From: cpebenito@tresys.com (Christopher J. PeBenito) Date: Tue, 03 Nov 2009 09:50:22 -0500 Subject: [refpolicy] [PATCH 1/1] adding puppet configuration management system In-Reply-To: <1256923303-3593-1-git-send-email-craig.grube@cobham.com> References: <1256923303-3593-1-git-send-email-craig.grube@cobham.com> Message-ID: <1257259822.5178.117.camel@gorn.columbia.tresys.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On Fri, 2009-10-30 at 13:21 -0400, craig.grube at cobham.com wrote: > From: Craig Grube There are several lines with trailing whitespace that needs to be cleaned up. Also, please use tabs instead of multiple spaces. Other comments inline. > Signed-off-by: Craig Grube > --- > policy/modules/admin/usermanage.te | 8 + > policy/modules/kernel/corenetwork.te.in | 1 + > policy/modules/kernel/files.if | 27 ++++ > policy/modules/kernel/files.te | 1 + > policy/modules/services/puppet.fc | 13 ++ > policy/modules/services/puppet.if | 31 ++++ > policy/modules/services/puppet.te | 241 +++++++++++++++++++++++++++++++ > policy/modules/system/init.if | 20 +++ > policy/modules/system/init.te | 4 + > policy/modules/system/libraries.te | 5 + > 10 files changed, 351 insertions(+), 0 deletions(-) > create mode 100644 policy/modules/services/puppet.fc > create mode 100644 policy/modules/services/puppet.if > create mode 100644 policy/modules/services/puppet.te > > diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te > index 1865872..e8c66c1 100644 > --- a/policy/modules/admin/usermanage.te > +++ b/policy/modules/admin/usermanage.te > @@ -247,6 +247,10 @@ optional_policy(` > rpm_rw_pipes(groupadd_t) > ') > > +optional_policy(` > + puppet_write_puppet_tmp(groupadd_t) > +') > + > ######################################## > # > # Passwd local policy > @@ -524,3 +528,7 @@ optional_policy(` > rpm_use_fds(useradd_t) > rpm_rw_pipes(useradd_t) > ') > + > +optional_policy(` > + puppet_write_puppet_tmp(useradd_t) > +') 
> diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in > index c62a95e..85a5fcf 100644 > --- a/policy/modules/kernel/corenetwork.te.in > +++ b/policy/modules/kernel/corenetwork.te.in > @@ -156,6 +156,7 @@ network_port(prelude, tcp,4690,s0, udp,4690,s0) > network_port(printer, tcp,515,s0) > network_port(ptal, tcp,5703,s0) > network_port(pulseaudio, tcp,4713,s0) > +network_port(puppet, tcp, 8140, s0) > network_port(pxe, udp,4011,s0) > network_port(pyzor, udp,24441,s0) > network_port(radacct, udp,1646,s0, udp,1813,s0) > diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if > index 87442ec..575e6c7 100644 > --- a/policy/modules/kernel/files.if > +++ b/policy/modules/kernel/files.if > @@ -110,7 +110,11 @@ interface(`files_pid_file',` > ## > # > interface(`files_config_file',` > + gen_require(` > + attribute configfile; > + ') > files_type($1) > + typeattribute $1 configfile; > ') > > ######################################## > @@ -997,6 +1001,29 @@ interface(`files_manage_all_files',` > files_manage_kernel_modules($1) > ') > > +########################################### > +## > +## Manage all configuration files on filesystem > +## > +## > +## > +## The type of domain performing this action > +## > +## > +## > +# > +interface(`files_manage_all_config_files',` > + gen_require(` > + attribute configfile; > + ') > + > + manage_dirs_pattern($1, configfile, configfile) > + manage_files_pattern($1, configfile, configfile) This is the only rule that should be in this interface due to the "files" in the interface name. > + manage_lnk_files_pattern($1, configfile, configfile) > + manage_fifo_files_pattern($1, configfile, configfile) > + manage_sock_files_pattern($1, configfile, configfile) > +') > + > ######################################## > ## > ## Search the contents of all directories on > diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te > index 3ae897d..e970d85 100644 
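Review bot: `network_port(puppet, tcp, 8140, s0)` spaces its fields differently from every neighbouring entry in this hunk, which are written `tcp,NNNN,s0` with no spaces after the commas. Use `network_port(puppet, tcp,8140,s0)` so the port table stays uniform.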
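Review bot: The doc block above `files_manage_all_config_files` opens with a longer row of `#` than the one every other interface in files.if uses, including `files_config_file` in the previous hunk; match the standard row. The interface summary "Manage all configuration files on filesystem" should also state that its scope is every type declared through `files_config_file` in any module, because the `typeattribute $1 configfile;` added to that interface in the first hunk is what makes this grant reach types far beyond the ones in this patch, and callers should know that before using it.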
> --- a/policy/modules/kernel/files.te > +++ b/policy/modules/kernel/files.te > @@ -11,6 +11,7 @@ attribute files_unconfined_type; > attribute lockfile; > attribute mountpoint; > attribute pidfile; > +attribute configfile; > > # For labeling types that are to be polyinstantiated > attribute polydir; > diff --git a/policy/modules/services/puppet.fc b/policy/modules/services/puppet.fc > new file mode 100644 > index 0000000..8cc04c3 > --- /dev/null > +++ b/policy/modules/services/puppet.fc > @@ -0,0 +1,13 @@ > +/etc/puppet(/.*)? gen_context(system_u:object_r:puppet_etc_t, s0) > + > +/etc/rc\.d/init\.d/puppet -- gen_context(system_u:object_r:puppet_initrc_exec_t, s0) > +/etc/rc\.d/init\.d/puppetmaster -- gen_context(system_u:object_r:puppetmasterd_initrc_exec_t, s0) > + > +/usr/sbin/puppetd -- gen_context(system_u:object_r:puppet_exec_t, s0) > +/usr/sbin/puppetmasterd -- gen_context(system_u:object_r:puppetmaster_exec_t, s0) > + > +/var/lib/puppet(/.*)? gen_context(system_u:object_r:puppet_var_lib_t, s0) > +/var/log/puppet(/.*)? gen_context(system_u:object_r:puppet_log_t, s0) > +/var/run/puppet(/.*)? gen_context(system_u:object_r:puppet_var_run_t, s0) > + > + > diff --git a/policy/modules/services/puppet.if b/policy/modules/services/puppet.if > new file mode 100644 > index 0000000..7e0bab0 > --- /dev/null > +++ b/policy/modules/services/puppet.if > @@ -0,0 +1,31 @@ > +## Puppet client daemon > +## > +##

> +## Puppet is a configuration management system written in Ruby. > +## The client daemon is responsible for periodically requesting the > +## desired system state from the server and ensuring the state of > +## the client system matches. > +##

> +##
> + > ################################################ > ## > ## Read / Write to Puppet temp files. Puppet uses > ## some system binaries (groupadd, etc) that run in > ## a non-puppet domain and redirects output into temp > ## files. > ## > ## > ## > ## Domain allowed access > ## > ## > ## > interface(`puppet_write_puppet_tmp', ` > + gen_require(` > + type puppet_tmp_t; > + ') > + > + allow $1 puppet_tmp_t:file rw_file_perms; > + files_search_tmp($1) The interface name and implementation don't match. Either this should be puppet_rw_tmp or the rule should be changed to write_file_perms. > +') > diff --git a/policy/modules/services/puppet.te b/policy/modules/services/puppet.te > new file mode 100644 > index 0000000..97f50d0 > --- /dev/null > +++ b/policy/modules/services/puppet.te > @@ -0,0 +1,241 @@ > + > +policy_module(puppet, 0.0.1) > + > +######################################## > +# > +# Declarations > +# > + > +## > +##
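Review bot: The module summary at the top of puppet.if reads "Puppet client daemon", but puppet.te in this same patch also declares `puppetmaster_t`, so the summary describes only half of the module; wording such as "Puppet configuration management system (client and master daemons)" would fit both. The interface line `interface(`puppet_write_puppet_tmp', `` also has a space before the opening quote that the other interfaces in this patch (`files_manage_all_config_files`, `init_all_labeled_script_domtrans`) do not; drop it for consistency.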

> +## Allow Puppet client to manage all file > +## types. > +##

> +##
> +gen_tunable(allow_puppet_manage_all_files_except_shadow, false) puppet_manage_all_files should be a sufficient name. > + > +######################################## > +# > +# Puppet personal declarations > +# > + > +type puppet_t; > +type puppet_exec_t; > +init_daemon_domain(puppet_t, puppet_exec_t) > + > +type puppet_initrc_exec_t; > +init_script_file(puppet_initrc_exec_t); > + > +type puppet_log_t; > +logging_log_file(puppet_log_t) > + > +type puppet_var_lib_t; > +files_type(puppet_var_lib_t) > + > +type puppet_var_run_t; > +files_pid_file(puppet_var_run_t) > + > +type puppet_etc_t; > +files_config_file(puppet_etc_t) > + > +type puppet_tmp_t; > +files_tmp_file(puppet_tmp_t) > + > +######################################## > +# > +# Pupper master personal declarations > +# > + > +type puppetmaster_t; > +type puppetmaster_exec_t; > +init_daemon_domain(puppetmaster_t, puppetmaster_exec_t) > + > +type puppetmasterd_initrc_exec_t; > +init_script_file(puppetmasterd_initrc_exec_t) > + > +type puppetmaster_tmp_t; > +files_tmp_file(puppetmaster_tmp_t) > + > +######################################## > +# > +# Puppet personal policy > +# > + > +allow puppet_t self:capability { fowner fsetid setuid setgid dac_override sys_nice sys_ptrace sys_tty_config }; > +allow puppet_t self:fifo_file rw_fifo_file_perms; > +allow puppet_t self:netlink_route_socket create_netlink_socket_perms; > +allow puppet_t self:process { signal signull getsched setsched }; > +allow puppet_t self:tcp_socket create_stream_socket_perms; > +allow puppet_t self:udp_socket create_socket_perms; > + > +search_dirs_pattern(puppet_t, puppet_etc_t, puppet_etc_t) > +read_files_pattern(puppet_t, puppet_etc_t, puppet_etc_t) > + > +manage_dirs_pattern(puppet_t ,puppet_var_lib_t, puppet_var_lib_t) > +manage_files_pattern(puppet_t, puppet_var_lib_t, puppet_var_lib_t) > + > +setattr_dirs_pattern(puppet_t, puppet_var_run_t, puppet_var_run_t) > +manage_files_pattern(puppet_t, puppet_var_run_t, puppet_var_run_t) > 
+files_pid_filetrans(puppet_t, puppet_var_run_t, { file dir }) > + > +manage_dirs_pattern(puppet_t, puppet_tmp_t, puppet_tmp_t) > +manage_files_pattern(puppet_t, puppet_tmp_t, puppet_tmp_t) > +files_tmp_filetrans(puppet_t, puppet_tmp_t, { file dir }) > + > +corenet_sendrecv_puppet_client_packets(puppet_t) > +corenet_tcp_connect_puppet_port(puppet_t) > + > +corenet_all_recvfrom_netlabel(puppet_t) > +corenet_all_recvfrom_unlabeled(puppet_t) > + > +corenet_tcp_sendrecv_generic_if(puppet_t) > +corenet_tcp_sendrecv_generic_node(puppet_t) > + > +corenet_tcp_bind_generic_node(puppet_t) > + > +corecmd_exec_bin(puppet_t) > +corecmd_exec_shell(puppet_t) > + > +dev_read_rand(puppet_t) > +dev_read_sysfs(puppet_t) > +dev_read_urand(puppet_t) > + > +domain_read_all_domains_state(puppet_t) > +domain_interactive_fd(puppet_t) > + > +files_manage_all_config_files(puppet_t) > +files_read_etc_files(puppet_t) > +files_search_var_lib(puppet_t) > + > +init_all_labeled_script_domtrans(puppet_t) > +init_domtrans_script(puppet_t) > +init_read_utmp(puppet_t) > +init_signull_script(puppet_t) > + > +kernel_dontaudit_search_sysctl(puppet_t) > +kernel_dontaudit_search_kernel_sysctl(puppet_t) > +kernel_read_system_state(puppet_t) > +kernel_read_crypto_sysctls(puppet_t) > + > +logging_send_syslog_msg(puppet_t) > + > +miscfiles_read_hwdata(puppet_t) > +miscfiles_read_localization(puppet_t) > + > +selinux_search_fs(puppet_t) > +selinux_set_all_booleans(puppet_t) > +selinux_set_generic_booleans(puppet_t) > +selinux_validate_context(puppet_t) > + > +seutil_domtrans_setfiles(puppet_t) > +seutil_domtrans_semanage(puppet_t) > +sysnet_dns_name_resolve(puppet_t) > +sysnet_run_ifconfig(puppet_t, system_r) > + > +term_dontaudit_getattr_unallocated_ttys(puppet_t) > +term_dontaudit_getattr_all_user_ttys(puppet_t) > + > +tunable_policy(`allow_puppet_manage_all_files_except_shadow',` > + auth_manage_all_files_except_shadow(puppet_t) > +') > + > +optional_policy(` > + consoletype_domtrans(puppet_t) > +') > + > 
+optional_policy(` > + hostname_exec(puppet_t) > +') > + > +optional_policy(` > + rpm_domtrans(puppet_t) > +') > + > +optional_policy(` > + unconfined_domain(puppet_t) > +') > + > +optional_policy(` > + usermanage_domtrans_groupadd(puppet_t) > + usermanage_domtrans_useradd(puppet_t) > +') > +######################################## > +# > +# Pupper master personal policy > +# > + > +allow puppetmaster_t self:capability { dac_read_search dac_override setuid setgid fowner chown fsetid sys_tty_config }; > +allow puppetmaster_t self:fifo_file rw_fifo_file_perms;; > +allow puppetmaster_t self:netlink_route_socket create_netlink_socket_perms; > +allow puppetmaster_t self:process { signal_perms getsched setsched }; > +allow puppetmaster_t self:socket create; > +allow puppetmaster_t self:tcp_socket create_stream_socket_perms; > +allow puppetmaster_t self:udp_socket create_socket_perms; > + > +list_dirs_pattern(puppetmaster_t, puppet_etc_t, puppet_etc_t) > +read_files_pattern(puppetmaster_t, puppet_etc_t, puppet_etc_t) > + > +manage_dirs_pattern(puppetmaster_t ,puppet_var_lib_t, puppet_var_lib_t) > +manage_files_pattern(puppetmaster_t, puppet_var_lib_t, puppet_var_lib_t) > + > +setattr_dirs_pattern(puppetmaster_t, puppet_var_run_t, puppet_var_run_t) > +manage_files_pattern(puppetmaster_t, puppet_var_run_t, puppet_var_run_t) > +files_pid_filetrans(puppetmaster_t, puppet_var_run_t, { file dir }) > + > +rw_dirs_pattern(puppetmaster_t, puppet_log_t, puppet_log_t) > +setattr_dirs_pattern(puppetmaster_t, puppet_log_t, puppet_log_t) > +setattr_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t) > +create_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t) > +append_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t) > +rw_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t) > +logging_log_filetrans(puppetmaster_t, puppet_log_t, { file dir }) > + > +manage_dirs_pattern(puppetmaster_t, puppetmaster_tmp_t, puppetmaster_tmp_t) > 
+manage_files_pattern(puppetmaster_t, puppetmaster_tmp_t, puppetmaster_tmp_t) > +files_tmp_filetrans(puppetmaster_t, puppetmaster_tmp_t, { file dir }) > + > +corenet_sendrecv_puppet_server_packets(puppetmaster_t) > +corenet_tcp_bind_puppet_port(puppetmaster_t) > + > +corenet_all_recvfrom_netlabel(puppetmaster_t) > +corenet_all_recvfrom_unlabeled(puppetmaster_t) > + > +corenet_tcp_sendrecv_generic_if(puppetmaster_t) > +corenet_tcp_sendrecv_generic_node(puppetmaster_t) > + > +corenet_tcp_bind_generic_node(puppetmaster_t) > + > +corecmd_exec_bin(puppetmaster_t) > +corecmd_exec_shell(puppetmaster_t) > + > +files_read_etc_files(puppetmaster_t) > +files_search_var_lib(puppetmaster_t) > + > +dev_read_rand(puppetmaster_t) > +dev_read_urand(puppetmaster_t) > + > +domain_read_all_domains_state(puppetmaster_t) > + > +kernel_dontaudit_search_kernel_sysctl(puppetmaster_t) > +kernel_read_system_state(puppetmaster_t) > +kernel_read_crypto_sysctls(puppetmaster_t) > + > +logging_send_syslog_msg(puppetmaster_t) > + > +miscfiles_read_localization(puppetmaster_t) > + > +sysnet_dns_name_resolve(puppetmaster_t) > +sysnet_run_ifconfig(puppetmaster_t, system_r) > + > +optional_policy(` > + hostname_exec(puppetmaster_t) > +') > + > +optional_policy(` > + files_read_usr_symlinks(puppetmaster_t) > + > + rpm_exec(puppetmaster_t) > + rpm_read_db(puppetmaster_t) > +') > + > diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if > index 7637333..aa9f136 100644 > --- a/policy/modules/system/init.if > +++ b/policy/modules/system/init.if 
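Review bot: `unconfined_domain(puppet_t)` sits in a bare `optional_policy` block, so whenever the unconfined module is present the client is fully unconfined and the rest of this file, including the `allow_puppet_manage_all_files_except_shadow` tunable, has no effect; either drop it or gate it behind its own tunable declared with `gen_tunable` (for example `tunable_policy(`puppet_unconfined',` … `)`), as other modules do for their unconfined variants. Two stray semicolons look like they would become checkpolicy syntax errors after m4 expansion: `init_script_file(puppet_initrc_exec_t);` and `allow puppetmaster_t self:fifo_file rw_fifo_file_perms;;`. `puppet_log_t` is declared here and puppet.fc labels `/var/log/puppet(/.*)?` with it, yet only puppetmaster_t gets rules on that type, so the client daemon presumably cannot write its own log; confirm whether puppetd logs there and, if so, add the matching create/append rules for puppet_t. `selinux_set_generic_booleans(puppet_t)` is subsumed by `selinux_set_all_booleans(puppet_t)` on the line above it, and the `sys_ptrace` capability granted to puppet_t deserves a comment explaining which operation needs it, since it is the broadest item in that set. New refpolicy modules conventionally start at `policy_module(puppet, 1.0.0)` rather than 0.0.1.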
> @@ -720,6 +720,26 @@ interface(`init_labeled_script_domtrans',` > files_search_etc($1) > ') > > +######################################### > +## > +## Transition to the init script domain > +## for all labeled init script types > +## > +## > +## > +## Domain allowed access > +## > +## > +######################################### > +interface(`init_all_labeled_script_domtrans',` > + gen_require(` > + attribute init_script_file_type; > + ') > + > + init_labeled_script_domtrans($1, init_script_file_type) > +') > + > + > ######################################## > ## > ## Start and stop daemon programs directly. > diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te > index efe5277..6770b40 100644 > --- a/policy/modules/system/init.te > +++ b/policy/modules/system/init.te > @@ -688,6 +688,10 @@ optional_policy(` > ') > > optional_policy(` > + puppet_write_puppet_tmp(initrc_t) > +') > + > +optional_policy(` > quota_manage_flags(initrc_t) > ') > > diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te > index 0c4f4ba..8989eb3 100644 > --- a/policy/modules/system/libraries.te > +++ b/policy/modules/system/libraries.te > @@ -123,3 +123,8 @@ optional_policy(` > # blow up. > rpm_manage_script_tmp_files(ldconfig_t) > ') > + > + > +optional_policy(` > + puppet_write_puppet_tmp(ldconfig_t) > +') -- Chris PeBenito Tresys Technology, LLC (410) 290-1411 x150
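Review bot: The doc block of `init_all_labeled_script_domtrans` is closed with a full row of `#` instead of the single `#` line that the other interfaces in this patch and the existing ones in init.if put immediately before `interface(`, and two blank lines follow the closing `')` where the surrounding interfaces are separated by one. Since the body forwards to `init_labeled_script_domtrans($1, init_script_file_type)`, the summary should say plainly that the caller gains a transition through every type carrying the `init_script_file_type` attribute, which is what makes this a broad grant that reviewers of callers such as puppet_t will want to see stated.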