* Tue Apr 8 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-45

Rename puppet_t to puppetagent_
2014-04-08 11:35:12 +02:00 · 2014-04-08 11:35:12 +02:00 · 1aabaf6c8d
commit 1aabaf6c8d
parent 2e9a8db577
3 changed files with 388 additions and 247 deletions
--- a/booleans.subs_dist
+++ b/booleans.subs_dist
@ -50,4 +50,4 @@ sepgsql_unconfined_dbadm postgresql_selinux_unconfined_dbadm
 clamd_use_jit antivirus_use_jit
 amavis_use_jit antivirus_use_jit
 logwatch_can_sendmail logwatch_can_network_connect_mail
-puppetmaster_use_db puppet_use_db
+puppet_manage_all_files puppetagent_manage_all_files
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@ -59572,7 +59572,7 @@ index bf59ef7..0ec51d4 100644
 +	manage_dirs_pattern($1, passenger_tmp_t, passenger_tmp_t)
 ')
 diff --git a/passenger.te b/passenger.te
-index 08ec33b..12f6357 100644
+index 08ec33b..24ce7e8 100644
 --- a/passenger.te
 +++ b/passenger.te
@@ -14,6 +14,9 @@ role system_r types passenger_t;
@ -59664,7 +59664,7 @@ index 08ec33b..12f6357 100644
 +')
 +
 +optional_policy(`
-+	puppet_domtrans(passenger_t)
+	puppet_domtrans_master(passenger_t)
 +	puppet_manage_lib(passenger_t)
 	puppet_read_config(passenger_t)
 -	puppet_append_log_files(passenger_t)
@ -69391,29 +69391,37 @@ index 6643b49..1d2470f 100644
 optional_policy(`
 diff --git a/puppet.fc b/puppet.fc
-index d68e26d..94b9e8e 100644
+index d68e26d..f734388 100644
 --- a/puppet.fc
 +++ b/puppet.fc
-@@ -1,18 +1,10 @@
+@@ -1,18 +1,20 @@
 -/etc/puppet(/.*)?	gen_context(system_u:object_r:puppet_etc_t,s0)
 +/etc/puppet(/.*)?			        gen_context(system_u:object_r:puppet_etc_t,s0)
 -/etc/rc\.d/init\.d/puppet	--	gen_context(system_u:object_r:puppet_initrc_exec_t,s0)
 -/etc/rc\.d/init\.d/puppetmaster	--	gen_context(system_u:object_r:puppetmaster_initrc_exec_t,s0)
-+/usr/lib/systemd/system/puppetmaster.*      --      gen_context(system_u:object_r:puppet_unit_file_t,s0)
+/etc/rc\.d/init\.d/puppet	    --	gen_context(system_u:object_r:puppetagent_initrc_exec_t,s0)
 +/etc/rc\.d/init\.d/puppetmaster --	gen_context(system_u:object_r:puppetmaster_initrc_exec_t,s0)
 -/usr/bin/puppetca	--	gen_context(system_u:object_r:puppetca_exec_t,s0)
 -/usr/bin/puppetd	--	gen_context(system_u:object_r:puppet_exec_t,s0)
 -/usr/bin/puppetmasterd	--	gen_context(system_u:object_r:puppetmaster_exec_t,s0)
-+/usr/bin/puppetca	            --	gen_context(system_u:object_r:puppetca_exec_t,s0)
+#helper scripts
-+/usr/bin/start-puppet-master    --      gen_context(system_u:object_r:puppet_exec_t,s0)
+/usr/bin/puppet-agent       --  gen_context(system_u:object_r:puppetagent_exec_t,s0)
 +/usr/bin/puppet-master      --  gen_context(system_u:object_r:puppetmaster_exec_t,s0)
 -/usr/sbin/puppetca	--	gen_context(system_u:object_r:puppetca_exec_t,s0)
 -/usr/sbin/puppetd	--	gen_context(system_u:object_r:puppet_exec_t,s0)
 -/usr/sbin/puppetmasterd	--	gen_context(system_u:object_r:puppetmaster_exec_t,s0)
-
+/usr/bin/puppetca	        --	gen_context(system_u:object_r:puppetca_exec_t,s0)
 +/usr/bin/puppetd	        --	gen_context(system_u:object_r:puppetagent_exec_t,s0)
 +/usr/bin/puppetmasterd	    --	gen_context(system_u:object_r:puppetmaster_exec_t,s0)
 -/var/lib/puppet(/.*)?	gen_context(system_u:object_r:puppet_var_lib_t,s0)
-
+/usr/sbin/puppetca	        --	gen_context(system_u:object_r:puppetca_exec_t,s0)
 +/usr/sbin/puppetd	        --	gen_context(system_u:object_r:puppetagent_exec_t,s0)
 +/usr/sbin/puppetmasterd	    --	gen_context(system_u:object_r:puppetmaster_exec_t,s0)
 -/var/log/puppet(/.*)?	gen_context(system_u:object_r:puppet_log_t,s0)
 -
 -/var/run/puppet(/.*)?	gen_context(system_u:object_r:puppet_var_run_t,s0)
@ -69421,10 +69429,10 @@ index d68e26d..94b9e8e 100644
 +/var/log/puppet(/.*)?			gen_context(system_u:object_r:puppet_log_t,s0)
 +/var/run/puppet(/.*)?			gen_context(system_u:object_r:puppet_var_run_t,s0)
 diff --git a/puppet.if b/puppet.if
-index 7cb8b1f..6357588 100644
+index 7cb8b1f..9422c90 100644
 --- a/puppet.if
 +++ b/puppet.if
-@@ -1,4 +1,50 @@
+@@ -1,4 +1,32 @@
 -## <summary>Configuration management system.</summary>
 +## <summary>Puppet client daemon</summary>
 +## <desc>
@ -69436,7 +69444,7 @@ index 7cb8b1f..6357588 100644
 +##	</p>
 +## </desc>
 +
-+#######################################
+########################################
 +## <summary>
 +##	Execute puppet_master in the puppet_master
 +##	domain.
