From: Craig.Grube@cobham.com (Craig Grube)
Date: Fri, 04 Sep 2009 08:24:16 -0400
Subject: [refpolicy] puppet.patch - updated
Message-ID: <4AA106F0.9000603@cobham.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Attached is a new version of a patch adding support for Puppet. The patch addresses most of the specific comments from Dominick Grift and some additional modifications.

To provide some context for the patch, which I obviously failed to do last week: earlier this year I started looking into using configuration management systems to manage SELinux clients. As far as I could tell, everyone managing SELinux clients with Puppet is doing so with the client and server services running unconfined. It seemed a bit strange that one would manage the configuration of clients, especially SELinux's configuration, using unconfined services. The patch is an attempt to provide an alternative.

Running puppetmaster in its own domain is fairly simple, as it needs to read configuration files, manage some state, and communicate with clients. Puppet's client was a bit more difficult: one option was to run the client unconfined due to the amount of privilege required to manage a system's configuration (add/remove packages, add/remove users, update configuration files, restart services, etc.), and the other was to make an attempt to run the client in a separate domain with a broad but not complete set of privileges. The client policy in the patch does a bit of both by confining puppet to its own domain and optionally calling unconfined_domain at the end. The majority of testing was performed with the unconfined module not loaded, so my expectation is that puppet should work normally whether confined or not.
Here's a short summary of the files modified in the patch with a one-liner about changes:

services/puppet.* - new policy for Puppet client daemon
services/puppetmaster.* - new policy for Puppet server daemon
system/libraries.te, admin/usermanage.te - allows redirection of standard output from ldconfig / groupadd to Puppet temp files.
system/init.if - new interface allowing transition to init script domain for all labeled init script types (lets Puppet restart system services in the proper domains)
kernel/corenetwork.te.in - adds puppet network port

If additional changes are desired or the patch should be broken up, let me know and I will make them.

-- 
Craig Grube

Name: puppet.patch
Url: http://oss.tresys.com/pipermail/refpolicy/attachments/20090904/3c31ff56/attachment.ksh
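The attachment itself is not reproduced in the archive, so the following is an added sketch, not Craig Grube's patch, of how the pieces listed above fit together in refpolicy's policy language: a confined client domain with a tunable-free optional unconfined fallback, the init.if interface that lets the client enter the init script domain for every labeled init script, and the puppet.if interface that libraries.te and usermanage.te would call so ldconfig and groupadd can write to Puppet's temp files. Interface and type names (puppet_t, puppet_tmp_t, puppet_rw_tmp, init_all_labeled_script_domtrans, corenet_tcp_connect_puppet_port) are the ones found in later refpolicy releases and are assumed here; the names actually used inside puppet.patch are not visible on this page.

```m4
# --- services/puppet.te (sketch; assumed names, not the attached patch) ---
policy_module(puppet, 1.0.0)

########################################
#
# Declarations
#

type puppet_t;
type puppet_exec_t;
init_daemon_domain(puppet_t, puppet_exec_t)

type puppet_etc_t;
files_config_file(puppet_etc_t)

type puppet_tmp_t;
files_tmp_file(puppet_tmp_t)

########################################
#
# Client local policy
#

# Broad, but still enumerated, privilege for managing the host.
allow puppet_t self:capability { chown dac_override fowner fsetid setgid setuid };
allow puppet_t self:process { getsched setsched signal };
allow puppet_t self:tcp_socket create_stream_socket_perms;

read_files_pattern(puppet_t, puppet_etc_t, puppet_etc_t)

manage_dirs_pattern(puppet_t, puppet_tmp_t, puppet_tmp_t)
manage_files_pattern(puppet_t, puppet_tmp_t, puppet_tmp_t)
files_tmp_filetrans(puppet_t, puppet_tmp_t, { file dir })

# Port declared in kernel/corenetwork.te.in by the patch; the connect
# interface is generated from that declaration.
corenet_tcp_connect_puppet_port(puppet_t)

# Restarting services: enter the init script domain (initrc_t) for any
# labeled init script instead of running the script inside puppet_t.
init_all_labeled_script_domtrans(puppet_t)

# Package and account management run in their own, already confined, domains.
optional_policy(`
	rpm_domtrans(puppet_t)
')

optional_policy(`
	usermanage_domtrans_useradd(puppet_t)
	usermanage_domtrans_groupadd(puppet_t)
')

# The optional fallback described in the message: everything above still
# applies, and the domain is additionally made unconfined when the
# unconfined module is loaded.
optional_policy(`
	unconfined_domain(puppet_t)
')

# --- services/puppet.if (sketch) ---
## <summary>Read and write Puppet temporary files.</summary>
## <param name="domain"><summary>Domain allowed access.</summary></param>
interface(`puppet_rw_tmp',`
	gen_require(`
		type puppet_tmp_t;
	')

	allow $1 puppet_tmp_t:file rw_file_perms;
')

# --- system/init.if (sketch of the new interface) ---
## <summary>Execute all labeled init scripts with a domain transition
## into the init script domain.</summary>
interface(`init_all_labeled_script_domtrans',`
	gen_require(`
		type initrc_t;
		attribute init_script_file_type;
	')

	domtrans_pattern($1, init_script_file_type, initrc_t)
	files_search_etc($1)
')

# --- system/libraries.te and admin/usermanage.te (one added block each) ---
# Lets "ldconfig > /tmp/puppet-file" and "groupadd ... > ..." succeed when
# stdout is a puppet_tmp_t file inherited across the transition.
optional_policy(`
	puppet_rw_tmp(ldconfig_t)
')
optional_policy(`
	puppet_rw_tmp(groupadd_t)
')
```

The point of the init.if interface is that the transition target is initrc_t, the existing init script domain, rather than puppet_t: each service's own domain transition then fires from initrc_t exactly as it would from an administrator's shell, so a restart driven by Puppet ends up in the same daemon domain as a manual one. Checking the result after a Puppet run with `ps -eZ` is the quickest way to confirm that nothing restarted is left running in puppet_t.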