From: sven.vermeulen@siphos.be (Sven Vermeulen)
Date: Mon, 31 Dec 2012 23:52:23 +0100
Subject: [refpolicy] [PATCH 04/12] Changes to puppet domain
In-Reply-To: <1356994351-29191-1-git-send-email-sven.vermeulen@siphos.be>
References: <1356994351-29191-1-git-send-email-sven.vermeulen@siphos.be>
Message-ID: <1356994351-29191-5-git-send-email-sven.vermeulen@siphos.be>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

The provided changes are needed for a puppet (client) to properly start up
and/or get its facts straight (= information on the current system state).

Signed-off-by: Sven Vermeulen
---
 puppet.te | 8 +++++++-
 1 files changed, 7 insertions(+), 1 deletions(-)

diff --git a/puppet.te b/puppet.te
index 1113f10..f3f1c1f 100644
--- a/puppet.te
+++ b/puppet.te
@@ -58,11 +58,12 @@ files_tmp_file(puppetmaster_tmp_t)
 # Local policy
 #
 
-allow puppet_t self:capability { fowner fsetid setuid setgid dac_override sys_nice sys_tty_config };
+allow puppet_t self:capability { chown fowner fsetid setuid setgid dac_override sys_nice sys_tty_config };
 allow puppet_t self:process { signal signull getsched setsched };
 allow puppet_t self:fifo_file rw_fifo_file_perms;
 allow puppet_t self:netlink_route_socket nlmsg_write;
 allow puppet_t self:tcp_socket { accept listen };
+allow puppet_t self:udp_socket create_socket_perms;
 
 allow puppet_t puppet_etc_t:dir list_dir_perms;
 allow puppet_t puppet_etc_t:file read_file_perms;
@@ -78,6 +79,7 @@ files_pid_filetrans(puppet_t, puppet_var_run_t, { file dir })
 allow puppet_t puppet_log_t:dir { create_dir_perms setattr_dir_perms };
 append_files_pattern(puppet_t, puppet_log_t, puppet_log_t)
 create_files_pattern(puppet_t, puppet_log_t, puppet_log_t)
+read_files_pattern(puppet_t, puppet_log_t, puppet_log_t)
 setattr_files_pattern(puppet_t, puppet_log_t, puppet_log_t)
 logging_log_filetrans(puppet_t, puppet_log_t, { file dir })
 
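Review bot: The `chown` capability added to the self:capability rule on the first changed line of the @@ -58 hunk is not explained anywhere; the commit message only says the rules are needed to start up or gather facts, and together with the already-granted `dac_override`, `fowner` and `fsetid` this lets puppet_t change the owner, mode and set-id bits of any file on the host, so the grant deserves a one-line comment above the rule naming what needs it, e.g. `# chown: puppet applies owner/group from file resources` if that is the reason. The new `allow puppet_t self:udp_socket create_socket_perms;` is presumably there for name resolution by the fact gatherer; if so, the refpolicy convention is `sysnet_dns_name_resolve(puppet_t)`, which grants the same socket permission together with the matching corenet rules, and that interface may already be called in the part of puppet.te outside this hunk, which would make the raw rule redundant.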
@@ -90,6 +92,8 @@ kernel_dontaudit_search_kernel_sysctl(puppet_t)
 kernel_read_system_state(puppet_t)
 kernel_read_crypto_sysctls(puppet_t)
 kernel_read_kernel_sysctls(puppet_t)
+kernel_read_net_sysctls(puppet_t)
+kernel_read_network_state(puppet_t)
 
 corecmd_exec_bin(puppet_t)
 corecmd_exec_shell(puppet_t)
@@ -119,6 +123,7 @@ files_read_usr_files(puppet_t)
 files_read_usr_symlinks(puppet_t)
 files_relabel_config_dirs(puppet_t)
 files_relabel_config_files(puppet_t)
+files_search_var_lib(puppet_t)
 
 selinux_search_fs(puppet_t)
 selinux_set_all_booleans(puppet_t)
@@ -144,6 +149,7 @@ seutil_domtrans_setfiles(puppet_t)
 seutil_domtrans_semanage(puppet_t)
 
 sysnet_run_ifconfig(puppet_t, system_r)
+sysnet_use_ldap(puppet_t)
 
 tunable_policy(`puppet_manage_all_files',`
 	files_manage_non_auth_files(puppet_t)
-- 
1.7.8.6
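Review bot: `sysnet_use_ldap(puppet_t)` in the @@ -144 hunk is added unconditionally, so every puppet agent gets LDAP client access whether or not the host resolves users through LDAP. If the need is name-service lookups (puppet resolving the users and groups named in manifests), the conventional interface is `auth_use_nsswitch(puppet_t)`, which covers the LDAP, NIS and DNS backends in one place; it may already be present in the part of puppet.te outside this hunk, in which case the new line is redundant. If a direct LDAP dependency is really intended, a comment above the call stating which puppet component talks to LDAP would document the grant for the next reviewer. The `tunable_policy` block that follows the new line starts in this hunk but its closing line is outside it.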