@ -69451,32 +69459,14 @@ index 7cb8b1f..6357588 100644
 +	gen_require(`
 +		type puppetmaster_t, puppetmaster_exec_t;
 +	')
 +        refpolicywarn(`$0($*) has been deprecated.')
 +')
 +
 +########################################
 +## <summary>
 +##    Execute puppet in the puppet
 +##    domain.
 +## </summary>
 +## <param name="domain">
 +## <summary>
 +##    Domain allowed to transition.
 +## </summary>
 +## </param>
 +#
 +interface(`puppet_domtrans',`
 +    gen_require(`
 +        type puppet_t, puppet_exec_t;
 +    ')
 +
 +	corecmd_search_bin($1)
-+     domtrans_pattern($1, puppet_exec_t, puppet_t)
+	domtrans_pattern($1, puppetmaster_exec_t, puppetmaster_t)
 +')
 ########################################
 ## <summary>
-@@ -40,16 +86,19 @@ interface(`puppet_domtrans_puppetca',`
+@@ -40,16 +68,19 @@ interface(`puppet_domtrans_puppetca',`
 #
 interface(`puppet_run_puppetca',`
 	gen_require(`
@ -69500,7 +69490,7 @@ index 7cb8b1f..6357588 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -57,15 +106,13 @@ interface(`puppet_run_puppetca',`
+@@ -57,15 +88,13 @@ interface(`puppet_run_puppetca',`
 ##	</summary>
 ## </param>
 #
@ -69520,7 +69510,7 @@ index 7cb8b1f..6357588 100644
 ')
 ################################################
-@@ -78,158 +125,164 @@ interface(`puppet_read_config',`
+@@ -78,158 +107,164 @@ interface(`puppet_read_config',`
 ##	</summary>
 ## </param>
 #
@ -69694,15 +69684,15 @@ index 7cb8b1f..6357588 100644
 -##	<summary>
 -##	Domain allowed access.
 -##	</summary>
 -## </param>
 -## <param name="role">
 -##	<summary>
 -##	Role allowed access.
 -##	</summary>
 +##  <summary>
 +##  Domain allowed access.
 +##  </summary>
 ## </param>
 -## <param name="role">
 -##	<summary>
 -##	Role allowed access.
 -##	</summary>
 -## </param>
 -## <rolecap/>
 #
 -interface(`puppet_admin',`
@ -69712,14 +69702,14 @@ index 7cb8b1f..6357588 100644
 -		type puppet_var_run_t, puppetmaster_tmp_t;
 -		type puppet_t, puppetca_t, puppetmaster_t;
 -	')
 -
 -	allow $1 { puppet_t puppetca_t puppetmaster_t }:process { ptrace signal_perms };
 -	ps_process_pattern($1, { puppet_t puppetca_t puppetmaster_t })
 +interface(`puppet_manage_log',`
 +    gen_require(`
 +        type puppet_log_t;
 +    ')
 -	allow $1 { puppet_t puppetca_t puppetmaster_t }:process { ptrace signal_perms };
 -	ps_process_pattern($1, { puppet_t puppetca_t puppetmaster_t })
 -
 -	init_labeled_script_domtrans($1, { puppet_initrc_exec_t puppetmaster_initrc_exec_t })
 -	domain_system_change_exemption($1)
 -	role_transition $2 { puppet_initrc_exec_t puppetmaster_initrc_exec_t } system_r;
@ -69780,10 +69770,10 @@ index 7cb8b1f..6357588 100644
 +    allow $1 puppet_var_run_t:dir search_dir_perms;
 ')
 diff --git a/puppet.te b/puppet.te
-index 618dcfe..ca66457 100644
+index 618dcfe..0903e67 100644
 --- a/puppet.te
 +++ b/puppet.te
-@@ -6,25 +6,31 @@ policy_module(puppet, 1.4.0)
+@@ -6,25 +6,32 @@ policy_module(puppet, 1.4.0)
 #
 ## <desc>
@ -69796,7 +69786,8 @@ index 618dcfe..ca66457 100644
 +## types.
