/modules/services/puppet.if
> @@ -0,0 +1,32 @@
> +## <summary>Puppet client daemon</summary>
> +## <desc>
> +## <p>
> +## Puppet is a configuration management system written in Ruby.
> +## The client daemon is responsible for periodically requesting the
> +## desired system state from the server and ensuring the state of
> +## the client system matches.
> +## </p>
> +## </desc>
> +
> +################################################
> +## <summary>
> +## Read / Write to Puppet temp files. Puppet uses
> +## some system binaries (groupadd, etc) that run in
> +## a non-puppet domain and redirects output into temp
> +## files.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access
> +## </summary>
> +## </param>
> +##
> +#
> +interface(`puppet_rw_tmp', `
> + gen_require(`
> + type puppet_tmp_t;
> + ')
> +
> + allow $1 puppet_tmp_t:file rw_file_perms;
> + files_search_tmp($1)
> +')
> diff --git a/policy/modules/services/puppet.te b/policy/modules/services/puppet.te
> new file mode 100644
> index 0000000..2336da4
> --- /dev/null
> +++ b/policy/modules/services/puppet.te
> @@ -0,0 +1,260 @@
> +
> +policy_module(puppet, 0.0.1)
> +
> +########################################
> +#
> +# Declarations
> +#
> +
> +## <desc>
> +## <p>
> +## Allow Puppet client to manage all file
> +## types.
> +## </p>
> +## </desc>
> +gen_tunable(puppet_manage_all_files, false)
> +
> +
> +########################################
> +#
> +# Puppet personal declarations
> +#
> +
> +type puppet_t;
> +type puppet_exec_t;
> +init_daemon_domain(puppet_t, puppet_exec_t)
> +
> +type puppet_initrc_exec_t;
> +init_script_file(puppet_initrc_exec_t);
> +
> +type puppet_log_t;
> +logging_log_file(puppet_log_t)
> +
> +type puppet_var_lib_t;
> +files_type(puppet_var_lib_t)
> +
> +type puppet_var_run_t;
> +files_pid_file(puppet_var_run_t)
> +
> +type puppet_etc_t;
> +files_config_file(puppet_etc_t)
> +
> +type puppet_tmp_t;
> +files_tmp_file(puppet_tmp_t)
> +
> +########################################
> +#
> +# Pupper master personal declarations
> +#
> +
> +type puppetmaster_t;
> +type puppetmaster_exec_t;
> +init_daemon_domain(puppetmaster_t, puppetmaster_exec_t)
> +
> +type puppetmasterd_initrc_exec_t;
> +init_script_file(puppetmasterd_initrc_exec_t)
> +
> +type puppetmaster_tmp_t;
> +files_tmp_file(puppetmaster_tmp_t)
> +
> +########################################
> +#
> +# Puppet personal policy
> +#
> +
> +allow puppet_t self:capability { fowner fsetid setuid setgid dac_override sys_nice sys_ptrace sys_tty_config };
> +allow puppet_t self:fifo_file rw_fifo_file_perms;
> +allow puppet_t self:netlink_route_socket create_netlink_socket_perms;
> +allow puppet_t self:process { signal signull getsched setsched };
> +allow puppet_t self:tcp_socket create_stream_socket_perms;
> +allow puppet_t self:udp_socket create_socket_perms;
> +
> +search_dirs_pattern(puppet_t, puppet_etc_t, puppet_etc_t)
> +read_files_pattern(puppet_t, puppet_etc_t, puppet_etc_t)
> +
> +manage_dirs_pattern(puppet_t ,puppet_var_lib_t, puppet_var_lib_t)
> +manage_files_pattern(puppet_t, puppet_var_lib_t, puppet_var_lib_t)
> +
> +setattr_dirs_pattern(puppet_t, puppet_var_run_t, puppet_var_run_t)
> +manage_files_pattern(puppet_t, puppet_var_run_t, puppet_var_run_t)
> +files_pid_filetrans(puppet_t, puppet_var_run_t, { file dir })
> +
> +create_dirs_pattern(puppet_t, var_log_t, puppet_log_t)
> +create_files_pattern(puppet_t, puppet_log_t, puppet_log_t)
> +append_files_pattern(puppet_t, puppet_log_t, puppet_log_t)
> +logging_log_filetrans(puppet_t, puppet_log_t, { file dir })
> +
