additional cleanup for e877913.

Changelog

@@ -19,6 +19,7 @@
 	kdump (Dan Walsh)
 	modemmanager(Dan Walsh)
 	nslcd (Dan Walsh)
+	puppet (Craig Grube)
 	rtkit (Dan Walsh)
 	seunshare (Dan Walsh)
 	shorewall (Dan Walsh)

policy/modules/admin/usermanage.te

@@ -243,12 +243,12 @@ optional_policy(`
 ')
 
 optional_policy(`
-	rpm_use_fds(groupadd_t)
+	puppet_rw_tmp(groupadd_t)
-	rpm_rw_pipes(groupadd_t)
 ')
 
 optional_policy(`
-	puppet_rw_tmp(groupadd_t)
+	rpm_use_fds(groupadd_t)
+	rpm_rw_pipes(groupadd_t)
 ')
 
 ########################################
@@ -525,10 +525,10 @@ optional_policy(`
 ')
 
 optional_policy(`
-	rpm_use_fds(useradd_t)
+	puppet_rw_tmp(useradd_t)
-	rpm_rw_pipes(useradd_t)
 ')
 
 optional_policy(`
-	puppet_rw_tmp(useradd_t)
+	rpm_use_fds(useradd_t)
+	rpm_rw_pipes(useradd_t)
 ')

policy/modules/kernel/files.if

@@ -1001,83 +1001,6 @@ interface(`files_manage_all_files',`
 	files_manage_kernel_modules($1)
 ')
 
-###########################################
-## <summary>
-## 	Manage all configuration files on filesystem 
-## </summary>
-## <param name="domain">
-## 	<summary>
-##	The type of domain performing this action
-## 	</summary>
-## </param>
-##
-#
-interface(`files_manage_config_files',`
-	gen_require(`
-		attribute configfile;
-	')
-
-	manage_files_pattern($1, configfile, configfile)
-')
-
-#############################################
-## <summary>
-##	Manage all configuration directories on filesystem
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of domain performing this action
-##	</summary>
-## </param>
-##
-#
-interface(`files_manage_config_dirs',`
-	gen_require(`
-		attribute configfile;
-	')
-
-	manage_dirs_pattern($1, configfile, configfile)
-')
-
-
-#######################################
-## <summary>
-##    Relabel configuration files
-## </summary>
-## <param name="domain">
-## 	<summary>
-##	Type of domain performing this action
-##	</summary>
-## </param>
-##
-#
-interface(`files_relabel_config_files',`
-	gen_require(`
-		attribute configfile;
-	')
-
-	relabel_files_pattern($1, configfile, configfile)
-')
-
-#########################################
-## <summary>
-##	Relabel configuration directories
-## </summary>
-## <param name="domain">
-## 	<summary>
-##	Type of domain performing this action
-##	</summary>
-## </param>
-##
-#
-interface(`files_relabel_config_dirs',`
-	gen_require(`
-		attribute configfile;
-	')
-
-	relabel_dirs_pattern($1, configfile, configfile)
-')
-
 ########################################
 ## <summary>
 ##	Search the contents of all directories on
@@ -1231,6 +1154,82 @@ interface(`files_unmount_all_file_type_fs',`
 	allow $1 file_type:filesystem unmount;
 ')
 
+#############################################
+## <summary>
+##	Manage all configuration directories on filesystem
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of domain performing this action
+##	</summary>
+## </param>
+##
+#
+interface(`files_manage_config_dirs',`
+	gen_require(`
+		attribute configfile;
+	')
+
+	manage_dirs_pattern($1, configfile, configfile)
+')
+
+#########################################
+## <summary>
+##	Relabel configuration directories
+## </summary>
+## <param name="domain">
+## 	<summary>
+##	Type of domain performing this action
+##	</summary>
+## </param>
+##
+#
+interface(`files_relabel_config_dirs',`
+	gen_require(`
+		attribute configfile;
+	')
+
+	relabel_dirs_pattern($1, configfile, configfile)
+')
+
+###########################################
+## <summary>
+## 	Manage all configuration files on filesystem 
+## </summary>
+## <param name="domain">
+## 	<summary>
+##	The type of domain performing this action
+## 	</summary>
+## </param>
+##
+#
+interface(`files_manage_config_files',`
+	gen_require(`
+		attribute configfile;
+	')
+
+	manage_files_pattern($1, configfile, configfile)
+')
+
+#######################################
+## <summary>
+##    Relabel configuration files
+## </summary>
+## <param name="domain">
+## 	<summary>
+##	Type of domain performing this action
+##	</summary>
+## </param>
+##
+#
+interface(`files_relabel_config_files',`
+	gen_require(`
+		attribute configfile;
+	')
+
+	relabel_files_pattern($1, configfile, configfile)
+')
+
 ########################################
 ## <summary>
 ##	Mount a filesystem on all mount points.
@@ -1994,6 +1993,25 @@ interface(`files_rw_etc_dirs',`
 	allow $1 etc_t:dir rw_dir_perms;
 ')
 