 +## </p>
 ## </desc>
- gen_tunable(puppet_manage_all_files, false)
+-gen_tunable(puppet_manage_all_files, false)
 +gen_tunable(puppetagent_manage_all_files, false)
 -attribute_role puppetca_roles;
 -roleattribute system_r puppetca_roles;
@ -69805,25 +69796,29 @@ index 618dcfe..ca66457 100644
 +## Allow Puppet master to use connect to MySQL and PostgreSQL database
 +## </p>
 +## </desc>
-+gen_tunable(puppet_use_db, false)
+gen_tunable(puppetmaster_use_db, false)
- type puppet_t;
+-type puppet_t;
- type puppet_exec_t;
+-type puppet_exec_t;
- init_daemon_domain(puppet_t, puppet_exec_t)
+-init_daemon_domain(puppet_t, puppet_exec_t)
 +type puppetagent_t;
 +type puppetagent_exec_t;
 +typealias puppetagent_exec_t alias puppet_exec_t;
 +typealias puppetagent_t alias puppet_t;
 +init_daemon_domain(puppetagent_t, puppetagent_exec_t)
 +typealias puppet_t alias puppetmaster_t;
 +
 type puppet_etc_t;
 files_config_file(puppet_etc_t)
 -type puppet_initrc_exec_t;
 -init_script_file(puppet_initrc_exec_t)
-+type puppet_unit_file_t;
+type puppetagent_initrc_exec_t;
-+systemd_unit_file(puppet_unit_file_t)
+typealias puppetagent_initrc_exec_t alias puppet_initrc_exec_t;
 +init_script_file(puppetagent_initrc_exec_t)
 type puppet_log_t;
 logging_log_file(puppet_log_t)
-@@ -37,52 +43,37 @@ files_type(puppet_var_lib_t)
+@@ -37,12 +44,11 @@ files_type(puppet_var_lib_t)
 type puppet_var_run_t;
 files_pid_file(puppet_var_run_t)
@ -69833,18 +69828,12 @@ index 618dcfe..ca66457 100644
 type puppetca_exec_t;
 application_domain(puppetca_t, puppetca_exec_t)
 -role puppetca_roles types puppetca_t;
 -
 -type puppetmaster_t;
 -type puppetmaster_exec_t;
 -init_daemon_domain(puppetmaster_t, puppetmaster_exec_t)
 -
 -type puppetmaster_initrc_exec_t;
 -init_script_file(puppetmaster_initrc_exec_t)
 -
 -type puppetmaster_tmp_t;
 -files_tmp_file(puppetmaster_tmp_t)
 +role system_r types puppetca_t;
 type puppetmaster_t;
 type puppetmaster_exec_t;
@@ -56,161 +62,156 @@ files_tmp_file(puppetmaster_tmp_t)
 ########################################
 #
 -# Local policy
@ -69852,146 +69841,254 @@ index 618dcfe..ca66457 100644
 #
 -allow puppet_t self:capability { chown fowner fsetid setuid setgid dac_override sys_admin sys_nice sys_tty_config };
-+allow puppet_t self:capability { fowner fsetid setuid setgid dac_override sys_nice sys_tty_config };
+-allow puppet_t self:process { signal signull getsched setsched };
- allow puppet_t self:process { signal signull getsched setsched };
+-allow puppet_t self:fifo_file rw_fifo_file_perms;
- allow puppet_t self:fifo_file rw_fifo_file_perms;
+-allow puppet_t self:netlink_route_socket create_netlink_socket_perms;
 allow puppet_t self:netlink_route_socket create_netlink_socket_perms;
 -allow puppet_t self:tcp_socket { accept listen };
-+allow puppet_t self:tcp_socket create_stream_socket_perms;
+-allow puppet_t self:udp_socket create_socket_perms;
- allow puppet_t self:udp_socket create_socket_perms;
+-
 -allow puppet_t puppet_etc_t:dir list_dir_perms;
 -allow puppet_t puppet_etc_t:file read_file_perms;
 -allow puppet_t puppet_etc_t:lnk_file read_lnk_file_perms;
-+read_files_pattern(puppet_t, puppet_etc_t, puppet_etc_t)
+-
- 
+-manage_dirs_pattern(puppet_t, puppet_var_lib_t, puppet_var_lib_t)
- manage_dirs_pattern(puppet_t, puppet_var_lib_t, puppet_var_lib_t)
+-manage_files_pattern(puppet_t, puppet_var_lib_t, puppet_var_lib_t)
 manage_files_pattern(puppet_t, puppet_var_lib_t, puppet_var_lib_t)
 -can_exec(puppet_t, puppet_var_lib_t)
-+files_search_var_lib(puppet_t)
+-
 -setattr_dirs_pattern(puppet_t, puppet_var_run_t, puppet_var_run_t)
-+manage_dirs_pattern(puppet_t, puppet_var_run_t, puppet_var_run_t)
+-manage_files_pattern(puppet_t, puppet_var_run_t, puppet_var_run_t)
- manage_files_pattern(puppet_t, puppet_var_run_t, puppet_var_run_t)
+-files_pid_filetrans(puppet_t, puppet_var_run_t, { file dir })
- files_pid_filetrans(puppet_t, puppet_var_run_t, { file dir })
+-
 -allow puppet_t puppet_log_t:dir { create_dir_perms setattr_dir_perms };