> +manage_dirs_pattern(puppet_t, puppet_tmp_t, puppet_tmp_t)
> +manage_files_pattern(puppet_t, puppet_tmp_t, puppet_tmp_t)
> +files_tmp_filetrans(puppet_t, puppet_tmp_t, { file dir })
> +
> +corenet_sendrecv_puppet_client_packets(puppet_t)
> +corenet_tcp_connect_puppet_port(puppet_t)
> +
> +corenet_all_recvfrom_netlabel(puppet_t)
> +corenet_all_recvfrom_unlabeled(puppet_t)
> +
> +corenet_tcp_sendrecv_generic_if(puppet_t)
> +corenet_tcp_sendrecv_generic_node(puppet_t)
> +
> +corenet_tcp_bind_generic_node(puppet_t)
> +
> +corecmd_exec_bin(puppet_t)
> +corecmd_exec_shell(puppet_t)
> +
> +dev_read_rand(puppet_t)
> +dev_read_sysfs(puppet_t)
> +dev_read_urand(puppet_t)
> +
> +domain_read_all_domains_state(puppet_t)
> +domain_interactive_fd(puppet_t)
> +
> +files_manage_config_files(puppet_t)
> +files_manage_config_dirs(puppet_t)
> +files_manage_etc_dirs(puppet_t)
> +files_manage_etc_files(puppet_t)
> +files_read_usr_symlinks(puppet_t)
> +files_relabel_config_dirs(puppet_t)
> +files_relabel_config_files(puppet_t)
> +files_search_default(puppet_t)
> +files_search_var_lib(puppet_t)
> +
> +init_all_labeled_script_domtrans(puppet_t)
> +init_domtrans_script(puppet_t)
> +init_read_utmp(puppet_t)
> +init_signull_script(puppet_t)
> +
> +kernel_dontaudit_search_sysctl(puppet_t)
> +kernel_dontaudit_search_kernel_sysctl(puppet_t)
> +kernel_read_system_state(puppet_t)
> +kernel_read_crypto_sysctls(puppet_t)
> +
> +logging_send_syslog_msg(puppet_t)
> +
> +miscfiles_read_hwdata(puppet_t)
> +miscfiles_read_localization(puppet_t)
> +
> +selinux_search_fs(puppet_t)
> +selinux_set_all_booleans(puppet_t)
> +selinux_set_generic_booleans(puppet_t)
> +selinux_validate_context(puppet_t)
> +
> +seutil_domtrans_setfiles(puppet_t)
> +seutil_domtrans_semanage(puppet_t)
> +
> +sysnet_dns_name_resolve(puppet_t)
> +sysnet_run_ifconfig(puppet_t, system_r)
> +
> +term_dontaudit_getattr_unallocated_ttys(puppet_t)
> +term_dontaudit_getattr_all_user_ttys(puppet_t)
> +
> +tunable_policy(`puppet_manage_all_files',`
> + auth_manage_all_files_except_shadow(puppet_t)
> +')
> +
> +optional_policy(`
> + consoletype_domtrans(puppet_t)
> +')
> +
> +optional_policy(`
> + hostname_exec(puppet_t)
> +')
> +
> +optional_policy(`
> + files_rw_var_files(puppet_t)
> + files_var_lib_filetrans(puppet_t, var_lib_t, dir)
> +
> + rpm_domtrans(puppet_t)
> + rpm_manage_db(puppet_t)
> + rpm_manage_log(puppet_t)
> +')
> +
> +optional_policy(`
> + unconfined_domain(puppet_t)
> +')
> +
> +optional_policy(`
> + usermanage_domtrans_groupadd(puppet_t)
> + usermanage_domtrans_useradd(puppet_t)
> +')
> +
> +
> +########################################
> +#
> +# Pupper master personal policy
> +#
> +
> +allow puppetmaster_t self:capability { dac_read_search dac_override setuid setgid fowner chown fsetid sys_tty_config };
> +allow puppetmaster_t self:fifo_file rw_fifo_file_perms;;
> +allow puppetmaster_t self:netlink_route_socket create_netlink_socket_perms;
> +allow puppetmaster_t self:process { signal_perms getsched setsched };
> +allow puppetmaster_t self:socket create;
> +allow puppetmaster_t self:tcp_socket create_stream_socket_perms;
> +allow puppetmaster_t self:udp_socket create_socket_perms;
> +
> +list_dirs_pattern(puppetmaster_t, puppet_etc_t, puppet_etc_t)
> +read_files_pattern(puppetmaster_t, puppet_etc_t, puppet_etc_t)
> +
> +manage_dirs_pattern(puppetmaster_t ,puppet_var_lib_t, puppet_var_lib_t)
> +manage_files_pattern(puppetmaster_t, puppet_var_lib_t, puppet_var_lib_t)
> +
> +setattr_dirs_pattern(puppetmaster_t, puppet_var_run_t, puppet_var_run_t)
> +manage_files_pattern(puppetmaster_t, puppet_var_run_t, puppet_var_run_t)
