From: domg472@gmail.com (Dominick Grift)
Date: Sun, 6 Sep 2009 18:23:43 +0200
Subject: [refpolicy] puppet.patch - updated
In-Reply-To: <4AA3E02F.7040500@cobham.com>
References: <4AA106F0.9000603@cobham.com> <20090905093847.GB29896@notebook3.grift.internal> <4AA3E02F.7040500@cobham.com>
Message-ID: <20090906162341.GA4976@notebook3.grift.internal>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Sun, Sep 06, 2009 at 12:15:43PM -0400, Craig Grube wrote:
> I tested the policy and attached a modified version that mostly works.
> The main issue I encountered was puppetmaster's level of access to types
> puppet_var_run_t, puppet_var_lib_t, puppet_tmp_t were insufficient. I
> replicated puppet's accesses for puppetmaster and it works.

So who owns these files? puppet or puppetmaster? Do they both create them (both own them)?

>
> There are still some AVCs being generated including these:
>
> For puppetmaster:
> - Wants write, read, setattr to puppet_log_t files.

Writing to log files is a bad idea. puppetmaster should append instead of writing. (Consider reporting that to puppet.) If puppetmaster can write to its log files, it can potentially wipe its trail.

> For puppet:
> - Appears to redirect output (not sure at this point if stderr or
> stdout) from system utilities to /dev/null which results in AVCs like
> this:
>
> type=AVC msg=audit(1252178670.560:136): avc: denied { use } for pid=1694 comm="modprobe" path="/dev/null" dev=tmpfs ino=400 scontext=system_u:system_r:insmod_t tcontext=system_u:system_r:puppet_t tclass=fd
>
> I am seeing these for insmod_t, ldconfig_t, initrc_t, and rpm_script_t.
> I had a 'dontaudit domain puppet_t:fd use' to squash these AVCs, which
> does not appear from my testing to negatively affect puppet.

OK, if required I guess there is no harm in adding it. However, is there no interface available that you can use?
Check the domain interface file for that.

>
> Craig
>
> Dominick Grift wrote:
>> On Fri, Sep 04, 2009 at 08:24:16AM -0400, Craig Grube wrote:
>>
>> I already made some modifications to my own take of the policy. More modifications are probably to follow.
>> You can find my current (up-to-date) policy for puppet here:
>>
>> http://82.197.205.60/~dgrift/stuff/modules/puppet/
>>
>> Again, this policy is untested. There are likely errors left.
>>
>
> policy_module(puppet, 0.0.1)
>
> ########################################
> #
> # Puppet personal declarations
> #
>
> type puppet_t;
> type puppet_exec_t;
> init_daemon_domain(puppet_t, puppet_exec_t)
>
> type puppet_initrc_exec_t;
> init_script_file(puppet_initrc_exec_t)
>
> type puppet_log_t;
> logging_log_file(puppet_log_t)
>
> type puppet_var_lib_t;
> files_type(puppet_var_lib_t)
>
> type puppet_var_run_t;
> files_pid_file(puppet_var_run_t)
>
> type puppet_etc_t;
> files_config_file(puppet_etc_t)
>
> type puppet_tmp_t;
> files_tmp_file(puppet_tmp_t)
>
> ########################################
> #
> # Puppet master personal declarations
> #
>
> type puppetmaster_t;
> type puppetmaster_exec_t;
> init_daemon_domain(puppetmaster_t, puppetmaster_exec_t)
>
> type puppetmasterd_initrc_exec_t;
> init_script_file(puppetmasterd_initrc_exec_t)
>
> ########################################
> #
> # Puppet personal policy
> #
>
> allow puppet_t self:capability { sys_admin fowner fsetid setuid setgid sys_rawio dac_override sys_nice sys_ptrace sys_tty_config };
> allow puppet_t self:fifo_file rw_fifo_file_perms;
> allow puppet_t self:netlink_route_socket create_netlink_socket_perms;
> allow puppet_t self:process { signal signull getsched setsched };
> allow puppet_t self:tcp_socket create_stream_socket_perms;
> allow puppet_t self:udp_socket create_socket_perms;
>
> search_dirs_pattern(puppet_t, puppet_etc_t, puppet_etc_t)
> read_files_pattern(puppet_t, puppet_etc_t, puppet_etc_t)
>
> manage_dirs_pattern(puppet_t, puppet_var_lib_t, puppet_var_lib_t)
> manage_files_pattern(puppet_t, puppet_var_lib_t, puppet_var_lib_t)
>
> manage_dirs_pattern(puppet_t, puppet_var_run_t, puppet_var_run_t)
> manage_files_pattern(puppet_t, puppet_var_run_t, puppet_var_run_t)
> files_pid_filetrans(puppet_t, puppet_var_run_t, { file dir })
>
> manage_dirs_pattern(puppet_t, puppet_log_t, puppet_log_t)
> create_files_pattern(puppet_t, puppet_log_t, puppet_log_t)
> append_files_pattern(puppet_t, puppet_log_t, puppet_log_t)
> logging_log_filetrans(puppet_t, puppet_log_t, { file dir })
>
> manage_dirs_pattern(puppet_t, puppet_tmp_t, puppet_tmp_t)
> manage_files_pattern(puppet_t, puppet_tmp_t, puppet_tmp_t)
> files_tmp_filetrans(puppet_t, puppet_tmp_t, { file dir })
>
> auth_manage_all_files_except_shadow(puppet_t)
> auth_relabel_all_files_except_shadow(puppet_t)
>
> corenet_sendrecv_puppet_client_packets(puppet_t)
> corenet_tcp_connect_puppet_port(puppet_t)
>
> corenet_all_recvfrom_netlabel(puppet_t)
> corenet_all_recvfrom_unlabeled(puppet_t)
>
> corenet_tcp_sendrecv_all_if(puppet_t)
> corenet_tcp_sendrecv_all_nodes(puppet_t)
>
> corenet_tcp_bind_all_nodes(puppet_t)
>
> corecmd_exec_bin(puppet_t)
> corecmd_exec_shell(puppet_t)
>
> dev_read_rand(puppet_t)
> dev_read_sysfs(puppet_t)
> dev_read_urand(puppet_t)
>
> domain_read_all_domains_state(puppet_t)
>
> files_read_etc_files(puppet_t)
>
> hostname_exec(puppet_t)
>
> init_all_labeled_script_domtrans(puppet_t)
> init_domtrans_script(puppet_t)
> init_read_utmp(puppet_t)
> init_signull_script(puppet_t)
>
> kernel_dontaudit_search_sysctl(puppet_t)
> kernel_dontaudit_search_kernel_sysctl(puppet_t)
>
> kernel_read_system_state(puppet_t)
> kernel_read_crypto_sysctls(puppet_t)
>
> logging_send_syslog_msg(puppet_t)
>
> miscfiles_read_hwdata(puppet_t)
> miscfiles_read_localization(puppet_t)
>
> selinux_search_fs(puppet_t)
> selinux_set_all_booleans(puppet_t)
> selinux_set_generic_booleans(puppet_t)
>
> seutil_domtrans_setfiles(puppet_t)
> seutil_domtrans_semanage(puppet_t)
> seutil_manage_default_contexts(puppet_t)
> seutil_manage_file_contexts(puppet_t)
>
> sysnet_dns_name_resolve(puppet_t)
> sysnet_run_ifconfig(puppet_t, system_r)
>
> usermanage_domtrans_groupadd(puppet_t)
> usermanage_domtrans_useradd(puppet_t)
>
> optional_policy(`
> 	consoletype_domtrans(puppet_t)
> ')
>
> optional_policy(`
> 	rpm_domtrans(puppet_t)
> ')
>
> optional_policy(`
> 	unconfined_domain(puppet_t)
> ')
>
> ########################################
> #
> # Puppet master personal policy
> #
>
> allow puppetmaster_t self:capability { dac_read_search dac_override setuid setgid fowner chown fsetid sys_tty_config };
> allow puppetmaster_t self:fifo_file rw_fifo_file_perms;
> allow puppetmaster_t self:netlink_route_socket create_netlink_socket_perms;
> allow puppetmaster_t self:process signal_perms;
> allow puppetmaster_t self:socket create;
> allow puppetmaster_t self:tcp_socket create_stream_socket_perms;
> allow puppetmaster_t self:udp_socket create_socket_perms;
>
> list_dirs_pattern(puppetmaster_t, puppet_etc_t, puppet_etc_t)
> read_files_pattern(puppetmaster_t, puppet_etc_t, puppet_etc_t)
>
> manage_dirs_pattern(puppetmaster_t, puppet_var_lib_t, puppet_var_lib_t)
> manage_files_pattern(puppetmaster_t, puppet_var_lib_t, puppet_var_lib_t)
>
> manage_dirs_pattern(puppetmaster_t, puppet_var_run_t, puppet_var_run_t)
> manage_files_pattern(puppetmaster_t, puppet_var_run_t, puppet_var_run_t)
> files_pid_filetrans(puppetmaster_t, puppet_var_run_t, { file dir })
>
> manage_dirs_pattern(puppetmaster_t, puppet_log_t, puppet_log_t)
> create_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t)
> append_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t)
> logging_log_filetrans(puppetmaster_t, puppet_log_t, { file dir })
>
> manage_dirs_pattern(puppetmaster_t, puppet_tmp_t, puppet_tmp_t)
> manage_files_pattern(puppetmaster_t, puppet_tmp_t, puppet_tmp_t)
> files_tmp_filetrans(puppetmaster_t, puppet_tmp_t, { file dir })
>
> corenet_sendrecv_puppet_server_packets(puppetmaster_t)
> corenet_tcp_bind_puppet_port(puppetmaster_t)
>
> corenet_all_recvfrom_netlabel(puppetmaster_t)
> corenet_all_recvfrom_unlabeled(puppetmaster_t)
>
> corenet_tcp_sendrecv_all_if(puppetmaster_t)
> corenet_tcp_sendrecv_all_nodes(puppetmaster_t)
>
> corenet_tcp_bind_all_nodes(puppetmaster_t)
>
> corecmd_exec_bin(puppetmaster_t)
> corecmd_exec_shell(puppetmaster_t)
>
> files_read_etc_files(puppetmaster_t)
>
> dev_read_rand(puppetmaster_t)
> dev_read_urand(puppetmaster_t)
>
> domain_read_all_domains_state(puppetmaster_t)
>
> hostname_exec(puppetmaster_t)
>
> kernel_read_system_state(puppetmaster_t)
> kernel_read_crypto_sysctls(puppetmaster_t)
>
> logging_send_syslog_msg(puppetmaster_t)
>
> miscfiles_read_localization(puppetmaster_t)
>
> sysnet_dns_name_resolve(puppetmaster_t)
> sysnet_run_ifconfig(puppetmaster_t, system_r)
>
> optional_policy(`
> 	rpm_domtrans(puppetmaster_t)
> 	rpm_read_db(puppetmaster_t)
> ')
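Added example, not from this thread or from refpolicy: a small Python triage script that parses AVC lines of the shape quoted above and sorts them into the two buckets the reply distinguishes, foreign domains that inherited puppet_t's file descriptors (what the proposed dontaudit or a domain interface would cover) and daemons asking for write rather than append on a *_log_t type. The sample lines are constructed; the puppetmaster log denial is hypothetical, modelled on Craig's description of the puppet_log_t denials.

```python
import re
from collections import defaultdict

# Constructed sample input: the modprobe denial quoted in the thread,
# plus two hypothetical lines of the same shape (not from the list post).
AVC_LINES = """\
type=AVC msg=audit(1252178670.560:136): avc: denied { use } for pid=1694 comm="modprobe" path="/dev/null" dev=tmpfs ino=400 scontext=system_u:system_r:insmod_t tcontext=system_u:system_r:puppet_t tclass=fd
type=AVC msg=audit(1252178671.100:137): avc: denied { use } for pid=1701 comm="ldconfig" path="/dev/null" dev=tmpfs ino=400 scontext=system_u:system_r:ldconfig_t tcontext=system_u:system_r:puppet_t tclass=fd
type=AVC msg=audit(1252178680.003:140): avc: denied { write setattr } for pid=1650 comm="puppetmasterd" name="puppetmaster.log" dev=sda1 ino=9001 scontext=system_u:system_r:puppetmaster_t tcontext=system_u:object_r:puppet_log_t tclass=file
"""

# Permission set, source/target security contexts and object class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def parse_avc(line):
    """Return the parts of one AVC denial a policy writer looks at, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {
        "perms": set(m.group("perms").split()),
        "sdomain": m.group("scontext").split(":")[2],  # user:role:type[:mls]
        "ttype": m.group("tcontext").split(":")[2],
        "tclass": m.group("tclass"),
    }


def triage(text, daemons=("puppet_t", "puppetmaster_t")):
    """Bucket denials the way the thread's review does."""
    fd_users = defaultdict(set)  # daemon -> domains using fds it leaked to them
    log_writers = set()          # (domain, log type) wanting write, not append
    other = []
    for line in text.splitlines():
        d = parse_avc(line)
        if d is None:
            continue
        if d["tclass"] == "fd" and d["ttype"] in daemons and d["perms"] == {"use"}:
            fd_users[d["ttype"]].add(d["sdomain"])
        elif d["tclass"] == "file" and d["ttype"].endswith("_log_t") and "write" in d["perms"]:
            log_writers.add((d["sdomain"], d["ttype"]))
        else:
            other.append(d)
    return dict(fd_users), log_writers, other
```

Run `triage(AVC_LINES)`: the fd bucket lists insmod_t and ldconfig_t against puppet_t, and the log bucket flags puppetmaster_t on puppet_log_t as a candidate for append-only access.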