 -append_files_pattern(puppet_t, puppet_log_t, puppet_log_t)
-+create_dirs_pattern(puppet_t, var_log_t, puppet_log_t)
+-create_files_pattern(puppet_t, puppet_log_t, puppet_log_t)
 create_files_pattern(puppet_t, puppet_log_t, puppet_log_t)
 -read_files_pattern(puppet_t, puppet_log_t, puppet_log_t)
 -setattr_files_pattern(puppet_t, puppet_log_t, puppet_log_t)
-+append_files_pattern(puppet_t, puppet_log_t, puppet_log_t)
+-logging_log_filetrans(puppet_t, puppet_log_t, { file dir })
- logging_log_filetrans(puppet_t, puppet_log_t, { file dir })
+-
- 
+-manage_dirs_pattern(puppet_t, puppet_tmp_t, puppet_tmp_t)
- manage_dirs_pattern(puppet_t, puppet_tmp_t, puppet_tmp_t)
+-manage_files_pattern(puppet_t, puppet_tmp_t, puppet_tmp_t)
-@@ -91,43 +82,38 @@ files_tmp_filetrans(puppet_t, puppet_tmp_t, { file dir })
+-files_tmp_filetrans(puppet_t, puppet_tmp_t, { file dir })
- 
+-
- kernel_dontaudit_search_sysctl(puppet_t)
+-kernel_dontaudit_search_sysctl(puppet_t)
- kernel_dontaudit_search_kernel_sysctl(puppet_t)
+-kernel_dontaudit_search_kernel_sysctl(puppet_t)
-+kernel_read_system_state(puppet_t)
+-kernel_read_crypto_sysctls(puppet_t)
- kernel_read_crypto_sysctls(puppet_t)
+-kernel_read_kernel_sysctls(puppet_t)
 kernel_read_kernel_sysctls(puppet_t)
 -kernel_read_net_sysctls(puppet_t)
 -kernel_read_network_state(puppet_t)
- 
+-
-+corecmd_read_all_executables(puppet_t)
+-corecmd_exec_bin(puppet_t)
-+corecmd_dontaudit_access_all_executables(puppet_t)
+-corecmd_exec_shell(puppet_t)
 corecmd_exec_bin(puppet_t)
 corecmd_exec_shell(puppet_t)
 -corecmd_read_all_executables(puppet_t)
- 
+-
- corenet_all_recvfrom_netlabel(puppet_t)
+-corenet_all_recvfrom_netlabel(puppet_t)
 -corenet_all_recvfrom_unlabeled(puppet_t)
- corenet_tcp_sendrecv_generic_if(puppet_t)
+-corenet_tcp_sendrecv_generic_if(puppet_t)
- corenet_tcp_sendrecv_generic_node(puppet_t)
+-corenet_tcp_sendrecv_generic_node(puppet_t)
 -
 -corenet_sendrecv_puppet_client_packets(puppet_t)
-+corenet_tcp_bind_generic_node(puppet_t)
+-corenet_tcp_connect_puppet_port(puppet_t)
 corenet_tcp_connect_puppet_port(puppet_t)
 -corenet_tcp_sendrecv_puppet_port(puppet_t)
-+corenet_sendrecv_puppet_client_packets(puppet_t)
+-
- 
+-dev_read_rand(puppet_t)
- dev_read_rand(puppet_t)
+-dev_read_sysfs(puppet_t)
- dev_read_sysfs(puppet_t)
+-dev_read_urand(puppet_t)
- dev_read_urand(puppet_t)
+-
 -domain_interactive_fd(puppet_t)
- domain_read_all_domains_state(puppet_t)
+-domain_read_all_domains_state(puppet_t)
-+domain_interactive_fd(puppet_t)
+-
-+domain_named_filetrans(puppet_t)
+-files_manage_config_files(puppet_t)
- 
+-files_manage_config_dirs(puppet_t)
- files_manage_config_files(puppet_t)
+-files_manage_etc_dirs(puppet_t)
- files_manage_config_dirs(puppet_t)
+-files_manage_etc_files(puppet_t)
 files_manage_etc_dirs(puppet_t)
 files_manage_etc_files(puppet_t)
 -files_read_usr_files(puppet_t)
- files_read_usr_symlinks(puppet_t)
+-files_read_usr_symlinks(puppet_t)
- files_relabel_config_dirs(puppet_t)
+-files_relabel_config_dirs(puppet_t)
- files_relabel_config_files(puppet_t)
+-files_relabel_config_files(puppet_t)
 -files_search_var_lib(puppet_t)
- 
+-
 -selinux_get_fs_mount(puppet_t)
 -selinux_search_fs(puppet_t)
- selinux_set_all_booleans(puppet_t)
+-selinux_set_all_booleans(puppet_t)
- selinux_set_generic_booleans(puppet_t)
+-selinux_set_generic_booleans(puppet_t)
- selinux_validate_context(puppet_t)
+-selinux_validate_context(puppet_t)
-@@ -135,6 +121,8 @@ selinux_validate_context(puppet_t)
+-
- term_dontaudit_getattr_unallocated_ttys(puppet_t)
+-term_dontaudit_getattr_unallocated_ttys(puppet_t)
- term_dontaudit_getattr_all_ttys(puppet_t)
+-term_dontaudit_getattr_all_ttys(puppet_t)
- 
+-
-+auth_use_nsswitch(puppet_t)
+-init_all_labeled_script_domtrans(puppet_t)
-+
+-init_domtrans_script(puppet_t)
- init_all_labeled_script_domtrans(puppet_t)
+-init_read_utmp(puppet_t)
- init_domtrans_script(puppet_t)
+-init_signull_script(puppet_t)
- init_read_utmp(puppet_t)
+-
-@@ -143,18 +131,31 @@ init_signull_script(puppet_t)
+-logging_send_syslog_msg(puppet_t)
