From: dominick.grift@gmail.com (grift)
Date: Tue, 01 Jan 2013 11:39:13 +0100
Subject: [refpolicy] [PATCH 04/12] Changes to puppet domain
In-Reply-To: <1356994351-29191-5-git-send-email-sven.vermeulen@siphos.be>
References: <1356994351-29191-1-git-send-email-sven.vermeulen@siphos.be> <1356994351-29191-5-git-send-email-sven.vermeulen@siphos.be>
Message-ID: <1357036753.2088.7.camel@localhost>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Mon, 2012-12-31 at 23:52 +0100, Sven Vermeulen wrote:
> The provided changes are needed for a puppet (client) to properly start up
> and/or get its facts straight (= information on the current system state).
>
This was merged, thanks
> Signed-off-by: Sven Vermeulen > --- > puppet.te | 8 +++++++- > 1 files changed, 7 insertions(+), 1 deletions(-) > > diff --git a/puppet.te b/puppet.te > index 1113f10..f3f1c1f 100644 > --- a/puppet.te > +++ b/puppet.te > @@ -58,11 +58,12 @@ files_tmp_file(puppetmaster_tmp_t) > # Local policy > # > > -allow puppet_t self:capability { fowner fsetid setuid setgid dac_override sys_nice sys_tty_config }; > +allow puppet_t self:capability { chown fowner fsetid setuid setgid dac_override sys_nice sys_tty_config }; > allow puppet_t self:process { signal signull getsched setsched }; > allow puppet_t self:fifo_file rw_fifo_file_perms; > allow puppet_t self:netlink_route_socket nlmsg_write; > allow puppet_t self:tcp_socket { accept listen }; > +allow puppet_t self:udp_socket create_socket_perms; > > allow puppet_t puppet_etc_t:dir list_dir_perms; > allow puppet_t puppet_etc_t:file read_file_perms; 
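Review bot: the new `chown` capability in the `@@ -58,11 +58,12 @@` hunk is not justified by the commit message, which only says the changes are needed for startup and fact gathering; `chown` is a broad capability, so the commit message (or a comment above the `allow puppet_t self:capability` rule) should name the ownership change puppet_t actually performs, so a later reader can tell whether it is still required. The added `allow puppet_t self:udp_socket create_socket_perms;` is likewise unexplained; if it is there for name resolution, the refpolicy `sysnet_dns_name_resolve()` interface is the conventional way to grant that and documents the intent.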
> @@ -78,6 +79,7 @@ files_pid_filetrans(puppet_t, puppet_var_run_t, { file dir }) > allow puppet_t puppet_log_t:dir { create_dir_perms setattr_dir_perms }; > append_files_pattern(puppet_t, puppet_log_t, puppet_log_t) > create_files_pattern(puppet_t, puppet_log_t, puppet_log_t) > +read_files_pattern(puppet_t, puppet_log_t, puppet_log_t) > setattr_files_pattern(puppet_t, puppet_log_t, puppet_log_t) > logging_log_filetrans(puppet_t, puppet_log_t, { file dir }) > > @@ -90,6 +92,8 @@ kernel_dontaudit_search_kernel_sysctl(puppet_t) > kernel_read_system_state(puppet_t) > kernel_read_crypto_sysctls(puppet_t) > kernel_read_kernel_sysctls(puppet_t) > +kernel_read_net_sysctls(puppet_t) > +kernel_read_network_state(puppet_t) > > corecmd_exec_bin(puppet_t) > corecmd_exec_shell(puppet_t) > @@ -119,6 +123,7 @@ files_read_usr_files(puppet_t) > files_read_usr_symlinks(puppet_t) > files_relabel_config_dirs(puppet_t) > files_relabel_config_files(puppet_t) > +files_search_var_lib(puppet_t) > > selinux_search_fs(puppet_t) > selinux_set_all_booleans(puppet_t) > @@ -144,6 +149,7 @@ seutil_domtrans_setfiles(puppet_t) > seutil_domtrans_semanage(puppet_t) > > sysnet_run_ifconfig(puppet_t, system_r) > +sysnet_use_ldap(puppet_t) > > tunable_policy(`puppet_manage_all_files',` > files_manage_non_auth_files(puppet_t)
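Review bot: `sysnet_use_ldap(puppet_t)` in the `@@ -144,6 +149,7 @@` hunk grants LDAP client access unconditionally, but the commit message does not say why the puppet client needs LDAP and not every puppet deployment uses it. Either state the reason in the commit message or wrap the call in a `tunable_policy` block, as the domain already does for `puppet_manage_all_files` at the end of the hunk, so the access is only granted where it is needed.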