> +files_pid_filetrans(puppetmaster_t, puppet_var_run_t, { file dir })
> +
> +rw_dirs_pattern(puppetmaster_t, puppet_log_t, puppet_log_t)
> +setattr_dirs_pattern(puppetmaster_t, puppet_log_t, puppet_log_t)
> +setattr_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t)
> +create_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t)
> +append_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t)
> +rw_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t)
> +logging_log_filetrans(puppetmaster_t, puppet_log_t, { file dir })
> +
> +manage_dirs_pattern(puppetmaster_t, puppetmaster_tmp_t, puppetmaster_tmp_t)
> +manage_files_pattern(puppetmaster_t, puppetmaster_tmp_t, puppetmaster_tmp_t)
> +files_tmp_filetrans(puppetmaster_t, puppetmaster_tmp_t, { file dir })
> +
> +corenet_sendrecv_puppet_server_packets(puppetmaster_t)
> +corenet_tcp_bind_puppet_port(puppetmaster_t)
> +
> +corenet_all_recvfrom_netlabel(puppetmaster_t)
> +corenet_all_recvfrom_unlabeled(puppetmaster_t)
> +
> +corenet_tcp_sendrecv_generic_if(puppetmaster_t)
> +corenet_tcp_sendrecv_generic_node(puppetmaster_t)
> +
> +corenet_tcp_bind_generic_node(puppetmaster_t)
> +
> +corecmd_exec_bin(puppetmaster_t)
> +corecmd_exec_shell(puppetmaster_t)
> +
> +files_read_etc_files(puppetmaster_t)
> +files_search_var_lib(puppetmaster_t)
> +
> +dev_read_rand(puppetmaster_t)
> +dev_read_urand(puppetmaster_t)
> +
> +domain_read_all_domains_state(puppetmaster_t)
> +
> +kernel_dontaudit_search_kernel_sysctl(puppetmaster_t)
> +kernel_read_system_state(puppetmaster_t)
> +kernel_read_crypto_sysctls(puppetmaster_t)
> +
> +logging_send_syslog_msg(puppetmaster_t)
> +
> +miscfiles_read_localization(puppetmaster_t)
> +
> +sysnet_dns_name_resolve(puppetmaster_t)
> +sysnet_run_ifconfig(puppetmaster_t, system_r)
> +
> +optional_policy(`
> + hostname_exec(puppetmaster_t)
> +')
> +
> +optional_policy(`
> + files_read_usr_symlinks(puppetmaster_t)
> +
> + rpm_exec(puppetmaster_t)
> + rpm_read_db(puppetmaster_t)
> +')
> +
> diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
> index 7637333..a5a3adb 100644
> --- a/policy/modules/system/init.if
> +++ b/policy/modules/system/init.if
> @@ -720,6 +720,25 @@ interface(`init_labeled_script_domtrans',`
> files_search_etc($1)
> ')
>
> +#########################################
> +## <summary>
> +## Transition to the init script domain
> +## for all labeled init script types
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access
> +## </summary>
> +## </param>
> +#########################################
> +interface(`init_all_labeled_script_domtrans',`
> + gen_require(`
> + attribute init_script_file_type;
> + ')
> +
> + init_labeled_script_domtrans($1, init_script_file_type)
> +')
> +
> ########################################
> ## <summary>
> ## Start and stop daemon programs directly.
> diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
> index efe5277..1ff0596 100644
> --- a/policy/modules/system/init.te
> +++ b/policy/modules/system/init.te
> @@ -688,6 +688,10 @@ optional_policy(`
> ')
>
> optional_policy(`
> + puppet_rw_tmp(initrc_t)
> +')
> +
> +optional_policy(`
> quota_manage_flags(initrc_t)
> ')
>
> diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te
> index 0c4f4ba..8005fb6 100644
> --- a/policy/modules/system/libraries.te
> +++ b/policy/modules/system/libraries.te
> @@ -123,3 +123,7 @@ optional_policy(`
> # blow up.
> rpm_manage_script_tmp_files(ldconfig_t)
> ')
> +
> +optional_policy(`
> + puppet_rw_tmp(ldconfig_t)
> +')


--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150