- logging_send_syslog_msg(puppet_t)
+-
- 
+-miscfiles_read_hwdata(puppet_t)
 miscfiles_read_hwdata(puppet_t)
 -miscfiles_read_localization(puppet_t)
 -
 -mount_domtrans(puppet_t)
- 
+-
- seutil_domtrans_setfiles(puppet_t)
+-seutil_domtrans_setfiles(puppet_t)
- seutil_domtrans_semanage(puppet_t)
+-seutil_domtrans_semanage(puppet_t)
-+seutil_read_file_contexts(puppet_t)
+-
- 
+-sysnet_run_ifconfig(puppet_t, system_r)
 sysnet_run_ifconfig(puppet_t, system_r)
 -sysnet_use_ldap(puppet_t)
-+
+-
-+usermanage_access_check_groupadd(puppet_t)
+-tunable_policy(`puppet_manage_all_files',`
 +usermanage_access_check_passwd(puppet_t)
 +usermanage_access_check_useradd(puppet_t)
 tunable_policy(`puppet_manage_all_files',`
 -	files_manage_non_auth_files(puppet_t)
-+	files_manage_non_security_files(puppet_t)
+allow puppetagent_t self:capability { fowner fsetid setuid setgid dac_override sys_nice sys_tty_config };
-+')
+allow puppetagent_t self:process { signal signull getsched setsched };
 +allow puppetagent_t self:fifo_file rw_fifo_file_perms;
 +allow puppetagent_t self:netlink_route_socket create_netlink_socket_perms;
 +allow puppetagent_t self:tcp_socket create_stream_socket_perms;
 +allow puppetagent_t self:udp_socket create_socket_perms;
 +
-+optional_policy(`
+read_files_pattern(puppetagent_t, puppet_etc_t, puppet_etc_t)
 +	tunable_policy(`puppet_use_db',`
 +		mysql_stream_connect(puppet_t)
 +	')
 +')
 +
-+optional_policy(`
+manage_dirs_pattern(puppetagent_t, puppet_var_lib_t, puppet_var_lib_t)
-+	tunable_policy(`puppet_use_db',`
+manage_files_pattern(puppetagent_t, puppet_var_lib_t, puppet_var_lib_t)
-+		postgresql_stream_connect(puppet_t)
+files_search_var_lib(puppetagent_t)
-+	')
+
 +manage_dirs_pattern(puppetagent_t, puppet_var_run_t, puppet_var_run_t)
 +manage_files_pattern(puppetagent_t, puppet_var_run_t, puppet_var_run_t)
 +files_pid_filetrans(puppetagent_t, puppet_var_run_t, { file dir })
 +
 +create_dirs_pattern(puppetagent_t, var_log_t, puppet_log_t)
 +create_files_pattern(puppetagent_t, puppet_log_t, puppet_log_t)
 +append_files_pattern(puppetagent_t, puppet_log_t, puppet_log_t)
 +logging_log_filetrans(puppetagent_t, puppet_log_t, { file dir })
 +
 +manage_dirs_pattern(puppetagent_t, puppet_tmp_t, puppet_tmp_t)
 +manage_files_pattern(puppetagent_t, puppet_tmp_t, puppet_tmp_t)
 +files_tmp_filetrans(puppetagent_t, puppet_tmp_t, { file dir })
 +
 +kernel_dontaudit_search_sysctl(puppetagent_t)
 +kernel_dontaudit_search_kernel_sysctl(puppetagent_t)
 +kernel_read_system_state(puppetagent_t)
 +kernel_read_crypto_sysctls(puppetagent_t)
 +kernel_read_kernel_sysctls(puppetagent_t)
 +
 +corecmd_read_all_executables(puppetagent_t)
 +corecmd_dontaudit_access_all_executables(puppetagent_t)
 +corecmd_exec_bin(puppetagent_t)
 +corecmd_exec_shell(puppetagent_t)
 +
 +corenet_all_recvfrom_netlabel(puppetagent_t)
 +corenet_tcp_sendrecv_generic_if(puppetagent_t)
 +corenet_tcp_sendrecv_generic_node(puppetagent_t)
 +corenet_tcp_bind_generic_node(puppetagent_t)
 +corenet_tcp_connect_puppet_port(puppetagent_t)
 +corenet_sendrecv_puppet_client_packets(puppetagent_t)
 +
 +dev_read_rand(puppetagent_t)
 +dev_read_sysfs(puppetagent_t)
 +dev_read_urand(puppetagent_t)
 +
 +domain_read_all_domains_state(puppetagent_t)
 +domain_interactive_fd(puppetagent_t)
 +domain_named_filetrans(puppetagent_t)
 +
 +files_manage_config_files(puppetagent_t)
 +files_manage_config_dirs(puppetagent_t)
 +files_manage_etc_dirs(puppetagent_t)
 +files_manage_etc_files(puppetagent_t)
 +files_read_usr_symlinks(puppetagent_t)
 +files_relabel_config_dirs(puppetagent_t)
 +files_relabel_config_files(puppetagent_t)
 +
 +selinux_set_all_booleans(puppetagent_t)
 +selinux_set_generic_booleans(puppetagent_t)
 +selinux_validate_context(puppetagent_t)
 +
 +term_dontaudit_getattr_unallocated_ttys(puppetagent_t)
 +term_dontaudit_getattr_all_ttys(puppetagent_t)
 +
 +auth_use_nsswitch(puppetagent_t)
 +
 +init_all_labeled_script_domtrans(puppetagent_t)
 +init_domtrans_script(puppetagent_t)
 +init_read_utmp(puppetagent_t)
