## Puppet is a configuration management system written in Ruby.
## The client daemon is responsible for periodically requesting the
## desired system state from the server and ensuring the state of
## the client system matches.
##
##
################################################
## <summary>
##	Read and write Puppet temporary files.
##	Puppet runs some system binaries (groupadd, etc.) in
##	their own, non-puppet domains and redirects their output
##	into files labeled puppet_tmp_t; this lets such a domain
##	write those files and search the tmp directory to reach them.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`puppet_write_puppet_tmp', `
gen_require(`
type puppet_tmp_t;
')
allow $1 puppet_tmp_t:file rw_file_perms;
files_search_tmp($1)
')
# File context specs for the Puppet client and puppetmaster.
# Each entry is a path regular expression (note the escaped dots in
# the init script paths), an optional file-type flag ("--" restricts
# the spec to regular files) and the context to assign; the (/.*)?
# suffix makes a spec cover the directory and everything beneath it.
/etc/puppet(/.*)? gen_context(system_u:object_r:puppet_etc_t, s0)
/etc/rc\.d/init\.d/puppet -- gen_context(system_u:object_r:puppet_initrc_exec_t, s0)
/etc/rc\.d/init\.d/puppetmaster -- gen_context(system_u:object_r:puppetmasterd_initrc_exec_t, s0)
/usr/sbin/puppetd -- gen_context(system_u:object_r:puppet_exec_t, s0)
/usr/sbin/puppetmasterd -- gen_context(system_u:object_r:puppetmaster_exec_t, s0)
/var/lib/puppet(/.*)? gen_context(system_u:object_r:puppet_var_lib_t, s0)
/var/log/puppet(/.*)? gen_context(system_u:object_r:puppet_log_t, s0)
/var/run/puppet(/.*)? gen_context(system_u:object_r:puppet_var_run_t, s0)
> Attached is a new version of a patch adding support for Puppet. The
> patch addresses most of the specific comments from Dominick Grift and
> some additional modifications.
>
> To provide some context for the patch, which I obviously failed to do
> last week, earlier this year I started looking into using configuration
> management systems to manage SELinux clients. As far as I could tell
> everyone managing SELinux clients with Puppet are doing so with the
> client and server services running unconfined. It seemed a bit strange
> that one would manage the configuration of clients, especially SELinux's
> configuration, using unconfined services. The patch is an attempt to
> provide an alternative.
>
> Running puppetmaster in its own domain is fairly simple as it needs to
> read configuration files, manage some state, and communicate with
> clients. Puppet's client was a bit more difficult, one option was to
> run the client unconfined due to the amount of privilege required to
> manage a system's configuration (add/remove packages, add/remove users,
> update configuration files, restart services, etc), and the other was to
> make an attempt to run the client in a separate domain with a broad but
> not complete set of privileges. The client policy in the patch does a
> bit of both by confining puppet to its own domain and optionally calling
> unconfined_domain at the end.
>
> The majority of testing was performed with the unconfined module not
> loaded, so my expectation is that puppet should work normally whether
> confined or not.
>
> Here's a short summary of the files modified in the patch with a
> one-liner about changes:
>
> services/puppet.* - new policy for Puppet client daemon
>
> services/puppetmaster.* - new policy for Puppet server daemon
>
> system/libraries.te, admin/usermanage.te - allows redirection of
> standard output from ldconfig / groupadd to Puppet temp files.
>
> system/init.if - new interface allowing transition to init script domain
> for all labeled init script types (lets Puppet restart system services
> in the proper domains)
>
> kernel/corenetwork.te.in - adds puppet network port
>
> If additional changes are desired or the patch should be broken up, let
> me know and I will make them.
>
> --
> Craig Grube
>
> >From 131052bb6e402a2f446bd2a7a305cb1e6fd6f98b Mon Sep 17 00:00:00 2001
> From: Craig Grube
> Date: Wed, 2 Sep 2009 16:27:16 -0400
> Subject: [PATCH 1/1] initial version of puppet CMS policy
>
>
> Signed-off-by: Craig Grube
> ---
> policy/modules/admin/usermanage.te | 4 +
> policy/modules/kernel/corenetwork.te.in | 1 +
> policy/modules/services/puppet.fc | 9 ++
> policy/modules/services/puppet.if | 96 +++++++++++++++++++++++
> policy/modules/services/puppet.te | 126 +++++++++++++++++++++++++++++++
> policy/modules/services/puppetmaster.fc | 4 +
> policy/modules/services/puppetmaster.if | 1 +
> policy/modules/services/puppetmaster.te | 73 ++++++++++++++++++
> policy/modules/system/init.if | 20 +++++
> policy/modules/system/libraries.te | 5 +
> 10 files changed, 339 insertions(+), 0 deletions(-)
> create mode 100644 policy/modules/services/puppet.fc
> create mode 100644 policy/modules/services/puppet.if
> create mode 100644 policy/modules/services/puppet.te
> create mode 100644 policy/modules/services/puppetmaster.fc
> create mode 100644 policy/modules/services/puppetmaster.if
> create mode 100644 policy/modules/services/puppetmaster.te
>
> diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
> index 1865872..4a73384 100644
> --- a/policy/modules/admin/usermanage.te
> +++ b/policy/modules/admin/usermanage.te
> @@ -247,6 +247,10 @@ optional_policy(`
> rpm_rw_pipes(groupadd_t)
> ')
>
> +optional_policy(`
> + puppet_write_puppet_tmp(groupadd_t)
> +')
> +
> ########################################
> #
> # Passwd local policy
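Review bot: `puppet_write_puppet_tmp(groupadd_t)` lets groupadd_t read and write puppet_tmp_t files, but if puppet captures the tool's output by reopening stdout onto the temp file before the exec (the usual way to do this), groupadd_t is then writing through a descriptor labeled puppet_t and also needs `puppet_t:fd use`, which the interface does not grant. puppet.te instead dontaudits fd use for every domain, so that denial would vanish silently and the output would be lost with nothing in the audit log. Either extend the interface to grant `allow $1 puppet_t:fd use;` (adding `type puppet_t;` to its gen_require), or confirm the file is opened by path, in which case `files_search_tmp($1)` is what is missing.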
> diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
> index 9d100fe..3fa5007 100644
> --- a/policy/modules/kernel/corenetwork.te.in
> +++ b/policy/modules/kernel/corenetwork.te.in
> @@ -155,6 +155,7 @@ network_port(prelude, tcp,4690,s0, udp,4690,s0)
> network_port(printer, tcp,515,s0)
> network_port(ptal, tcp,5703,s0)
> network_port(pulseaudio, tcp,4713,s0)
> +network_port(puppet, tcp, 8140, s0)
> network_port(pxe, udp,4011,s0)
> network_port(pyzor, udp,24441,s0)
> network_port(radacct, udp,1646,s0, udp,1813,s0)
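Review bot: The new line `network_port(puppet, tcp, 8140, s0)` breaks the spacing convention of its neighbours, which write the port tuple without spaces after the commas. Use `network_port(puppet, tcp,8140,s0)` so the table stays uniform and greps for `tcp,8140` keep working.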
> diff --git a/policy/modules/services/puppet.fc b/policy/modules/services/puppet.fc
> new file mode 100644
> index 0000000..0c4b70e
> --- /dev/null
> +++ b/policy/modules/services/puppet.fc
> @@ -0,0 +1,9 @@
> +/etc/puppet(/.*)? gen_context(system_u:object_r:puppet_etc_t,s0)
> +/etc/rc.d/init.d/puppet -- gen_context(system_u:object_r:puppetd_initrc_exec_t,s0)
> +/usr/bin/filebucket -- gen_context(system_u:object_r:puppet_bin_t,s0)
> +/usr/bin/puppet(.*)? -- gen_context(system_u:object_r:puppet_bin_t,s0)
> +/usr/bin/ralsh -- gen_context(system_u:object_r:puppet_bin_t,s0)
> +/usr/sbin/puppetd -- gen_context(system_u:object_r:puppet_exec_t,s0)
> +/var/lib/puppet(/.*)? gen_context(system_u:object_r:puppet_var_lib_t,s0)
> +/var/log/puppet(/.*)? gen_context(system_u:object_r:puppet_log_t,s0)
> +/var/run/puppet(/.*)? gen_context(system_u:object_r:puppet_var_run_t,s0)
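Review bot: The path field is a regular expression, so `/etc/rc.d/init.d/puppet` should read `/etc/rc\.d/init\.d/puppet`; unescaped, each dot matches any character, which is not what is meant even if nothing else currently matches. `/usr/bin/puppet(.*)?` is just `/usr/bin/puppet.*` and also matches `/usr/bin/puppetrun`, which puppetmaster.fc labels puppetmaster_bin_t, so the label that binary ends up with depends on libselinux's specificity ordering rather than on intent. List the client binaries explicitly instead, e.g. `/usr/bin/puppet -- gen_context(system_u:object_r:puppet_bin_t,s0)`, and add further literal entries as needed.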
> diff --git a/policy/modules/services/puppet.if b/policy/modules/services/puppet.if
> new file mode 100644
> index 0000000..dccf64a
> --- /dev/null
> +++ b/policy/modules/services/puppet.if
> @@ -0,0 +1,96 @@
> +## Puppet client daemon
> +
> +################################################
> +##
> +## Read / Write to Puppet temp files. Puppet uses
> +## some system binaries (groupadd, etc) that run in
> +## a non-puppet domain and redirects output into temp
> +## files.
> +##
> +##
> +##
> +## Domain allowed access
> +##
> +##
> +##
> +################################################
> +interface(`puppet_write_puppet_tmp',`
> + gen_require(`
> + type puppet_tmp_t;
> + ')
> + allow $1 puppet_tmp_t:file rw_file_perms;
> +')
> +
> +###############################################
> +##
> +## Don't audit attempts to use puppet file
> +## descriptors. This pops up when puppet
> +## runs command line tools and redirects
> +## the output to /dev/null.
> +##
> +##
> +##
> +## Domain to not be audited
> +##
> +##
> +###############################################
> +interface(`puppet_dontaudit_fd_use',`
> + gen_require(`
> + type puppet_t;
> + ')
> + dontaudit $1 puppet_t:fd use;
> +')
> +
> +###############################################
> +##
> +## Read puppet configuration files
> +##
> +##
> +##
> +## Domain allowed access
> +##
> +##
> +###############################################
> +interface(`puppet_read_puppet_config',`
> + gen_require(`
> + type puppet_etc_t;
> + ')
> + read_files_pattern($1, puppet_etc_t, puppet_etc_t)
> + list_dirs_pattern($1, puppet_etc_t, puppet_etc_t)
> +')
> +
> +
> +##############################################
> +##
> +## Manage various types of puppet related
> +## files.
> +##
> +##
> +##
> +## Domain allowed access
> +##
> +##
> +##############################################
> +interface(`puppet_manage_puppet_files',`
> + gen_require(`
> + type puppet_var_lib_t;
> + type puppet_var_run_t;
> + type puppet_log_t;
> + type puppet_tmp_t;
> + ')
> +
> + manage_dirs_pattern($1,puppet_var_lib_t, puppet_var_lib_t)
> + manage_files_pattern($1,puppet_var_lib_t, puppet_var_lib_t)
> +
> + manage_dirs_pattern($1,puppet_var_run_t, puppet_var_run_t)
> + manage_files_pattern($1,puppet_var_run_t, puppet_var_run_t)
> + files_pid_filetrans($1,puppet_var_run_t, { file dir })
> +
> + manage_dirs_pattern($1,puppet_log_t, puppet_log_t)
> + manage_files_pattern($1,puppet_log_t, puppet_log_t)
> + logging_log_filetrans($1,puppet_log_t, { file dir })
> +
> + manage_dirs_pattern($1, puppet_tmp_t, puppet_tmp_t)
> + manage_files_pattern($1, puppet_tmp_t, puppet_tmp_t)
> + files_tmp_filetrans($1, puppet_tmp_t, { file dir })
> +')
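Review bot: `puppet_write_puppet_tmp` grants rw_file_perms on puppet_tmp_t files but no search permission on the tmp directory, so a caller that has to open the file by path never reaches it; add `files_search_tmp($1)` after the gen_require. If instead the file is only ever reached through a descriptor inherited from puppet_t, what the caller needs is `puppet_t:fd use` rather than `open`, and `rw_inherited_file_perms` would be the tighter set — the interface's summary should say which of the two cases it serves. `puppet_manage_puppet_files` hands out manage on four distinct types (var_lib, var_run, log, tmp) in a single call, whereas refpolicy convention is one interface per object type so that a caller such as puppetmaster_t can be granted only the types it actually uses.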
> diff --git a/policy/modules/services/puppet.te b/policy/modules/services/puppet.te
> new file mode 100644
> index 0000000..cd3fe5e
> --- /dev/null
> +++ b/policy/modules/services/puppet.te
> @@ -0,0 +1,126 @@
> +
> +policy_module(puppet,0.0.1)
> +
> +#####################################################
> +## Declarations
> +#
> +type puppet_t;
> +type puppet_exec_t;
> +init_daemon_domain(puppet_t,puppet_exec_t)
> +
> +type puppetd_initrc_exec_t;
> +init_script_file(puppetd_initrc_exec_t);
> +
> +type puppet_bin_t;
> +application_executable_file(puppet_bin_t)
> +
> +type puppet_log_t;
> +logging_log_file(puppet_log_t)
> +
> +type puppet_var_lib_t;
> +files_type(puppet_var_lib_t)
> +
> +type puppet_var_run_t;
> +files_pid_file(puppet_var_run_t)
> +
> +type puppet_etc_t;
> +files_config_file(puppet_etc_t)
> +
> +type puppet_tmp_t;
> +files_tmp_file(puppet_tmp_t)
> +
> +############################################################
> +# Puppet Client Local Policy
> +
> +puppet_read_puppet_config(puppet_t)
> +puppet_manage_puppet_files(puppet_t)
> +
> +## stop/start all services
> +init_domtrans_script(puppet_t)
> +init_all_labeled_script_domtrans(puppet_t)
> +
> +## syslog
> +logging_send_syslog_msg(puppet_t)
> +
> +## allow client to bind and send data on high ports
> +corenet_all_recvfrom_unlabeled(puppet_t)
> +corenet_tcp_sendrecv_all_ports(puppet_t)
> +
> +corecmd_exec_bin(puppet_t)
> +
> +kernel_read_system_state(puppet_t)
> +kernel_read_crypto_sysctls(puppet_t)
> +kernel_dontaudit_search_sysctl(puppet_t)
> +kernel_dontaudit_search_kernel_sysctl(puppet_t)
> +
> +miscfiles_read_localization(puppet_t)
> +files_read_etc_files(puppet_t)
> +files_list_tmp(puppet_t)
> +dev_read_urand(puppet_t)
> +dev_read_rand(puppet_t)
> +
> +allow puppet_t self:fifo_file rw_fifo_file_perms;
> +allow puppet_t self:process { signal signull getsched setsched };
> +allow puppet_t self:capability { sys_admin fowner fsetid setuid setgid sys_rawio dac_override sys_nice sys_ptrace sys_tty_config };
> +allow puppet_t self:netlink_route_socket create_netlink_socket_perms;
> +allow puppet_t self:udp_socket create_socket_perms;
> +allow puppet_t self:tcp_socket create_stream_socket_perms;
> +
> +## send signull to init scripts
> +init_signull_script(puppet_t)
> +
> +## connect to puppet port (on server)
> +corenet_tcp_connect_puppet_port(puppet_t)
> +
> +corecmd_exec_shell(puppet_t)
> +hostname_exec(puppet_t)
> +usermanage_domtrans_groupadd(puppet_t)
> +usermanage_domtrans_useradd(puppet_t)
> +sysnet_run_ifconfig(puppet_t,system_r)
> +sysnet_dns_name_resolve(puppet_t)
> +
> +## set selinux booleans
> +selinux_set_all_booleans(puppet_t)
> +selinux_set_generic_booleans(puppet_t)
> +seutil_domtrans_setfiles(puppet_t)
> +selinux_getattr_fs(puppet_t)
> +selinux_search_fs(puppet_t)
> +corecmd_bin_entry_type(puppet_t)
> +
> +## manage file contexts
> +seutil_manage_file_contexts(puppet_t)
> +seutil_domtrans_semanage(puppet_t)
> +
> +## load/manage selinux policy
> +seutil_domtrans_semanage(puppet_t)
> +
> +## read/write in the selinux policy directory
> +seutil_manage_default_contexts(puppet_t)
> +
> +# lspci
> +dev_read_sysfs(puppet_t)
> +miscfiles_read_hwdata(puppet_t)
> +
> +# uptime
> +init_read_utmp(puppet_t)
> +
> +# rpm/yum
> +rpm_domtrans(puppet_t)
> +
> +## ps
> +domain_read_all_domains_state(puppet_t)
> +
> +## squash AVS when puppet redirects tools stdout to /dev/null
> +puppet_dontaudit_fd_use(domain)
> +
> +## execute consoletype in consoletype domain
> +consoletype_domtrans(puppet_t)
> +
> +## puppet needs to be able to manage arbitrary file types
> +auth_manage_all_files_except_shadow(puppet_t)
> +auth_relabel_all_files_except_shadow(puppet_t)
> +
> +optional_policy(`
> + unconfined_domain(puppet_t)
> +')
> +
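Review bot: The closing `optional_policy(` unconfined_domain(puppet_t) ')` makes puppet_t unconfined whenever the unconfined module is loaded, i.e. on every default targeted system, so all the rules above only bite on builds without that module and an administrator has no runtime opt-out; because unconfined_domain assigns type attributes it cannot sit inside a tunable_policy, so either make this a deliberate build-time choice with a comment stating that targeted policy leaves puppet unconfined, or follow the unconfined_*_t pattern with a separate domain. `puppet_dontaudit_fd_use(domain)` silences fd-use denials for every domain on the system and reaches for the kernel-module attribute `domain` directly, which refpolicy .te files avoid in favour of domain_* interfaces; scope it to the domains puppet actually execs into (groupadd_t, useradd_t, rpm_t, consoletype_t, ifconfig_t) so genuine denials stay visible, and grant `puppet_t:fd use` where the redirected output is really wanted. `seutil_domtrans_semanage(puppet_t)` appears twice, under both the 'manage file contexts' and 'load/manage selinux policy' comments; drop one. Finally, with selinux_set_all_booleans, seutil_domtrans_semanage, auth_relabel_all_files_except_shadow and the sys_admin/sys_ptrace/sys_rawio capabilities, puppet_t can rewrite the very policy that confines it, so a header comment saying `# puppet_t is a trusted domain: it can load policy and relabel files, and is not a boundary against a compromised puppetmaster` would set expectations for anyone relying on this module.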
> diff --git a/policy/modules/services/puppetmaster.fc b/policy/modules/services/puppetmaster.fc
> new file mode 100644
> index 0000000..aba5af6
> --- /dev/null
> +++ b/policy/modules/services/puppetmaster.fc
> @@ -0,0 +1,4 @@
> +/etc/rc.d/init.d/puppetmaster -- gen_context(system_u:object_r:puppetmasterd_initrc_exec_t,s0)
> +/usr/bin/puppetrun -- gen_context(system_u:object_r:puppetmaster_bin_t,s0)
> +/usr/sbin/puppetca -- gen_context(system_u:object_r:puppetmaster_sbin_t,s0)
> +/usr/sbin/puppetmasterd -- gen_context(system_u:object_r:puppetmaster_exec_t,s0)
> diff --git a/policy/modules/services/puppetmaster.if b/policy/modules/services/puppetmaster.if
> new file mode 100644
> index 0000000..b40b1bf
> --- /dev/null
> +++ b/policy/modules/services/puppetmaster.if
> @@ -0,0 +1 @@
> +## Puppetmaster daemon
> diff --git a/policy/modules/services/puppetmaster.te b/policy/modules/services/puppetmaster.te
> new file mode 100644
> index 0000000..96186ab
> --- /dev/null
> +++ b/policy/modules/services/puppetmaster.te
> @@ -0,0 +1,73 @@
> +
> +policy_module(puppetmaster,0.0.1)
> +
> +####################################################
> +## Declarations
> +##
> +type puppetmaster_t;
> +type puppetmaster_exec_t;
> +init_daemon_domain(puppetmaster_t,puppetmaster_exec_t)
> +
> +type puppetmasterd_initrc_exec_t;
> +init_script_file(puppetmasterd_initrc_exec_t)
> +
> +type puppetmaster_bin_t;
> +application_executable_file(puppetmaster_bin_t)
> +
> +type puppetmaster_sbin_t;
> +application_executable_file(puppetmaster_sbin_t)
> +
> +##################################################
> +## Puppetmaster local policy
> +
> +puppet_read_puppet_config(puppetmaster_t)
> +puppet_manage_puppet_files(puppetmaster_t)
> +
> +## syslog
> +logging_send_syslog_msg(puppetmaster_t)
> +
> +## basic networking
> +corenet_all_recvfrom_unlabeled(puppetmaster_t)
> +corenet_tcp_sendrecv_all_ports(puppetmaster_t)
> +corenet_tcp_bind_all_nodes(puppetmaster_t)
> +corenet_udp_bind_generic_port(puppetmaster_t)
> +
> +# bind to puppet port
> +corenet_tcp_bind_puppet_port(puppetmaster_t)
> +
> +# read/exec normal binaries
> +corecmd_exec_bin(puppetmaster_t)
> +
> +# read stuff in proc
> +kernel_read_system_state(puppetmaster_t)
> +kernel_read_crypto_sysctls(puppetmaster_t)
> +
> +# ps
> +domain_read_all_domains_state(puppetmaster_t)
> +
> +## read locale files
> +miscfiles_read_localization(puppetmaster_t)
> +
> +files_read_etc_files(puppetmaster_t)
> +files_list_tmp(puppetmaster_t)
> +
> +allow puppetmaster_t self:fifo_file rw_fifo_file_perms;;
> +allow puppetmaster_t self:capability { dac_read_search dac_override setuid setgid fowner chown fsetid sys_tty_config };
> +allow puppetmaster_t self:netlink_route_socket create_netlink_socket_perms;
> +allow puppetmaster_t self:tcp_socket create_stream_socket_perms;
> +allow puppetmaster_t self:udp_socket create_socket_perms;
> +allow puppetmaster_t self:process { signull signal getsched setsched };
> +allow puppetmaster_t self:socket create;
> +
> +## needed for ssl certificate use
> +dev_read_urand(puppetmaster_t)
> +dev_read_rand(puppetmaster_t)
> +
> +hostname_exec(puppetmaster_t)
> +sysnet_dns_name_resolve(puppetmaster_t)
> +corecmd_exec_shell(puppetmaster_t)
> +sysnet_run_ifconfig(puppetmaster_t,system_r)
> +
> +## rpm /yum
> +rpm_read_db(puppetmaster_t)
> +rpm_domtrans(puppetmaster_t)
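Review bot: `puppet_manage_puppet_files(puppetmaster_t)` near the top gives the master exactly the puppet_var_lib_t/puppet_var_run_t/puppet_log_t/puppet_tmp_t types the client manages, so on a host running both daemons (a master commonly runs an agent as well) puppet_t can read and overwrite whatever the master keeps under /var/lib/puppet — if the CA private key lives there, as it does in a default layout, the client domain can take it; a dedicated `puppetmaster_var_lib_t` for master-only state would keep the two apart. `allow puppetmaster_t self:fifo_file rw_fifo_file_perms;;` carries a doubled semicolon, a typo to fix regardless of whether checkpolicy tolerates it. `rpm_domtrans(puppetmaster_t)` lets the server install and remove packages; if this is only facter probing the package database, the `rpm_read_db` line just above it is sufficient and the domtrans should go, and the same question applies to `sysnet_run_ifconfig(puppetmaster_t,system_r)`.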
> diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
> index 7637333..aa9f136 100644
> --- a/policy/modules/system/init.if
> +++ b/policy/modules/system/init.if
> @@ -720,6 +720,26 @@ interface(`init_labeled_script_domtrans',`
> files_search_etc($1)
> ')
>
> +#########################################
> +##
> +## Transition to the init script domain
> +## for all labeled init script types
> +##
> +##
> +##
> +## Domain allowed access
> +##
> +##
> +#########################################
> +interface(`init_all_labeled_script_domtrans',`
> + gen_require(`
> + attribute init_script_file_type;
> + ')
> +
> + init_labeled_script_domtrans($1, init_script_file_type)
> +')
> +
> +
> ########################################
> ##
> ## Start and stop daemon programs directly.
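Review bot: The summary says "transition to the init script domain for all labeled init script types", but `init_labeled_script_domtrans` resolves to a domtrans into initrc_t, so what this interface changes relative to `init_domtrans_script` is only the set of entrypoint files, not the target domain; the header should say so, e.g. `## Execute any file of an init_script_file_type, transitioning to initrc_t.` Since the caller thereby gets an execute-and-transition rule for every init script type system-wide, which amounts to "restart any service", a sentence noting that callers must be trusted as much as initrc_t would help whoever reviews the callers. The second blank line after the closing `')` doubles the single separator used between interfaces elsewhere in the file; drop one.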
> diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te
> index 0c4f4ba..8989eb3 100644
> --- a/policy/modules/system/libraries.te
> +++ b/policy/modules/system/libraries.te
> @@ -123,3 +123,8 @@ optional_policy(`
> # blow up.
> rpm_manage_script_tmp_files(ldconfig_t)
> ')
> +
> +
> +optional_policy(`
> + puppet_write_puppet_tmp(ldconfig_t)
> +')
> --
> 1.6.2.5
>
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy