Set of contrib repository changes.
Sven Vermeulen (12):
More .maildir fixes
Mark make.profile entry as portage_conf_t (v2)
Move mta call (coding style)
Changes to puppet domain
Allow rpc admin to run exportfs
Grant sys_admin capability to puppet
Puppet module helper scripts are puppet_var_lib_t
Support netlink_route_socket creation for puppet
Puppet initscript creates /run/puppet
Puppet runs statfs against selinuxfs
Allow qemu to create TCP sockets (VNC support)
Fix specification collision (hal and devicekit)
dovecot.te | 1 +
hal.fc | 3 ++-
mta.te | 1 +
portage.fc | 1 +
procmail.te | 1 +
puppet.te | 21 +++++++++++++++------
qemu.te | 2 ++
rpc.if | 2 ++
uwimap.te | 1 +
9 files changed, 26 insertions(+), 7 deletions(-)
--
1.7.8.6
A previous commit provided initial support for ~/.maildir as a mail home
directory. This patch further implements this by adding the necessary named
file transitions where one for "~/Maildir" already existed.
Signed-off-by: Sven Vermeulen <[email protected]>
---
dovecot.te | 1 +
mta.te | 1 +
procmail.te | 1 +
uwimap.te | 1 +
4 files changed, 4 insertions(+), 0 deletions(-)
diff --git a/dovecot.te b/dovecot.te
index 73c8686..b0f48ea 100644
--- a/dovecot.te
+++ b/dovecot.te
@@ -191,6 +191,7 @@ optional_policy(`
mta_manage_spool(dovecot_t)
mta_manage_mail_home_rw_content(dovecot_t)
mta_home_filetrans_mail_home_rw(dovecot_t, dir, "Maildir")
+ mta_home_filetrans_mail_home_rw(dovecot_t, dir, ".maildir")
')
optional_policy(`
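Review bot: every consuming domain now carries an identical pair of filetrans calls, one for "Maildir" and one for ".maildir" (dovecot here, and the same pair again in procmail.te and uwimap.te in this patch); consider exposing both names through a single mta.if interface so that a future third mail-home name is added in one place instead of in each caller.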
diff --git a/mta.te b/mta.te
index 8a14615..d77a86a 100644
--- a/mta.te
+++ b/mta.te
@@ -67,6 +67,7 @@ manage_dirs_pattern(user_mail_domain, mail_home_rw_t, mail_home_rw_t)
manage_files_pattern(user_mail_domain, mail_home_rw_t, mail_home_rw_t)
manage_lnk_files_pattern(user_mail_domain, mail_home_rw_t, mail_home_rw_t)
userdom_user_home_dir_filetrans(user_mail_domain, mail_home_rw_t, dir, "Maildir")
+userdom_user_home_dir_filetrans(user_mail_domain, mail_home_rw_t, dir, ".maildir")
read_files_pattern(user_mail_domain, { etc_mail_t etc_aliases_t }, { etc_mail_t etc_aliases_t })
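Review bot: a named file transition only labels a ~/.maildir that one of the user_mail_domain domains creates itself; a directory that already exists, or that the user creates, gets its label from the file context entry for the home-directory path, which the message says an earlier commit added. Check with matchpathcon on a real home path that the .maildir entry resolves to mail_home_rw_t before relying on this rule, otherwise pre-existing mail stores stay mislabelled.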
diff --git a/procmail.te b/procmail.te
index 07d5c5a..ea25cb5 100644
--- a/procmail.te
+++ b/procmail.te
@@ -105,6 +105,7 @@ optional_policy(`
mta_read_queue(procmail_t)
mta_manage_mail_home_rw_content(procmail_t)
mta_home_filetrans_mail_home_rw(procmail_t, dir, "Maildir")
+ mta_home_filetrans_mail_home_rw(procmail_t, dir, ".maildir")
')
optional_policy(`
diff --git a/uwimap.te b/uwimap.te
index 4e06a93..5d89b3f 100644
--- a/uwimap.te
+++ b/uwimap.te
@@ -91,6 +91,7 @@ optional_policy(`
mta_manage_spool(imapd_t)
mta_manage_mail_home_rw_content(imapd_t)
mta_home_filetrans_mail_home_rw(imapd_t, dir, "Maildir")
+ mta_home_filetrans_mail_home_rw(imapd_t, dir, ".maildir")
')
optional_policy(`
--
1.7.8.6
Although the /etc/make.profile symlink is going to be removed in a matter of
time, it is currently still very much in use and should be marked as
portage_conf_t.
Fixed to use -l instead of -s in the file context.
Signed-off-by: Sven Vermeulen <[email protected]>
---
portage.fc | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)
diff --git a/portage.fc b/portage.fc
index d044552..da4892c 100644
--- a/portage.fc
+++ b/portage.fc
@@ -1,5 +1,6 @@
/etc/make\.conf -- gen_context(system_u:object_r:portage_conf_t,s0)
/etc/make\.globals -- gen_context(system_u:object_r:portage_conf_t,s0)
+/etc/make\.profile -l gen_context(system_u:object_r:portage_conf_t,s0)
/etc/portage(/.*)? gen_context(system_u:object_r:portage_conf_t,s0)
/etc/portage/gpg(/.*)? gen_context(system_u:object_r:portage_gpg_t,s0)
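Review bot: the -l class specifier labels only the symlink inode; the profile directory it points to keeps whatever label its own path gives it, so a domain reading /etc/make.profile needs read_lnk_file_perms on portage_conf_t plus access to the target's type, and that second half is not changed here. The message also says the symlink is going away; if it is later replaced by a plain file or directory this entry silently stops matching and the path falls back to the generic /etc label, so remove the entry in the same change that removes the symlink.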
--
1.7.8.6
Signed-off-by: Sven Vermeulen <[email protected]>
---
puppet.te | 8 ++++----
1 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/puppet.te b/puppet.te
index 8266be4..1113f10 100644
--- a/puppet.te
+++ b/puppet.te
@@ -317,6 +317,10 @@ optional_policy(`
')
optional_policy(`
+ mta_send_mail(puppetmaster_t)
+')
+
+optional_policy(`
mysql_stream_connect(puppetmaster_t)
')
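Review bot: the commit message is empty apart from the Signed-off-by; since this hunk and the next only relocate the mta_send_mail(puppetmaster_t) block to sit before the mysql one (alphabetical order) without changing any rule, say so in the message ("no functional change") so a reviewer does not have to diff the two hunks against each other to confirm nothing was dropped.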
@@ -330,7 +334,3 @@ optional_policy(`
rpm_exec(puppetmaster_t)
rpm_read_db(puppetmaster_t)
')
-
-optional_policy(`
- mta_send_mail(puppetmaster_t)
-')
--
1.7.8.6
The provided changes are needed for a puppet (client) to properly start up
and/or get its facts straight (= information on the current system state).
Signed-off-by: Sven Vermeulen <[email protected]>
---
puppet.te | 8 +++++++-
1 files changed, 7 insertions(+), 1 deletions(-)
diff --git a/puppet.te b/puppet.te
index 1113f10..f3f1c1f 100644
--- a/puppet.te
+++ b/puppet.te
@@ -58,11 +58,12 @@ files_tmp_file(puppetmaster_tmp_t)
# Local policy
#
-allow puppet_t self:capability { fowner fsetid setuid setgid dac_override sys_nice sys_tty_config };
+allow puppet_t self:capability { chown fowner fsetid setuid setgid dac_override sys_nice sys_tty_config };
allow puppet_t self:process { signal signull getsched setsched };
allow puppet_t self:fifo_file rw_fifo_file_perms;
allow puppet_t self:netlink_route_socket nlmsg_write;
allow puppet_t self:tcp_socket { accept listen };
+allow puppet_t self:udp_socket create_socket_perms;
allow puppet_t puppet_etc_t:dir list_dir_perms;
allow puppet_t puppet_etc_t:file read_file_perms;
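Review bot: the message bundles several unrelated grants without saying which fact or startup step triggered each one; chown lets puppet_t hand any file to any uid (expected for a configuration manager, but worth stating), while create_socket_perms on self:udp_socket only lets it create and configure a socket, and any actual UDP traffic (DNS lookups, for instance) still needs the matching corenet or sysnet rules, so name the trigger in the message and add the network side in the same change if that is what the socket is for.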
@@ -78,6 +79,7 @@ files_pid_filetrans(puppet_t, puppet_var_run_t, { file dir })
allow puppet_t puppet_log_t:dir { create_dir_perms setattr_dir_perms };
append_files_pattern(puppet_t, puppet_log_t, puppet_log_t)
create_files_pattern(puppet_t, puppet_log_t, puppet_log_t)
+read_files_pattern(puppet_t, puppet_log_t, puppet_log_t)
setattr_files_pattern(puppet_t, puppet_log_t, puppet_log_t)
logging_log_filetrans(puppet_t, puppet_log_t, { file dir })
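Review bot: puppet_t previously had only append, create and setattr on puppet_log_t, the usual write-only pattern for a daemon's own logs; before granting read, check whether the denial came from opening the log read-write (where a dontaudit would do) or from a genuine read of log content, and record the trigger in the message.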
@@ -90,6 +92,8 @@ kernel_dontaudit_search_kernel_sysctl(puppet_t)
kernel_read_system_state(puppet_t)
kernel_read_crypto_sysctls(puppet_t)
kernel_read_kernel_sysctls(puppet_t)
+kernel_read_net_sysctls(puppet_t)
+kernel_read_network_state(puppet_t)
corecmd_exec_bin(puppet_t)
corecmd_exec_shell(puppet_t)
@@ -119,6 +123,7 @@ files_read_usr_files(puppet_t)
files_read_usr_symlinks(puppet_t)
files_relabel_config_dirs(puppet_t)
files_relabel_config_files(puppet_t)
+files_search_var_lib(puppet_t)
selinux_search_fs(puppet_t)
selinux_set_all_booleans(puppet_t)
@@ -144,6 +149,7 @@ seutil_domtrans_setfiles(puppet_t)
seutil_domtrans_semanage(puppet_t)
sysnet_run_ifconfig(puppet_t, system_r)
+sysnet_use_ldap(puppet_t)
tunable_policy(`puppet_manage_all_files',`
files_manage_non_auth_files(puppet_t)
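Review bot: sysnet_use_ldap covers only the LDAP side of name-service lookups; if puppet resolves users, groups or hosts through nsswitch it will also need DNS and nscd access, which auth_use_nsswitch provides in one call, so prefer that over adding the individual sysnet_* interfaces one denial at a time (the udp_socket permission in the first hunk of this patch looks like the DNS half of the same problem).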
--
1.7.8.6
While gathering information, puppet invokes lspci, which requires the sys_admin
capability.
Signed-off-by: Sven Vermeulen <[email protected]>
---
puppet.te | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/puppet.te b/puppet.te
index f3f1c1f..5a256e3 100644
--- a/puppet.te
+++ b/puppet.te
@@ -58,7 +58,7 @@ files_tmp_file(puppetmaster_tmp_t)
# Local policy
#
-allow puppet_t self:capability { chown fowner fsetid setuid setgid dac_override sys_nice sys_tty_config };
+allow puppet_t self:capability { chown fowner fsetid setuid setgid dac_override sys_admin sys_nice sys_tty_config };
allow puppet_t self:process { signal signull getsched setsched };
allow puppet_t self:fifo_file rw_fifo_file_perms;
allow puppet_t self:netlink_route_socket nlmsg_write;
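Review bot: sys_admin is far wider than PCI enumeration (it also covers mount, quotactl and most other privileged ioctls), so this hunk effectively removes the capability boundary around puppet_t; if the lspci call fails open (the PCI facts are simply missing) rather than aborting the run, a dontaudit keeps the noise out of the audit log without the grant, and if the facts must be collected, running lspci in its own domain confines the capability to that helper instead of to everything puppet_t executes.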
--
1.7.8.6
As the module helper scripts are puppet_var_lib_t, we allow puppet_t to execute
these files. Another method would be to have the scripts marked bin_t, but as
these paths are depending on module names this does not seem feasible.
Signed-off-by: Sven Vermeulen <[email protected]>
---
puppet.te | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)
diff --git a/puppet.te b/puppet.te
index 5a256e3..f627825 100644
--- a/puppet.te
+++ b/puppet.te
@@ -71,6 +71,7 @@ allow puppet_t puppet_etc_t:lnk_file read_lnk_file_perms;
manage_dirs_pattern(puppet_t, puppet_var_lib_t, puppet_var_lib_t)
manage_files_pattern(puppet_t, puppet_var_lib_t, puppet_var_lib_t)
+can_exec(puppet_t, puppet_var_lib_t)
setattr_dirs_pattern(puppet_t, puppet_var_run_t, puppet_var_run_t)
manage_files_pattern(puppet_t, puppet_var_run_t, puppet_var_run_t)
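Review bot: can_exec(puppet_t, puppet_var_lib_t) lets puppet_t execute, without a domain transition, any file of a type it also has manage_files_pattern on two lines above, so whatever the master pushes into puppet_var_lib_t (or anything else able to write there) runs with puppet_t's full privilege set, including the sys_admin granted earlier in this series; if the helper scripts live under a fixed subdirectory, a separate executable type for that subtree would keep write and exec on distinct types.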
--
1.7.8.6
Signed-off-by: Sven Vermeulen <[email protected]>
---
puppet.te | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/puppet.te b/puppet.te
index f627825..357a2f5 100644
--- a/puppet.te
+++ b/puppet.te
@@ -61,7 +61,7 @@ files_tmp_file(puppetmaster_tmp_t)
allow puppet_t self:capability { chown fowner fsetid setuid setgid dac_override sys_admin sys_nice sys_tty_config };
allow puppet_t self:process { signal signull getsched setsched };
allow puppet_t self:fifo_file rw_fifo_file_perms;
-allow puppet_t self:netlink_route_socket nlmsg_write;
+allow puppet_t self:netlink_route_socket create_netlink_socket_perms;
allow puppet_t self:tcp_socket { accept listen };
allow puppet_t self:udp_socket create_socket_perms;
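Review bot: the commit message is empty; create_netlink_socket_perms is a superset of the previous nlmsg_write (it also includes the create_socket_perms set and nlmsg_read), so the message should say what in puppet or facter opens the route socket (interface or routing facts, presumably) and that the old rule is subsumed rather than dropped.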
--
1.7.8.6
Running exportfs gives a failure::
exportfs: /proc/fs/nfs/exports:2: unknown keyword
"uuid=98e15bcc:25161082:00000000:00000000"
A related denial::
Dec 19 14:42:24 hpl kernel: [21543.035535] type=1400 audit(1355924544.121:1506):
avc: denied { search } for pid=4139 comm="exportfs" name="/" dev="nfsd" ino=1
scontext=staff_u:sysadm_r:sysadm_t tcontext=system_u:object_r:nfsd_fs_t
tclass=dir
Granting fs_search_nfsd_t() provides what is needed to handle this properly.
Signed-off-by: Sven Vermeulen <[email protected]>
---
rpc.if | 2 ++
1 files changed, 2 insertions(+), 0 deletions(-)
diff --git a/rpc.if b/rpc.if
index 694e1e8..3bd6446 100644
--- a/rpc.if
+++ b/rpc.if
@@ -415,4 +415,6 @@ interface(`rpc_admin',`
files_list_tmp($1)
admin_pattern($1, gssd_tmp_t)
+
+ fs_search_nfsd_fs($1)
')
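Review bot: the message names fs_search_nfsd_t() but the hunk calls fs_search_nfsd_fs($1); fix the message to match. More importantly, the exportfs "unknown keyword uuid=" error and the search denial on nfsd_fs_t are presented as merely related; if the denial is not actually what makes exportfs fail, this grant widens rpc_admin for every role that uses it without fixing the reported problem, and since the denial was observed from sysadm_t, which already carries broad privileges, the interface should be exercised from a narrower admin role before assuming this single line is sufficient.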
--
1.7.8.6
As the target context of /run/puppet needs to be puppet_var_run_t, introduce an
init_daemon_run_dir call to support this.
Signed-off-by: Sven Vermeulen <[email protected]>
---
puppet.te | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)
diff --git a/puppet.te b/puppet.te
index 357a2f5..f836236 100644
--- a/puppet.te
+++ b/puppet.te
@@ -37,6 +37,7 @@ files_type(puppet_var_lib_t)
type puppet_var_run_t;
files_pid_file(puppet_var_run_t)
+init_daemon_run_dir(puppet_var_run_t, "puppet")
type puppetca_t;
type puppetca_exec_t;
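Review bot: init_daemon_run_dir only installs a named transition for the init domains creating "puppet" under the pid directory, so it covers exactly the initscript case in the message; puppet_t creating its own run directory is already handled by the files_pid_filetrans(puppet_t, puppet_var_run_t, { file dir }) shown earlier in this series, and a matching file context entry for the directory is still needed so that a pre-existing /run/puppet is relabelled correctly on restorecon.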
--
1.7.8.6
When dealing with SELinux information in puppet, puppet invokes binaries such as
getsebool and setsebool. These binaries run statfs against the selinuxfs mounts.
If the statfs returns failure, then these binaries return "SELinux is not
enabled" even though this is false.
Signed-off-by: Sven Vermeulen <[email protected]>
---
puppet.te | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)
diff --git a/puppet.te b/puppet.te
index f836236..4e45b07 100644
--- a/puppet.te
+++ b/puppet.te
@@ -127,6 +127,7 @@ files_relabel_config_dirs(puppet_t)
files_relabel_config_files(puppet_t)
files_search_var_lib(puppet_t)
+selinux_get_fs_mount(puppet_t)
selinux_search_fs(puppet_t)
selinux_set_all_booleans(puppet_t)
selinux_set_generic_booleans(puppet_t)
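Review bot: the failure mode described in the message is a silent fail-open, not a hard error: a denied statfs on selinuxfs makes getsebool and setsebool report SELinux as not enabled, so puppet quietly skips every SELinux resource while reporting a successful run. The grant is the right fix, but the message should spell out that symptom so the same class of bug (success reported, SELinux handling skipped) is recognised when it shows up in other confined tools.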
--
1.7.8.6
To support binding to a VNC server (as well as GDB remote support), allow
qemu_t to create a tcp_socket.
Signed-off-by: Sven Vermeulen <[email protected]>
---
qemu.te | 2 ++
1 files changed, 2 insertions(+), 0 deletions(-)
diff --git a/qemu.te b/qemu.te
index 2e824eb..672acfb 100644
--- a/qemu.te
+++ b/qemu.te
@@ -28,6 +28,8 @@ role qemu_roles types qemu_t;
#
tunable_policy(`qemu_full_network',`
+ allow qemu_t self:tcp_socket create_stream_socket_perms;
+
corenet_udp_sendrecv_generic_if(qemu_t)
corenet_udp_sendrecv_generic_node(qemu_t)
corenet_udp_sendrecv_all_ports(qemu_t)
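Review bot: create_stream_socket_perms on self:tcp_socket only lets qemu_t create and listen on a socket; binding the VNC or GDB port additionally needs tcp name_bind on the relevant port type and the corenet tcp bind and sendrecv rules, none of which are in this hunk, so either they already exist elsewhere in qemu.te or VNC will still fail after this change. Placing the rule inside tunable_policy(`qemu_full_network') also ties VNC listening to that boolean, which the message does not mention.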
--
1.7.8.6
In the devicekit contexts, pm-utils(/.*)? is colliding with the pm(/.*)?
definition in HAL. So switching the definition in HAL to use the pm/ directory
itself and leave pm-utils for devicekit.
Signed-off-by: Sven Vermeulen <[email protected]>
---
hal.fc | 3 ++-
1 files changed, 2 insertions(+), 1 deletions(-)
diff --git a/hal.fc b/hal.fc
index 2899bad..a64b30e 100644
--- a/hal.fc
+++ b/hal.fc
@@ -22,6 +22,7 @@
/var/run/hald(/.*)? gen_context(system_u:object_r:hald_var_run_t,s0)
/var/run/haldaemon\.pid -- gen_context(system_u:object_r:hald_var_run_t,s0)
-/var/run/pm(/.*)? gen_context(system_u:object_r:hald_var_run_t,s0)
+/var/run/pm -d gen_context(system_u:object_r:hald_var_run_t,s0)
+/var/run/pm/(.*)? gen_context(system_u:object_r:hald_var_run_t,s0)
/var/run/synce.* gen_context(system_u:object_r:hald_var_run_t,s0)
/var/run/vbe.* -- gen_context(system_u:object_r:hald_var_run_t,s0)
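Review bot: the two replacement lines match exactly the same set of paths as the removed /var/run/pm(/.*)? line (the -d entry covers the directory and /var/run/pm/(.*)? covers everything beneath it), and the original pattern could never match /var/run/pm-utils because after "pm" it requires either "/" or end of string, so this hunk changes no labelling at all; if a collision was observed on a test system the cause lies elsewhere (check the path with matchpathcon -V or semanage fcontext -l) and this change should be dropped.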
--
1.7.8.6
On Mon, 2012-12-31 at 23:52 +0100, Sven Vermeulen wrote:
> In the devicekit contexts, pm-utils(/.*)? is colliding with the pm(/.*)?
> definition in HAL. So switching the definition in HAL to use the pm/ directory
> itself and leave pm-utils for devicekit.
I do not understand what you are trying to achieve here.
In devicekit.fc it's pm-utils(/.*)? and in hald it's pm(/.*)?, so there
shouldn't be any collision.
> Signed-off-by: Sven Vermeulen <[email protected]>
> ---
> hal.fc | 3 ++-
> 1 files changed, 2 insertions(+), 1 deletions(-)
>
> diff --git a/hal.fc b/hal.fc
> index 2899bad..a64b30e 100644
> --- a/hal.fc
> +++ b/hal.fc
> @@ -22,6 +22,7 @@
>
> /var/run/hald(/.*)? gen_context(system_u:object_r:hald_var_run_t,s0)
> /var/run/haldaemon\.pid -- gen_context(system_u:object_r:hald_var_run_t,s0)
> -/var/run/pm(/.*)? gen_context(system_u:object_r:hald_var_run_t,s0)
> +/var/run/pm -d gen_context(system_u:object_r:hald_var_run_t,s0)
> +/var/run/pm/(.*)? gen_context(system_u:object_r:hald_var_run_t,s0)
> /var/run/synce.* gen_context(system_u:object_r:hald_var_run_t,s0)
> /var/run/vbe.* -- gen_context(system_u:object_r:hald_var_run_t,s0)
On Mon, 2012-12-31 at 23:52 +0100, Sven Vermeulen wrote:
> To support binding to a VNC server (as well as GDB remote support), allow
> qemu_t to create a tcp_socket.
I added instead:
-allow virt_domain self:tcp_socket { accept listen };
+allow virt_domain self:tcp_socket create_stream_socket_perms;
This was indeed an issue that was introduced when I removed
auth_use_nsswitch support.
> Signed-off-by: Sven Vermeulen <[email protected]>
> ---
> qemu.te | 2 ++
> 1 files changed, 2 insertions(+), 0 deletions(-)
>
> diff --git a/qemu.te b/qemu.te
> index 2e824eb..672acfb 100644
> --- a/qemu.te
> +++ b/qemu.te
> @@ -28,6 +28,8 @@ role qemu_roles types qemu_t;
> #
>
> tunable_policy(`qemu_full_network',`
> + allow qemu_t self:tcp_socket create_stream_socket_perms;
> +
> corenet_udp_sendrecv_generic_if(qemu_t)
> corenet_udp_sendrecv_generic_node(qemu_t)
> corenet_udp_sendrecv_all_ports(qemu_t)
On Mon, 2012-12-31 at 23:52 +0100, Sven Vermeulen wrote:
> A previous commit provided initial support for ~/.maildir as a mail home
> directory. This patch further implements this by adding the necessary named
> file transitions where one for "~/Maildir" already existed.
>
This was merged, thanks
> Signed-off-by: Sven Vermeulen <[email protected]>
> ---
> dovecot.te | 1 +
> mta.te | 1 +
> procmail.te | 1 +
> uwimap.te | 1 +
> 4 files changed, 4 insertions(+), 0 deletions(-)
>
> diff --git a/dovecot.te b/dovecot.te
> index 73c8686..b0f48ea 100644
> --- a/dovecot.te
> +++ b/dovecot.te
> @@ -191,6 +191,7 @@ optional_policy(`
> mta_manage_spool(dovecot_t)
> mta_manage_mail_home_rw_content(dovecot_t)
> mta_home_filetrans_mail_home_rw(dovecot_t, dir, "Maildir")
> + mta_home_filetrans_mail_home_rw(dovecot_t, dir, ".maildir")
> ')
>
> optional_policy(`
> diff --git a/mta.te b/mta.te
> index 8a14615..d77a86a 100644
> --- a/mta.te
> +++ b/mta.te
> @@ -67,6 +67,7 @@ manage_dirs_pattern(user_mail_domain, mail_home_rw_t, mail_home_rw_t)
> manage_files_pattern(user_mail_domain, mail_home_rw_t, mail_home_rw_t)
> manage_lnk_files_pattern(user_mail_domain, mail_home_rw_t, mail_home_rw_t)
> userdom_user_home_dir_filetrans(user_mail_domain, mail_home_rw_t, dir, "Maildir")
> +userdom_user_home_dir_filetrans(user_mail_domain, mail_home_rw_t, dir, ".maildir")
>
> read_files_pattern(user_mail_domain, { etc_mail_t etc_aliases_t }, { etc_mail_t etc_aliases_t })
>
> diff --git a/procmail.te b/procmail.te
> index 07d5c5a..ea25cb5 100644
> --- a/procmail.te
> +++ b/procmail.te
> @@ -105,6 +105,7 @@ optional_policy(`
> mta_read_queue(procmail_t)
> mta_manage_mail_home_rw_content(procmail_t)
> mta_home_filetrans_mail_home_rw(procmail_t, dir, "Maildir")
> + mta_home_filetrans_mail_home_rw(procmail_t, dir, ".maildir")
> ')
>
> optional_policy(`
> diff --git a/uwimap.te b/uwimap.te
> index 4e06a93..5d89b3f 100644
> --- a/uwimap.te
> +++ b/uwimap.te
> @@ -91,6 +91,7 @@ optional_policy(`
> mta_manage_spool(imapd_t)
> mta_manage_mail_home_rw_content(imapd_t)
> mta_home_filetrans_mail_home_rw(imapd_t, dir, "Maildir")
> + mta_home_filetrans_mail_home_rw(imapd_t, dir, ".maildir")
> ')
>
> optional_policy(`
On Mon, 2012-12-31 at 23:52 +0100, Sven Vermeulen wrote:
> Although the /etc/make.profile symlink is going to be removed in a matter of
> time, it is currently still very much in use and should be marked as
> portage_conf_t.
>
I would probably have left it etc_t, but I have no problem with this
solution either. This was merged, thanks.
> Fixed to use -l instead of -s in the file context.
>
> Signed-off-by: Sven Vermeulen <[email protected]>
> ---
> portage.fc | 1 +
> 1 files changed, 1 insertions(+), 0 deletions(-)
>
> diff --git a/portage.fc b/portage.fc
> index d044552..da4892c 100644
> --- a/portage.fc
> +++ b/portage.fc
> @@ -1,5 +1,6 @@
> /etc/make\.conf -- gen_context(system_u:object_r:portage_conf_t,s0)
> /etc/make\.globals -- gen_context(system_u:object_r:portage_conf_t,s0)
> +/etc/make\.profile -l gen_context(system_u:object_r:portage_conf_t,s0)
> /etc/portage(/.*)? gen_context(system_u:object_r:portage_conf_t,s0)
> /etc/portage/gpg(/.*)? gen_context(system_u:object_r:portage_gpg_t,s0)
>
On Mon, 2012-12-31 at 23:52 +0100, Sven Vermeulen wrote:
> Signed-off-by: Sven Vermeulen <[email protected]>
This was merged, thanks
> ---
> puppet.te | 8 ++++----
> 1 files changed, 4 insertions(+), 4 deletions(-)
>
> diff --git a/puppet.te b/puppet.te
> index 8266be4..1113f10 100644
> --- a/puppet.te
> +++ b/puppet.te
> @@ -317,6 +317,10 @@ optional_policy(`
> ')
>
> optional_policy(`
> + mta_send_mail(puppetmaster_t)
> +')
> +
> +optional_policy(`
> mysql_stream_connect(puppetmaster_t)
> ')
>
> @@ -330,7 +334,3 @@ optional_policy(`
> rpm_exec(puppetmaster_t)
> rpm_read_db(puppetmaster_t)
> ')
> -
> -optional_policy(`
> - mta_send_mail(puppetmaster_t)
> -')
On Mon, 2012-12-31 at 23:52 +0100, Sven Vermeulen wrote:
> The provided changes are needed for a puppet (client) to properly start up
> and/or get its facts straight (= information on the current system state).
>
This was merged, thanks
> Signed-off-by: Sven Vermeulen <[email protected]>
> ---
> puppet.te | 8 +++++++-
> 1 files changed, 7 insertions(+), 1 deletions(-)
>
> diff --git a/puppet.te b/puppet.te
> index 1113f10..f3f1c1f 100644
> --- a/puppet.te
> +++ b/puppet.te
> @@ -58,11 +58,12 @@ files_tmp_file(puppetmaster_tmp_t)
> # Local policy
> #
>
> -allow puppet_t self:capability { fowner fsetid setuid setgid dac_override sys_nice sys_tty_config };
> +allow puppet_t self:capability { chown fowner fsetid setuid setgid dac_override sys_nice sys_tty_config };
> allow puppet_t self:process { signal signull getsched setsched };
> allow puppet_t self:fifo_file rw_fifo_file_perms;
> allow puppet_t self:netlink_route_socket nlmsg_write;
> allow puppet_t self:tcp_socket { accept listen };
> +allow puppet_t self:udp_socket create_socket_perms;
>
> allow puppet_t puppet_etc_t:dir list_dir_perms;
> allow puppet_t puppet_etc_t:file read_file_perms;
> @@ -78,6 +79,7 @@ files_pid_filetrans(puppet_t, puppet_var_run_t, { file dir })
> allow puppet_t puppet_log_t:dir { create_dir_perms setattr_dir_perms };
> append_files_pattern(puppet_t, puppet_log_t, puppet_log_t)
> create_files_pattern(puppet_t, puppet_log_t, puppet_log_t)
> +read_files_pattern(puppet_t, puppet_log_t, puppet_log_t)
> setattr_files_pattern(puppet_t, puppet_log_t, puppet_log_t)
> logging_log_filetrans(puppet_t, puppet_log_t, { file dir })
>
> @@ -90,6 +92,8 @@ kernel_dontaudit_search_kernel_sysctl(puppet_t)
> kernel_read_system_state(puppet_t)
> kernel_read_crypto_sysctls(puppet_t)
> kernel_read_kernel_sysctls(puppet_t)
> +kernel_read_net_sysctls(puppet_t)
> +kernel_read_network_state(puppet_t)
>
> corecmd_exec_bin(puppet_t)
> corecmd_exec_shell(puppet_t)
> @@ -119,6 +123,7 @@ files_read_usr_files(puppet_t)
> files_read_usr_symlinks(puppet_t)
> files_relabel_config_dirs(puppet_t)
> files_relabel_config_files(puppet_t)
> +files_search_var_lib(puppet_t)
>
> selinux_search_fs(puppet_t)
> selinux_set_all_booleans(puppet_t)
> @@ -144,6 +149,7 @@ seutil_domtrans_setfiles(puppet_t)
> seutil_domtrans_semanage(puppet_t)
>
> sysnet_run_ifconfig(puppet_t, system_r)
> +sysnet_use_ldap(puppet_t)
>
> tunable_policy(`puppet_manage_all_files',`
> files_manage_non_auth_files(puppet_t)
On Tue, Jan 01, 2013 at 11:33:31AM +0100, grift wrote:
> On Mon, 2012-12-31 at 23:52 +0100, Sven Vermeulen wrote:
> > In the devicekit contexts, pm-utils(/.*)? is colliding with the pm(/.*)?
> > definition in HAL. So switching the definition in HAL to use the pm/ directory
> > itself and leave pm-utils for devicekit.
>
> I do not understand what you are trying to achieve here
>
> In devicekit.fc its pm-utils(/.*)? and in hald its pm(/.*)? so there
> should'nt be any collision
Hmm, you're right. Weird, I could've sworn we had a collision on a test
system here, but I didn't register the problem much further in our
bugtracking.
I'll revert it locally as well.
Wkr,
Sven Vermeulen
On Mon, 2012-12-31 at 23:52 +0100, Sven Vermeulen wrote:
> Running exportfs gives a failure::
>
> exportfs: /proc/fs/nfs/exports:2: unknown keyword
> "uuid=98e15bcc:25161082:00000000:00000000"
>
> A related denial::
>
> Dec 19 14:42:24 hpl kernel: [21543.035535] type=1400 audit(1355924544.121:1506):
> avc: denied { search } for pid=4139 comm="exportfs" name="/" dev="nfsd" ino=1
> scontext=staff_u:sysadm_r:sysadm_t tcontext=system_u:object_r:nfsd_fs_t
> tclass=dir
>
> Granting fs_search_nfsd_t() provides what is needed to handle this properly.
>
This should probably just go into the sysadm policy instead of this
interface.
You probably should not test these interfaces with sysadm, because sysadm
already has a lot of privileges, so chances are that this will not work,
or not be enough, with for example an nfsadm_r role.
I merged it nevertheless, but please keep that in mind next time. Thanks.
> Signed-off-by: Sven Vermeulen <[email protected]>
> ---
> rpc.if | 2 ++
> 1 files changed, 2 insertions(+), 0 deletions(-)
>
> diff --git a/rpc.if b/rpc.if
> index 694e1e8..3bd6446 100644
> --- a/rpc.if
> +++ b/rpc.if
> @@ -415,4 +415,6 @@ interface(`rpc_admin',`
>
> files_list_tmp($1)
> admin_pattern($1, gssd_tmp_t)
> +
> + fs_search_nfsd_fs($1)
> ')
On Mon, 2012-12-31 at 23:52 +0100, Sven Vermeulen wrote:
> While gathering information, puppet invokes lspci, which requires the sys_admin
> capability.
>
I gather that puppet loses functionality if this permission is
dontaudited?
sys_admin is a very broad capability.
This was merged, thanks.
> Signed-off-by: Sven Vermeulen <[email protected]>
> ---
> puppet.te | 2 +-
> 1 files changed, 1 insertions(+), 1 deletions(-)
>
> diff --git a/puppet.te b/puppet.te
> index f3f1c1f..5a256e3 100644
> --- a/puppet.te
> +++ b/puppet.te
> @@ -58,7 +58,7 @@ files_tmp_file(puppetmaster_tmp_t)
> # Local policy
> #
>
> -allow puppet_t self:capability { chown fowner fsetid setuid setgid dac_override sys_nice sys_tty_config };
> +allow puppet_t self:capability { chown fowner fsetid setuid setgid dac_override sys_admin sys_nice sys_tty_config };
> allow puppet_t self:process { signal signull getsched setsched };
> allow puppet_t self:fifo_file rw_fifo_file_perms;
> allow puppet_t self:netlink_route_socket nlmsg_write;
On Mon, 2012-12-31 at 23:52 +0100, Sven Vermeulen wrote:
> As the module helper scripts are puppet_var_lib_t, we allow puppet_t to execute
> these files. Another method would be to have the scripts marked bin_t, but as
> these paths are depending on module names this does not seem feasible.
>
This was merged, thanks
> Signed-off-by: Sven Vermeulen <[email protected]>
> ---
> puppet.te | 1 +
> 1 files changed, 1 insertions(+), 0 deletions(-)
>
> diff --git a/puppet.te b/puppet.te
> index 5a256e3..f627825 100644
> --- a/puppet.te
> +++ b/puppet.te
> @@ -71,6 +71,7 @@ allow puppet_t puppet_etc_t:lnk_file read_lnk_file_perms;
>
> manage_dirs_pattern(puppet_t, puppet_var_lib_t, puppet_var_lib_t)
> manage_files_pattern(puppet_t, puppet_var_lib_t, puppet_var_lib_t)
> +can_exec(puppet_t, puppet_var_lib_t)
>
> setattr_dirs_pattern(puppet_t, puppet_var_run_t, puppet_var_run_t)
> manage_files_pattern(puppet_t, puppet_var_run_t, puppet_var_run_t)
On Mon, 2012-12-31 at 23:52 +0100, Sven Vermeulen wrote:
> Signed-off-by: Sven Vermeulen <[email protected]>
This was merged, thanks
> ---
> puppet.te | 2 +-
> 1 files changed, 1 insertions(+), 1 deletions(-)
>
> diff --git a/puppet.te b/puppet.te
> index f627825..357a2f5 100644
> --- a/puppet.te
> +++ b/puppet.te
> @@ -61,7 +61,7 @@ files_tmp_file(puppetmaster_tmp_t)
> allow puppet_t self:capability { chown fowner fsetid setuid setgid dac_override sys_admin sys_nice sys_tty_config };
> allow puppet_t self:process { signal signull getsched setsched };
> allow puppet_t self:fifo_file rw_fifo_file_perms;
> -allow puppet_t self:netlink_route_socket nlmsg_write;
> +allow puppet_t self:netlink_route_socket create_netlink_socket_perms;
> allow puppet_t self:tcp_socket { accept listen };
> allow puppet_t self:udp_socket create_socket_perms;
>
On Mon, 2012-12-31 at 23:52 +0100, Sven Vermeulen wrote:
> As the target context of /run/puppet needs to be puppet_var_run_t, introduce an
> init_daemon_run_dir call to support this.
>
This was merged, thanks
> Signed-off-by: Sven Vermeulen <[email protected]>
> ---
> puppet.te | 1 +
> 1 files changed, 1 insertions(+), 0 deletions(-)
>
> diff --git a/puppet.te b/puppet.te
> index 357a2f5..f836236 100644
> --- a/puppet.te
> +++ b/puppet.te
> @@ -37,6 +37,7 @@ files_type(puppet_var_lib_t)
>
> type puppet_var_run_t;
> files_pid_file(puppet_var_run_t)
> +init_daemon_run_dir(puppet_var_run_t, "puppet")
>
> type puppetca_t;
> type puppetca_exec_t;
On Tue, Jan 1, 2013 at 11:47 AM, grift <[email protected]> wrote:
> On Mon, 2012-12-31 at 23:52 +0100, Sven Vermeulen wrote:
> > While gathering information, puppet invokes lspci, which requires the
> sys_admin
> > capability.
> >
>
> I gather that puppet loses functionality if this permission is
> dontaudited?
>
> sys_admin is a very broad capability
Yes; it is needed to gather the facts (configuration settings puppet
receives from a system and uses to build its decisions on) of the system.
Puppet is a system administration tool so it makes sense that it needs this
privilege. It prob