 +init_signull_script(puppetagent_t)
 +
 +logging_send_syslog_msg(puppetagent_t)
 +
 +miscfiles_read_hwdata(puppetagent_t)
 +
 +seutil_domtrans_setfiles(puppetagent_t)
 +seutil_domtrans_semanage(puppetagent_t)
 +seutil_read_file_contexts(puppetagent_t)
 +
 +sysnet_run_ifconfig(puppetagent_t, system_r)
 +
 +usermanage_access_check_groupadd(puppetagent_t)
 +usermanage_access_check_passwd(puppetagent_t)
 +usermanage_access_check_useradd(puppetagent_t)
 +
 +tunable_policy(`puppetagent_manage_all_files',`
 +	files_manage_non_security_files(puppetagent_t)
 ')
 optional_policy(`
-@@ -196,21 +197,19 @@ optional_policy(`
+-	cfengine_read_lib_files(puppet_t)
 +    mysql_stream_connect(puppetagent_t)
 ')
 optional_policy(`
 -	consoletype_exec(puppet_t)
 +    postgresql_stream_connect(puppetagent_t)
 ')
 optional_policy(`
 -	hostname_exec(puppet_t)
 +	cfengine_read_lib_files(puppetagent_t)
 ')
 optional_policy(`
 -	mount_domtrans(puppet_t)
 +	consoletype_exec(puppetagent_t)
 ')
 optional_policy(`
 -	mta_send_mail(puppet_t)
 +	hostname_exec(puppetagent_t)
 ')
 optional_policy(`
 -	portage_domtrans(puppet_t)
 -	portage_domtrans_fetch(puppet_t)
 -	portage_domtrans_gcc_config(puppet_t)
 +	mount_domtrans(puppetagent_t)
 ')
 optional_policy(`
 -	files_rw_var_files(puppet_t)
 +	mta_send_mail(puppetagent_t)
 +')
 -	rpm_domtrans(puppet_t)
 -	rpm_manage_db(puppet_t)
 -	rpm_manage_log(puppet_t)
 +optional_policy(`
 +	portage_domtrans(puppetagent_t)
 +	portage_domtrans_fetch(puppetagent_t)
 +	portage_domtrans_gcc_config(puppetagent_t)
 ')
 optional_policy(`
 -	unconfined_domain(puppet_t)
 +	files_rw_var_files(puppetagent_t)
 +
 +	rpm_domtrans(puppetagent_t)
 +	rpm_manage_db(puppetagent_t)
 +	rpm_manage_log(puppetagent_t)
 ')
 optional_policy(`
 -	usermanage_domtrans_groupadd(puppet_t)
 -	usermanage_domtrans_useradd(puppet_t)
-+	openshift_initrc_domtrans(puppet_t)
+    unconfined_domain_noaudit(puppetagent_t)
 ')
 +
 ########################################
 #
 -# Ca local policy
@ -70008,7 +70105,7 @@ index 618dcfe..ca66457 100644
 allow puppetca_t puppet_var_lib_t:dir list_dir_perms;
 manage_files_pattern(puppetca_t, puppet_var_lib_t, puppet_var_lib_t)
-@@ -221,6 +220,7 @@ allow puppetca_t puppet_log_t:dir search_dir_perms;
+@@ -221,6 +222,7 @@ allow puppetca_t puppet_log_t:dir search_dir_perms;
 allow puppetca_t puppet_var_run_t:dir search_dir_perms;
 kernel_read_system_state(puppetca_t)
@ -70016,7 +70113,7 @@ index 618dcfe..ca66457 100644
 kernel_read_kernel_sysctls(puppetca_t)
 corecmd_exec_bin(puppetca_t)
-@@ -229,15 +229,12 @@ corecmd_exec_shell(puppetca_t)
+@@ -229,15 +231,12 @@ corecmd_exec_shell(puppetca_t)
 dev_read_urand(puppetca_t)
 dev_search_sysfs(puppetca_t)
@ -70032,107 +70129,148 @@ index 618dcfe..ca66457 100644
 miscfiles_read_generic_certs(puppetca_t)
 seutil_read_file_contexts(puppetca_t)
-@@ -246,99 +243,7 @@ optional_policy(`
+@@ -246,38 +245,47 @@ optional_policy(`
 	hostname_exec(puppetca_t)
 ')
-########################################
+optional_policy(`
-#
+	mta_sendmail_access_check(puppetca_t)
 +')
 +
 +
 ########################################
 #
 -# Master local policy
-#
+# Pupper master personal policy
-
+ #
-allow puppetmaster_t self:capability { dac_read_search dac_override setuid setgid fowner chown fsetid sys_tty_config };
+ 
-allow puppetmaster_t self:process { signal_perms getsched setsched };
+ allow puppetmaster_t self:capability { dac_read_search dac_override setuid setgid fowner chown fsetid sys_tty_config };
-allow puppetmaster_t self:fifo_file rw_fifo_file_perms;
+ allow puppetmaster_t self:process { signal_perms getsched setsched };
 allow puppetmaster_t self:fifo_file rw_fifo_file_perms;
 -allow puppetmaster_t self:netlink_route_socket nlmsg_write;
-allow puppetmaster_t self:socket create;
+allow puppetmaster_t self:netlink_route_socket create_netlink_socket_perms;
 allow puppetmaster_t self:socket create;
 -allow puppetmaster_t self:tcp_socket { accept listen };
-
+allow puppetmaster_t self:tcp_socket create_stream_socket_perms;
