2009-09-04 12:24:16

by Craig.Grube

Subject: [refpolicy] puppet.patch - updated

Attached is a new version of a patch adding support for Puppet. The
patch addresses most of the specific comments from Dominick Grift and
some additional modifications.

To provide some context for the patch, which I obviously failed to do
last week, earlier this year I started looking into using configuration
management systems to manage SELinux clients. As far as I could tell
everyone managing SELinux clients with Puppet is doing so with the
client and server services running unconfined. It seemed a bit strange
that one would manage the configuration of clients, especially SELinux's
configuration, using unconfined services. The patch is an attempt to
provide an alternative.

Running puppetmaster in its own domain is fairly simple as it needs to
read configuration files, manage some state, and communicate with
clients. Puppet's client was a bit more difficult: one option was to
run the client unconfined due to the amount of privilege required to
manage a system's configuration (add/remove packages, add/remove users,
update configuration files, restart services, etc), and the other was to
make an attempt to run the client in a separate domain with a broad but
not complete set of privileges. The client policy in the patch does a
bit of both by confining puppet to its own domain and optionally calling
unconfined_domain at the end.

The majority of testing was performed with the unconfined module not
loaded, so my expectation is that puppet should work normally whether
confined or not.

Here's a short summary of the files modified in the patch with a
one-liner about changes:

services/puppet.* - new policy for Puppet client daemon

services/puppetmaster.* - new policy for Puppet server daemon

system/libraries.te, admin/usermanage.te - allows redirection of
standard output from ldconfig / groupadd to Puppet temp files.

system/init.if - new interface allowing transition to init script domain
for all labeled init script types (lets Puppet restart system services
in the proper domains)

kernel/corenetwork.te.in - adds puppet network port

If additional changes are desired or the patch should be broken up, let
me know and I will make them.

--
Craig Grube

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: puppet.patch
Url: http://oss.tresys.com/pipermail/refpolicy/attachments/20090904/3c31ff56/attachment.ksh


2009-09-04 13:53:20

by domg472

Subject: [refpolicy] puppet.patch - updated

On Fri, Sep 04, 2009 at 08:24:16AM -0400, Craig Grube wrote:
> Attached is a new version of a patch adding support for Puppet. The
> patch addresses most of the specific comments from Dominick Grift and
> some additional modifications.
>
> To provide some context for the patch, which I obviously failed to do
> last week, earlier this year I started looking into using configuration
> management systems to manage SELinux clients. As far as I could tell
> everyone managing SELinux clients with Puppet is doing so with the
> client and server services running unconfined. It seemed a bit strange
> that one would manage the configuration of clients, especially SELinux's
> configuration, using unconfined services. The patch is an attempt to
> provide an alternative.
>
> Running puppetmaster in its own domain is fairly simple as it needs to
> read configuration files, manage some state, and communicate with
> clients. Puppet's client was a bit more difficult: one option was to
> run the client unconfined due to the amount of privilege required to
> manage a system's configuration (add/remove packages, add/remove users,
> update configuration files, restart services, etc), and the other was to
> make an attempt to run the client in a separate domain with a broad but
> not complete set of privileges. The client policy in the patch does a
> bit of both by confining puppet to its own domain and optionally calling
> unconfined_domain at the end.
>
> The majority of testing was performed with the unconfined module not
> loaded, so my expectation is that puppet should work normally whether
> confined or not.
>
> Here's a short summary of the files modified in the patch with a
> one-liner about changes:
>
> services/puppet.* - new policy for Puppet client daemon
>
> services/puppetmaster.* - new policy for Puppet server daemon
>
> system/libraries.te, admin/usermanage.te - allows redirection of
> standard output from ldconfig / groupadd to Puppet temp files.
>
> system/init.if - new interface allowing transition to init script domain
> for all labeled init script types (lets Puppet restart system services
> in the proper domains)
>
> kernel/corenetwork.te.in - adds puppet network port
>
> If additional changes are desired or the patch should be broken up, let
> me know and I will make them.
>
> --
> Craig Grube
>

> From 131052bb6e402a2f446bd2a7a305cb1e6fd6f98b Mon Sep 17 00:00:00 2001
> From: Craig Grube <[email protected]>
> Date: Wed, 2 Sep 2009 16:27:16 -0400
> Subject: [PATCH 1/1] initial version of puppet CMS policy
>
>
> Signed-off-by: Craig Grube <[email protected]>
> ---
> policy/modules/admin/usermanage.te | 4 +
> policy/modules/kernel/corenetwork.te.in | 1 +
> policy/modules/services/puppet.fc | 9 ++
> policy/modules/services/puppet.if | 96 +++++++++++++++++++++++
> policy/modules/services/puppet.te | 126 +++++++++++++++++++++++++++++++
> policy/modules/services/puppetmaster.fc | 4 +
> policy/modules/services/puppetmaster.if | 1 +
> policy/modules/services/puppetmaster.te | 73 ++++++++++++++++++
> policy/modules/system/init.if | 20 +++++
> policy/modules/system/libraries.te | 5 +
> 10 files changed, 339 insertions(+), 0 deletions(-)
> create mode 100644 policy/modules/services/puppet.fc
> create mode 100644 policy/modules/services/puppet.if
> create mode 100644 policy/modules/services/puppet.te
> create mode 100644 policy/modules/services/puppetmaster.fc
> create mode 100644 policy/modules/services/puppetmaster.if
> create mode 100644 policy/modules/services/puppetmaster.te
>
> diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
> index 1865872..4a73384 100644
> --- a/policy/modules/admin/usermanage.te
> +++ b/policy/modules/admin/usermanage.te
> @@ -247,6 +247,10 @@ optional_policy(`
> rpm_rw_pipes(groupadd_t)
> ')
>
> +optional_policy(`
> + puppet_write_puppet_tmp(groupadd_t)
> +')
> +
> ########################################
> #
> # Passwd local policy
> diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
> index 9d100fe..3fa5007 100644
> --- a/policy/modules/kernel/corenetwork.te.in
> +++ b/policy/modules/kernel/corenetwork.te.in
> @@ -155,6 +155,7 @@ network_port(prelude, tcp,4690,s0, udp,4690,s0)
> network_port(printer, tcp,515,s0)
> network_port(ptal, tcp,5703,s0)
> network_port(pulseaudio, tcp,4713,s0)
> +network_port(puppet, tcp, 8140, s0)
> network_port(pxe, udp,4011,s0)
> network_port(pyzor, udp,24441,s0)
> network_port(radacct, udp,1646,s0, udp,1813,s0)
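Review bot: the added `network_port(puppet, tcp, 8140, s0)` breaks the spacing convention of the surrounding entries (compare `network_port(pulseaudio, tcp,4713,s0)` directly above it); write it as `network_port(puppet, tcp,8140,s0)` so the block stays uniform. The alphabetical placement between pulseaudio and pxe is correct.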
> diff --git a/policy/modules/services/puppet.fc b/policy/modules/services/puppet.fc
> new file mode 100644
> index 0000000..0c4b70e
> --- /dev/null
> +++ b/policy/modules/services/puppet.fc
> @@ -0,0 +1,9 @@
> +/etc/puppet(/.*)? gen_context(system_u:object_r:puppet_etc_t,s0)
> +/etc/rc.d/init.d/puppet -- gen_context(system_u:object_r:puppetd_initrc_exec_t,s0)
You have to escape the dots else it will not work:

/etc/rc\.d/init\.d/puppet

> +/usr/bin/filebucket -- gen_context(system_u:object_r:puppet_bin_t,s0)
> +/usr/bin/puppet(.*)? -- gen_context(system_u:object_r:puppet_bin_t,s0)
> +/usr/bin/ralsh -- gen_context(system_u:object_r:puppet_bin_t,s0)
> +/usr/sbin/puppetd -- gen_context(system_u:object_r:puppet_exec_t,s0)
> +/var/lib/puppet(/.*)? gen_context(system_u:object_r:puppet_var_lib_t,s0)
> +/var/log/puppet(/.*)? gen_context(system_u:object_r:puppet_log_t,s0)
> +/var/run/puppet(/.*)? gen_context(system_u:object_r:puppet_var_run_t,s0)
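Review bot: `/usr/bin/puppet(.*)?` on the fourth added line also matches `/usr/bin/puppetrun`, which puppetmaster.fc in this same patch labels puppetmaster_bin_t, so one path ends up with two specs carrying different types; tighten it to `/usr/bin/puppet -- gen_context(system_u:object_r:puppet_bin_t,s0)` (or list the extra tools explicitly) so every path matches exactly one spec. The `(.*)?` form is also redundant, since `.*` already matches the empty string.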
> diff --git a/policy/modules/services/puppet.if b/policy/modules/services/puppet.if
> new file mode 100644
> index 0000000..dccf64a
> --- /dev/null
> +++ b/policy/modules/services/puppet.if
> @@ -0,0 +1,96 @@
> +## <summary>Puppet client daemon</summary>
Enter a short description about puppet below summary

## <desc>
## <p>
## Puppet is...
## </p>
## </desc>

> +
> +################################################
> +## <summary>
> +## Read / Write to Puppet temp files. Puppet uses
> +## some system binaries (groupadd, etc) that run in
> +## a non-puppet domain and redirects output into temp
> +## files.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access
> +## </summary>
> +## </param>
> +##
> +################################################
> +interface(`puppet_write_puppet_tmp',`
> + gen_require(`
> + type puppet_tmp_t;
> + ')
> + allow $1 puppet_tmp_t:file rw_file_perms;
> +')

This needs files_search_tmp($1)
You need to search /tmp to be able to find puppet_tmp_t files

> +
> +###############################################
> +## <summary>
> +## Don't audit attempts to use puppet file
> +## descriptors. This pops up when puppet
> +## runs command line tools and redirects
> +## the output to /dev/null.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain to not be audited
> +## </summary>
> +## </param>
> +###############################################
> +interface(`puppet_dontaudit_fd_use',`
> + gen_require(`
> + type puppet_t;
> + ')
> + dontaudit $1 puppet_t:fd use;
> +')
> +
> +###############################################
> +## <summary>
> +## Read puppet configuration files
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access
> +## </summary>
> +## </param>
> +###############################################
> +interface(`puppet_read_puppet_config',`
> + gen_require(`
> + type puppet_etc_t;
> + ')
> + read_files_pattern($1, puppet_etc_t, puppet_etc_t)
> + list_dirs_pattern($1, puppet_etc_t, puppet_etc_t)
> +')
> +
> +
> +##############################################
> +## <summary>
> +## Manage various types of puppet related
> +## files.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access
> +## </summary>
> +## </param>
> +##############################################
> +interface(`puppet_manage_puppet_files',`
> + gen_require(`
> + type puppet_var_lib_t;
> + type puppet_var_run_t;
> + type puppet_log_t;
> + type puppet_tmp_t;
> + ')
> +
> + manage_dirs_pattern($1,puppet_var_lib_t, puppet_var_lib_t)
> + manage_files_pattern($1,puppet_var_lib_t, puppet_var_lib_t)
> +
> + manage_dirs_pattern($1,puppet_var_run_t, puppet_var_run_t)
> + manage_files_pattern($1,puppet_var_run_t, puppet_var_run_t)
> + files_pid_filetrans($1,puppet_var_run_t, { file dir })
> +
> + manage_dirs_pattern($1,puppet_log_t, puppet_log_t)
> + manage_files_pattern($1,puppet_log_t, puppet_log_t)
> + logging_log_filetrans($1,puppet_log_t, { file dir })
> +
> + manage_dirs_pattern($1, puppet_tmp_t, puppet_tmp_t)
> + manage_files_pattern($1, puppet_tmp_t, puppet_tmp_t)
> + files_tmp_filetrans($1, puppet_tmp_t, { file dir })
> +')
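Review bot: `puppet_read_puppet_config` grants read on puppet_etc_t but no `files_search_etc($1)`, so a caller that cannot already search /etc never reaches /etc/puppet; this is the same omission as the missing `files_search_tmp($1)` in `puppet_write_puppet_tmp` noted above. The name `puppet_write_puppet_tmp` also understates what it grants (`rw_file_perms` is read and write); `puppet_rw_tmp_files` would follow refpolicy naming and drop the doubled `puppet_`. Minor: argument spacing in `puppet_manage_puppet_files` alternates between `($1,puppet_var_lib_t, ...)` and `($1, puppet_tmp_t, ...)`; pick one.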
> diff --git a/policy/modules/services/puppet.te b/policy/modules/services/puppet.te
> new file mode 100644
> index 0000000..cd3fe5e
> --- /dev/null
> +++ b/policy/modules/services/puppet.te
> @@ -0,0 +1,126 @@
> +
> +policy_module(puppet,0.0.1)
> +
> +#####################################################
> +## Declarations
> +#
> +type puppet_t;
> +type puppet_exec_t;
> +init_daemon_domain(puppet_t,puppet_exec_t)
> +
> +type puppetd_initrc_exec_t;
> +init_script_file(puppetd_initrc_exec_t);
> +
> +type puppet_bin_t;
> +application_executable_file(puppet_bin_t)

I cannot find any transition rules for this. Why not leave this bin_t?

> +
> +type puppet_log_t;
> +logging_log_file(puppet_log_t)
> +
> +type puppet_var_lib_t;
> +files_type(puppet_var_lib_t)
> +
> +type puppet_var_run_t;
> +files_pid_file(puppet_var_run_t)
> +
> +type puppet_etc_t;
> +files_config_file(puppet_etc_t)
> +
> +type puppet_tmp_t;
> +files_tmp_file(puppet_tmp_t)
> +
> +############################################################
> +# Puppet Client Local Policy
> +
> +puppet_read_puppet_config(puppet_t)
> +puppet_manage_puppet_files(puppet_t)
> +
> +## stop/start all services
> +init_domtrans_script(puppet_t)
> +init_all_labeled_script_domtrans(puppet_t)
> +
> +## syslog
> +logging_send_syslog_msg(puppet_t)
> +
> +## allow client to bind and send data on high ports

Where do you allow it to bind to high ports?
> +corenet_all_recvfrom_unlabeled(puppet_t)
> +corenet_tcp_sendrecv_all_ports(puppet_t)
> +
> +corecmd_exec_bin(puppet_t)
> +
> +kernel_read_system_state(puppet_t)
> +kernel_read_crypto_sysctls(puppet_t)
> +kernel_dontaudit_search_sysctl(puppet_t)
> +kernel_dontaudit_search_kernel_sysctl(puppet_t)
> +
> +miscfiles_read_localization(puppet_t)
> +files_read_etc_files(puppet_t)
> +files_list_tmp(puppet_t)
> +dev_read_urand(puppet_t)
> +dev_read_rand(puppet_t)
> +
> +allow puppet_t self:fifo_file rw_fifo_file_perms;
> +allow puppet_t self:process { signal signull getsched setsched };
> +allow puppet_t self:capability { sys_admin fowner fsetid setuid setgid sys_rawio dac_override sys_nice sys_ptrace sys_tty_config };
> +allow puppet_t self:netlink_route_socket create_netlink_socket_perms;
> +allow puppet_t self:udp_socket create_socket_perms;
> +allow puppet_t self:tcp_socket create_stream_socket_perms;
> +
> +## send signull to init scripts
> +init_signull_script(puppet_t)
> +
> +## connect to puppet port (on server)
> +corenet_tcp_connect_puppet_port(puppet_t)
> +
> +corecmd_exec_shell(puppet_t)
> +hostname_exec(puppet_t)
> +usermanage_domtrans_groupadd(puppet_t)
> +usermanage_domtrans_useradd(puppet_t)
> +sysnet_run_ifconfig(puppet_t,system_r)
> +sysnet_dns_name_resolve(puppet_t)
> +
> +## set selinux booleans
> +selinux_set_all_booleans(puppet_t)
> +selinux_set_generic_booleans(puppet_t)
> +seutil_domtrans_setfiles(puppet_t)
> +selinux_getattr_fs(puppet_t)
> +selinux_search_fs(puppet_t)
> +corecmd_bin_entry_type(puppet_t)
> +
> +## manage file contexts
> +seutil_manage_file_contexts(puppet_t)
> +seutil_domtrans_semanage(puppet_t)
> +
> +## load/manage selinux policy
> +seutil_domtrans_semanage(puppet_t)
> +
> +## read/write in the selinux policy directory
> +seutil_manage_default_contexts(puppet_t)
> +
> +# lspci
> +dev_read_sysfs(puppet_t)
> +miscfiles_read_hwdata(puppet_t)
> +
> +# uptime
> +init_read_utmp(puppet_t)
> +
> +# rpm/yum
> +rpm_domtrans(puppet_t)
> +
> +## ps
> +domain_read_all_domains_state(puppet_t)
> +
> +## squash AVS when puppet redirects tools stdout to /dev/null
> +puppet_dontaudit_fd_use(domain)
> +
> +## execute consoletype in consoletype domain
> +consoletype_domtrans(puppet_t)
> +
> +## puppet needs to be able to manage arbitrary file types
> +auth_manage_all_files_except_shadow(puppet_t)
> +auth_relabel_all_files_except_shadow(puppet_t)
> +
> +optional_policy(`
> + unconfined_domain(puppet_t)
> +')
> +
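Review bot: `puppet_dontaudit_fd_use(domain)` passes the `domain` attribute straight into a .te file and silences fd-use denials against puppet_t for every domain on the system. That includes groupadd_t and ldconfig_t, which this patch expects to write redirected output into puppet temp files; if puppet_t opens that file and the child inherits the descriptor, the child also needs `allow <child> puppet_t:fd use;`, and this dontaudit hides exactly the denial that would tell you so. Limit it to the domains that actually redirect to /dev/null, or add a `domain_*` interface in domain.if instead of naming the attribute here. Also in this hunk: `seutil_domtrans_semanage(puppet_t)` appears twice (under "manage file contexts" and "load/manage selinux policy"); `init_script_file(puppetd_initrc_exec_t);` carries a trailing semicolon that no other macro call in the file has; `corecmd_bin_entry_type(puppet_t)` makes every bin_t program an entry point into puppet_t, which is broader than a domtrans on puppet_bin_t would be and would also explain what puppet_bin_t is for; and the calls into non-base modules (hostname_exec, usermanage_domtrans_groupadd/useradd, rpm_domtrans, consoletype_domtrans) should each sit in an `optional_policy()` block like the unconfined_domain call at the end, since those modules may not be loaded.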
> diff --git a/policy/modules/services/puppetmaster.fc b/policy/modules/services/puppetmaster.fc
> new file mode 100644
> index 0000000..aba5af6
> --- /dev/null
> +++ b/policy/modules/services/puppetmaster.fc
> @@ -0,0 +1,4 @@
> +/etc/rc.d/init.d/puppetmaster -- gen_context(system_u:object_r:puppetmasterd_initrc_exec_t,s0)

escape the dots: see above

> +/usr/bin/puppetrun -- gen_context(system_u:object_r:puppetmaster_bin_t,s0)
> +/usr/sbin/puppetca -- gen_context(system_u:object_r:puppetmaster_sbin_t,s0)
> +/usr/sbin/puppetmasterd -- gen_context(system_u:object_r:puppetmaster_exec_t,s0)
> diff --git a/policy/modules/services/puppetmaster.if b/policy/modules/services/puppetmaster.if
> new file mode 100644
> index 0000000..b40b1bf
> --- /dev/null
> +++ b/policy/modules/services/puppetmaster.if
> @@ -0,0 +1 @@
> +## <summary>Puppetmaster daemon</summary>
> diff --git a/policy/modules/services/puppetmaster.te b/policy/modules/services/puppetmaster.te
> new file mode 100644
> index 0000000..96186ab
> --- /dev/null
> +++ b/policy/modules/services/puppetmaster.te
> @@ -0,0 +1,73 @@
> +
> +policy_module(puppetmaster,0.0.1)
> +
> +####################################################
> +## Declarations
> +##
> +type puppetmaster_t;
> +type puppetmaster_exec_t;
> +init_daemon_domain(puppetmaster_t,puppetmaster_exec_t)
> +
> +type puppetmasterd_initrc_exec_t;
> +init_script_file(puppetmasterd_initrc_exec_t)
> +
> +type puppetmaster_bin_t;
> +application_executable_file(puppetmaster_bin_t)
> +
> +type puppetmaster_sbin_t;
> +application_executable_file(puppetmaster_sbin_t)

why not leave this bin_t?

> +
> +##################################################
> +## Puppetmaster local policy
> +
> +puppet_read_puppet_config(puppetmaster_t)
> +puppet_manage_puppet_files(puppetmaster_t)
> +
> +## syslog
> +logging_send_syslog_msg(puppetmaster_t)
> +
> +## basic networking
> +corenet_all_recvfrom_unlabeled(puppetmaster_t)
> +corenet_tcp_sendrecv_all_ports(puppetmaster_t)
> +corenet_tcp_bind_all_nodes(puppetmaster_t)
> +corenet_udp_bind_generic_port(puppetmaster_t)

why should it be able to bind to any generic port?
and why can't it udp bind to all nodes?
> +
> +# bind to puppet port
> +corenet_tcp_bind_puppet_port(puppetmaster_t)
> +
> +# read/exec normal binaries
> +corecmd_exec_bin(puppetmaster_t)
> +
> +# read stuff in proc
> +kernel_read_system_state(puppetmaster_t)
> +kernel_read_crypto_sysctls(puppetmaster_t)
> +
> +# ps
> +domain_read_all_domains_state(puppetmaster_t)
> +
> +## read locale files
> +miscfiles_read_localization(puppetmaster_t)
> +
> +files_read_etc_files(puppetmaster_t)
> +files_list_tmp(puppetmaster_t)
> +
> +allow puppetmaster_t self:fifo_file rw_fifo_file_perms;;
> +allow puppetmaster_t self:capability { dac_read_search dac_override setuid setgid fowner chown fsetid sys_tty_config };
> +allow puppetmaster_t self:netlink_route_socket create_netlink_socket_perms;
> +allow puppetmaster_t self:tcp_socket create_stream_socket_perms;
> +allow puppetmaster_t self:udp_socket create_socket_perms;
> +allow puppetmaster_t self:process { signull signal getsched setsched };
> +allow puppetmaster_t self:socket create;
> +
> +## needed for ssl certificate use
> +dev_read_urand(puppetmaster_t)
> +dev_read_rand(puppetmaster_t)
> +
> +hostname_exec(puppetmaster_t)
> +sysnet_dns_name_resolve(puppetmaster_t)
> +corecmd_exec_shell(puppetmaster_t)
> +sysnet_run_ifconfig(puppetmaster_t,system_r)
> +
> +## rpm /yum
> +rpm_read_db(puppetmaster_t)
> +rpm_domtrans(puppetmaster_t)
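Review bot: `allow puppetmaster_t self:fifo_file rw_fifo_file_perms;;` has a doubled semicolon and should end in a single `;`. The module also calls straight into other modules (`puppet_read_puppet_config`, `puppet_manage_puppet_files`, `rpm_read_db`, `rpm_domtrans`, `hostname_exec`) without `optional_policy()`, so puppetmaster cannot be built or loaded unless puppet and rpm are present; either wrap those calls or merge puppetmaster into the puppet module so the shared types need no interface at all. `allow puppetmaster_t self:socket create;` is the generic socket class, which normally means a socket family without its own class; check the AVC that produced it before keeping the rule.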
> diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
> index 7637333..aa9f136 100644
> --- a/policy/modules/system/init.if
> +++ b/policy/modules/system/init.if
> @@ -720,6 +720,26 @@ interface(`init_labeled_script_domtrans',`
> files_search_etc($1)
> ')
>
> +#########################################
> +## <summary>
> +## Transition to the init script domain
> +## for all labeled init script types
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access
> +## </summary>
> +## </param>
> +#########################################
> +interface(`init_all_labeled_script_domtrans',`
> + gen_require(`
> + attribute init_script_file_type;
> + ')
> +
> + init_labeled_script_domtrans($1, init_script_file_type)
> +')
> +
> +
> ########################################
> ## <summary>
> ## Start and stop daemon programs directly.
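Review bot: `init_all_labeled_script_domtrans` hands the `init_script_file_type` attribute to `init_labeled_script_domtrans`, which gives the caller a transition into initrc_t through every labeled init script; the `<summary>` should say plainly that this is meant only for domains that manage all services, so it is not picked up by policy for a daemon that restarts one service. Style: the hunk leaves two blank lines after the closing `')` where the file uses one.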
> diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te
> index 0c4f4ba..8989eb3 100644
> --- a/policy/modules/system/libraries.te
> +++ b/policy/modules/system/libraries.te
> @@ -123,3 +123,8 @@ optional_policy(`
> # blow up.
> rpm_manage_script_tmp_files(ldconfig_t)
> ')
> +
> +
> +optional_policy(`
> + puppet_write_puppet_tmp(ldconfig_t)
> +')
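Review bot: the new `optional_policy` block is preceded by two blank lines where the file uses one. As with groupadd_t in usermanage.te, `puppet_write_puppet_tmp(ldconfig_t)` grants read/write on puppet_tmp_t files but nothing to find them under /tmp or to use a descriptor inherited from puppet_t, so confirm with an actual ldconfig run under puppet that the redirect works before the dontaudit in puppet.te masks the denial.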
> --
> 1.6.2.5
>


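A lint for the two problems raised against the .fc hunks, added here as an example and not part of the patch or of refpolicy: it flags unescaped dots in literal path components and any wildcard spec that also covers a path another spec labels with a different type, using the puppet.fc and puppetmaster.fc lines from the patch as constructed input. The gen_context parsing and the overlap heuristic are simplifications of what setfiles does, not libselinux's matching code.

```python
"""Lint refpolicy .fc specs for two review findings from this thread: unescaped '.'
in literal path components (a bare '.' matches any character) and a wildcard spec
that also covers a path another spec labels with a different type."""
import re
from dataclasses import dataclass

# Constructed input: the two .fc files as added by the patch.
PUPPET_FC = """\
/etc/puppet(/.*)? gen_context(system_u:object_r:puppet_etc_t,s0)
/etc/rc.d/init.d/puppet -- gen_context(system_u:object_r:puppetd_initrc_exec_t,s0)
/usr/bin/filebucket -- gen_context(system_u:object_r:puppet_bin_t,s0)
/usr/bin/puppet(.*)? -- gen_context(system_u:object_r:puppet_bin_t,s0)
/usr/bin/ralsh -- gen_context(system_u:object_r:puppet_bin_t,s0)
/usr/sbin/puppetd -- gen_context(system_u:object_r:puppet_exec_t,s0)
/var/lib/puppet(/.*)? gen_context(system_u:object_r:puppet_var_lib_t,s0)
/var/log/puppet(/.*)? gen_context(system_u:object_r:puppet_log_t,s0)
/var/run/puppet(/.*)? gen_context(system_u:object_r:puppet_var_run_t,s0)
"""
PUPPETMASTER_FC = """\
/etc/rc.d/init.d/puppetmaster -- gen_context(system_u:object_r:puppetmasterd_initrc_exec_t,s0)
/usr/bin/puppetrun -- gen_context(system_u:object_r:puppetmaster_bin_t,s0)
/usr/sbin/puppetca -- gen_context(system_u:object_r:puppetmaster_sbin_t,s0)
/usr/sbin/puppetmasterd -- gen_context(system_u:object_r:puppetmaster_exec_t,s0)
"""

# One spec per line: <path regex> [<file type such as -- or -d>] <gen_context(...) or <<none>>>
SPEC_RE = re.compile(r"^(?P<path>\S+)\s+(?:(?P<ftype>-[-a-z])\s+)?(?P<ctx>\S.*)$")
CTX_RE = re.compile(r"gen_context\(\s*([^,)\s]+)")
# A '.' that is neither escaped nor the '.' of a '.*' / '.+' / '.?' wildcard
UNESCAPED_DOT = re.compile(r"(?<!\\)\.(?![*+?{])")
META = set("*+?[](){}|^$")  # any of these turns a spec into a regex rather than one path

@dataclass
class FcSpec:
    path: str    # the regex exactly as written in the .fc file
    ftype: str   # file-type filter, '' when the spec applies to every object class
    type_: str   # SELinux type pulled from the context
    source: str  # "file:line" for reporting

def parse_fc(name: str, text: str) -> list:
    """Parse one .fc file into FcSpec records, skipping blanks and comments."""
    specs = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = SPEC_RE.match(line)
        if not m:
            continue
        cm = CTX_RE.search(m.group("ctx"))
        ctx_str = cm.group(1) if cm else m.group("ctx")  # <<none>> has no gen_context
        type_ = ctx_str.split(":")[2] if ctx_str.count(":") >= 2 else ctx_str
        specs.append(FcSpec(m.group("path"), m.group("ftype") or "", type_, f"{name}:{lineno}"))
    return specs

def unescaped_dots(path: str) -> bool:
    return UNESCAPED_DOT.search(path) is not None

def escape_dots(path: str) -> str:
    """Escape every literal '.', leaving '.*'-style wildcards alone."""
    return UNESCAPED_DOT.sub(r"\\.", path)

def is_literal(path: str) -> bool:
    # No regex metacharacters: the spec names exactly one path. An unescaped '.'
    # still counts as literal here; unescaped_dots() reports it separately.
    return not any(c in META for c in path)

def find_overlaps(specs: list) -> list:
    """(wildcard spec, literal spec) pairs where the wildcard also matches the literal
    path but assigns a different type. Which one setfiles applies depends on its
    stem-ordering rules, nothing visible in the file, so remove the overlap instead."""
    literals = [(s, re.sub(r"\\(.)", r"\1", s.path)) for s in specs if is_literal(s.path)]
    found = []
    for wild in specs:
        if is_literal(wild.path):
            continue
        try:
            rx = re.compile("^" + wild.path + "$")  # .fc specs are anchored at both ends
        except re.error:
            continue
        for lit, real_path in literals:
            if wild.ftype and lit.ftype and wild.ftype != lit.ftype:
                continue  # different object classes, so no clash
            if rx.match(real_path) and lit.type_ != wild.type_:
                found.append((wild, lit))
    return found

def lint(files: dict) -> list:
    """Run both checks over {filename: text}; return human-readable findings."""
    specs = [s for name, text in files.items() for s in parse_fc(name, text)]
    findings = []
    for s in specs:
        if unescaped_dots(s.path):
            findings.append(f"{s.source}: unescaped '.' in {s.path}; write {escape_dots(s.path)}")
    for wild, lit in find_overlaps(specs):
        findings.append(f"{wild.source}: {wild.path} ({wild.type_}) also matches "
                        f"{lit.path}, labelled {lit.type_} at {lit.source}")
    return findings

if __name__ == "__main__":
    print("\n".join(lint({"puppet.fc": PUPPET_FC, "puppetmaster.fc": PUPPETMASTER_FC})))
```

On the patch's two files this reports the two unescaped initrc paths and the `/usr/bin/puppet(.*)?` / `/usr/bin/puppetrun` overlap.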

2009-09-04 14:13:37

by domg472

Subject: [refpolicy] puppet.patch - updated

On Fri, Sep 04, 2009 at 08:24:16AM -0400, Craig Grube wrote:

Also, the puppet and puppetmaster policy modules should be merged.
If you enclose both the puppet and puppetmaster policy modules then I will edit them to reflect my vision of how it should look. It's a bit hard to do from just the patches.

> Attached is a new version of a patch adding support for Puppet. The
> patch addresses most of the specific comments from Dominick Grift and
> some additional modifications.
>
> To provide some context for the patch, which I obviously failed to do
> last week, earlier this year I started looking into using configuration
> management systems to manage SELinux clients. As far as I could tell
> everyone managing SELinux clients with Puppet is doing so with the
> client and server services running unconfined. It seemed a bit strange
> that one would manage the configuration of clients, especially SELinux's
> configuration, using unconfined services. The patch is an attempt to
> provide an alternative.
>
> Running puppetmaster in its own domain is fairly simple as it needs to
> read configuration files, manage some state, and communicate with
> clients. Puppet's client was a bit more difficult: one option was to
> run the client unconfined due to the amount of privilege required to
> manage a system's configuration (add/remove packages, add/remove users,
> update configuration files, restart services, etc), and the other was to
> make an attempt to run the client in a separate domain with a broad but
> not complete set of privileges. The client policy in the patch does a
> bit of both by confining puppet to its own domain and optionally calling
> unconfined_domain at the end.
>
> The majority of testing was performed with the unconfined module not
> loaded, so my expectation is that puppet should work normally whether
> confined or not.
>
> Here's a short summary of the files modified in the patch with a
> one-liner about changes:
>
> services/puppet.* - new policy for Puppet client daemon
>
> services/puppetmaster.* - new policy for Puppet server daemon
>
> system/libraries.te, admin/usermanage.te - allows redirection of
> standard output from ldconfig / groupadd to Puppet temp files.
>
> system/init.if - new interface allowing transition to init script domain
> for all labeled init script types (lets Puppet restart system services
> in the proper domains)
>
> kernel/corenetwork.te.in - adds puppet network port
>
> If additional changes are desired or the patch should be broken up, let
> me know and I will make them.
>
> --
> Craig Grube
>

> >From 131052bb6e402a2f446bd2a7a305cb1e6fd6f98b Mon Sep 17 00:00:00 2001
> From: Craig Grube <[email protected]>
> Date: Wed, 2 Sep 2009 16:27:16 -0400
> Subject: [PATCH 1/1] initial version of puppet CMS policy
>
>
> Signed-off-by: Craig Grube <[email protected]>
> ---
> policy/modules/admin/usermanage.te | 4 +
> policy/modules/kernel/corenetwork.te.in | 1 +
> policy/modules/services/puppet.fc | 9 ++
> policy/modules/services/puppet.if | 96 +++++++++++++++++++++++
> policy/modules/services/puppet.te | 126 +++++++++++++++++++++++++++++++
> policy/modules/services/puppetmaster.fc | 4 +
> policy/modules/services/puppetmaster.if | 1 +
> policy/modules/services/puppetmaster.te | 73 ++++++++++++++++++
> policy/modules/system/init.if | 20 +++++
> policy/modules/system/libraries.te | 5 +
> 10 files changed, 339 insertions(+), 0 deletions(-)
> create mode 100644 policy/modules/services/puppet.fc
> create mode 100644 policy/modules/services/puppet.if
> create mode 100644 policy/modules/services/puppet.te
> create mode 100644 policy/modules/services/puppetmaster.fc
> create mode 100644 policy/modules/services/puppetmaster.if
> create mode 100644 policy/modules/services/puppetmaster.te
>
> diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
> index 1865872..4a73384 100644
> --- a/policy/modules/admin/usermanage.te
> +++ b/policy/modules/admin/usermanage.te
> @@ -247,6 +247,10 @@ optional_policy(`
> rpm_rw_pipes(groupadd_t)
> ')
>
> +optional_policy(`
> + puppet_write_puppet_tmp(groupadd_t)
> +')
> +
> ########################################
> #
> # Passwd local policy
> diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
> index 9d100fe..3fa5007 100644
> --- a/policy/modules/kernel/corenetwork.te.in
> +++ b/policy/modules/kernel/corenetwork.te.in
> @@ -155,6 +155,7 @@ network_port(prelude, tcp,4690,s0, udp,4690,s0)
> network_port(printer, tcp,515,s0)
> network_port(ptal, tcp,5703,s0)
> network_port(pulseaudio, tcp,4713,s0)
> +network_port(puppet, tcp, 8140, s0)
> network_port(pxe, udp,4011,s0)
> network_port(pyzor, udp,24441,s0)
> network_port(radacct, udp,1646,s0, udp,1813,s0)
> diff --git a/policy/modules/services/puppet.fc b/policy/modules/services/puppet.fc
> new file mode 100644
> index 0000000..0c4b70e
> --- /dev/null
> +++ b/policy/modules/services/puppet.fc
> @@ -0,0 +1,9 @@
> +/etc/puppet(/.*)? gen_context(system_u:object_r:puppet_etc_t,s0)
> +/etc/rc.d/init.d/puppet -- gen_context(system_u:object_r:puppetd_initrc_exec_t,s0)
> +/usr/bin/filebucket -- gen_context(system_u:object_r:puppet_bin_t,s0)
> +/usr/bin/puppet(.*)? -- gen_context(system_u:object_r:puppet_bin_t,s0)
> +/usr/bin/ralsh -- gen_context(system_u:object_r:puppet_bin_t,s0)
> +/usr/sbin/puppetd -- gen_context(system_u:object_r:puppet_exec_t,s0)
> +/var/lib/puppet(/.*)? gen_context(system_u:object_r:puppet_var_lib_t,s0)
> +/var/log/puppet(/.*)? gen_context(system_u:object_r:puppet_log_t,s0)
> +/var/run/puppet(/.*)? gen_context(system_u:object_r:puppet_var_run_t,s0)
> diff --git a/policy/modules/services/puppet.if b/policy/modules/services/puppet.if
> new file mode 100644
> index 0000000..dccf64a
> --- /dev/null
> +++ b/policy/modules/services/puppet.if
> @@ -0,0 +1,96 @@
> +## <summary>Puppet client daemon</summary>
> +
> +################################################
> +## <summary>
> +## Read / Write to Puppet temp files. Puppet uses
> +## some system binaries (groupadd, etc) that run in
> +## a non-puppet domain and redirects output into temp
> +## files.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access
> +## </summary>
> +## </param>
> +##
> +################################################
> +interface(`puppet_write_puppet_tmp',`
> + gen_require(`
> + type puppet_tmp_t;
> + ')
> + allow $1 puppet_tmp_t:file rw_file_perms;
> +')
> +
> +###############################################
> +## <summary>
> +## Don't audit attempts to use puppet file
> +## descriptors. This pops up when puppet
> +## runs command line tools and redirects
> +## the output to /dev/null.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain to not be audited
> +## </summary>
> +## </param>
> +###############################################
> +interface(`puppet_dontaudit_fd_use',`
> + gen_require(`
> + type puppet_t;
> + ')
> + dontaudit $1 puppet_t:fd use;
> +')
> +
> +###############################################
> +## <summary>
> +## Read puppet configuration files
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access
> +## </summary>
> +## </param>
> +###############################################
> +interface(`puppet_read_puppet_config',`
> + gen_require(`
> + type puppet_etc_t;
> + ')
> + read_files_pattern($1, puppet_etc_t, puppet_etc_t)
> + list_dirs_pattern($1, puppet_etc_t, puppet_etc_t)
> +')
> +
> +
> +##############################################
> +## <summary>
> +## Manage various types of puppet related
> +## files.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access
> +## </summary>
> +## </param>
> +##############################################
> +interface(`puppet_manage_puppet_files',`
> + gen_require(`
> + type puppet_var_lib_t;
> + type puppet_var_run_t;
> + type puppet_log_t;
> + type puppet_tmp_t;
> + ')
> +
> + manage_dirs_pattern($1,puppet_var_lib_t, puppet_var_lib_t)
> + manage_files_pattern($1,puppet_var_lib_t, puppet_var_lib_t)
> +
> + manage_dirs_pattern($1,puppet_var_run_t, puppet_var_run_t)
> + manage_files_pattern($1,puppet_var_run_t, puppet_var_run_t)
> + files_pid_filetrans($1,puppet_var_run_t, { file dir })
> +
> + manage_dirs_pattern($1,puppet_log_t, puppet_log_t)
> + manage_files_pattern($1,puppet_log_t, puppet_log_t)
> + logging_log_filetrans($1,puppet_log_t, { file dir })
> +
> + manage_dirs_pattern($1, puppet_tmp_t, puppet_tmp_t)
> + manage_files_pattern($1, puppet_tmp_t, puppet_tmp_t)
> + files_tmp_filetrans($1, puppet_tmp_t, { file dir })
> +')
> diff --git a/policy/modules/services/puppet.te b/policy/modules/services/puppet.te
> new file mode 100644
> index 0000000..cd3fe5e
> --- /dev/null
> +++ b/policy/modules/services/puppet.te
> @@ -0,0 +1,126 @@
> +
> +policy_module(puppet,0.0.1)
> +
> +#####################################################
> +## Declarations
> +#
> +type puppet_t;
> +type puppet_exec_t;
> +init_daemon_domain(puppet_t,puppet_exec_t)
> +
> +type puppetd_initrc_exec_t;
> +init_script_file(puppetd_initrc_exec_t);
> +
> +type puppet_bin_t;
> +application_executable_file(puppet_bin_t)
> +
> +type puppet_log_t;
> +logging_log_file(puppet_log_t)
> +
> +type puppet_var_lib_t;
> +files_type(puppet_var_lib_t)
> +
> +type puppet_var_run_t;
> +files_pid_file(puppet_var_run_t)
> +
> +type puppet_etc_t;
> +files_config_file(puppet_etc_t)
> +
> +type puppet_tmp_t;
> +files_tmp_file(puppet_tmp_t)
> +
> +############################################################
> +# Puppet Client Local Policy
> +
> +puppet_read_puppet_config(puppet_t)
> +puppet_manage_puppet_files(puppet_t)
> +
> +## stop/start all services
> +init_domtrans_script(puppet_t)
> +init_all_labeled_script_domtrans(puppet_t)
> +
> +## syslog
> +logging_send_syslog_msg(puppet_t)
> +
> +## allow client to bind and send data on high ports
> +corenet_all_recvfrom_unlabeled(puppet_t)
> +corenet_tcp_sendrecv_all_ports(puppet_t)
> +
> +corecmd_exec_bin(puppet_t)
> +
> +kernel_read_system_state(puppet_t)
> +kernel_read_crypto_sysctls(puppet_t)
> +kernel_dontaudit_search_sysctl(puppet_t)
> +kernel_dontaudit_search_kernel_sysctl(puppet_t)
> +
> +miscfiles_read_localization(puppet_t)
> +files_read_etc_files(puppet_t)
> +files_list_tmp(puppet_t)
> +dev_read_urand(puppet_t)
> +dev_read_rand(puppet_t)
> +
> +allow puppet_t self:fifo_file rw_fifo_file_perms;
> +allow puppet_t self:process { signal signull getsched setsched };
> +allow puppet_t self:capability { sys_admin fowner fsetid setuid setgid sys_rawio dac_override sys_nice sys_ptrace sys_tty_config };
> +allow puppet_t self:netlink_route_socket create_netlink_socket_perms;
> +allow puppet_t self:udp_socket create_socket_perms;
> +allow puppet_t self:tcp_socket create_stream_socket_perms;
> +
> +## send signull to init scripts
> +init_signull_script(puppet_t)
> +
> +## connect to puppet port (on server)
> +corenet_tcp_connect_puppet_port(puppet_t)
> +
> +corecmd_exec_shell(puppet_t)
> +hostname_exec(puppet_t)
> +usermanage_domtrans_groupadd(puppet_t)
> +usermanage_domtrans_useradd(puppet_t)
> +sysnet_run_ifconfig(puppet_t,system_r)
> +sysnet_dns_name_resolve(puppet_t)
> +
> +## set selinux booleans
> +selinux_set_all_booleans(puppet_t)
> +selinux_set_generic_booleans(puppet_t)
> +seutil_domtrans_setfiles(puppet_t)
> +selinux_getattr_fs(puppet_t)
> +selinux_search_fs(puppet_t)
> +corecmd_bin_entry_type(puppet_t)
> +
> +## manage file contexts
> +seutil_manage_file_contexts(puppet_t)
> +seutil_domtrans_semanage(puppet_t)
> +
> +## load/manage selinux policy
> +seutil_domtrans_semanage(puppet_t)
> +
> +## read/write in the selinux policy directory
> +seutil_manage_default_contexts(puppet_t)
> +
> +# lspci
> +dev_read_sysfs(puppet_t)
> +miscfiles_read_hwdata(puppet_t)
> +
> +# uptime
> +init_read_utmp(puppet_t)
> +
> +# rpm/yum
> +rpm_domtrans(puppet_t)
> +
> +## ps
> +domain_read_all_domains_state(puppet_t)
> +
> +## squash AVS when puppet redirects tools stdout to /dev/null
> +puppet_dontaudit_fd_use(domain)
> +
> +## execute consoletype in consoletype domain
> +consoletype_domtrans(puppet_t)
> +
> +## puppet needs to be able to manage arbitrary file types
> +auth_manage_all_files_except_shadow(puppet_t)
> +auth_relabel_all_files_except_shadow(puppet_t)
> +
> +optional_policy(`
> + unconfined_domain(puppet_t)
> +')
> +
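Review bot: `seutil_domtrans_semanage(puppet_t)` is called twice in this hunk (once under "manage file contexts", again under "load/manage selinux policy"); one call suffices. Several calls reach into modules that are optional in refpolicy (`rpm_domtrans`, `consoletype_domtrans`, `usermanage_domtrans_groupadd`/`_useradd`, `hostname_exec`) yet only `unconfined_domain` is wrapped in `optional_policy(` ... ')`; each of those needs its own block or the module will not link when the dependency is absent. `puppet_dontaudit_fd_use(domain)` silences fd use for every domain on the system; scope it to the domains puppet actually execs (groupadd_t, ldconfig_t, consoletype_t), ideally beside the `puppet_write_puppet_tmp` calls this patch already adds to their modules. The capability set (`sys_admin`, `sys_rawio`, `sys_ptrace`, `dac_override`, ...) is very broad for the confined case; give each capability a comment naming the operation that needed it, or drop it until a denial shows it is required. `corecmd_bin_entry_type(puppet_t)` sits under the "set selinux booleans" comment but has nothing to do with booleans; move it to the declarations or explain it.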
> diff --git a/policy/modules/services/puppetmaster.fc b/policy/modules/services/puppetmaster.fc
> new file mode 100644
> index 0000000..aba5af6
> --- /dev/null
> +++ b/policy/modules/services/puppetmaster.fc
> @@ -0,0 +1,4 @@
> +/etc/rc.d/init.d/puppetmaster -- gen_context(system_u:object_r:puppetmasterd_initrc_exec_t,s0)
> +/usr/bin/puppetrun -- gen_context(system_u:object_r:puppetmaster_bin_t,s0)
> +/usr/sbin/puppetca -- gen_context(system_u:object_r:puppetmaster_sbin_t,s0)
> +/usr/sbin/puppetmasterd -- gen_context(system_u:object_r:puppetmaster_exec_t,s0)
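Review bot: the dots in `/etc/rc.d/init.d/puppetmaster` are unescaped, so the spec is a regex that also matches paths such as `/etc/rcXd/init.d/puppetmaster`; write `/etc/rc\.d/init\.d/puppetmaster` as the other refpolicy .fc files do. `puppetmaster_bin_t` and `puppetmaster_sbin_t` are assigned here, but the puppetmaster.te hunk only declares them with `application_executable_file` and no rule execs or transitions on either; a single type (or plain `bin_t`) would do unless a transition is planned, in which case say so in a comment.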
> diff --git a/policy/modules/services/puppetmaster.if b/policy/modules/services/puppetmaster.if
> new file mode 100644
> index 0000000..b40b1bf
> --- /dev/null
> +++ b/policy/modules/services/puppetmaster.if
> @@ -0,0 +1 @@
> +## <summary>Puppetmaster daemon</summary>
> diff --git a/policy/modules/services/puppetmaster.te b/policy/modules/services/puppetmaster.te
> new file mode 100644
> index 0000000..96186ab
> --- /dev/null
> +++ b/policy/modules/services/puppetmaster.te
> @@ -0,0 +1,73 @@
> +
> +policy_module(puppetmaster,0.0.1)
> +
> +####################################################
> +## Declarations
> +##
> +type puppetmaster_t;
> +type puppetmaster_exec_t;
> +init_daemon_domain(puppetmaster_t,puppetmaster_exec_t)
> +
> +type puppetmasterd_initrc_exec_t;
> +init_script_file(puppetmasterd_initrc_exec_t)
> +
> +type puppetmaster_bin_t;
> +application_executable_file(puppetmaster_bin_t)
> +
> +type puppetmaster_sbin_t;
> +application_executable_file(puppetmaster_sbin_t)
> +
> +##################################################
> +## Puppetmaster local policy
> +
> +puppet_read_puppet_config(puppetmaster_t)
> +puppet_manage_puppet_files(puppetmaster_t)
> +
> +## syslog
> +logging_send_syslog_msg(puppetmaster_t)
> +
> +## basic networking
> +corenet_all_recvfrom_unlabeled(puppetmaster_t)
> +corenet_tcp_sendrecv_all_ports(puppetmaster_t)
> +corenet_tcp_bind_all_nodes(puppetmaster_t)
> +corenet_udp_bind_generic_port(puppetmaster_t)
> +
> +# bind to puppet port
> +corenet_tcp_bind_puppet_port(puppetmaster_t)
> +
> +# read/exec normal binaries
> +corecmd_exec_bin(puppetmaster_t)
> +
> +# read stuff in proc
> +kernel_read_system_state(puppetmaster_t)
> +kernel_read_crypto_sysctls(puppetmaster_t)
> +
> +# ps
> +domain_read_all_domains_state(puppetmaster_t)
> +
> +## read locale files
> +miscfiles_read_localization(puppetmaster_t)
> +
> +files_read_etc_files(puppetmaster_t)
> +files_list_tmp(puppetmaster_t)
> +
> +allow puppetmaster_t self:fifo_file rw_fifo_file_perms;;
> +allow puppetmaster_t self:capability { dac_read_search dac_override setuid setgid fowner chown fsetid sys_tty_config };
> +allow puppetmaster_t self:netlink_route_socket create_netlink_socket_perms;
> +allow puppetmaster_t self:tcp_socket create_stream_socket_perms;
> +allow puppetmaster_t self:udp_socket create_socket_perms;
> +allow puppetmaster_t self:process { signull signal getsched setsched };
> +allow puppetmaster_t self:socket create;
> +
> +## needed for ssl certificate use
> +dev_read_urand(puppetmaster_t)
> +dev_read_rand(puppetmaster_t)
> +
> +hostname_exec(puppetmaster_t)
> +sysnet_dns_name_resolve(puppetmaster_t)
> +corecmd_exec_shell(puppetmaster_t)
> +sysnet_run_ifconfig(puppetmaster_t,system_r)
> +
> +## rpm /yum
> +rpm_read_db(puppetmaster_t)
> +rpm_domtrans(puppetmaster_t)
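Review bot: `allow puppetmaster_t self:fifo_file rw_fifo_file_perms;;` has a doubled terminator; the stray `;` will not compile, drop it. `puppet_read_puppet_config`, `puppet_manage_puppet_files`, `rpm_read_db` and `rpm_domtrans` are interfaces of other modules but are not wrapped in `optional_policy(` ... ')` (puppet.te wraps `unconfined_domain` that way), so this module cannot link unless puppet and rpm are both loaded. `puppet_manage_puppet_files(puppetmaster_t)` also hands the server full manage rights over the client's var_lib, var_run, log and tmp types; if the two daemons are meant to share those directories on one host, a comment should say so, otherwise the narrower `rw_files_pattern`/`search_dirs_pattern` forms are enough. `corenet_udp_bind_generic_port` and `allow puppetmaster_t self:socket create;` carry no comment saying which operation needs them; if they came from denials, record the denial. The `## Declarations` / `##` comment lines should be plain `#`; `##` is the XML documentation marker for .if files.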
> diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
> index 7637333..aa9f136 100644
> --- a/policy/modules/system/init.if
> +++ b/policy/modules/system/init.if
> @@ -720,6 +720,26 @@ interface(`init_labeled_script_domtrans',`
> files_search_etc($1)
> ')
>
> +#########################################
> +## <summary>
> +## Transition to the init script domain
> +## for all labeled init script types
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access
> +## </summary>
> +## </param>
> +#########################################
> +interface(`init_all_labeled_script_domtrans',`
> + gen_require(`
> + attribute init_script_file_type;
> + ')
> +
> + init_labeled_script_domtrans($1, init_script_file_type)
> +')
> +
> +
> ########################################
> ## <summary>
> ## Start and stop daemon programs directly.
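Review bot: two blank lines are left between the new interface and the next `########################################` ruler where refpolicy uses one, and the new interface's own ruler is 41 characters against the 40 used by its neighbours. The body is complete: `gen_require` correctly names `attribute init_script_file_type;` and `init_labeled_script_domtrans` already adds `files_search_etc($1)`. Since this grants a transition into initrc_t via every labelled init script, a `<desc>` line telling callers that they are authorising the start and stop of any system service would help them judge the grant.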
> diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te
> index 0c4f4ba..8989eb3 100644
> --- a/policy/modules/system/libraries.te
> +++ b/policy/modules/system/libraries.te
> @@ -123,3 +123,8 @@ optional_policy(`
> # blow up.
> rpm_manage_script_tmp_files(ldconfig_t)
> ')
> +
> +
> +optional_policy(`
> + puppet_write_puppet_tmp(ldconfig_t)
> +')
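Review bot: two blank lines precede the new `optional_policy` block where one is the convention, and a short comment saying why ldconfig_t writes puppet tmp files (puppet redirects ldconfig's standard output into a puppet_tmp_t file, per the puppet.if doc) would keep the next reader from mistaking this for a general write grant, in the same way the existing block above explains itself with its "blow up" comment.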
> --
> 1.6.2.5
>

> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy


2009-09-05 09:01:48

by domg472

Subject: [refpolicy] puppet.patch - updated

On Fri, Sep 04, 2009 at 08:24:16AM -0400, Craig Grube wrote:

Here is my take on the policy. I removed some unclear stuff; if it is really required you will see when tested.
Untested...


policy_module(puppet, 0.0.1)

########################################
#
# Puppet personal declarations
#

type puppet_t;
type puppet_exec_t;
init_daemon_domain(puppet_t, puppet_exec_t)

type puppet_initrc_exec_t;
init_script_file(puppet_initrc_exec_t)

type puppet_log_t;
logging_log_file(puppet_log_t)

type puppet_var_lib_t;
files_type(puppet_var_lib_t)

type puppet_var_run_t;
files_pid_file(puppet_var_run_t)

type puppet_etc_t;
files_config_file(puppet_etc_t)

type puppet_tmp_t;
files_tmp_file(puppet_tmp_t)

########################################
#
# Puppet master personal declarations
#

type puppetmaster_t;
type puppetmaster_exec_t;
init_daemon_domain(puppetmaster_t, puppetmaster_exec_t)

type puppetmasterd_initrc_exec_t;
init_script_file(puppetmasterd_initrc_exec_t)

########################################
#
# Puppet personal policy
#

allow puppet_t self:fifo_file rw_fifo_file_perms;
allow puppet_t self:process { signal signull getsched setsched };
allow puppet_t self:capability { sys_admin fowner fsetid setuid setgid sys_rawio dac_override sys_nice sys_ptrace sys_tty_config };
allow puppet_t self:netlink_route_socket create_netlink_socket_perms;
allow puppet_t self:udp_socket create_socket_perms;
allow puppet_t self:tcp_socket create_stream_socket_perms;

list_dirs_pattern(puppet_t, puppet_etc_t, puppet_etc_t)
read_files_pattern(puppet_t, puppet_etc_t, puppet_etc_t)

manage_dirs_pattern(puppet_t, puppet_var_lib_t, puppet_var_lib_t)
manage_files_pattern(puppet_t, puppet_var_lib_t, puppet_var_lib_t)

manage_dirs_pattern(puppet_t, puppet_var_run_t, puppet_var_run_t)
manage_files_pattern(puppet_t, puppet_var_run_t, puppet_var_run_t)
files_pid_filetrans(puppet_t, puppet_var_run_t, { file dir })

create_dirs_pattern(puppet_t, puppet_log_t, puppet_log_t)
append_files_pattern(puppet_t, puppet_log_t, puppet_log_t)
logging_log_filetrans(puppet_t, puppet_log_t, { file dir })

manage_dirs_pattern(puppet_t, puppet_tmp_t, puppet_tmp_t)
manage_files_pattern(puppet_t, puppet_tmp_t, puppet_tmp_t)
files_tmp_filetrans(puppet_t, puppet_tmp_t, { file dir })

auth_manage_all_files_except_shadow(puppet_t)
auth_relabel_all_files_except_shadow(puppet_t)

corenet_sendrecv_puppet_client_packets(puppet_t)
corenet_tcp_connect_puppet_port(puppet_t)

corenet_all_recvfrom_netlabel(puppet_t)
corenet_all_recvfrom_unlabeled(puppet_t)

corenet_tcp_sendrecv_all_if(puppet_t)
corenet_tcp_sendrecv_all_nodes(puppet_t)

corenet_tcp_bind_all_nodes(puppet_t)

consoletype_domtrans(puppet_t)

corecmd_exec_bin(puppet_t)
corecmd_exec_shell(puppet_t)

dev_read_rand(puppet_t)
dev_read_sysfs(puppet_t)
dev_read_urand(puppet_t)

domain_read_all_domains_state(puppet_t)

files_read_etc_files(puppet_t)

hostname_exec(puppet_t)

init_all_labeled_script_domtrans(puppet_t)
init_domtrans_script(puppet_t)
init_read_utmp(puppet_t)
init_signull_script(puppet_t)

kernel_read_system_state(puppet_t)
kernel_read_crypto_sysctls(puppet_t)
# why dontaudit
kernel_dontaudit_search_sysctl(puppet_t)
kernel_dontaudit_search_kernel_sysctl(puppet_t)

logging_send_syslog_msg(puppet_t)

miscfiles_read_hwdata(puppet_t)
miscfiles_read_localization(puppet_t)

selinux_getattr_fs(puppet_t)
selinux_search_fs(puppet_t)
selinux_set_all_booleans(puppet_t)
selinux_set_generic_booleans(puppet_t)

seutil_domtrans_setfiles(puppet_t)
seutil_domtrans_semanage(puppet_t)
seutil_manage_default_contexts(puppet_t)
seutil_manage_file_contexts(puppet_t)

sysnet_dns_name_resolve(puppet_t)
sysnet_run_ifconfig(puppet_t, system_r)

usermanage_domtrans_groupadd(puppet_t)
usermanage_domtrans_useradd(puppet_t)

optional_policy(`
	rpm_domtrans(puppet_t)
')

optional_policy(`
	unconfined_domain(puppet_t)
')

########################################
#
# Puppet master personal policy
#

allow puppetmaster_t self:fifo_file rw_fifo_file_perms;
allow puppetmaster_t self:capability { dac_read_search dac_override setuid setgid fowner chown fsetid sys_tty_config };
allow puppetmaster_t self:netlink_route_socket create_netlink_socket_perms;
allow puppetmaster_t self:tcp_socket create_stream_socket_perms;
allow puppetmaster_t self:udp_socket create_socket_perms;
allow puppetmaster_t self:process signal_perms;
allow puppetmaster_t self:socket create;

list_dirs_pattern(puppetmaster_t, puppet_etc_t, puppet_etc_t)
read_files_pattern(puppetmaster_t, puppet_etc_t, puppet_etc_t)

search_dirs_pattern(puppetmaster_t, puppet_var_lib_t, puppet_var_lib_t)
rw_files_pattern(puppetmaster_t, puppet_var_lib_t, puppet_var_lib_t)

search_dirs_pattern(puppetmaster_t, puppet_var_run_t, puppet_var_run_t)
rw_files_pattern(puppetmaster_t, puppet_var_run_t, puppet_var_run_t)

search_dirs_pattern(puppetmaster_t, puppet_log_t, puppet_log_t)
append_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t)

search_dirs_pattern(puppetmaster_t, puppet_tmp_t, puppet_tmp_t)
rw_files_pattern(puppetmaster_t, puppet_tmp_t, puppet_tmp_t)

corenet_sendrecv_puppet_server_packets(puppetmaster_t)
corenet_tcp_bind_puppet_port(puppetmaster_t)

corenet_all_recvfrom_netlabel(puppetmaster_t)
corenet_all_recvfrom_unlabeled(puppetmaster_t)

corenet_tcp_sendrecv_all_if(puppetmaster_t)
corenet_tcp_sendrecv_all_nodes(puppetmaster_t)

corenet_tcp_bind_all_nodes(puppetmaster_t)

corecmd_exec_bin(puppetmaster_t)
corecmd_exec_shell(puppetmaster_t)

files_read_etc_files(puppetmaster_t)

dev_read_urand(puppetmaster_t)
dev_read_rand(puppetmaster_t)

domain_read_all_domains_state(puppetmaster_t)

hostname_exec(puppetmaster_t)

kernel_read_system_state(puppetmaster_t)
kernel_read_crypto_sysctls(puppetmaster_t)

logging_send_syslog_msg(puppetmaster_t)

miscfiles_read_localization(puppetmaster_t)

sysnet_dns_name_resolve(puppetmaster_t)
sysnet_run_ifconfig(puppetmaster_t, system_r)

optional_policy(`
	rpm_domtrans(puppetmaster_t)
	rpm_read_db(puppetmaster_t)
')

## <summary>Puppet client daemon</summary>
## <desc>
## <p>
## Puppet is a configuration management system written in Ruby.
## The client daemon is responsible for periodically requesting the
## desired system state from the server and ensuring the state of
## the client system matches.
## </p>
## </desc>

################################################
## <summary>
## Read / Write to Puppet temp files. Puppet uses
## some system binaries (groupadd, etc) that run in
## a non-puppet domain and redirects output into temp
## files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access
## </summary>
## </param>
##
interface(`puppet_write_puppet_tmp',`
	gen_require(`
		type puppet_tmp_t;
	')

	allow $1 puppet_tmp_t:file rw_file_perms;
	files_search_tmp($1)
')

/etc/puppet(/.*)? gen_context(system_u:object_r:puppet_etc_t, s0)

/etc/rc\.d/init\.d/puppet -- gen_context(system_u:object_r:puppet_initrc_exec_t, s0)
/etc/rc\.d/init\.d/puppetmaster -- gen_context(system_u:object_r:puppetmasterd_initrc_exec_t, s0)

/usr/sbin/puppetd -- gen_context(system_u:object_r:puppet_exec_t, s0)
/usr/sbin/puppetmasterd -- gen_context(system_u:object_r:puppetmaster_exec_t, s0)

/var/lib/puppet(/.*)? gen_context(system_u:object_r:puppet_var_lib_t, s0)
/var/log/puppet(/.*)? gen_context(system_u:object_r:puppet_log_t, s0)
/var/run/puppet(/.*)? gen_context(system_u:object_r:puppet_var_run_t, s0)


> Attached is a new version of a patch adding support for Puppet. The
> patch addresses most of the specific comments from Dominick Grift and
> some additional modifications.
>
> To provide some context for the patch, which I obviously failed to do
> last week, earlier this year I started looking into using configuration
> management systems to manage SELinux clients. As far as I could tell
> everyone managing SELinux clients with Puppet is doing so with the
> client and server services running unconfined. It seemed a bit strange
> that one would manage the configuration of clients, especially SELinux's
> configuration, using unconfined services. The patch is an attempt to
> provide an alternative.
>
> Running puppetmaster in its own domain is fairly simple as it needs to
> read configuration files, manage some state, and communicate with
> clients. Puppet's client was a bit more difficult: one option was to
> run the client unconfined due to the amount of privilege required to
> manage a system's configuration (add/remove packages, add/remove users,
> update configuration files, restart services, etc), and the other was to
> make an attempt to run the client in a separate domain with a broad but
> not complete set of privileges. The client policy in the patch does a
> bit of both by confining puppet to its own domain and optionally calling
> unconfined_domain at the end.
>
> The majority of testing was performed with the unconfined module not
> loaded, so my expectation is that puppet should work normally whether
> confined or not.
>
> Here's a short summary of the files modified in the patch with a
> one-liner about changes:
>
> services/puppet.* - new policy for Puppet client daemon
>
> services/puppetmaster.* - new policy for Puppet server daemon
>
> system/libraries.te, admin/usermanage.te - allows redirection of
> standard output from ldconfig / groupadd to Puppet temp files.
>
> system/init.if - new interface allowing transition to init script domain
> for all labeled init script types (lets Puppet restart system services
> in the proper domains)
>
> kernel/corenetwork.te.in - adds puppet network port
>
> If additional changes are desired or the patch should be broken up, let
> me know and I will make them.
>
> --
> Craig Grube
>

> >From 131052bb6e402a2f446bd2a7a305cb1e6fd6f98b Mon Sep 17 00:00:00 2001
> From: Craig Grube <[email protected]>
> Date: Wed, 2 Sep 2009 16:27:16 -0400
> Subject: [PATCH 1/1] initial version of puppet CMS policy
>
>
> Signed-off-by: Craig Grube <[email protected]>
> ---
> policy/modules/admin/usermanage.te | 4 +
> policy/modules/kernel/corenetwork.te.in | 1 +
> policy/modules/services/puppet.fc | 9 ++
> policy/modules/services/puppet.if | 96 +++++++++++++++++++++++
> policy/modules/services/puppet.te | 126 +++++++++++++++++++++++++++++++
> policy/modules/services/puppetmaster.fc | 4 +
> policy/modules/services/puppetmaster.if | 1 +
> policy/modules/services/puppetmaster.te | 73 ++++++++++++++++++
> policy/modules/system/init.if | 20 +++++
> policy/modules/system/libraries.te | 5 +
> 10 files changed, 339 insertions(+), 0 deletions(-)
> create mode 100644 policy/modules/services/puppet.fc
> create mode 100644 policy/modules/services/puppet.if
> create mode 100644 policy/modules/services/puppet.te
> create mode 100644 policy/modules/services/puppetmaster.fc
> create mode 100644 policy/modules/services/puppetmaster.if
> create mode 100644 policy/modules/services/puppetmaster.te
>
> diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
> index 1865872..4a73384 100644
> --- a/policy/modules/admin/usermanage.te
> +++ b/policy/modules/admin/usermanage.te
> @@ -247,6 +247,10 @@ optional_policy(`
> rpm_rw_pipes(groupadd_t)
> ')
>
> +optional_policy(`
> + puppet_write_puppet_tmp(groupadd_t)
> +')
> +
> ########################################
> #
> # Passwd local policy
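Review bot: only `groupadd_t` gets `puppet_write_puppet_tmp`, but puppet.te in this patch transitions to both `groupadd_t` and `useradd_t` (`usermanage_domtrans_useradd`); if useradd's output is redirected the same way it needs the same block. The interface as written grants only `rw_file_perms` on `puppet_tmp_t:file`, which is enough for an inherited stdout descriptor but not for a tool that opens the temp file by path (that also needs `files_search_tmp`); a one-line comment here that the access is for redirected output would make the intent clear.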
> diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
> index 9d100fe..3fa5007 100644
> --- a/policy/modules/kernel/corenetwork.te.in
> +++ b/policy/modules/kernel/corenetwork.te.in
> @@ -155,6 +155,7 @@ network_port(prelude, tcp,4690,s0, udp,4690,s0)
> network_port(printer, tcp,515,s0)
> network_port(ptal, tcp,5703,s0)
> network_port(pulseaudio, tcp,4713,s0)
> +network_port(puppet, tcp, 8140, s0)
> network_port(pxe, udp,4011,s0)
> network_port(pyzor, udp,24441,s0)
> network_port(radacct, udp,1646,s0, udp,1813,s0)
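Review bot: `network_port(puppet, tcp, 8140, s0)` uses spaces after the commas while every neighbouring entry is written in the form `tcp,8140,s0`; match the surrounding style. 8140 is the master's port; if the agent is also expected to accept `puppetrun` connections (puppetmaster.fc labels that tool), the agent's listening port needs its own entry, otherwise a single port definition is all this patch needs.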
> diff --git a/policy/modules/services/puppet.fc b/policy/modules/services/puppet.fc
> new file mode 100644
> index 0000000..0c4b70e
> --- /dev/null
> +++ b/policy/modules/services/puppet.fc
> @@ -0,0 +1,9 @@
> +/etc/puppet(/.*)? gen_context(system_u:object_r:puppet_etc_t,s0)
> +/etc/rc.d/init.d/puppet -- gen_context(system_u:object_r:puppetd_initrc_exec_t,s0)
> +/usr/bin/filebucket -- gen_context(system_u:object_r:puppet_bin_t,s0)
> +/usr/bin/puppet(.*)? -- gen_context(system_u:object_r:puppet_bin_t,s0)
> +/usr/bin/ralsh -- gen_context(system_u:object_r:puppet_bin_t,s0)
> +/usr/sbin/puppetd -- gen_context(system_u:object_r:puppet_exec_t,s0)
> +/var/lib/puppet(/.*)? gen_context(system_u:object_r:puppet_var_lib_t,s0)
> +/var/log/puppet(/.*)? gen_context(system_u:object_r:puppet_log_t,s0)
> +/var/run/puppet(/.*)? gen_context(system_u:object_r:puppet_var_run_t,s0)
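Review bot: `/usr/bin/puppet(.*)? -- ...puppet_bin_t` also matches `/usr/bin/puppetrun`, which puppetmaster.fc labels `puppetmaster_bin_t`; setfiles will prefer the literal spec as the more specific one, but the overlap is fragile and `(.*)?` is just `.*`. List the client binaries explicitly, as `filebucket` and `ralsh` already are. `/etc/rc.d/init.d/puppet` has unescaped dots; write `/etc/rc\.d/init\.d/puppet`. The init script type is `puppetd_initrc_exec_t` while the domain is `puppet_t`; refpolicy names these after the module, so `puppet_initrc_exec_t`.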
> diff --git a/policy/modules/services/puppet.if b/policy/modules/services/puppet.if
> new file mode 100644
> index 0000000..dccf64a
> --- /dev/null
> +++ b/policy/modules/services/puppet.if
> @@ -0,0 +1,96 @@
> +## <summary>Puppet client daemon</summary>
> +
> +################################################
> +## <summary>
> +## Read / Write to Puppet temp files. Puppet uses
> +## some system binaries (groupadd, etc) that run in
> +## a non-puppet domain and redirects output into temp
> +## files.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access
> +## </summary>
> +## </param>
> +##
> +################################################
> +interface(`puppet_write_puppet_tmp',`
> + gen_require(`
> + type puppet_tmp_t;
> + ')
> + allow $1 puppet_tmp_t:file rw_file_perms;
> +')
> +
> +###############################################
> +## <summary>
> +## Don't audit attempts to use puppet file
> +## descriptors. This pops up when puppet
> +## runs command line tools and redirects
> +## the output to /dev/null.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain to not be audited
> +## </summary>
> +## </param>
> +###############################################
> +interface(`puppet_dontaudit_fd_use',`
> + gen_require(`
> + type puppet_t;
> + ')
> + dontaudit $1 puppet_t:fd use;
> +')
> +
> +###############################################
> +## <summary>
> +## Read puppet configuration files
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access
> +## </summary>
> +## </param>
> +###############################################
> +interface(`puppet_read_puppet_config',`
> + gen_require(`
> + type puppet_etc_t;
> + ')
> + read_files_pattern($1, puppet_etc_t, puppet_etc_t)
> + list_dirs_pattern($1, puppet_etc_t, puppet_etc_t)
> +')
> +
> +
> +##############################################
> +## <summary>
> +## Manage various types of puppet related
> +## files.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access
> +## </summary>
> +## </param>
> +##############################################
> +interface(`puppet_manage_puppet_files',`
> + gen_require(`
> + type puppet_var_lib_t;
> + type puppet_var_run_t;
> + type puppet_log_t;
> + type puppet_tmp_t;
> + ')
> +
> + manage_dirs_pattern($1,puppet_var_lib_t, puppet_var_lib_t)
> + manage_files_pattern($1,puppet_var_lib_t, puppet_var_lib_t)
> +
> + manage_dirs_pattern($1,puppet_var_run_t, puppet_var_run_t)
> + manage_files_pattern($1,puppet_var_run_t, puppet_var_run_t)
> + files_pid_filetrans($1,puppet_var_run_t, { file dir })
> +
> + manage_dirs_pattern($1,puppet_log_t, puppet_log_t)
> + manage_files_pattern($1,puppet_log_t, puppet_log_t)
> + logging_log_filetrans($1,puppet_log_t, { file dir })
> +
> + manage_dirs_pattern($1, puppet_tmp_t, puppet_tmp_t)
> + manage_files_pattern($1, puppet_tmp_t, puppet_tmp_t)
> + files_tmp_filetrans($1, puppet_tmp_t, { file dir })
> +')
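Review bot: `puppet_write_puppet_tmp` grants rw on `puppet_tmp_t` files but no `files_search_tmp($1)`, so a caller that opens the file by path rather than inheriting a descriptor is denied at /tmp. `puppet_manage_puppet_files` likewise omits the parent-directory searches (`files_search_var_lib`, `files_search_pids`, `logging_search_logs`, `files_search_tmp`); the `*_filetrans` calls cover creation but not later lookups. Naming: refpolicy interfaces do not repeat the module name, so `puppet_read_config`, `puppet_manage_lib_files`, `puppet_rw_tmp_files` rather than `puppet_read_puppet_config` and friends. The doc blocks leave a stray `##` line after `</param>` and use rulers of varying width; normalise to the 40-character ruler used elsewhere.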
> diff --git a/policy/modules/services/puppet.te b/policy/modules/services/puppet.te
> new file mode 100644
> index 0000000..cd3fe5e
> --- /dev/null
> +++ b/policy/modules/services/puppet.te
> @@ -0,0 +1,126 @@
> +
> +policy_module(puppet,0.0.1)
> +
> +#####################################################
> +## Declarations
> +#
> +type puppet_t;
> +type puppet_exec_t;
> +init_daemon_domain(puppet_t,puppet_exec_t)
> +
> +type puppetd_initrc_exec_t;
> +init_script_file(puppetd_initrc_exec_t);
> +
> +type puppet_bin_t;
> +application_executable_file(puppet_bin_t)
> +
> +type puppet_log_t;
> +logging_log_file(puppet_log_t)
> +
> +type puppet_var_lib_t;
> +files_type(puppet_var_lib_t)
> +
> +type puppet_var_run_t;
> +files_pid_file(puppet_var_run_t)
> +
> +type puppet_etc_t;
> +files_config_file(puppet_etc_t)
> +
> +type puppet_tmp_t;
> +files_tmp_file(puppet_tmp_t)
> +
> +############################################################
> +# Puppet Client Local Policy
> +
> +puppet_read_puppet_config(puppet_t)
> +puppet_manage_puppet_files(puppet_t)
> +
> +## stop/start all services
> +init_domtrans_script(puppet_t)
> +init_all_labeled_script_domtrans(puppet_t)
> +
> +## syslog
> +logging_send_syslog_msg(puppet_t)
> +
> +## allow client to bind and send data on high ports
> +corenet_all_recvfrom_unlabeled(puppet_t)
> +corenet_tcp_sendrecv_all_ports(puppet_t)
> +
> +corecmd_exec_bin(puppet_t)
> +
> +kernel_read_system_state(puppet_t)
> +kernel_read_crypto_sysctls(puppet_t)
> +kernel_dontaudit_search_sysctl(puppet_t)
> +kernel_dontaudit_search_kernel_sysctl(puppet_t)
> +
> +miscfiles_read_localization(puppet_t)
> +files_read_etc_files(puppet_t)
> +files_list_tmp(puppet_t)
> +dev_read_urand(puppet_t)
> +dev_read_rand(puppet_t)
> +
> +allow puppet_t self:fifo_file rw_fifo_file_perms;
> +allow puppet_t self:process { signal signull getsched setsched };
> +allow puppet_t self:capability { sys_admin fowner fsetid setuid setgid sys_rawio dac_override sys_nice sys_ptrace sys_tty_config };
> +allow puppet_t self:netlink_route_socket create_netlink_socket_perms;
> +allow puppet_t self:udp_socket create_socket_perms;
> +allow puppet_t self:tcp_socket create_stream_socket_perms;
> +
> +## send signull to init scripts
> +init_signull_script(puppet_t)
> +
> +## connect to puppet port (on server)
> +corenet_tcp_connect_puppet_port(puppet_t)
> +
> +corecmd_exec_shell(puppet_t)
> +hostname_exec(puppet_t)
> +usermanage_domtrans_groupadd(puppet_t)
> +usermanage_domtrans_useradd(puppet_t)
> +sysnet_run_ifconfig(puppet_t,system_r)
> +sysnet_dns_name_resolve(puppet_t)
> +
> +## set selinux booleans
> +selinux_set_all_booleans(puppet_t)
> +selinux_set_generic_booleans(puppet_t)
> +seutil_domtrans_setfiles(puppet_t)
> +selinux_getattr_fs(puppet_t)
> +selinux_search_fs(puppet_t)
> +corecmd_bin_entry_type(puppet_t)
> +
> +## manage file contexts
> +seutil_manage_file_contexts(puppet_t)
> +seutil_domtrans_semanage(puppet_t)
> +
> +## load/manage selinux policy
> +seutil_domtrans_semanage(puppet_t)
> +
> +## read/write in the selinux policy directory
> +seutil_manage_default_contexts(puppet_t)
> +
> +# lspci
> +dev_read_sysfs(puppet_t)
> +miscfiles_read_hwdata(puppet_t)
> +
> +# uptime
> +init_read_utmp(puppet_t)
> +
> +# rpm/yum
> +rpm_domtrans(puppet_t)
> +
> +## ps
> +domain_read_all_domains_state(puppet_t)
> +
> +## squash AVS when puppet redirects tools stdout to /dev/null
> +puppet_dontaudit_fd_use(domain)
> +
> +## execute consoletype in consoletype domain
> +consoletype_domtrans(puppet_t)
> +
> +## puppet needs to be able to manage arbitrary file types
> +auth_manage_all_files_except_shadow(puppet_t)
> +auth_relabel_all_files_except_shadow(puppet_t)
> +
> +optional_policy(`
> + unconfined_domain(puppet_t)
> +')
> +
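Review bot: `init_script_file(puppetd_initrc_exec_t);` ends with a `;` that survives m4 expansion as a stray statement terminator and fails to compile; drop it (no other declaration here has one). `puppet_bin_t` is declared and puppet.fc puts `filebucket`, `puppet*` and `ralsh` on it, but nothing in the local policy execs or transitions on the type, so those tools gain nothing from the separate label; add the exec or domtrans rule, or use `bin_t`. The networking comment says "bind and send data on high ports", but `corenet_tcp_sendrecv_all_ports` grants no bind, and there is no `corenet_tcp_sendrecv_generic_if`/`corenet_tcp_sendrecv_generic_node`, which the client needs alongside `corenet_tcp_connect_puppet_port` to reach the master at all. The `## ...` comments and the rulers of varying width should follow the `#` comment and 40-character ruler style of the surrounding modules.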
> diff --git a/policy/modules/services/puppetmaster.fc b/policy/modules/services/puppetmaster.fc
> new file mode 100644
> index 0000000..aba5af6
> --- /dev/null
> +++ b/policy/modules/services/puppetmaster.fc
> @@ -0,0 +1,4 @@
> +/etc/rc.d/init.d/puppetmaster -- gen_context(system_u:object_r:puppetmasterd_initrc_exec_t,s0)
> +/usr/bin/puppetrun -- gen_context(system_u:object_r:puppetmaster_bin_t,s0)
> +/usr/sbin/puppetca -- gen_context(system_u:object_r:puppetmaster_sbin_t,s0)
> +/usr/sbin/puppetmasterd -- gen_context(system_u:object_r:puppetmaster_exec_t,s0)
> diff --git a/policy/modules/services/puppetmaster.if b/policy/modules/services/puppetmaster.if
> new file mode 100644
> index 0000000..b40b1bf
> --- /dev/null
> +++ b/policy/modules/services/puppetmaster.if
> @@ -0,0 +1 @@
> +## <summary>Puppetmaster daemon</summary>
> diff --git a/policy/modules/services/puppetmaster.te b/policy/modules/services/puppetmaster.te
> new file mode 100644
> index 0000000..96186ab
> --- /dev/null
> +++ b/policy/modules/services/puppetmaster.te
> @@ -0,0 +1,73 @@
> +
> +policy_module(puppetmaster,0.0.1)
> +
> +####################################################
> +## Declarations
> +##
> +type puppetmaster_t;
> +type puppetmaster_exec_t;
> +init_daemon_domain(puppetmaster_t,puppetmaster_exec_t)
> +
> +type puppetmasterd_initrc_exec_t;
> +init_script_file(puppetmasterd_initrc_exec_t)
> +
> +type puppetmaster_bin_t;
> +application_executable_file(puppetmaster_bin_t)
> +
> +type puppetmaster_sbin_t;
> +application_executable_file(puppetmaster_sbin_t)
> +
> +##################################################
> +## Puppetmaster local policy
> +
> +puppet_read_puppet_config(puppetmaster_t)
> +puppet_manage_puppet_files(puppetmaster_t)
> +
> +## syslog
> +logging_send_syslog_msg(puppetmaster_t)
> +
> +## basic networking
> +corenet_all_recvfrom_unlabeled(puppetmaster_t)
> +corenet_tcp_sendrecv_all_ports(puppetmaster_t)
> +corenet_tcp_bind_all_nodes(puppetmaster_t)
> +corenet_udp_bind_generic_port(puppetmaster_t)
> +
> +# bind to puppet port
> +corenet_tcp_bind_puppet_port(puppetmaster_t)
> +
> +# read/exec normal binaries
> +corecmd_exec_bin(puppetmaster_t)
> +
> +# read stuff in proc
> +kernel_read_system_state(puppetmaster_t)
> +kernel_read_crypto_sysctls(puppetmaster_t)
> +
> +# ps
> +domain_read_all_domains_state(puppetmaster_t)
> +
> +## read locale files
> +miscfiles_read_localization(puppetmaster_t)
> +
> +files_read_etc_files(puppetmaster_t)
> +files_list_tmp(puppetmaster_t)
> +
> +allow puppetmaster_t self:fifo_file rw_fifo_file_perms;;
> +allow puppetmaster_t self:capability { dac_read_search dac_override setuid setgid fowner chown fsetid sys_tty_config };
> +allow puppetmaster_t self:netlink_route_socket create_netlink_socket_perms;
> +allow puppetmaster_t self:tcp_socket create_stream_socket_perms;
> +allow puppetmaster_t self:udp_socket create_socket_perms;
> +allow puppetmaster_t self:process { signull signal getsched setsched };
> +allow puppetmaster_t self:socket create;
> +
> +## needed for ssl certificate use
> +dev_read_urand(puppetmaster_t)
> +dev_read_rand(puppetmaster_t)
> +
> +hostname_exec(puppetmaster_t)
> +sysnet_dns_name_resolve(puppetmaster_t)
> +corecmd_exec_shell(puppetmaster_t)
> +sysnet_run_ifconfig(puppetmaster_t,system_r)
> +
> +## rpm /yum
> +rpm_read_db(puppetmaster_t)
> +rpm_domtrans(puppetmaster_t)
> diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
> index 7637333..aa9f136 100644
> --- a/policy/modules/system/init.if
> +++ b/policy/modules/system/init.if
> @@ -720,6 +720,26 @@ interface(`init_labeled_script_domtrans',`
> files_search_etc($1)
> ')
>
> +#########################################
> +## <summary>
> +## Transition to the init script domain
> +## for all labeled init script types
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access
> +## </summary>
> +## </param>
> +#########################################
> +interface(`init_all_labeled_script_domtrans',`
> + gen_require(`
> + attribute init_script_file_type;
> + ')
> +
> + init_labeled_script_domtrans($1, init_script_file_type)
> +')
> +
> +
> ########################################
> ## <summary>
> ## Start and stop daemon programs directly.
> diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te
> index 0c4f4ba..8989eb3 100644
> --- a/policy/modules/system/libraries.te
> +++ b/policy/modules/system/libraries.te
> @@ -123,3 +123,8 @@ optional_policy(`
> # blow up.
> rpm_manage_script_tmp_files(ldconfig_t)
> ')
> +
> +
> +optional_policy(`
> + puppet_write_puppet_tmp(ldconfig_t)
> +')
> --
> 1.6.2.5
>

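How the .fc specs in this thread resolve, as an added example that is not part of the thread or of refpolicy: it parses the puppet.fc and puppetmaster.fc entries from the quoted patch, picks the winning spec for a path the way setfiles does (most specific spec wins, ties go to the later entry; the specificity order is an approximation of refpolicy's fc_sort and is an assumption), and flags two defects a reviewer looks for in .fc files: specs that assign different types to one path, and literal dots left unescaped. The path /etc/rcXd/init.d/puppet is constructed to show what an unescaped dot lets through.

```python
"""Resolve SELinux file-context (.fc) specs and lint them.

Resolution follows what setfiles/matchpathcon do: every spec is an anchored
regex, the most specific matching spec wins, and among equally specific specs
the later one in the file wins.  The specificity order below approximates
refpolicy's fc_sort (assumption: specs without regex metacharacters beat regex
specs, then the longer literal stem wins).  The sample specs are the puppet.fc
and puppetmaster.fc lines from the patch quoted in this thread.
"""
import re
from typing import NamedTuple, Optional


class FcSpec(NamedTuple):
    regex: str            # path regex exactly as written in the .fc file
    ftype: Optional[str]  # '--' regular file, '-d' directory, ...; None = any
    context: str          # gen_context(...) reduced to user:role:type:level
    index: int            # position in the file; ties go to the later spec


_GEN_CONTEXT = re.compile(r"gen_context\(\s*([^,\s]+)\s*,\s*(\w+)\s*\)")
_SPEC_LINE = re.compile(r"^(\S+)\s+(?:(-[-a-z])\s+)?(gen_context\(.*\)|<<none>>)$")
_META = re.compile(r"[.^$?*+|\[\](){}\\]")


def parse_fc(text: str) -> list:
    """Parse .fc lines; blank lines and '#' comments are skipped."""
    specs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _SPEC_LINE.match(line)
        if m is None:
            raise ValueError(f"unparseable .fc line: {line!r}")
        regex, ftype, ctx = m.groups()
        g = _GEN_CONTEXT.match(ctx)
        context = f"{g.group(1)}:{g.group(2)}" if g else ctx
        specs.append(FcSpec(regex, ftype, context, len(specs)))
    return specs


def specificity(spec: FcSpec) -> tuple:
    """Sort key: (has no metachars, literal stem length, file position)."""
    m = _META.search(spec.regex)
    stem = len(spec.regex) if m is None else m.start()
    return (m is None, stem, spec.index)


def candidates(specs, path: str, ftype: str = "--") -> list:
    """Specs whose anchored regex matches path and whose file type fits."""
    return [s for s in specs
            if (s.ftype is None or s.ftype == ftype)
            and re.fullmatch(s.regex, path) is not None]


def resolve(specs, path: str, ftype: str = "--") -> Optional[str]:
    """Context a file of type ftype at path would get, or None if unlabeled."""
    cands = candidates(specs, path, ftype)
    return max(cands, key=specificity).context if cands else None


def find_conflicts(specs, paths, ftype: str = "--") -> dict:
    """Paths matched by specs that disagree on the type: {path: (winner, all)}."""
    out = {}
    for p in paths:
        types = sorted({s.context for s in candidates(specs, p, ftype)})
        if len(types) > 1:
            out[p] = (resolve(specs, p, ftype), types)
    return out


def unescaped_dots(specs) -> list:
    """Regexes with a '.' that is neither escaped nor followed by a quantifier:
    almost always a literal path dot that should have been written '\\.'."""
    bad = re.compile(r"(?<!\\)\.(?![*+?])")
    return [s.regex for s in specs if bad.search(s.regex)]


# Sample input: the puppet.fc and puppetmaster.fc entries from the patch above.
SAMPLE_FC = """
/etc/puppet(/.*)? gen_context(system_u:object_r:puppet_etc_t,s0)
/etc/rc.d/init.d/puppet -- gen_context(system_u:object_r:puppetd_initrc_exec_t,s0)
/usr/bin/filebucket -- gen_context(system_u:object_r:puppet_bin_t,s0)
/usr/bin/puppet(.*)? -- gen_context(system_u:object_r:puppet_bin_t,s0)
/usr/bin/ralsh -- gen_context(system_u:object_r:puppet_bin_t,s0)
/usr/sbin/puppetd -- gen_context(system_u:object_r:puppet_exec_t,s0)
/var/lib/puppet(/.*)? gen_context(system_u:object_r:puppet_var_lib_t,s0)
/var/log/puppet(/.*)? gen_context(system_u:object_r:puppet_log_t,s0)
/var/run/puppet(/.*)? gen_context(system_u:object_r:puppet_var_run_t,s0)
/etc/rc.d/init.d/puppetmaster -- gen_context(system_u:object_r:puppetmasterd_initrc_exec_t,s0)
/usr/bin/puppetrun -- gen_context(system_u:object_r:puppetmaster_bin_t,s0)
/usr/sbin/puppetca -- gen_context(system_u:object_r:puppetmaster_sbin_t,s0)
/usr/sbin/puppetmasterd -- gen_context(system_u:object_r:puppetmaster_exec_t,s0)
"""

# Paths to check: binaries named in the specs plus one constructed path that the
# unescaped dot in /etc/rc.d/init.d/puppet wrongly matches.
SAMPLE_PATHS = ["/usr/bin/puppetrun", "/usr/bin/puppet", "/usr/sbin/puppetd",
                "/usr/bin/ralsh", "/etc/rcXd/init.d/puppet"]

if __name__ == "__main__":
    specs = parse_fc(SAMPLE_FC)
    for path, (winner, types) in find_conflicts(specs, SAMPLE_PATHS).items():
        print(f"CONFLICT {path}: {winner} wins over {types}")
    for rx in unescaped_dots(specs):
        print(f"UNESCAPED DOT in {rx}")
```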

2009-09-05 09:38:48

by domg472

Subject: [refpolicy] puppet.patch - updated

On Fri, Sep 04, 2009 at 08:24:16AM -0400, Craig Grube wrote:

I already made some modifications to my own take on the policy. More modifications are probably to follow.
You can find my current (up-to-date) policy for puppet here:

http://82.197.205.60/~dgrift/stuff/modules/puppet/

Again, this policy is untested; there are likely errors left.

> Attached is a new version of a patch adding support for Puppet. The
> patch addresses most of the specific comments from Dominick Grift and
> some additional modifications.
>
> To provide some context for the patch, which I obviously failed to do
> last week, earlier this year I started looking into using configuration
> management systems to manage SELinux clients. As far as I could tell
> everyone managing SELinux clients with Puppet is doing so with the
> client and server services running unconfined. It seemed a bit strange
> that one would manage the configuration of clients, especially SELinux's
> configuration, using unconfined services. The patch is an attempt to
> provide an alternative.
>
> Running puppetmaster in its own domain is fairly simple as it needs to
> read configuration files, manage some state, and communicate with
> clients. Puppet's client was a bit more difficult: one option was to
> run the client unconfined due to the amount of privilege required to
> manage a system's configuration (add/remove packages, add/remove users,
> update configuration files, restart services, etc), and the other was to
> make an attempt to run the client in a separate domain with a broad but
> not complete set of privileges. The client policy in the patch does a
> bit of both by confining puppet to its own domain and optionally calling
> unconfined_domain at the end.
>
> The majority of testing was performed with the unconfined module not
> loaded, so my expectation is that puppet should work normally whether
> confined or not.
>
> Here's a short summary of the files modified in the patch with a
> one-liner about changes:
>
> services/puppet.* - new policy for Puppet client daemon
>
> services/puppetmaster.* - new policy for Puppet server daemon
>
> system/libraries.te, admin/usermanage.te - allows redirection of
> standard output from ldconfig / groupadd to Puppet temp files.
>
> system/init.if - new interface allowing transition to init script domain
> for all labeled init script types (lets Puppet restart system services
> in the proper domains)
>
> kernel/corenetwork.te.in - adds puppet network port
>
> If additional changes are desired or the patch should be broken up, let
> me know and I will make them.
>
> --
> Craig Grube
>

> From 131052bb6e402a2f446bd2a7a305cb1e6fd6f98b Mon Sep 17 00:00:00 2001
> From: Craig Grube <[email protected]>
> Date: Wed, 2 Sep 2009 16:27:16 -0400
> Subject: [PATCH 1/1] initial version of puppet CMS policy
>
>
> Signed-off-by: Craig Grube <[email protected]>
> ---
> policy/modules/admin/usermanage.te | 4 +
> policy/modules/kernel/corenetwork.te.in | 1 +
> policy/modules/services/puppet.fc | 9 ++
> policy/modules/services/puppet.if | 96 +++++++++++++++++++++++
> policy/modules/services/puppet.te | 126 +++++++++++++++++++++++++++++++
> policy/modules/services/puppetmaster.fc | 4 +
> policy/modules/services/puppetmaster.if | 1 +
> policy/modules/services/puppetmaster.te | 73 ++++++++++++++++++
> policy/modules/system/init.if | 20 +++++
> policy/modules/system/libraries.te | 5 +
> 10 files changed, 339 insertions(+), 0 deletions(-)
> create mode 100644 policy/modules/services/puppet.fc
> create mode 100644 policy/modules/services/puppet.if
> create mode 100644 policy/modules/services/puppet.te
> create mode 100644 policy/modules/services/puppetmaster.fc
> create mode 100644 policy/modules/services/puppetmaster.if
> create mode 100644 policy/modules/services/puppetmaster.te
>
> diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
> index 1865872..4a73384 100644
> --- a/policy/modules/admin/usermanage.te
> +++ b/policy/modules/admin/usermanage.te
> @@ -247,6 +247,10 @@ optional_policy(`
> rpm_rw_pipes(groupadd_t)
> ')
>
> +optional_policy(`
> + puppet_write_puppet_tmp(groupadd_t)
> +')
> +
> ########################################
> #
> # Passwd local policy
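Review bot: the new optional_policy block granting groupadd_t access to puppet_tmp_t files carries no comment saying why a user-management tool writes puppet's temp files (the cover letter explains it: puppet redirects groupadd's standard output there); a one-line `# puppet redirects groupadd output into its tmp files` above the block would make that visible to the next reader. Note also that writing through a descriptor inherited from puppet_t additionally requires `groupadd_t puppet_t:fd use`, which neither this hunk nor the puppet_write_puppet_tmp interface grants.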
> diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
> index 9d100fe..3fa5007 100644
> --- a/policy/modules/kernel/corenetwork.te.in
> +++ b/policy/modules/kernel/corenetwork.te.in
> @@ -155,6 +155,7 @@ network_port(prelude, tcp,4690,s0, udp,4690,s0)
> network_port(printer, tcp,515,s0)
> network_port(ptal, tcp,5703,s0)
> network_port(pulseaudio, tcp,4713,s0)
> +network_port(puppet, tcp, 8140, s0)
> network_port(pxe, udp,4011,s0)
> network_port(pyzor, udp,24441,s0)
> network_port(radacct, udp,1646,s0, udp,1813,s0)
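Review bot: `network_port(puppet, tcp, 8140, s0)` is spaced differently from every neighbouring line (`network_port(pulseaudio, tcp,4713,s0)`); write it as `network_port(puppet, tcp,8140,s0)` so the file stays uniform. The alphabetical placement between pulseaudio and pxe is correct.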
> diff --git a/policy/modules/services/puppet.fc b/policy/modules/services/puppet.fc
> new file mode 100644
> index 0000000..0c4b70e
> --- /dev/null
> +++ b/policy/modules/services/puppet.fc
> @@ -0,0 +1,9 @@
> +/etc/puppet(/.*)? gen_context(system_u:object_r:puppet_etc_t,s0)
> +/etc/rc.d/init.d/puppet -- gen_context(system_u:object_r:puppetd_initrc_exec_t,s0)
> +/usr/bin/filebucket -- gen_context(system_u:object_r:puppet_bin_t,s0)
> +/usr/bin/puppet(.*)? -- gen_context(system_u:object_r:puppet_bin_t,s0)
> +/usr/bin/ralsh -- gen_context(system_u:object_r:puppet_bin_t,s0)
> +/usr/sbin/puppetd -- gen_context(system_u:object_r:puppet_exec_t,s0)
> +/var/lib/puppet(/.*)? gen_context(system_u:object_r:puppet_var_lib_t,s0)
> +/var/log/puppet(/.*)? gen_context(system_u:object_r:puppet_log_t,s0)
> +/var/run/puppet(/.*)? gen_context(system_u:object_r:puppet_var_run_t,s0)
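Review bot: `/usr/bin/puppet(.*)? --` is a redundant pattern (`(.*)?` and `.*` match exactly the same strings) and would also label any future /usr/bin/puppet* binary puppet_bin_t; list the actual binaries explicitly, or use `/usr/bin/puppet.*` if the wildcard is intended. The init script type `puppetd_initrc_exec_t` does not follow the module-name convention, which would be `puppet_initrc_exec_t` (the revised puppet.te posted later in this thread uses that name).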
> diff --git a/policy/modules/services/puppet.if b/policy/modules/services/puppet.if
> new file mode 100644
> index 0000000..dccf64a
> --- /dev/null
> +++ b/policy/modules/services/puppet.if
> @@ -0,0 +1,96 @@
> +## <summary>Puppet client daemon</summary>
> +
> +################################################
> +## <summary>
> +## Read / Write to Puppet temp files. Puppet uses
> +## some system binaries (groupadd, etc) that run in
> +## a non-puppet domain and redirects output into temp
> +## files.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access
> +## </summary>
> +## </param>
> +##
> +################################################
> +interface(`puppet_write_puppet_tmp',`
> + gen_require(`
> + type puppet_tmp_t;
> + ')
> + allow $1 puppet_tmp_t:file rw_file_perms;
> +')
> +
> +###############################################
> +## <summary>
> +## Don't audit attempts to use puppet file
> +## descriptors. This pops up when puppet
> +## runs command line tools and redirects
> +## the output to /dev/null.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain to not be audited
> +## </summary>
> +## </param>
> +###############################################
> +interface(`puppet_dontaudit_fd_use',`
> + gen_require(`
> + type puppet_t;
> + ')
> + dontaudit $1 puppet_t:fd use;
> +')
> +
> +###############################################
> +## <summary>
> +## Read puppet configuration files
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access
> +## </summary>
> +## </param>
> +###############################################
> +interface(`puppet_read_puppet_config',`
> + gen_require(`
> + type puppet_etc_t;
> + ')
> + read_files_pattern($1, puppet_etc_t, puppet_etc_t)
> + list_dirs_pattern($1, puppet_etc_t, puppet_etc_t)
> +')
> +
> +
> +##############################################
> +## <summary>
> +## Manage various types of puppet related
> +## files.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access
> +## </summary>
> +## </param>
> +##############################################
> +interface(`puppet_manage_puppet_files',`
> + gen_require(`
> + type puppet_var_lib_t;
> + type puppet_var_run_t;
> + type puppet_log_t;
> + type puppet_tmp_t;
> + ')
> +
> + manage_dirs_pattern($1,puppet_var_lib_t, puppet_var_lib_t)
> + manage_files_pattern($1,puppet_var_lib_t, puppet_var_lib_t)
> +
> + manage_dirs_pattern($1,puppet_var_run_t, puppet_var_run_t)
> + manage_files_pattern($1,puppet_var_run_t, puppet_var_run_t)
> + files_pid_filetrans($1,puppet_var_run_t, { file dir })
> +
> + manage_dirs_pattern($1,puppet_log_t, puppet_log_t)
> + manage_files_pattern($1,puppet_log_t, puppet_log_t)
> + logging_log_filetrans($1,puppet_log_t, { file dir })
> +
> + manage_dirs_pattern($1, puppet_tmp_t, puppet_tmp_t)
> + manage_files_pattern($1, puppet_tmp_t, puppet_tmp_t)
> + files_tmp_filetrans($1, puppet_tmp_t, { file dir })
> +')
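Review bot: `puppet_write_puppet_tmp` grants `rw_file_perms` while its name and summary promise write access only; either name it `puppet_rw_puppet_tmp_files` or grant `write_file_perms`. It also does not fully cover the case it is written for: a helper that writes to a descriptor redirected by puppet_t must additionally be allowed `puppet_t:fd use`, which neither this interface nor its callers (groupadd_t, ldconfig_t) receive, and the `tclass=fd` denials for ldconfig_t reported later in this thread are that class of denial. In `puppet_manage_puppet_files`, `manage_files_pattern` on puppet_log_t lets a caller overwrite and delete its own logs; create plus append (as the revised puppet.te later in the thread uses) is the usual shape for a log writer. The interface manages puppet_var_lib_t without `files_search_var_lib($1)`, so a caller without broad file access cannot reach /var/lib/puppet. Minor: a stray `##` line closes the first doc block, and the `$1,puppet_var_lib_t` vs `$1, puppet_tmp_t` spacing is inconsistent.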
> diff --git a/policy/modules/services/puppet.te b/policy/modules/services/puppet.te
> new file mode 100644
> index 0000000..cd3fe5e
> --- /dev/null
> +++ b/policy/modules/services/puppet.te
> @@ -0,0 +1,126 @@
> +
> +policy_module(puppet,0.0.1)
> +
> +#####################################################
> +## Declarations
> +#
> +type puppet_t;
> +type puppet_exec_t;
> +init_daemon_domain(puppet_t,puppet_exec_t)
> +
> +type puppetd_initrc_exec_t;
> +init_script_file(puppetd_initrc_exec_t);
> +
> +type puppet_bin_t;
> +application_executable_file(puppet_bin_t)
> +
> +type puppet_log_t;
> +logging_log_file(puppet_log_t)
> +
> +type puppet_var_lib_t;
> +files_type(puppet_var_lib_t)
> +
> +type puppet_var_run_t;
> +files_pid_file(puppet_var_run_t)
> +
> +type puppet_etc_t;
> +files_config_file(puppet_etc_t)
> +
> +type puppet_tmp_t;
> +files_tmp_file(puppet_tmp_t)
> +
> +############################################################
> +# Puppet Client Local Policy
> +
> +puppet_read_puppet_config(puppet_t)
> +puppet_manage_puppet_files(puppet_t)
> +
> +## stop/start all services
> +init_domtrans_script(puppet_t)
> +init_all_labeled_script_domtrans(puppet_t)
> +
> +## syslog
> +logging_send_syslog_msg(puppet_t)
> +
> +## allow client to bind and send data on high ports
> +corenet_all_recvfrom_unlabeled(puppet_t)
> +corenet_tcp_sendrecv_all_ports(puppet_t)
> +
> +corecmd_exec_bin(puppet_t)
> +
> +kernel_read_system_state(puppet_t)
> +kernel_read_crypto_sysctls(puppet_t)
> +kernel_dontaudit_search_sysctl(puppet_t)
> +kernel_dontaudit_search_kernel_sysctl(puppet_t)
> +
> +miscfiles_read_localization(puppet_t)
> +files_read_etc_files(puppet_t)
> +files_list_tmp(puppet_t)
> +dev_read_urand(puppet_t)
> +dev_read_rand(puppet_t)
> +
> +allow puppet_t self:fifo_file rw_fifo_file_perms;
> +allow puppet_t self:process { signal signull getsched setsched };
> +allow puppet_t self:capability { sys_admin fowner fsetid setuid setgid sys_rawio dac_override sys_nice sys_ptrace sys_tty_config };
> +allow puppet_t self:netlink_route_socket create_netlink_socket_perms;
> +allow puppet_t self:udp_socket create_socket_perms;
> +allow puppet_t self:tcp_socket create_stream_socket_perms;
> +
> +## send signull to init scripts
> +init_signull_script(puppet_t)
> +
> +## connect to puppet port (on server)
> +corenet_tcp_connect_puppet_port(puppet_t)
> +
> +corecmd_exec_shell(puppet_t)
> +hostname_exec(puppet_t)
> +usermanage_domtrans_groupadd(puppet_t)
> +usermanage_domtrans_useradd(puppet_t)
> +sysnet_run_ifconfig(puppet_t,system_r)
> +sysnet_dns_name_resolve(puppet_t)
> +
> +## set selinux booleans
> +selinux_set_all_booleans(puppet_t)
> +selinux_set_generic_booleans(puppet_t)
> +seutil_domtrans_setfiles(puppet_t)
> +selinux_getattr_fs(puppet_t)
> +selinux_search_fs(puppet_t)
> +corecmd_bin_entry_type(puppet_t)
> +
> +## manage file contexts
> +seutil_manage_file_contexts(puppet_t)
> +seutil_domtrans_semanage(puppet_t)
> +
> +## load/manage selinux policy
> +seutil_domtrans_semanage(puppet_t)
> +
> +## read/write in the selinux policy directory
> +seutil_manage_default_contexts(puppet_t)
> +
> +# lspci
> +dev_read_sysfs(puppet_t)
> +miscfiles_read_hwdata(puppet_t)
> +
> +# uptime
> +init_read_utmp(puppet_t)
> +
> +# rpm/yum
> +rpm_domtrans(puppet_t)
> +
> +## ps
> +domain_read_all_domains_state(puppet_t)
> +
> +## squash AVS when puppet redirects tools stdout to /dev/null
> +puppet_dontaudit_fd_use(domain)
> +
> +## execute consoletype in consoletype domain
> +consoletype_domtrans(puppet_t)
> +
> +## puppet needs to be able to manage arbitrary file types
> +auth_manage_all_files_except_shadow(puppet_t)
> +auth_relabel_all_files_except_shadow(puppet_t)
> +
> +optional_policy(`
> + unconfined_domain(puppet_t)
> +')
> +
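Review bot: `puppet_dontaudit_fd_use(domain)` calls the module's own interface from inside puppet.te and passes the global `domain` attribute, i.e. `dontaudit domain puppet_t:fd use` for every domain on the system; the thread later settles on `domain_interactive_fd(puppet_t)` with `domain_use_interactive_fds` in the helper modules, which is the existing mechanism for exactly this case and should replace it. Other items in this hunk: `seutil_domtrans_semanage(puppet_t)` appears twice (under "manage file contexts" and under "load/manage selinux policy"); `rpm_domtrans`, `consoletype_domtrans`, `usermanage_domtrans_*` and `hostname_exec` call into non-base modules but only `unconfined_domain` is wrapped in optional_policy(`...') (the revised puppet.te later in the thread wraps consoletype and rpm); `init_script_file(puppetd_initrc_exec_t);` ends in a semicolon that no other macro call in the file has; the `##` comment prefix is the marker the documentation tooling parses in .if files, so ordinary .te comments should use a single `#`; and the capability set (sys_admin, sys_rawio, sys_ptrace, dac_override) is granted with no comment on which puppet operation needs each, which is what a reviewer needs to judge a client domain this broad.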
> diff --git a/policy/modules/services/puppetmaster.fc b/policy/modules/services/puppetmaster.fc
> new file mode 100644
> index 0000000..aba5af6
> --- /dev/null
> +++ b/policy/modules/services/puppetmaster.fc
> @@ -0,0 +1,4 @@
> +/etc/rc.d/init.d/puppetmaster -- gen_context(system_u:object_r:puppetmasterd_initrc_exec_t,s0)
> +/usr/bin/puppetrun -- gen_context(system_u:object_r:puppetmaster_bin_t,s0)
> +/usr/sbin/puppetca -- gen_context(system_u:object_r:puppetmaster_sbin_t,s0)
> +/usr/sbin/puppetmasterd -- gen_context(system_u:object_r:puppetmaster_exec_t,s0)
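Review bot: `puppetrun` and `puppetca` get two distinct executable types, puppetmaster_bin_t and puppetmaster_sbin_t, but the puppetmaster.te hunk contains no rule that references either (no domtrans, no exec interface), so the distinction does nothing; use a single type, or leave them with the default bin_t label until a transition actually needs a private type. puppet.fc labels the client's helpers puppet_bin_t, so at minimum the naming should be parallel.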
> diff --git a/policy/modules/services/puppetmaster.if b/policy/modules/services/puppetmaster.if
> new file mode 100644
> index 0000000..b40b1bf
> --- /dev/null
> +++ b/policy/modules/services/puppetmaster.if
> @@ -0,0 +1 @@
> +## <summary>Puppetmaster daemon</summary>
> diff --git a/policy/modules/services/puppetmaster.te b/policy/modules/services/puppetmaster.te
> new file mode 100644
> index 0000000..96186ab
> --- /dev/null
> +++ b/policy/modules/services/puppetmaster.te
> @@ -0,0 +1,73 @@
> +
> +policy_module(puppetmaster,0.0.1)
> +
> +####################################################
> +## Declarations
> +##
> +type puppetmaster_t;
> +type puppetmaster_exec_t;
> +init_daemon_domain(puppetmaster_t,puppetmaster_exec_t)
> +
> +type puppetmasterd_initrc_exec_t;
> +init_script_file(puppetmasterd_initrc_exec_t)
> +
> +type puppetmaster_bin_t;
> +application_executable_file(puppetmaster_bin_t)
> +
> +type puppetmaster_sbin_t;
> +application_executable_file(puppetmaster_sbin_t)
> +
> +##################################################
> +## Puppetmaster local policy
> +
> +puppet_read_puppet_config(puppetmaster_t)
> +puppet_manage_puppet_files(puppetmaster_t)
> +
> +## syslog
> +logging_send_syslog_msg(puppetmaster_t)
> +
> +## basic networking
> +corenet_all_recvfrom_unlabeled(puppetmaster_t)
> +corenet_tcp_sendrecv_all_ports(puppetmaster_t)
> +corenet_tcp_bind_all_nodes(puppetmaster_t)
> +corenet_udp_bind_generic_port(puppetmaster_t)
> +
> +# bind to puppet port
> +corenet_tcp_bind_puppet_port(puppetmaster_t)
> +
> +# read/exec normal binaries
> +corecmd_exec_bin(puppetmaster_t)
> +
> +# read stuff in proc
> +kernel_read_system_state(puppetmaster_t)
> +kernel_read_crypto_sysctls(puppetmaster_t)
> +
> +# ps
> +domain_read_all_domains_state(puppetmaster_t)
> +
> +## read locale files
> +miscfiles_read_localization(puppetmaster_t)
> +
> +files_read_etc_files(puppetmaster_t)
> +files_list_tmp(puppetmaster_t)
> +
> +allow puppetmaster_t self:fifo_file rw_fifo_file_perms;;
> +allow puppetmaster_t self:capability { dac_read_search dac_override setuid setgid fowner chown fsetid sys_tty_config };
> +allow puppetmaster_t self:netlink_route_socket create_netlink_socket_perms;
> +allow puppetmaster_t self:tcp_socket create_stream_socket_perms;
> +allow puppetmaster_t self:udp_socket create_socket_perms;
> +allow puppetmaster_t self:process { signull signal getsched setsched };
> +allow puppetmaster_t self:socket create;
> +
> +## needed for ssl certificate use
> +dev_read_urand(puppetmaster_t)
> +dev_read_rand(puppetmaster_t)
> +
> +hostname_exec(puppetmaster_t)
> +sysnet_dns_name_resolve(puppetmaster_t)
> +corecmd_exec_shell(puppetmaster_t)
> +sysnet_run_ifconfig(puppetmaster_t,system_r)
> +
> +## rpm /yum
> +rpm_read_db(puppetmaster_t)
> +rpm_domtrans(puppetmaster_t)
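Review bot: `allow puppetmaster_t self:fifo_file rw_fifo_file_perms;;` has a doubled semicolon. `rpm_read_db` and `rpm_domtrans` should sit inside optional_policy(`...') since rpm is not a base module (the revised policy later in this thread does this). `puppet_manage_puppet_files(puppetmaster_t)` gives the server full manage, including unlink, over the client's var_lib, var_run, tmp and log types; if the two daemons really share these directories, as the thread later confirms, the shared types deserve narrower per-type interfaces, and the log type should be create plus append rather than manage. `corenet_tcp_sendrecv_all_ports` without the matching `corenet_tcp_sendrecv_all_if` / `_all_nodes` calls (both added in the revised policy) leaves interface and node denials in place, `corenet_udp_bind_generic_port` appears without any UDP node bind, and `allow puppetmaster_t self:socket create` (the raw `socket` class) looks like an audit2allow leftover; each wants a justifying comment or removal. The `## Declarations ##` comment prefix should be a single `#` in a .te file.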
> diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
> index 7637333..aa9f136 100644
> --- a/policy/modules/system/init.if
> +++ b/policy/modules/system/init.if
> @@ -720,6 +720,26 @@ interface(`init_labeled_script_domtrans',`
> files_search_etc($1)
> ')
>
> +#########################################
> +## <summary>
> +## Transition to the init script domain
> +## for all labeled init script types
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access
> +## </summary>
> +## </param>
> +#########################################
> +interface(`init_all_labeled_script_domtrans',`
> + gen_require(`
> + attribute init_script_file_type;
> + ')
> +
> + init_labeled_script_domtrans($1, init_script_file_type)
> +')
> +
> +
> ########################################
> ## <summary>
> ## Start and stop daemon programs directly.
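Review bot: the summary of `init_all_labeled_script_domtrans` should say plainly that the caller gains a transition through every type carrying the `init_script_file_type` attribute, i.e. it can start and stop any service on the system; callers (puppet_t here) should see that breadth in the interface documentation rather than infer it from the name. Style: two blank lines are added after the closing `')`, where the file uses one between interfaces.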
> diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te
> index 0c4f4ba..8989eb3 100644
> --- a/policy/modules/system/libraries.te
> +++ b/policy/modules/system/libraries.te
> @@ -123,3 +123,8 @@ optional_policy(`
> # blow up.
> rpm_manage_script_tmp_files(ldconfig_t)
> ')
> +
> +
> +optional_policy(`
> + puppet_write_puppet_tmp(ldconfig_t)
> +')
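Review bot: two blank lines are added before the new optional_policy block, where one separates the blocks above it. A short comment on why ldconfig_t writes puppet_tmp_t files (puppet redirects its output there, per the cover letter) would document the grant the way the `# blow up.` comment documents the rpm case. Writing through the redirected descriptor also needs `ldconfig_t puppet_t:fd use`, which this hunk does not grant; the `scontext=...ldconfig_t tcontext=...puppet_t tclass=fd` denials reported later in this thread are that gap.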
> --
> 1.6.2.5
>



2009-09-06 16:15:43

by Craig.Grube

Subject: [refpolicy] puppet.patch - updated

I tested the policy and attached a modified version that mostly works.
The main issue I encountered was that puppetmaster's level of access to the types
puppet_var_run_t, puppet_var_lib_t and puppet_tmp_t was insufficient. I
replicated puppet's accesses for puppetmaster and it works.

There are still some AVCs being generated including these:

For puppetmaster:
- Wants write, read, setattr to puppet_log_t files.

For puppet:
- Appears to redirect output (not sure at this point if stderr or
stdout) from system utilities to /dev/null which results in AVCs like this:

type=AVC msg=audit(1252178670.560:136): avc: denied { use } for
pid=1694 comm="modprobe" path="/dev/null" dev=tmpfs ino=400
scontext=system_u:system_r:insmod_t tcontext=system_u:system_r:puppet_t
tclass=fd

I am seeing these for insmod_t, ldconfig_t, initrc_t, and rpm_script_t.
I had a 'dontaudit domain puppet_t:fd use' to squash these AVCs,
which does not appear from my testing to negatively affect puppet.

Craig

Dominick Grift wrote:
> On Fri, Sep 04, 2009 at 08:24:16AM -0400, Craig Grube wrote:
>
> I already made some modifications to my own take of the policy. More modifications are probably to follow.
> You can find my current (up-to-date) policy for puppet here:
>
> http://82.197.205.60/~dgrift/stuff/modules/puppet/
>
> Again, this policy is untested. There are likely errors left.
>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: puppet.te
Url: http://oss.tresys.com/pipermail/refpolicy/attachments/20090906/fea51656/attachment.pl

2009-09-06 16:23:43

by domg472

Subject: [refpolicy] puppet.patch - updated

On Sun, Sep 06, 2009 at 12:15:43PM -0400, Craig Grube wrote:
> I tested the policy and attached a modified version that mostly works.
> The main issue I encountered was that puppetmaster's level of access to the types
> puppet_var_run_t, puppet_var_lib_t and puppet_tmp_t was insufficient. I
> replicated puppet's accesses for puppetmaster and it works.

So who owns these files, puppet or puppetmaster? Do they both create them (do both own them)?
>
> There are still some AVCs being generated including these:
>
> For puppetmaster:
> - Wants write, read, setattr to puppet_log_t files.

Writing to log files is a bad idea. puppetmaster should append instead of writing (consider reporting that to puppet). If puppetmaster can write to its log files it can potentially wipe its trail.

> For puppet:
> - Appears to redirect output (not sure at this point if stderr or
> stdout) from system utilities to /dev/null which results in AVCs like
> this:
>
> type=AVC msg=audit(1252178670.560:136): avc: denied { use } for
> pid=1694 comm="modprobe" path="/dev/null" dev=tmpfs ino=400
> scontext=system_u:system_r:insmod_t tcontext=system_u:system_r:puppet_t
> tclass=fd
>
> I am seeing these for insmod_t, ldconfig_t, initrc_t, and rpm_script_t.
> I had a 'dontaudit domain puppet_t:fd use' to squash these AVCs, which
> does not appear from my testing to negatively affect puppet.
OK, if required I guess there is no harm in adding it. However, is there no interface available that you can use?
Check the domain interface file for that.
>
> Craig
>
> Dominick Grift wrote:
>> On Fri, Sep 04, 2009 at 08:24:16AM -0400, Craig Grube wrote:
>>
>> I already made some modifications to my own take of the policy. More modifications are probably to follow.
>> You can find my current (up-to-date) policy for puppet here:
>>
>> http://82.197.205.60/~dgrift/stuff/modules/puppet/
>>
>> Again, this policy is untested. There are likely errors left.
>>

>
> policy_module(puppet, 0.0.1)
>
> ########################################
> #
> # Puppet personal declarations
> #
>
> type puppet_t;
> type puppet_exec_t;
> init_daemon_domain(puppet_t, puppet_exec_t)
>
> type puppet_initrc_exec_t;
> init_script_file(puppet_initrc_exec_t)
>
> type puppet_log_t;
> logging_log_file(puppet_log_t)
>
> type puppet_var_lib_t;
> files_type(puppet_var_lib_t)
>
> type puppet_var_run_t;
> files_pid_file(puppet_var_run_t)
>
> type puppet_etc_t;
> files_config_file(puppet_etc_t)
>
> type puppet_tmp_t;
> files_tmp_file(puppet_tmp_t)
>
> ########################################
> #
> # Puppet master personal declarations
> #
>
> type puppetmaster_t;
> type puppetmaster_exec_t;
> init_daemon_domain(puppetmaster_t, puppetmaster_exec_t)
>
> type puppetmasterd_initrc_exec_t;
> init_script_file(puppetmasterd_initrc_exec_t)
>
> ########################################
> #
> # Puppet personal policy
> #
>
> allow puppet_t self:capability { sys_admin fowner fsetid setuid setgid sys_rawio dac_override sys_nice sys_ptrace sys_tty_config };
> allow puppet_t self:fifo_file rw_fifo_file_perms;
> allow puppet_t self:netlink_route_socket create_netlink_socket_perms;
> allow puppet_t self:process { signal signull getsched setsched };
> allow puppet_t self:tcp_socket create_stream_socket_perms;
> allow puppet_t self:udp_socket create_socket_perms;
>
> search_dirs_pattern(puppet_t, puppet_etc_t, puppet_etc_t)
> read_files_pattern(puppet_t, puppet_etc_t, puppet_etc_t)
>
> manage_dirs_pattern(puppet_t, puppet_var_lib_t, puppet_var_lib_t)
> manage_files_pattern(puppet_t, puppet_var_lib_t, puppet_var_lib_t)
>
> manage_dirs_pattern(puppet_t, puppet_var_run_t, puppet_var_run_t)
> manage_files_pattern(puppet_t, puppet_var_run_t, puppet_var_run_t)
> files_pid_filetrans(puppet_t, puppet_var_run_t, { file dir })
>
> manage_dirs_pattern(puppet_t, puppet_log_t, puppet_log_t)
> create_files_pattern(puppet_t, puppet_log_t, puppet_log_t)
> append_files_pattern(puppet_t, puppet_log_t, puppet_log_t)
> logging_log_filetrans(puppet_t, puppet_log_t, { file dir })
>
> manage_dirs_pattern(puppet_t, puppet_tmp_t, puppet_tmp_t)
> manage_files_pattern(puppet_t, puppet_tmp_t, puppet_tmp_t)
> files_tmp_filetrans(puppet_t, puppet_tmp_t, { file dir })
>
> auth_manage_all_files_except_shadow(puppet_t)
> auth_relabel_all_files_except_shadow(puppet_t)
>
> corenet_sendrecv_puppet_client_packets(puppet_t)
> corenet_tcp_connect_puppet_port(puppet_t)
>
> corenet_all_recvfrom_netlabel(puppet_t)
> corenet_all_recvfrom_unlabeled(puppet_t)
>
> corenet_tcp_sendrecv_all_if(puppet_t)
> corenet_tcp_sendrecv_all_nodes(puppet_t)
>
> corenet_tcp_bind_all_nodes(puppet_t)
>
> corecmd_exec_bin(puppet_t)
> corecmd_exec_shell(puppet_t)
>
> dev_read_rand(puppet_t)
> dev_read_sysfs(puppet_t)
> dev_read_urand(puppet_t)
>
> domain_read_all_domains_state(puppet_t)
>
> files_read_etc_files(puppet_t)
>
> hostname_exec(puppet_t)
>
> init_all_labeled_script_domtrans(puppet_t)
> init_domtrans_script(puppet_t)
> init_read_utmp(puppet_t)
> init_signull_script(puppet_t)
>
> kernel_dontaudit_search_sysctl(puppet_t)
> kernel_dontaudit_search_kernel_sysctl(puppet_t)
>
> kernel_read_system_state(puppet_t)
> kernel_read_crypto_sysctls(puppet_t)
>
> logging_send_syslog_msg(puppet_t)
>
> miscfiles_read_hwdata(puppet_t)
> miscfiles_read_localization(puppet_t)
>
> selinux_search_fs(puppet_t)
> selinux_set_all_booleans(puppet_t)
> selinux_set_generic_booleans(puppet_t)
>
> seutil_domtrans_setfiles(puppet_t)
> seutil_domtrans_semanage(puppet_t)
> seutil_manage_default_contexts(puppet_t)
> seutil_manage_file_contexts(puppet_t)
>
> sysnet_dns_name_resolve(puppet_t)
> sysnet_run_ifconfig(puppet_t, system_r)
>
> usermanage_domtrans_groupadd(puppet_t)
> usermanage_domtrans_useradd(puppet_t)
>
> optional_policy(`
> consoletype_domtrans(puppet_t)
> ')
>
> optional_policy(`
> rpm_domtrans(puppet_t)
> ')
>
> optional_policy(`
> unconfined_domain(puppet_t)
> ')
>
> ########################################
> #
> # Puppet master personal policy
> #
>
> allow puppetmaster_t self:capability { dac_read_search dac_override setuid setgid fowner chown fsetid sys_tty_config };
> allow puppetmaster_t self:fifo_file rw_fifo_file_perms;
> allow puppetmaster_t self:netlink_route_socket create_netlink_socket_perms;
> allow puppetmaster_t self:process signal_perms;
> allow puppetmaster_t self:socket create;
> allow puppetmaster_t self:tcp_socket create_stream_socket_perms;
> allow puppetmaster_t self:udp_socket create_socket_perms;
>
> list_dirs_pattern(puppetmaster_t, puppet_etc_t, puppet_etc_t)
> read_files_pattern(puppetmaster_t, puppet_etc_t, puppet_etc_t)
>
> manage_dirs_pattern(puppetmaster_t, puppet_var_lib_t, puppet_var_lib_t)
> manage_files_pattern(puppetmaster_t, puppet_var_lib_t, puppet_var_lib_t)
>
> manage_dirs_pattern(puppetmaster_t, puppet_var_run_t, puppet_var_run_t)
> manage_files_pattern(puppetmaster_t, puppet_var_run_t, puppet_var_run_t)
> files_pid_filetrans(puppetmaster_t, puppet_var_run_t, { file dir })
>
> manage_dirs_pattern(puppetmaster_t, puppet_log_t, puppet_log_t)
> create_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t)
> append_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t)
> logging_log_filetrans(puppetmaster_t, puppet_log_t, { file dir })
>
> manage_dirs_pattern(puppetmaster_t, puppet_tmp_t, puppet_tmp_t)
> manage_files_pattern(puppetmaster_t, puppet_tmp_t, puppet_tmp_t)
> files_tmp_filetrans(puppetmaster_t, puppet_tmp_t, { file dir })
>
> corenet_sendrecv_puppet_server_packets(puppetmaster_t)
> corenet_tcp_bind_puppet_port(puppetmaster_t)
>
> corenet_all_recvfrom_netlabel(puppetmaster_t)
> corenet_all_recvfrom_unlabeled(puppetmaster_t)
>
> corenet_tcp_sendrecv_all_if(puppetmaster_t)
> corenet_tcp_sendrecv_all_nodes(puppetmaster_t)
>
> corenet_tcp_bind_all_nodes(puppetmaster_t)
>
> corecmd_exec_bin(puppetmaster_t)
> corecmd_exec_shell(puppetmaster_t)
>
> files_read_etc_files(puppetmaster_t)
>
> dev_read_rand(puppetmaster_t)
> dev_read_urand(puppetmaster_t)
>
> domain_read_all_domains_state(puppetmaster_t)
>
> hostname_exec(puppetmaster_t)
>
> kernel_read_system_state(puppetmaster_t)
> kernel_read_crypto_sysctls(puppetmaster_t)
>
> logging_send_syslog_msg(puppetmaster_t)
>
> miscfiles_read_localization(puppetmaster_t)
>
> sysnet_dns_name_resolve(puppetmaster_t)
> sysnet_run_ifconfig(puppetmaster_t, system_r)
>
> optional_policy(`
> rpm_domtrans(puppetmaster_t)
> rpm_read_db(puppetmaster_t)
> ')



2009-09-07 18:39:08

by Craig.Grube

Subject: [refpolicy] puppet.patch - updated

On Sep 6, 2009, at 12:23 PM, Dominick Grift wrote:
> On Sun, Sep 06, 2009 at 12:15:43PM -0400, Craig Grube wrote:
>> I tested the policy and attached a modified version that mostly
>> works.
>> The main issue I encountered was that puppetmaster's level of access to
>> types
>> puppet_var_run_t, puppet_var_lib_t, puppet_tmp_t was
>> insufficient. I
>> replicated puppet's accesses for puppetmaster and it works.
>
> So who owns these files? puppet or puppetmaster? Do they both create
> them (both own them?)

The short answer is they both create and own these files.

The long answer is that the client and server typically both use the same
paths. It looks as though in Fedora, Gentoo and SUSE pid files are
in /var/run/puppet/ (based on distribution specific configuration
files in the puppet source repository). The same for /var/log/puppet.
The client and server both use /var/lib/puppet for storing
state information. Puppetmaster stores CA related files, client
certificates, parsed client configurations. Puppet stores
certificates, last retrieved configuration, and backups of changed
files.

For the distributions I've looked at, Ubuntu and Fedora, the client
package is a dependency of the server package, which was part of my
reasoning for associating shared areas of the file system with the
puppet client and then providing the puppetmaster with access.

>> For puppet:
>> - Appears to redirect output (not sure at this point if stderr or
>> stdout) from system utilities to /dev/null which results in AVCs like
>> this:
>>
>> type=AVC msg=audit(1252178670.560:136): avc: denied { use } for
>> pid=1694 comm="modprobe" path="/dev/null" dev=tmpfs ino=400
>> scontext=system_u:system_r:insmod_t
>> tcontext=system_u:system_r:puppet_t
>> tclass=fd
>>
>> I am seeing these for insmod_t, ldconfig_t, initrc_t, and
>> rpm_script_t.
>> I had a 'dontaudit domain puppet_t:fd use' to squash these AVCs,
>> which
>> does not appear from my testing to negatively affect puppet.
> OK, if required I guess there is no harm in adding it. However, is there no
> interface available that you can use?
> Check the domain interface file for that.

I did not notice these before, but does it seem reasonable to use
domain_interactive_fd(puppet_t) in the puppet policy and add
domain_use_interactive_fds in the modules controlling the
aforementioned types?

Craig
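The AVC triage done by hand in this thread (which helper domains are denied "use" of a puppet_t descriptor, and which accesses to puppet_log_t go beyond append) can be made repeatable. The following Python script is an added example, not part of the refpolicy patch or of either poster's attachments: it parses audit records of the shape quoted above and groups them by source and target type. Only the first sample record is the one quoted in the thread; the others are constructed, and the set of permissions an append-only log writer needs is the example's own assumption.

```python
"""Summarize SELinux AVC denials by source and target type.

Added example, not part of the refpolicy patch or the thread's attachments.
Sample record 136 is the one quoted in the thread; the others are constructed.
"""
import re
from collections import defaultdict

# Constructed sample input (record 136 quoted from the thread).
SAMPLE_AVCS = """\
type=AVC msg=audit(1252178670.560:136): avc: denied { use } for pid=1694 comm="modprobe" path="/dev/null" dev=tmpfs ino=400 scontext=system_u:system_r:insmod_t tcontext=system_u:system_r:puppet_t tclass=fd
type=AVC msg=audit(1252178671.001:137): avc: denied { use } for pid=1702 comm="ldconfig" path="/dev/null" dev=tmpfs ino=400 scontext=system_u:system_r:ldconfig_t tcontext=system_u:system_r:puppet_t tclass=fd
type=AVC msg=audit(1252178672.120:138): avc: denied { write } for pid=1710 comm="puppetmasterd" name="puppetmaster.log" dev=dm-0 ino=1234 scontext=system_u:system_r:puppetmaster_t tcontext=system_u:object_r:puppet_log_t tclass=file
type=AVC msg=audit(1252178672.130:139): avc: denied { read write } for pid=1710 comm="puppetmasterd" name="puppetmaster.log" dev=dm-0 ino=1234 scontext=system_u:system_r:puppetmaster_t tcontext=system_u:object_r:puppet_log_t tclass=file
type=SYSCALL msg=audit(1252178672.130:139): arch=c000003e syscall=2 success=no exit=-13
"""

AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc: +denied +"
    r"\{ (?P<perms>[^}]*)\} for (?P<fields>.*)$"
)
# key=value pairs; quoted values (comm, path, name) may contain spaces.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# What an append-only log writer needs (this example's own assumption);
# 'write' and 'read' are deliberately absent, which is Dominick's point above.
APPEND_ONLY_LOG_PERMS = {"append", "create", "open", "getattr", "lock", "ioctl"}


def context_type(ctx):
    """Return the type field of a user:role:type[:level] security context."""
    return ctx.split(":")[2]


def parse_avc(line):
    """Parse one 'type=AVC ... avc: denied' record; return None for anything else."""
    m = AVC_RE.match(line.strip())
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    if "scontext" not in fields or "tcontext" not in fields:
        return None
    return {
        "serial": int(m.group("serial")),
        "perms": frozenset(m.group("perms").split()),
        "comm": fields.get("comm"),
        "path": fields.get("path") or fields.get("name"),  # fd vs. file records
        "tclass": fields.get("tclass"),
        "stype": context_type(fields["scontext"]),
        "ttype": context_type(fields["tcontext"]),
    }


def summarize(text):
    """Group denials by (source type, target type, class, perms) with counts."""
    groups = defaultdict(lambda: {"count": 0, "comms": set()})
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (rec["stype"], rec["ttype"], rec["tclass"], tuple(sorted(rec["perms"])))
        groups[key]["count"] += 1
        groups[key]["comms"].add(rec["comm"])
    return dict(groups)


def devnull_fd_users(text, owner="puppet_t"):
    """Source types denied 'use' of an `owner` descriptor that points at /dev/null.

    These are the helper domains Craig lists (insmod_t, ldconfig_t, ...): the
    candidates for domain_use_interactive_fds once puppet_t is made a
    domain_interactive_fd, instead of a dontaudit on the whole domain attribute.
    """
    hits = set()
    for line in text.splitlines():
        rec = parse_avc(line)
        if (rec and rec["tclass"] == "fd" and rec["ttype"] == owner
                and "use" in rec["perms"] and rec["path"] == "/dev/null"):
            hits.add(rec["stype"])
    return sorted(hits)


def log_perms_beyond_append(text, logtype="puppet_log_t"):
    """Map each source type to the perms it wanted on `logtype` files beyond append-only."""
    excess = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec and rec["tclass"] == "file" and rec["ttype"] == logtype:
            excess[rec["stype"]].update(rec["perms"] - APPEND_ONLY_LOG_PERMS)
    return {k: v for k, v in excess.items() if v}


if __name__ == "__main__":
    for (stype, ttype, tclass, perms), info in sorted(summarize(SAMPLE_AVCS).items()):
        print(f"{info['count']:3d}  {stype} -> {ttype}:{tclass} {{ {' '.join(perms)} }}"
              f"  comm={','.join(sorted(info['comms']))}")
    print("fd users of puppet_t /dev/null:", devnull_fd_users(SAMPLE_AVCS))
    print("log perms beyond append:", log_perms_beyond_append(SAMPLE_AVCS))
```

Feed it `ausearch -m AVC` output instead of SAMPLE_AVCS to get the same grouping for a live system.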

2009-09-08 10:28:07

by domg472

Subject: [refpolicy] puppet.patch - updated

On Mon, Sep 07, 2009 at 02:39:08PM -0400, Craig Grube wrote:
> On Sep 6, 2009, at 12:23 PM, Dominick Grift wrote:
> > On Sun, Sep 06, 2009 at 12:15:43PM -0400, Craig Grube wrote:
> >> I tested the policy and attached a modified version that mostly
> >> works.
> >> The main issue I encountered was that puppetmaster's level of access to
> >> types
> >> puppet_var_run_t, puppet_var_lib_t, puppet_tmp_t was
> >> insufficient. I
> >> replicated puppet's accesses for puppetmaster and it works.
> >
> > So who owns these files? puppet or puppetmaster? Do they both create
> > them (both own them?)
>
> The short answer is they both create and own these files.
>
> The long answer is that the client and server typically both use the same
> paths. It looks as though in Fedora, Gentoo and SUSE pid files are
> in /var/run/puppet/ (based on distribution specific configuration
> files in the puppet source repository). The same for /var/log/puppet.
> The client and server both use /var/lib/puppet for storing
> state information. Puppetmaster stores CA related files, client
> certificates, parsed client configurations. Puppet stores
> certificates, last retrieved configuration, and backups of changed
> files.
>
> For the distributions I've looked at, Ubuntu and Fedora, the client
> package is a dependency of the server package, which was part of my
> reasoning for associating shared areas of the file system with the
> puppet client and then providing the puppetmaster with access.

I see. But the permissions in those locations can probably still be tightened. Do they really need to create dirs? Or are those dirs already installed by the rpm package?
>
> >> For puppet:
> >> - Appears to redirect output (not sure at this point if stderr or
> >> stdout) from system utilities to /dev/null which results in AVCs like
> >> this:
> >>
> >> type=AVC msg=audit(1252178670.560:136): avc: denied { use } for
> >> pid=1694 comm="modprobe" path="/dev/null" dev=tmpfs ino=400
> >> scontext=system_u:system_r:insmod_t
> >> tcontext=system_u:system_r:puppet_t
> >> tclass=fd
> >>
> >> I am seeing these for insmod_t, ldconfig_t, initrc_t, and
> >> rpm_script_t.
> >> I had a 'dontaudit domain puppet_t:fd use' to squash these AVCs,
> >> which
> >> does not appear from my testing to negatively affect puppet.
> > OK, if required I guess there is no harm in adding it. However, is there no
> > interface available that you can use?
> > Check the domain interface file for that.
>
> I did not notice these before, but does it seem reasonable to use
> domain_interactive_fd(puppet_t) in the puppet policy and add
> domain_use_interactive_fds in the modules controlling the
> aforementioned types?

Yes, my bet is that using that interface is the better solution and, if required, it should be called in the modules that need it.
>
> Craig
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy

2009-09-08 23:23:57

by Craig.Grube

[permalink] [raw]
Subject: [refpolicy] puppet.patch - updated


On Sep 8, 2009, at 6:28 AM, Dominick Grift wrote:
> On Mon, Sep 07, 2009 at 02:39:08PM -0400, Craig Grube wrote:
>> On Sep 6, 2009, at 12:23 PM, Dominick Grift wrote:
>>> On Sun, Sep 06, 2009 at 12:15:43PM -0400, Craig Grube wrote:
>>>> I tested the policy and attached a modified version that mostly
>>>> works.
>>>> The main issue I encountered was puppetmaster's level of access to
>>>> types
>>>> puppet_var_run_t, puppet_var_lib_t, puppet_tmp_t were
>>>> insufficient. I
>>>> replicated puppet's accesses for puppetmaster and it works.
>>>
>>> So who owns these files? puppet or puppetmaster? Do they both create
>>> them (both own them?)
>>
>> The short answer is they both create and own these files.
>>
>> The long answer is the client and server typically both use the same
>> paths. It looks as though in Fedora, Gentoo and SUSE pid files are
>> in /var/run/puppet/ (based on distribution specific configuration
>> files in the puppet source repository). The same for /var/log/
>> puppet. The client and server both use /var/lib/puppet for storing
>> state information. Puppetmaster stores CA related files, client
>> certificates, parsed client configurations. Puppet stores
>> certificates, last retrieved configuration, and backups of changed
>> files.
>>
>> For the distributions I've looked at, ubuntu and fedora, the client
>> package is a dependency of the server package, which was part of my
>> reasoning for associating shared areas of the file system with the
>> puppet client and then provide the puppetmaster with access.
>
> I see. But the permissions in those locations can probably still be
> tightened. Do they really need to create dirs? or are those dirs
> already installed by the rpm package?

They need to manage puppet_var_lib_t as both the client and server
add/remove files/directories in /var/lib/puppet, so they need to be
able to manage files and directories of that type. /var/log/puppet
and /var/run/puppet are created by the rpm and puppet/puppetmaster
only add/remove files in these directories. I trimmed the directory
permissions back to rw_dir_perms, setattr_dir_perms and left the file
permissions alone. I didn't encounter issues during testing with
these permissions.

>> I did not notice these before, but does it seem reasonable to use
>> domain_interactive_fd(puppet_t) in the puppet policy and add
>> domain_use_interactive_fds in the modules controlling the before
>> mentioned types?
>
> Yes my bet is that using that interface is the better solution and
> if required should be called in the modules that need it.


I added domain_interactive_fd, the other modules already had
domain_use_interactive_fds, which cleared up the issue with
redirection to /dev/null.

I also tracked down most of the remaining audit errors and made
additions.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: puppet.te
Type: application/octet-stream
Size: 6878 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20090908/81744b5c/attachment.obj

2009-09-09 09:07:05

by domg472

[permalink] [raw]
Subject: [refpolicy] puppet.patch - updated

On Tue, Sep 08, 2009 at 07:23:57PM -0400, Craig Grube wrote:

looks good to me, One thing that may or may not be improved is that some of the called interfaces in puppet.te may be optional_policy. To figure that out requires a bit of investigation. You could look up the interface calls in other established refpolicy modules and see whether they are optional there. If they are: wrap them in an optional_policy block and move the blocks below where the other optional policy is (in alphabetical order)

But from my point of view the policy looks rather nice now.

>
> On Sep 8, 2009, at 6:28 AM, Dominick Grift wrote:
>> On Mon, Sep 07, 2009 at 02:39:08PM -0400, Craig Grube wrote:
>>> On Sep 6, 2009, at 12:23 PM, Dominick Grift wrote:
>>>> On Sun, Sep 06, 2009 at 12:15:43PM -0400, Craig Grube wrote:
>>>>> I tested the policy and attached a modified version that mostly
>>>>> works.
>>>>> The main issue I encountered was puppetmaster's level of access to
>>>>> types
>>>>> puppet_var_run_t, puppet_var_lib_t, puppet_tmp_t were
>>>>> insufficient. I
>>>>> replicated puppet's accesses for puppetmaster and it works.
>>>>
>>>> So who owns these files? puppet or puppetmaster? Do they both create
>>>> them (both own them?)
>>>
>>> The short answer is they both create and own these files.
>>>
>>> The long answer is the client and server typically both use the same
>>> paths. It looks as though in Fedora, Gentoo and SUSE pid files are
>>> in /var/run/puppet/ (based on distribution specific configuration
>>> files in the puppet source repository). The same for /var/log/
>>> puppet. The client and server both use /var/lib/puppet for storing
>>> state information. Puppetmaster stores CA related files, client
>>> certificates, parsed client configurations. Puppet stores
>>> certificates, last retrieved configuration, and backups of changed
>>> files.
>>>
>>> For the distributions I've looked at, ubuntu and fedora, the client
>>> package is a dependency of the server package, which was part of my
>>> reasoning for associating shared areas of the file system with the
>>> puppet client and then provide the puppetmaster with access.
>>
>> I see. But the permissions in those locations can probably still be
>> tightened. Do they really need to create dirs? or are those dirs
>> already installed by the rpm package?
>
> They need to manage puppet_var_lib_t as both the client and server
> add/remove files/directories in /var/lib/puppet, so they need to be
> able to manage files and directories of that type. /var/log/puppet
> and /var/run/puppet are created by the rpm and puppet/puppetmaster
> only add/remove files in these directories. I trimmed the directory
> permissions back to rw_dir_perms, setattr_dir_perms and left the file
> permissions alone. I didn't encounter issues during testing with
> these permissions.
>
>>> I did not notice these before, but does it seem reasonable to use
>>> domain_interactive_fd(puppet_t) in the puppet policy and add
>>> domain_use_interactive_fds in the modules controlling the before
>>> mentioned types?
>>
>> Yes my bet is that using that interface is the better solution and if
>> required should be called in the modules that need it.
>
>
> I added domain_interactive_fd, the other modules already had
> domain_use_interactive_fds, which cleared up the issue with redirection
> to /dev/null.
>
> I also tracked down most of the remaining audit errors and made
> additions.

2009-09-10 11:14:45

by Craig.Grube

[permalink] [raw]
Subject: [refpolicy] puppet.patch - updated

Thanks. I'll take a look at what interfaces can be optional_policy
when I get back from some travel and will resubmit the patch after
another round of testing.

Craig

On Sep 9, 2009, at 5:07 AM, Dominick Grift wrote:
> looks good to me, One thing that may or may not be improved is
> that some of the called interfaces in puppet.te may be
> optional_policy. To figure that out requires a bit of investigation.
> You could look up the interface calls in other established refpolicy
> modules and see whether they are optional there. If they are: wrap
> them in an optional_policy block and move the blocks below where the
> other optional policy is (in alphabetical order)
>
> But from my point of view the policy looks rather nice now.
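The points settled over the thread above (full management of /var/lib/puppet, directory access trimmed to rw_dir_perms plus setattr_dir_perms for the package-created /var/run/puppet and /var/log/puppet, domain_interactive_fd() in place of a blanket dontaudit, and interfaces from non-base modules wrapped in optional_policy blocks in alphabetical order) fit together in one puppet.te fragment. The fragment below is an illustrative example written for this page, not Craig's attached puppet.te, which the archive scrubbed. The type name puppet_log_t, the puppet_exec_t entrypoint and the particular modutils, rpm and unconfined interface calls are assumptions about what a client policy would need; only the puppet_t, puppet_var_lib_t, puppet_var_run_t and puppet_tmp_t names and the permission sets come from the thread.

```m4
policy_module(puppet, 1.0.0)

########################################
#
# Declarations
#

type puppet_t;
type puppet_exec_t;          # assumed entrypoint type for /usr/sbin/puppetd
init_daemon_domain(puppet_t, puppet_exec_t)

type puppet_var_lib_t;
files_type(puppet_var_lib_t)

type puppet_var_run_t;
files_pid_file(puppet_var_run_t)

type puppet_log_t;           # assumed name for /var/log/puppet
logging_log_file(puppet_log_t)

type puppet_tmp_t;
files_tmp_file(puppet_tmp_t)

########################################
#
# Puppet client local policy
#

# /var/lib/puppet: client and server both create and remove files and
# directories here (certs, last retrieved config, file backups), so the
# daemon needs full management of both object classes of this type.
manage_dirs_pattern(puppet_t, puppet_var_lib_t, puppet_var_lib_t)
manage_files_pattern(puppet_t, puppet_var_lib_t, puppet_var_lib_t)
files_var_lib_filetrans(puppet_t, puppet_var_lib_t, { file dir })

# /var/run/puppet and /var/log/puppet are created by the package; the
# daemon only adds and removes files inside them, so the directory
# permissions stop at rw_dir_perms and setattr_dir_perms (no create).
allow puppet_t puppet_var_run_t:dir { rw_dir_perms setattr_dir_perms };
manage_files_pattern(puppet_t, puppet_var_run_t, puppet_var_run_t)
files_pid_filetrans(puppet_t, puppet_var_run_t, file)

allow puppet_t puppet_log_t:dir { rw_dir_perms setattr_dir_perms };
manage_files_pattern(puppet_t, puppet_log_t, puppet_log_t)
logging_log_filetrans(puppet_t, puppet_log_t, file)

manage_dirs_pattern(puppet_t, puppet_tmp_t, puppet_tmp_t)
manage_files_pattern(puppet_t, puppet_tmp_t, puppet_tmp_t)
files_tmp_filetrans(puppet_t, puppet_tmp_t, { file dir })

# Helpers that puppet spawns (modprobe, ldconfig, init scripts, rpm
# scriptlets) inherit its /dev/null descriptor and are denied
# { use } on puppet_t:fd. Declaring puppet_t an interactive-fd domain
# lets the modules for those domains, which already call
# domain_use_interactive_fds(), use the descriptor without the
# earlier blanket "dontaudit domain puppet_t:fd use;" in this module.
domain_interactive_fd(puppet_t)

kernel_read_system_state(puppet_t)

files_read_etc_files(puppet_t)

# Interfaces from modules that may not be loaded go in optional_policy
# blocks, after the direct calls, in alphabetical order by module.
# (Which modules these are is an assumption here; check how other
# refpolicy modules call the same interfaces.)
optional_policy(`
	modutils_domtrans_insmod(puppet_t)
')

optional_policy(`
	rpm_domtrans(puppet_t)
')

# Optional fallback to unconfined, as the original patch allows, for
# sites that need the client to do everything its manifests ask.
optional_policy(`
	unconfined_domain(puppet_t)
')
```

The receiving side needs no change for the fd denials: insmod_t, ldconfig_t, initrc_t and rpm_script_t already have domain_use_interactive_fds() in their own modules, so a new domain that shows the same `{ use }` denial on puppet_t:fd is fixed in that domain's module, not with another dontaudit in puppet.te. The kernel-layer modules (kernel, files, logging, init, domain) are always built into base, so their interfaces are called directly; anything else that can be left out of a build belongs in an optional_policy block, as Dominick's last reply suggests checking module by module.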