[selinux-policy] * Tue Apr 8 2014 Miroslav Grepl<mgrepl at redhat.com> 3.13.1-45 Rename puppet_t to puppetagent_

Miroslav Grepl mgrepl at fedoraproject.org
Tue Apr 8 09:35:30 UTC 2014


commit 1aabaf6c8d0dfa5789110702b28b2f2dfb0f9fd3
Author: Miroslav Grepl <mgrepl at redhat.com>
Date:   Tue Apr 8 11:35:12 2014 +0200

    * Tue Apr 8 2014 Miroslav Grepl<mgrepl at redhat.com> 3.13.1-45
    Rename puppet_t to puppetagent_

 booleans.subs_dist           |    2 +-
 policy-rawhide-contrib.patch |  622 ++++++++++++++++++++++++++----------------
 selinux-policy.spec          |    5 +-
 3 files changed, 385 insertions(+), 244 deletions(-)
---
diff --git a/booleans.subs_dist b/booleans.subs_dist
index 249f12d..d4ff62c 100644
--- a/booleans.subs_dist
+++ b/booleans.subs_dist
@@ -50,4 +50,4 @@ sepgsql_unconfined_dbadm postgresql_selinux_unconfined_dbadm
 clamd_use_jit antivirus_use_jit
 amavis_use_jit antivirus_use_jit
 logwatch_can_sendmail logwatch_can_network_connect_mail
-puppetmaster_use_db puppet_use_db
+puppet_manage_all_files puppetagent_manage_all_files
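Review bot: Removing the `puppetmaster_use_db puppet_use_db` substitution leaves the 3.13.1-44 boolean name `puppet_use_db` with no mapping at all, so a setting made under -44 (where it was the real tunable) will fail as an unknown boolean once the .te hunk in this commit renames the tunable back to `puppetmaster_use_db`. Adding a reverse entry, `puppet_use_db puppetmaster_use_db`, next to the new `puppet_manage_all_files puppetagent_manage_all_files` line keeps both old names working. Whether any -44 build reached users, and hence whether the compatibility line matters in practice, is not visible from this diff.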
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index 2f410dd..b511649 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -59572,7 +59572,7 @@ index bf59ef7..0ec51d4 100644
 +	manage_dirs_pattern($1, passenger_tmp_t, passenger_tmp_t)
  ')
 diff --git a/passenger.te b/passenger.te
-index 08ec33b..12f6357 100644
+index 08ec33b..24ce7e8 100644
 --- a/passenger.te
 +++ b/passenger.te
 @@ -14,6 +14,9 @@ role system_r types passenger_t;
@@ -59664,7 +59664,7 @@ index 08ec33b..12f6357 100644
 +')
 +
 +optional_policy(`
-+	puppet_domtrans(passenger_t)
++	puppet_domtrans_master(passenger_t)
 +	puppet_manage_lib(passenger_t)
  	puppet_read_config(passenger_t)
 -	puppet_append_log_files(passenger_t)
@@ -69391,29 +69391,37 @@ index 6643b49..1d2470f 100644
  
  optional_policy(`
 diff --git a/puppet.fc b/puppet.fc
-index d68e26d..94b9e8e 100644
+index d68e26d..f734388 100644
 --- a/puppet.fc
 +++ b/puppet.fc
-@@ -1,18 +1,10 @@
+@@ -1,18 +1,20 @@
 -/etc/puppet(/.*)?	gen_context(system_u:object_r:puppet_etc_t,s0)
-+/etc/puppet(/.*)?			gen_context(system_u:object_r:puppet_etc_t,s0)
++/etc/puppet(/.*)?			        gen_context(system_u:object_r:puppet_etc_t,s0)
  
 -/etc/rc\.d/init\.d/puppet	--	gen_context(system_u:object_r:puppet_initrc_exec_t,s0)
 -/etc/rc\.d/init\.d/puppetmaster	--	gen_context(system_u:object_r:puppetmaster_initrc_exec_t,s0)
-+/usr/lib/systemd/system/puppetmaster.*      --      gen_context(system_u:object_r:puppet_unit_file_t,s0)
++/etc/rc\.d/init\.d/puppet	    --	gen_context(system_u:object_r:puppetagent_initrc_exec_t,s0)
++/etc/rc\.d/init\.d/puppetmaster --	gen_context(system_u:object_r:puppetmaster_initrc_exec_t,s0)
  
 -/usr/bin/puppetca	--	gen_context(system_u:object_r:puppetca_exec_t,s0)
 -/usr/bin/puppetd	--	gen_context(system_u:object_r:puppet_exec_t,s0)
 -/usr/bin/puppetmasterd	--	gen_context(system_u:object_r:puppetmaster_exec_t,s0)
-+/usr/bin/puppetca	            --	gen_context(system_u:object_r:puppetca_exec_t,s0)
-+/usr/bin/start-puppet-master    --      gen_context(system_u:object_r:puppet_exec_t,s0)
++#helper scripts
++/usr/bin/puppet-agent       --  gen_context(system_u:object_r:puppetagent_exec_t,s0)
++/usr/bin/puppet-master      --  gen_context(system_u:object_r:puppetmaster_exec_t,s0)
  
 -/usr/sbin/puppetca	--	gen_context(system_u:object_r:puppetca_exec_t,s0)
 -/usr/sbin/puppetd	--	gen_context(system_u:object_r:puppet_exec_t,s0)
 -/usr/sbin/puppetmasterd	--	gen_context(system_u:object_r:puppetmaster_exec_t,s0)
--
++/usr/bin/puppetca	        --	gen_context(system_u:object_r:puppetca_exec_t,s0)
++/usr/bin/puppetd	        --	gen_context(system_u:object_r:puppetagent_exec_t,s0)
++/usr/bin/puppetmasterd	    --	gen_context(system_u:object_r:puppetmaster_exec_t,s0)
+ 
 -/var/lib/puppet(/.*)?	gen_context(system_u:object_r:puppet_var_lib_t,s0)
--
++/usr/sbin/puppetca	        --	gen_context(system_u:object_r:puppetca_exec_t,s0)
++/usr/sbin/puppetd	        --	gen_context(system_u:object_r:puppetagent_exec_t,s0)
++/usr/sbin/puppetmasterd	    --	gen_context(system_u:object_r:puppetmaster_exec_t,s0)
+ 
 -/var/log/puppet(/.*)?	gen_context(system_u:object_r:puppet_log_t,s0)
 -
 -/var/run/puppet(/.*)?	gen_context(system_u:object_r:puppet_var_run_t,s0)
@@ -69421,10 +69429,10 @@ index d68e26d..94b9e8e 100644
 +/var/log/puppet(/.*)?			gen_context(system_u:object_r:puppet_log_t,s0)
 +/var/run/puppet(/.*)?			gen_context(system_u:object_r:puppet_var_run_t,s0)
 diff --git a/puppet.if b/puppet.if
-index 7cb8b1f..6357588 100644
+index 7cb8b1f..9422c90 100644
 --- a/puppet.if
 +++ b/puppet.if
-@@ -1,4 +1,50 @@
+@@ -1,4 +1,32 @@
 -## <summary>Configuration management system.</summary>
 +## <summary>Puppet client daemon</summary>
 +## <desc>
@@ -69436,47 +69444,29 @@ index 7cb8b1f..6357588 100644
 +##	</p>
 +## </desc>
 +
-+#######################################
-+## <summary>
-+##      Execute puppet_master in the puppet_master
-+##      domain.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+##      Domain allowed to transition.
-+## </summary>
-+## </param>
-+#
-+interface(`puppet_domtrans_master',`
-+        gen_require(`
-+              type puppetmaster_t, puppetmaster_exec_t;
-+        ')
-+        refpolicywarn(`$0($*) has been deprecated.')
-+')
-+
 +########################################
 +## <summary>
-+##    Execute puppet in the puppet
-+##    domain.
++##	Execute puppet_master in the puppet_master
++##	domain.
 +## </summary>
 +## <param name="domain">
 +## <summary>
-+##    Domain allowed to transition.
++##	Domain allowed to transition.
 +## </summary>
 +## </param>
 +#
-+interface(`puppet_domtrans',`
-+    gen_require(`
-+        type puppet_t, puppet_exec_t;
-+    ')
++interface(`puppet_domtrans_master',`
++	gen_require(`
++		type puppetmaster_t, puppetmaster_exec_t;
++	')
 +
-+     corecmd_search_bin($1)
-+     domtrans_pattern($1, puppet_exec_t, puppet_t)
++	corecmd_search_bin($1)
++	domtrans_pattern($1, puppetmaster_exec_t, puppetmaster_t)
 +')
  
  ########################################
  ## <summary>
-@@ -40,16 +86,19 @@ interface(`puppet_domtrans_puppetca',`
+@@ -40,16 +68,19 @@ interface(`puppet_domtrans_puppetca',`
  #
  interface(`puppet_run_puppetca',`
  	gen_require(`
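Review bot: The `puppet_domtrans` interface is deleted outright (the removed lines after the new `puppet_domtrans_master`), so any out-of-tree module that calls `puppet_domtrans()` will now fail to build, while the -44 revision handled the reverse case by leaving a `refpolicywarn` stub for `puppet_domtrans_master`. Since this commit also makes `puppet_t`/`puppet_exec_t` aliases of the agent types, the conventional fix is to keep `puppet_domtrans` as a deprecated stub that warns and transitions to `puppetagent_t`, pointing callers at `puppet_domtrans_master()` if they meant the master. Whether any in-tree caller other than passenger.te still uses the old name is not visible here.
```m4
########################################
## <summary>
##	Execute puppet in the puppet agent domain.
##	Deprecated: use puppet_domtrans_master() for the master.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`puppet_domtrans',`
	gen_require(`
		type puppetagent_t, puppetagent_exec_t;
	')

	refpolicywarn(`$0($*) has been deprecated, use puppet_domtrans_master() instead.')
	corecmd_search_bin($1)
	domtrans_pattern($1, puppetagent_exec_t, puppetagent_t)
')
```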
@@ -69500,7 +69490,7 @@ index 7cb8b1f..6357588 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -57,15 +106,13 @@ interface(`puppet_run_puppetca',`
+@@ -57,15 +88,13 @@ interface(`puppet_run_puppetca',`
  ##	</summary>
  ## </param>
  #
@@ -69520,7 +69510,7 @@ index 7cb8b1f..6357588 100644
  ')
  
  ################################################
-@@ -78,158 +125,164 @@ interface(`puppet_read_config',`
+@@ -78,158 +107,164 @@ interface(`puppet_read_config',`
  ##	</summary>
  ## </param>
  #
@@ -69694,15 +69684,15 @@ index 7cb8b1f..6357588 100644
 -##	<summary>
 -##	Domain allowed access.
 -##	</summary>
--## </param>
--## <param name="role">
--##	<summary>
--##	Role allowed access.
--##	</summary>
 +##  <summary>
 +##  Domain allowed access.
 +##  </summary>
  ## </param>
+-## <param name="role">
+-##	<summary>
+-##	Role allowed access.
+-##	</summary>
+-## </param>
 -## <rolecap/>
  #
 -interface(`puppet_admin',`
@@ -69712,14 +69702,14 @@ index 7cb8b1f..6357588 100644
 -		type puppet_var_run_t, puppetmaster_tmp_t;
 -		type puppet_t, puppetca_t, puppetmaster_t;
 -	')
+-
+-	allow $1 { puppet_t puppetca_t puppetmaster_t }:process { ptrace signal_perms };
+-	ps_process_pattern($1, { puppet_t puppetca_t puppetmaster_t })
 +interface(`puppet_manage_log',`
 +    gen_require(`
 +        type puppet_log_t;
 +    ')
  
--	allow $1 { puppet_t puppetca_t puppetmaster_t }:process { ptrace signal_perms };
--	ps_process_pattern($1, { puppet_t puppetca_t puppetmaster_t })
--
 -	init_labeled_script_domtrans($1, { puppet_initrc_exec_t puppetmaster_initrc_exec_t })
 -	domain_system_change_exemption($1)
 -	role_transition $2 { puppet_initrc_exec_t puppetmaster_initrc_exec_t } system_r;
@@ -69780,10 +69770,10 @@ index 7cb8b1f..6357588 100644
 +    allow $1 puppet_var_run_t:dir search_dir_perms;
  ')
 diff --git a/puppet.te b/puppet.te
-index 618dcfe..ca66457 100644
+index 618dcfe..0903e67 100644
 --- a/puppet.te
 +++ b/puppet.te
-@@ -6,25 +6,31 @@ policy_module(puppet, 1.4.0)
+@@ -6,25 +6,32 @@ policy_module(puppet, 1.4.0)
  #
  
  ## <desc>
@@ -69796,7 +69786,8 @@ index 618dcfe..ca66457 100644
 +## types.
 +## </p>
  ## </desc>
- gen_tunable(puppet_manage_all_files, false)
+-gen_tunable(puppet_manage_all_files, false)
++gen_tunable(puppetagent_manage_all_files, false)
  
 -attribute_role puppetca_roles;
 -roleattribute system_r puppetca_roles;
@@ -69805,25 +69796,29 @@ index 618dcfe..ca66457 100644
 +## Allow Puppet master to use connect to MySQL and PostgreSQL database
 +## </p>
 +## </desc>
-+gen_tunable(puppet_use_db, false)
++gen_tunable(puppetmaster_use_db, false)
  
- type puppet_t;
- type puppet_exec_t;
- init_daemon_domain(puppet_t, puppet_exec_t)
+-type puppet_t;
+-type puppet_exec_t;
+-init_daemon_domain(puppet_t, puppet_exec_t)
++type puppetagent_t;
++type puppetagent_exec_t;
++typealias puppetagent_exec_t alias puppet_exec_t;
++typealias puppetagent_t alias puppet_t;
++init_daemon_domain(puppetagent_t, puppetagent_exec_t)
  
-+typealias puppet_t alias puppetmaster_t;
-+
  type puppet_etc_t;
  files_config_file(puppet_etc_t)
  
 -type puppet_initrc_exec_t;
 -init_script_file(puppet_initrc_exec_t)
-+type puppet_unit_file_t;
-+systemd_unit_file(puppet_unit_file_t)
++type puppetagent_initrc_exec_t;
++typealias puppetagent_initrc_exec_t alias puppet_initrc_exec_t;
++init_script_file(puppetagent_initrc_exec_t)
  
  type puppet_log_t;
  logging_log_file(puppet_log_t)
-@@ -37,52 +43,37 @@ files_type(puppet_var_lib_t)
+@@ -37,12 +44,11 @@ files_type(puppet_var_lib_t)
  
  type puppet_var_run_t;
  files_pid_file(puppet_var_run_t)
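Review bot: The alias direction flips what the label `puppet_exec_t` means: in 3.13.1-44 `typealias puppet_t alias puppetmaster_t` made it the master's entrypoint (and the -44 file contexts labeled `/usr/bin/start-puppet-master` with it), while the new `typealias puppetagent_exec_t alias puppet_exec_t` resolves the same label to the agent, which this commit also makes unconfined. On a host upgraded from -44 without a relabel, a file still carrying `puppet_exec_t` would therefore be entered as `puppetagent_t` rather than `puppetmaster_t`; this is worth a changelog note and a check that the package's relabel-on-upgrade covers these paths, though whether -44 ever shipped is not visible here. The description kept above `gen_tunable(puppetmaster_use_db, false)` also reads "Allow Puppet master to use connect to MySQL and PostgreSQL database"; `to use connect` should read `to connect to`.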
@@ -69833,18 +69828,12 @@ index 618dcfe..ca66457 100644
  type puppetca_exec_t;
  application_domain(puppetca_t, puppetca_exec_t)
 -role puppetca_roles types puppetca_t;
--
--type puppetmaster_t;
--type puppetmaster_exec_t;
--init_daemon_domain(puppetmaster_t, puppetmaster_exec_t)
--
--type puppetmaster_initrc_exec_t;
--init_script_file(puppetmaster_initrc_exec_t)
--
--type puppetmaster_tmp_t;
--files_tmp_file(puppetmaster_tmp_t)
 +role system_r types puppetca_t;
  
+ type puppetmaster_t;
+ type puppetmaster_exec_t;
+@@ -56,161 +62,156 @@ files_tmp_file(puppetmaster_tmp_t)
+ 
  ########################################
  #
 -# Local policy
@@ -69852,146 +69841,254 @@ index 618dcfe..ca66457 100644
  #
  
 -allow puppet_t self:capability { chown fowner fsetid setuid setgid dac_override sys_admin sys_nice sys_tty_config };
-+allow puppet_t self:capability { fowner fsetid setuid setgid dac_override sys_nice sys_tty_config };
- allow puppet_t self:process { signal signull getsched setsched };
- allow puppet_t self:fifo_file rw_fifo_file_perms;
- allow puppet_t self:netlink_route_socket create_netlink_socket_perms;
+-allow puppet_t self:process { signal signull getsched setsched };
+-allow puppet_t self:fifo_file rw_fifo_file_perms;
+-allow puppet_t self:netlink_route_socket create_netlink_socket_perms;
 -allow puppet_t self:tcp_socket { accept listen };
-+allow puppet_t self:tcp_socket create_stream_socket_perms;
- allow puppet_t self:udp_socket create_socket_perms;
- 
+-allow puppet_t self:udp_socket create_socket_perms;
+-
 -allow puppet_t puppet_etc_t:dir list_dir_perms;
 -allow puppet_t puppet_etc_t:file read_file_perms;
 -allow puppet_t puppet_etc_t:lnk_file read_lnk_file_perms;
-+read_files_pattern(puppet_t, puppet_etc_t, puppet_etc_t)
- 
- manage_dirs_pattern(puppet_t, puppet_var_lib_t, puppet_var_lib_t)
- manage_files_pattern(puppet_t, puppet_var_lib_t, puppet_var_lib_t)
+-
+-manage_dirs_pattern(puppet_t, puppet_var_lib_t, puppet_var_lib_t)
+-manage_files_pattern(puppet_t, puppet_var_lib_t, puppet_var_lib_t)
 -can_exec(puppet_t, puppet_var_lib_t)
-+files_search_var_lib(puppet_t)
- 
+-
 -setattr_dirs_pattern(puppet_t, puppet_var_run_t, puppet_var_run_t)
-+manage_dirs_pattern(puppet_t, puppet_var_run_t, puppet_var_run_t)
- manage_files_pattern(puppet_t, puppet_var_run_t, puppet_var_run_t)
- files_pid_filetrans(puppet_t, puppet_var_run_t, { file dir })
- 
+-manage_files_pattern(puppet_t, puppet_var_run_t, puppet_var_run_t)
+-files_pid_filetrans(puppet_t, puppet_var_run_t, { file dir })
+-
 -allow puppet_t puppet_log_t:dir { create_dir_perms setattr_dir_perms };
 -append_files_pattern(puppet_t, puppet_log_t, puppet_log_t)
-+create_dirs_pattern(puppet_t, var_log_t, puppet_log_t)
- create_files_pattern(puppet_t, puppet_log_t, puppet_log_t)
+-create_files_pattern(puppet_t, puppet_log_t, puppet_log_t)
 -read_files_pattern(puppet_t, puppet_log_t, puppet_log_t)
 -setattr_files_pattern(puppet_t, puppet_log_t, puppet_log_t)
-+append_files_pattern(puppet_t, puppet_log_t, puppet_log_t)
- logging_log_filetrans(puppet_t, puppet_log_t, { file dir })
- 
- manage_dirs_pattern(puppet_t, puppet_tmp_t, puppet_tmp_t)
-@@ -91,43 +82,38 @@ files_tmp_filetrans(puppet_t, puppet_tmp_t, { file dir })
- 
- kernel_dontaudit_search_sysctl(puppet_t)
- kernel_dontaudit_search_kernel_sysctl(puppet_t)
-+kernel_read_system_state(puppet_t)
- kernel_read_crypto_sysctls(puppet_t)
- kernel_read_kernel_sysctls(puppet_t)
+-logging_log_filetrans(puppet_t, puppet_log_t, { file dir })
+-
+-manage_dirs_pattern(puppet_t, puppet_tmp_t, puppet_tmp_t)
+-manage_files_pattern(puppet_t, puppet_tmp_t, puppet_tmp_t)
+-files_tmp_filetrans(puppet_t, puppet_tmp_t, { file dir })
+-
+-kernel_dontaudit_search_sysctl(puppet_t)
+-kernel_dontaudit_search_kernel_sysctl(puppet_t)
+-kernel_read_crypto_sysctls(puppet_t)
+-kernel_read_kernel_sysctls(puppet_t)
 -kernel_read_net_sysctls(puppet_t)
 -kernel_read_network_state(puppet_t)
- 
-+corecmd_read_all_executables(puppet_t)
-+corecmd_dontaudit_access_all_executables(puppet_t)
- corecmd_exec_bin(puppet_t)
- corecmd_exec_shell(puppet_t)
+-
+-corecmd_exec_bin(puppet_t)
+-corecmd_exec_shell(puppet_t)
 -corecmd_read_all_executables(puppet_t)
- 
- corenet_all_recvfrom_netlabel(puppet_t)
+-
+-corenet_all_recvfrom_netlabel(puppet_t)
 -corenet_all_recvfrom_unlabeled(puppet_t)
- corenet_tcp_sendrecv_generic_if(puppet_t)
- corenet_tcp_sendrecv_generic_node(puppet_t)
+-corenet_tcp_sendrecv_generic_if(puppet_t)
+-corenet_tcp_sendrecv_generic_node(puppet_t)
 -
 -corenet_sendrecv_puppet_client_packets(puppet_t)
-+corenet_tcp_bind_generic_node(puppet_t)
- corenet_tcp_connect_puppet_port(puppet_t)
+-corenet_tcp_connect_puppet_port(puppet_t)
 -corenet_tcp_sendrecv_puppet_port(puppet_t)
-+corenet_sendrecv_puppet_client_packets(puppet_t)
- 
- dev_read_rand(puppet_t)
- dev_read_sysfs(puppet_t)
- dev_read_urand(puppet_t)
- 
+-
+-dev_read_rand(puppet_t)
+-dev_read_sysfs(puppet_t)
+-dev_read_urand(puppet_t)
+-
 -domain_interactive_fd(puppet_t)
- domain_read_all_domains_state(puppet_t)
-+domain_interactive_fd(puppet_t)
-+domain_named_filetrans(puppet_t)
- 
- files_manage_config_files(puppet_t)
- files_manage_config_dirs(puppet_t)
- files_manage_etc_dirs(puppet_t)
- files_manage_etc_files(puppet_t)
+-domain_read_all_domains_state(puppet_t)
+-
+-files_manage_config_files(puppet_t)
+-files_manage_config_dirs(puppet_t)
+-files_manage_etc_dirs(puppet_t)
+-files_manage_etc_files(puppet_t)
 -files_read_usr_files(puppet_t)
- files_read_usr_symlinks(puppet_t)
- files_relabel_config_dirs(puppet_t)
- files_relabel_config_files(puppet_t)
+-files_read_usr_symlinks(puppet_t)
+-files_relabel_config_dirs(puppet_t)
+-files_relabel_config_files(puppet_t)
 -files_search_var_lib(puppet_t)
- 
+-
 -selinux_get_fs_mount(puppet_t)
 -selinux_search_fs(puppet_t)
- selinux_set_all_booleans(puppet_t)
- selinux_set_generic_booleans(puppet_t)
- selinux_validate_context(puppet_t)
-@@ -135,6 +121,8 @@ selinux_validate_context(puppet_t)
- term_dontaudit_getattr_unallocated_ttys(puppet_t)
- term_dontaudit_getattr_all_ttys(puppet_t)
- 
-+auth_use_nsswitch(puppet_t)
-+
- init_all_labeled_script_domtrans(puppet_t)
- init_domtrans_script(puppet_t)
- init_read_utmp(puppet_t)
-@@ -143,18 +131,31 @@ init_signull_script(puppet_t)
- logging_send_syslog_msg(puppet_t)
- 
- miscfiles_read_hwdata(puppet_t)
+-selinux_set_all_booleans(puppet_t)
+-selinux_set_generic_booleans(puppet_t)
+-selinux_validate_context(puppet_t)
+-
+-term_dontaudit_getattr_unallocated_ttys(puppet_t)
+-term_dontaudit_getattr_all_ttys(puppet_t)
+-
+-init_all_labeled_script_domtrans(puppet_t)
+-init_domtrans_script(puppet_t)
+-init_read_utmp(puppet_t)
+-init_signull_script(puppet_t)
+-
+-logging_send_syslog_msg(puppet_t)
+-
+-miscfiles_read_hwdata(puppet_t)
 -miscfiles_read_localization(puppet_t)
 -
 -mount_domtrans(puppet_t)
- 
- seutil_domtrans_setfiles(puppet_t)
- seutil_domtrans_semanage(puppet_t)
-+seutil_read_file_contexts(puppet_t)
- 
- sysnet_run_ifconfig(puppet_t, system_r)
+-
+-seutil_domtrans_setfiles(puppet_t)
+-seutil_domtrans_semanage(puppet_t)
+-
+-sysnet_run_ifconfig(puppet_t, system_r)
 -sysnet_use_ldap(puppet_t)
-+
-+usermanage_access_check_groupadd(puppet_t)
-+usermanage_access_check_passwd(puppet_t)
-+usermanage_access_check_useradd(puppet_t)
- 
- tunable_policy(`puppet_manage_all_files',`
+-
+-tunable_policy(`puppet_manage_all_files',`
 -	files_manage_non_auth_files(puppet_t)
-+	files_manage_non_security_files(puppet_t)
-+')
++allow puppetagent_t self:capability { fowner fsetid setuid setgid dac_override sys_nice sys_tty_config };
++allow puppetagent_t self:process { signal signull getsched setsched };
++allow puppetagent_t self:fifo_file rw_fifo_file_perms;
++allow puppetagent_t self:netlink_route_socket create_netlink_socket_perms;
++allow puppetagent_t self:tcp_socket create_stream_socket_perms;
++allow puppetagent_t self:udp_socket create_socket_perms;
 +
-+optional_policy(`
-+	tunable_policy(`puppet_use_db',`
-+		mysql_stream_connect(puppet_t)
-+	')
-+')
++read_files_pattern(puppetagent_t, puppet_etc_t, puppet_etc_t)
++
++manage_dirs_pattern(puppetagent_t, puppet_var_lib_t, puppet_var_lib_t)
++manage_files_pattern(puppetagent_t, puppet_var_lib_t, puppet_var_lib_t)
++files_search_var_lib(puppetagent_t)
++
++manage_dirs_pattern(puppetagent_t, puppet_var_run_t, puppet_var_run_t)
++manage_files_pattern(puppetagent_t, puppet_var_run_t, puppet_var_run_t)
++files_pid_filetrans(puppetagent_t, puppet_var_run_t, { file dir })
++
++create_dirs_pattern(puppetagent_t, var_log_t, puppet_log_t)
++create_files_pattern(puppetagent_t, puppet_log_t, puppet_log_t)
++append_files_pattern(puppetagent_t, puppet_log_t, puppet_log_t)
++logging_log_filetrans(puppetagent_t, puppet_log_t, { file dir })
++
++manage_dirs_pattern(puppetagent_t, puppet_tmp_t, puppet_tmp_t)
++manage_files_pattern(puppetagent_t, puppet_tmp_t, puppet_tmp_t)
++files_tmp_filetrans(puppetagent_t, puppet_tmp_t, { file dir })
++
++kernel_dontaudit_search_sysctl(puppetagent_t)
++kernel_dontaudit_search_kernel_sysctl(puppetagent_t)
++kernel_read_system_state(puppetagent_t)
++kernel_read_crypto_sysctls(puppetagent_t)
++kernel_read_kernel_sysctls(puppetagent_t)
++
++corecmd_read_all_executables(puppetagent_t)
++corecmd_dontaudit_access_all_executables(puppetagent_t)
++corecmd_exec_bin(puppetagent_t)
++corecmd_exec_shell(puppetagent_t)
++
++corenet_all_recvfrom_netlabel(puppetagent_t)
++corenet_tcp_sendrecv_generic_if(puppetagent_t)
++corenet_tcp_sendrecv_generic_node(puppetagent_t)
++corenet_tcp_bind_generic_node(puppetagent_t)
++corenet_tcp_connect_puppet_port(puppetagent_t)
++corenet_sendrecv_puppet_client_packets(puppetagent_t)
++
++dev_read_rand(puppetagent_t)
++dev_read_sysfs(puppetagent_t)
++dev_read_urand(puppetagent_t)
++
++domain_read_all_domains_state(puppetagent_t)
++domain_interactive_fd(puppetagent_t)
++domain_named_filetrans(puppetagent_t)
++
++files_manage_config_files(puppetagent_t)
++files_manage_config_dirs(puppetagent_t)
++files_manage_etc_dirs(puppetagent_t)
++files_manage_etc_files(puppetagent_t)
++files_read_usr_symlinks(puppetagent_t)
++files_relabel_config_dirs(puppetagent_t)
++files_relabel_config_files(puppetagent_t)
++
++selinux_set_all_booleans(puppetagent_t)
++selinux_set_generic_booleans(puppetagent_t)
++selinux_validate_context(puppetagent_t)
++
++term_dontaudit_getattr_unallocated_ttys(puppetagent_t)
++term_dontaudit_getattr_all_ttys(puppetagent_t)
++
++auth_use_nsswitch(puppetagent_t)
++
++init_all_labeled_script_domtrans(puppetagent_t)
++init_domtrans_script(puppetagent_t)
++init_read_utmp(puppetagent_t)
++init_signull_script(puppetagent_t)
++
++logging_send_syslog_msg(puppetagent_t)
++
++miscfiles_read_hwdata(puppetagent_t)
++
++seutil_domtrans_setfiles(puppetagent_t)
++seutil_domtrans_semanage(puppetagent_t)
++seutil_read_file_contexts(puppetagent_t)
++
++sysnet_run_ifconfig(puppetagent_t, system_r)
++
++usermanage_access_check_groupadd(puppetagent_t)
++usermanage_access_check_passwd(puppetagent_t)
++usermanage_access_check_useradd(puppetagent_t)
 +
++tunable_policy(`puppetagent_manage_all_files',`
++	files_manage_non_security_files(puppetagent_t)
+ ')
+ 
+ optional_policy(`
+-	cfengine_read_lib_files(puppet_t)
++    mysql_stream_connect(puppetagent_t)
+ ')
+ 
+ optional_policy(`
+-	consoletype_exec(puppet_t)
++    postgresql_stream_connect(puppetagent_t)
+ ')
+ 
+ optional_policy(`
+-	hostname_exec(puppet_t)
++	cfengine_read_lib_files(puppetagent_t)
+ ')
+ 
+ optional_policy(`
+-	mount_domtrans(puppet_t)
++	consoletype_exec(puppetagent_t)
+ ')
+ 
+ optional_policy(`
+-	mta_send_mail(puppet_t)
++	hostname_exec(puppetagent_t)
+ ')
+ 
+ optional_policy(`
+-	portage_domtrans(puppet_t)
+-	portage_domtrans_fetch(puppet_t)
+-	portage_domtrans_gcc_config(puppet_t)
++	mount_domtrans(puppetagent_t)
+ ')
+ 
+ optional_policy(`
+-	files_rw_var_files(puppet_t)
++	mta_send_mail(puppetagent_t)
++')
+ 
+-	rpm_domtrans(puppet_t)
+-	rpm_manage_db(puppet_t)
+-	rpm_manage_log(puppet_t)
 +optional_policy(`
-+	tunable_policy(`puppet_use_db',`
-+		postgresql_stream_connect(puppet_t)
-+	')
++	portage_domtrans(puppetagent_t)
++	portage_domtrans_fetch(puppetagent_t)
++	portage_domtrans_gcc_config(puppetagent_t)
  ')
  
  optional_policy(`
-@@ -196,21 +197,19 @@ optional_policy(`
+-	unconfined_domain(puppet_t)
++	files_rw_var_files(puppetagent_t)
++
++	rpm_domtrans(puppetagent_t)
++	rpm_manage_db(puppetagent_t)
++	rpm_manage_log(puppetagent_t)
  ')
  
  optional_policy(`
 -	usermanage_domtrans_groupadd(puppet_t)
 -	usermanage_domtrans_useradd(puppet_t)
-+	openshift_initrc_domtrans(puppet_t)
++    unconfined_domain_noaudit(puppetagent_t)
  ')
  
-+
  ########################################
  #
 -# Ca local policy
@@ -70008,7 +70105,7 @@ index 618dcfe..ca66457 100644
  
  allow puppetca_t puppet_var_lib_t:dir list_dir_perms;
  manage_files_pattern(puppetca_t, puppet_var_lib_t, puppet_var_lib_t)
-@@ -221,6 +220,7 @@ allow puppetca_t puppet_log_t:dir search_dir_perms;
+@@ -221,6 +222,7 @@ allow puppetca_t puppet_log_t:dir search_dir_perms;
  allow puppetca_t puppet_var_run_t:dir search_dir_perms;
  
  kernel_read_system_state(puppetca_t)
@@ -70016,7 +70113,7 @@ index 618dcfe..ca66457 100644
  kernel_read_kernel_sysctls(puppetca_t)
  
  corecmd_exec_bin(puppetca_t)
-@@ -229,15 +229,12 @@ corecmd_exec_shell(puppetca_t)
+@@ -229,15 +231,12 @@ corecmd_exec_shell(puppetca_t)
  dev_read_urand(puppetca_t)
  dev_search_sysfs(puppetca_t)
  
@@ -70032,107 +70129,148 @@ index 618dcfe..ca66457 100644
  miscfiles_read_generic_certs(puppetca_t)
  
  seutil_read_file_contexts(puppetca_t)
-@@ -246,99 +243,7 @@ optional_policy(`
+@@ -246,38 +245,47 @@ optional_policy(`
  	hostname_exec(puppetca_t)
  ')
  
--########################################
--#
++optional_policy(`
++	mta_sendmail_access_check(puppetca_t)
++')
++
++
+ ########################################
+ #
 -# Master local policy
--#
--
--allow puppetmaster_t self:capability { dac_read_search dac_override setuid setgid fowner chown fsetid sys_tty_config };
--allow puppetmaster_t self:process { signal_perms getsched setsched };
--allow puppetmaster_t self:fifo_file rw_fifo_file_perms;
++# Pupper master personal policy
+ #
+ 
+ allow puppetmaster_t self:capability { dac_read_search dac_override setuid setgid fowner chown fsetid sys_tty_config };
+ allow puppetmaster_t self:process { signal_perms getsched setsched };
+ allow puppetmaster_t self:fifo_file rw_fifo_file_perms;
 -allow puppetmaster_t self:netlink_route_socket nlmsg_write;
--allow puppetmaster_t self:socket create;
++allow puppetmaster_t self:netlink_route_socket create_netlink_socket_perms;
+ allow puppetmaster_t self:socket create;
 -allow puppetmaster_t self:tcp_socket { accept listen };
--
++allow puppetmaster_t self:tcp_socket create_stream_socket_perms;
++allow puppetmaster_t self:udp_socket create_socket_perms;
+ 
 -allow puppetmaster_t puppet_etc_t:dir list_dir_perms;
 -allow puppetmaster_t puppet_etc_t:file read_file_perms;
 -allow puppetmaster_t puppet_etc_t:lnk_file read_lnk_file_perms;
--
++list_dirs_pattern(puppetmaster_t, puppet_etc_t, puppet_etc_t)
++read_files_pattern(puppetmaster_t, puppet_etc_t, puppet_etc_t)
+ 
 -allow puppetmaster_t puppet_log_t:dir setattr_dir_perms;
 -append_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t)
 -create_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t)
 -setattr_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t)
--logging_log_filetrans(puppetmaster_t, puppet_log_t, { file dir })
--
++allow puppetmaster_t puppet_log_t:dir { rw_dir_perms setattr_dir_perms };
++allow puppetmaster_t puppet_log_t:file { rw_file_perms create_file_perms setattr_file_perms };
+ logging_log_filetrans(puppetmaster_t, puppet_log_t, { file dir })
++allow puppetmaster_t puppet_log_t:file relabel_file_perms;
+ 
 -allow puppetmaster_t puppet_var_lib_t:dir { manage_dir_perms relabel_dir_perms };
 -allow puppetmaster_t puppet_var_lib_t:file { manage_file_perms relabel_file_perms };
--
++manage_dirs_pattern(puppetmaster_t, puppet_var_lib_t, puppet_var_lib_t)
++manage_files_pattern(puppetmaster_t, puppet_var_lib_t, puppet_var_lib_t)
++allow puppetmaster_t puppet_var_lib_t:dir relabel_dir_perms;
++allow puppetmaster_t puppet_var_lib_t:file relabel_file_perms;
+ 
 -allow puppetmaster_t puppet_var_run_t:dir { create_dir_perms setattr_dir_perms relabel_dir_perms };
 -allow puppetmaster_t puppet_var_run_t:file manage_file_perms;
--files_pid_filetrans(puppetmaster_t, puppet_var_run_t, { file dir })
--
++setattr_dirs_pattern(puppetmaster_t, puppet_var_run_t, puppet_var_run_t)
++create_dirs_pattern(puppetmaster_t, puppet_var_run_t, puppet_var_run_t)
++manage_files_pattern(puppetmaster_t, puppet_var_run_t, puppet_var_run_t)
+ files_pid_filetrans(puppetmaster_t, puppet_var_run_t, { file dir })
++allow puppetmaster_t puppet_var_run_t:dir relabel_dir_perms;
+ 
 -allow puppetmaster_t puppetmaster_tmp_t:dir { manage_dir_perms relabel_dir_perms };
 -allow puppetmaster_t puppetmaster_tmp_t:file manage_file_perms;
--files_tmp_filetrans(puppetmaster_t, puppetmaster_tmp_t, { file dir })
--
--kernel_dontaudit_search_kernel_sysctl(puppetmaster_t)
--kernel_read_network_state(puppetmaster_t)
--kernel_read_system_state(puppetmaster_t)
--kernel_read_crypto_sysctls(puppetmaster_t)
--kernel_read_kernel_sysctls(puppetmaster_t)
--
--corecmd_exec_bin(puppetmaster_t)
--corecmd_exec_shell(puppetmaster_t)
--
--corenet_all_recvfrom_netlabel(puppetmaster_t)
++manage_dirs_pattern(puppetmaster_t, puppetmaster_tmp_t, puppetmaster_tmp_t)
++manage_files_pattern(puppetmaster_t, puppetmaster_tmp_t, puppetmaster_tmp_t)
+ files_tmp_filetrans(puppetmaster_t, puppetmaster_tmp_t, { file dir })
++allow puppetmaster_t puppet_tmp_t:dir relabel_dir_perms;
+ 
+ kernel_dontaudit_search_kernel_sysctl(puppetmaster_t)
+ kernel_read_network_state(puppetmaster_t)
+@@ -289,23 +297,24 @@ corecmd_exec_bin(puppetmaster_t)
+ corecmd_exec_shell(puppetmaster_t)
+ 
+ corenet_all_recvfrom_netlabel(puppetmaster_t)
 -corenet_all_recvfrom_unlabeled(puppetmaster_t)
--corenet_tcp_sendrecv_generic_if(puppetmaster_t)
--corenet_tcp_sendrecv_generic_node(puppetmaster_t)
--corenet_tcp_bind_generic_node(puppetmaster_t)
+ corenet_tcp_sendrecv_generic_if(puppetmaster_t)
+ corenet_tcp_sendrecv_generic_node(puppetmaster_t)
+ corenet_tcp_bind_generic_node(puppetmaster_t)
 -
 -corenet_sendrecv_puppet_server_packets(puppetmaster_t)
--corenet_tcp_bind_puppet_port(puppetmaster_t)
+ corenet_tcp_bind_puppet_port(puppetmaster_t)
 -corenet_tcp_sendrecv_puppet_port(puppetmaster_t)
--
--dev_read_rand(puppetmaster_t)
--dev_read_urand(puppetmaster_t)
--dev_search_sysfs(puppetmaster_t)
--
++corenet_sendrecv_puppet_server_packets(puppetmaster_t)
++corenet_tcp_connect_ntop_port(puppetmaster_t)
++
++# This needs investigation. Puppermasterd is confirmed to bind udp sockets to random high ports.
++corenet_udp_bind_generic_node(puppetmaster_t)
++corenet_udp_bind_generic_port(puppetmaster_t)
+ 
+ dev_read_rand(puppetmaster_t)
+ dev_read_urand(puppetmaster_t)
+ dev_search_sysfs(puppetmaster_t)
+ 
 -domain_obj_id_change_exemption(puppetmaster_t)
--domain_read_all_domains_state(puppetmaster_t)
--
+ domain_read_all_domains_state(puppetmaster_t)
++domain_obj_id_change_exemption(puppetmaster_t)
+ 
 -files_read_usr_files(puppetmaster_t)
--
--selinux_validate_context(puppetmaster_t)
--
--auth_use_nsswitch(puppetmaster_t)
--
--logging_send_syslog_msg(puppetmaster_t)
--
--miscfiles_read_generic_certs(puppetmaster_t)
+ 
+ selinux_validate_context(puppetmaster_t)
+ 
+@@ -314,26 +323,31 @@ auth_use_nsswitch(puppetmaster_t)
+ logging_send_syslog_msg(puppetmaster_t)
+ 
+ miscfiles_read_generic_certs(puppetmaster_t)
 -miscfiles_read_localization(puppetmaster_t)
--
--seutil_read_file_contexts(puppetmaster_t)
--
--sysnet_run_ifconfig(puppetmaster_t, system_r)
--
--optional_policy(`
+ 
+ seutil_read_file_contexts(puppetmaster_t)
+ 
+ sysnet_run_ifconfig(puppetmaster_t, system_r)
+ 
++mta_send_mail(puppetmaster_t)
++
+ optional_policy(`
 -	hostname_exec(puppetmaster_t)
--')
--
++	tunable_policy(`puppetmaster_use_db',`
++		mysql_stream_connect(puppetmaster_t)
++	')
+ ')
+ 
  optional_policy(`
 -	mta_send_mail(puppetmaster_t)
-+	mta_sendmail_access_check(puppetca_t)
++	tunable_policy(`puppetmaster_use_db',`
++		postgresql_stream_connect(puppetmaster_t)
++	')
  ')
  
--optional_policy(`
+ optional_policy(`
 -	mysql_stream_connect(puppetmaster_t)
--')
--
--optional_policy(`
++	systemd_dbus_chat_timedated(puppetmaster_t)
+ ')
+ 
+ optional_policy(`
 -	postgresql_stream_connect(puppetmaster_t)
--')
--
--optional_policy(`
--	files_read_usr_symlinks(puppetmaster_t)
--
--	rpm_exec(puppetmaster_t)
--	rpm_read_db(puppetmaster_t)
--')
++	hostname_exec(puppetmaster_t)
+ ')
+ 
+ optional_policy(`
+@@ -342,3 +356,9 @@ optional_policy(`
+ 	rpm_exec(puppetmaster_t)
+ 	rpm_read_db(puppetmaster_t)
+ ')
++
++optional_policy(`
++	usermanage_access_check_groupadd(puppetmaster_t)
++	usermanage_access_check_passwd(puppetmaster_t)
++	usermanage_access_check_useradd(puppetmaster_t)
++')
 diff --git a/pwauth.fc b/pwauth.fc
 index 7e7b444..e2f8687 100644
 --- a/pwauth.fc
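Review bot: The new `corenet_udp_bind_generic_node`/`corenet_udp_bind_generic_port(puppetmaster_t)` pair is the broadest UDP bind grant in the file and its own comment says the need is unresolved (`This needs investigation`); a network-facing server should not ship with an open-ended bind on every unlabeled UDP port on a hunch. Either narrow it to the port class the master is actually observed to use, or replace it with a dontaudit until investigated so the denials still surface, and fix the comment typos while there (`Puppermasterd`, and the section header `Pupper master personal policy` should read `Puppet master local policy` like the other sections). Also, `mta_send_mail(puppetmaster_t)` is now called unconditionally while every other cross-module interface in this hunk is wrapped in an `optional_policy` block, so it should be wrapped the same way for consistency; and `allow puppetmaster_t puppet_tmp_t:dir relabel_dir_perms;` grants the master relabel over the agent's tmp type rather than `puppetmaster_tmp_t`, which looks like a slip but may be deliberate.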
diff --git a/selinux-policy.spec b/selinux-policy.spec
index c046312..0872a60 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 44%{?dist}
+Release: 45%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -588,6 +588,9 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Tue Apr 8 2014 Miroslav Grepl<mgrepl at redhat.com> 3.13.1-45
+Rename puppet_t to puppetagent_t and used it only for puppet agent which can be started by init. Also make it as unconfined_noaudit because there is no reason to confine it but we wantto avoid init_t.
+
 * Tue Apr 8 2014 Miroslav Grepl<mgrepl at redhat.com> 3.13.1-44
 - Change hsperfdata_root to have as user_tmp_t
 - Allow rsyslog low-level network access