 +allow puppetmaster_t self:udp_socket create_socket_perms;
 -allow puppetmaster_t puppet_etc_t:dir list_dir_perms;
 -allow puppetmaster_t puppet_etc_t:file read_file_perms;
 -allow puppetmaster_t puppet_etc_t:lnk_file read_lnk_file_perms;
-
+list_dirs_pattern(puppetmaster_t, puppet_etc_t, puppet_etc_t)
 +read_files_pattern(puppetmaster_t, puppet_etc_t, puppet_etc_t)
 -allow puppetmaster_t puppet_log_t:dir setattr_dir_perms;
 -append_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t)
 -create_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t)
 -setattr_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t)
-logging_log_filetrans(puppetmaster_t, puppet_log_t, { file dir })
+allow puppetmaster_t puppet_log_t:dir { rw_dir_perms setattr_dir_perms };
-
+allow puppetmaster_t puppet_log_t:file { rw_file_perms create_file_perms setattr_file_perms };
 logging_log_filetrans(puppetmaster_t, puppet_log_t, { file dir })
 +allow puppetmaster_t puppet_log_t:file relabel_file_perms;
 -allow puppetmaster_t puppet_var_lib_t:dir { manage_dir_perms relabel_dir_perms };
 -allow puppetmaster_t puppet_var_lib_t:file { manage_file_perms relabel_file_perms };
-
+manage_dirs_pattern(puppetmaster_t, puppet_var_lib_t, puppet_var_lib_t)
 +manage_files_pattern(puppetmaster_t, puppet_var_lib_t, puppet_var_lib_t)
 +allow puppetmaster_t puppet_var_lib_t:dir relabel_dir_perms;
 +allow puppetmaster_t puppet_var_lib_t:file relabel_file_perms;
 -allow puppetmaster_t puppet_var_run_t:dir { create_dir_perms setattr_dir_perms relabel_dir_perms };
 -allow puppetmaster_t puppet_var_run_t:file manage_file_perms;
-files_pid_filetrans(puppetmaster_t, puppet_var_run_t, { file dir })
+setattr_dirs_pattern(puppetmaster_t, puppet_var_run_t, puppet_var_run_t)
-
+create_dirs_pattern(puppetmaster_t, puppet_var_run_t, puppet_var_run_t)
 +manage_files_pattern(puppetmaster_t, puppet_var_run_t, puppet_var_run_t)
 files_pid_filetrans(puppetmaster_t, puppet_var_run_t, { file dir })
 +allow puppetmaster_t puppet_var_run_t:dir relabel_dir_perms;
 -allow puppetmaster_t puppetmaster_tmp_t:dir { manage_dir_perms relabel_dir_perms };
 -allow puppetmaster_t puppetmaster_tmp_t:file manage_file_perms;
-files_tmp_filetrans(puppetmaster_t, puppetmaster_tmp_t, { file dir })
+manage_dirs_pattern(puppetmaster_t, puppetmaster_tmp_t, puppetmaster_tmp_t)
-
+manage_files_pattern(puppetmaster_t, puppetmaster_tmp_t, puppetmaster_tmp_t)
-kernel_dontaudit_search_kernel_sysctl(puppetmaster_t)
+ files_tmp_filetrans(puppetmaster_t, puppetmaster_tmp_t, { file dir })
-kernel_read_network_state(puppetmaster_t)
+allow puppetmaster_t puppet_tmp_t:dir relabel_dir_perms;
-kernel_read_system_state(puppetmaster_t)
+ 
-kernel_read_crypto_sysctls(puppetmaster_t)
+ kernel_dontaudit_search_kernel_sysctl(puppetmaster_t)
-kernel_read_kernel_sysctls(puppetmaster_t)
+ kernel_read_network_state(puppetmaster_t)
-
+@@ -289,23 +297,24 @@ corecmd_exec_bin(puppetmaster_t)
-corecmd_exec_bin(puppetmaster_t)
+ corecmd_exec_shell(puppetmaster_t)
-corecmd_exec_shell(puppetmaster_t)
+ 
-
+ corenet_all_recvfrom_netlabel(puppetmaster_t)
 -corenet_all_recvfrom_netlabel(puppetmaster_t)
 -corenet_all_recvfrom_unlabeled(puppetmaster_t)
-corenet_tcp_sendrecv_generic_if(puppetmaster_t)
+ corenet_tcp_sendrecv_generic_if(puppetmaster_t)
-corenet_tcp_sendrecv_generic_node(puppetmaster_t)
+ corenet_tcp_sendrecv_generic_node(puppetmaster_t)
-corenet_tcp_bind_generic_node(puppetmaster_t)
+ corenet_tcp_bind_generic_node(puppetmaster_t)
 -
 -corenet_sendrecv_puppet_server_packets(puppetmaster_t)
-corenet_tcp_bind_puppet_port(puppetmaster_t)
+ corenet_tcp_bind_puppet_port(puppetmaster_t)
 -corenet_tcp_sendrecv_puppet_port(puppetmaster_t)
-
+corenet_sendrecv_puppet_server_packets(puppetmaster_t)
-dev_read_rand(puppetmaster_t)
+corenet_tcp_connect_ntop_port(puppetmaster_t)
-dev_read_urand(puppetmaster_t)
+
-dev_search_sysfs(puppetmaster_t)
+# This needs investigation. Puppermasterd is confirmed to bind udp sockets to random high ports.
-
+corenet_udp_bind_generic_node(puppetmaster_t)
 +corenet_udp_bind_generic_port(puppetmaster_t)
 dev_read_rand(puppetmaster_t)
 dev_read_urand(puppetmaster_t)
 dev_search_sysfs(puppetmaster_t)
 -domain_obj_id_change_exemption(puppetmaster_t)
-domain_read_all_domains_state(puppetmaster_t)
+ domain_read_all_domains_state(puppetmaster_t)
-
+domain_obj_id_change_exemption(puppetmaster_t)
 -files_read_usr_files(puppetmaster_t)
-
+ 
-selinux_validate_context(puppetmaster_t)
+ selinux_validate_context(puppetmaster_t)
-
+ 
-auth_use_nsswitch(puppetmaster_t)
+@@ -314,26 +323,31 @@ auth_use_nsswitch(puppetmaster_t)
-
+ logging_send_syslog_msg(puppetmaster_t)
-logging_send_syslog_msg(puppetmaster_t)
+ 
-
+ miscfiles_read_generic_certs(puppetmaster_t)
 -miscfiles_read_generic_certs(puppetmaster_t)
 -miscfiles_read_localization(puppetmaster_t)
-
+ 
-seutil_read_file_contexts(puppetmaster_t)
+ seutil_read_file_contexts(puppetmaster_t)
-
+ 
-sysnet_run_ifconfig(puppetmaster_t, system_r)
+ sysnet_run_ifconfig(puppetmaster_t, system_r)
-
+ 
-optional_policy(`
+mta_send_mail(puppetmaster_t)
-	hostname_exec(puppetmaster_t)
+
 -')
 -
 optional_policy(`
-	mta_send_mail(puppetmaster_t)
+-	hostname_exec(puppetmaster_t)
-+	mta_sendmail_access_check(puppetca_t)
+	tunable_policy(`puppetmaster_use_db',`
 +		mysql_stream_connect(puppetmaster_t)
 +	')
 ')
-optional_policy(`
+ optional_policy(`
 -	mta_send_mail(puppetmaster_t)
 +	tunable_policy(`puppetmaster_use_db',`
 +		postgresql_stream_connect(puppetmaster_t)
 +	')
 ')
 optional_policy(`
 -	mysql_stream_connect(puppetmaster_t)
-')
+	systemd_dbus_chat_timedated(puppetmaster_t)
-
+ ')
-optional_policy(`
+ 
 optional_policy(`
 -	postgresql_stream_connect(puppetmaster_t)
-')
+	hostname_exec(puppetmaster_t)
-
+ ')
-optional_policy(`
+ 
-	files_read_usr_symlinks(puppetmaster_t)
+ optional_policy(`
-
+@@ -342,3 +356,9 @@ optional_policy(`
-	rpm_exec(puppetmaster_t)
+ 	rpm_exec(puppetmaster_t)
-	rpm_read_db(puppetmaster_t)
+ 	rpm_read_db(puppetmaster_t)
-')
+ ')
 +
 +optional_policy(`
 +	usermanage_access_check_groupadd(puppetmaster_t)
 +	usermanage_access_check_passwd(puppetmaster_t)
 +	usermanage_access_check_useradd(puppetmaster_t)
 +')
 diff --git a/pwauth.fc b/pwauth.fc
 index 7e7b444..e2f8687 100644
 --- a/pwauth.fc
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 44%{?dist}
+Release: 45%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -588,6 +588,9 @@ SELinux Reference policy mls base module.
 %endif
 %changelog
 * Tue Apr 8 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-45
 Rename puppet_t to puppetagent_t and used it only for puppet agent which can be started by init. Also make it as unconfined_noaudit because there is no reason to confine it but we wantto avoid init_t.
 * Tue Apr 8 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-44
 - Change hsperfdata_root to have as user_tmp_t
 - Allow rsyslog low-level network access