+##########################################
+## <summary>
+## 	Manage generic directories in /etc
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access
+##	</summary>
+## </param>
+##
+#
+interface(`files_manage_etc_dirs',`
+	gen_require(`
+		type etc_t;
+	')
+
+	manage_dirs_pattern($1, etc_t, etc_t)
+')
+
 ########################################
 ## <summary>
 ##	Read generic files in /etc.
@@ -2074,25 +2092,6 @@ interface(`files_manage_etc_files',`
 	read_lnk_files_pattern($1, etc_t, etc_t)
 ')
 
-##########################################
-## <summary>
-## 	Manage generic directories in /etc
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access
-##	</summary>
-## </param>
-##
-#
-interface(`files_manage_etc_dirs',`
-	gen_require(`
-		type etc_t;
-	')
-
-	manage_dirs_pattern($1, etc_t, etc_t)
-')
-
 ########################################
 ## <summary>
 ##	Delete system configuration files in /etc.

policy/modules/services/puppet.fc

@@ -1,13 +1,11 @@
-/etc/puppet(/.*)?                       gen_context(system_u:object_r:puppet_etc_t, s0)
+/etc/puppet(/.*)?			gen_context(system_u:object_r:puppet_etc_t,s0)
 
-/etc/rc\.d/init\.d/puppet       --      gen_context(system_u:object_r:puppet_initrc_exec_t, s0)
+/etc/rc\.d/init\.d/puppet	--	gen_context(system_u:object_r:puppet_initrc_exec_t,s0)
-/etc/rc\.d/init\.d/puppetmaster --      gen_context(system_u:object_r:puppetmasterd_initrc_exec_t, s0)
+/etc/rc\.d/init\.d/puppetmaster --	gen_context(system_u:object_r:puppetmaster_initrc_exec_t,s0)
-
-/usr/sbin/puppetd               --      gen_context(system_u:object_r:puppet_exec_t, s0)
-/usr/sbin/puppetmasterd         --      gen_context(system_u:object_r:puppetmaster_exec_t, s0)
-
-/var/lib/puppet(/.*)?                   gen_context(system_u:object_r:puppet_var_lib_t, s0)
-/var/log/puppet(/.*)?                   gen_context(system_u:object_r:puppet_log_t, s0)
-/var/run/puppet(/.*)?                   gen_context(system_u:object_r:puppet_var_run_t, s0)
 
+/usr/sbin/puppetd		--	gen_context(system_u:object_r:puppet_exec_t,s0)
+/usr/sbin/puppetmasterd		--	gen_context(system_u:object_r:puppetmaster_exec_t,s0)
 
+/var/lib/puppet(/.*)?			gen_context(system_u:object_r:puppet_var_lib_t,s0)
+/var/log/puppet(/.*)?			gen_context(system_u:object_r:puppet_log_t,s0)
+/var/run/puppet(/.*)?			gen_context(system_u:object_r:puppet_var_run_t,s0)

policy/modules/services/puppet.if

@@ -1,27 +1,26 @@
 ## <summary>Puppet client daemon</summary>
 ## <desc>
-##  <p>
+##	<p>
 ##	Puppet is a configuration management system written in Ruby.
-##  	The client daemon is responsible for periodically requesting the
+##	The client daemon is responsible for periodically requesting the
-##  	desired system state from the server and ensuring the state of
+##	desired system state from the server and ensuring the state of
-##  	the client system matches.
+##	the client system matches.
-##  </p>
+##	</p>
-## </desc> 
+## </desc>
- 
+
 ################################################
 ## <summary>
-##      Read / Write to Puppet temp files.  Puppet uses
+##	Read / Write to Puppet temp files.  Puppet uses
-##      some system binaries (groupadd, etc) that run in
+##	some system binaries (groupadd, etc) that run in
-##      a non-puppet domain and redirects output into temp
+##	a non-puppet domain and redirects output into temp
-##      files.
+##	files.
 ## </summary>
 ## <param name="domain">
-##      <summary>
+##	<summary>
-##              Domain allowed access
+##	Domain allowed access
-##      </summary>
+##	</summary>
-## </param> 
+## </param>
-##
+#
-# 
 interface(`puppet_rw_tmp', `
 	gen_require(`
 		type puppet_tmp_t;

policy/modules/services/puppet.te

@@ -1,5 +1,5 @@
 
-policy_module(puppet, 0.0.1)
+policy_module(puppet, 1.0.0)
 
 ########################################
 #
@@ -14,45 +14,34 @@ policy_module(puppet, 0.0.1)
 ## </desc>
 gen_tunable(puppet_manage_all_files, false)
 
-
-########################################
-#
-# Puppet personal declarations
-#
-
 type puppet_t;
 type puppet_exec_t;
 init_daemon_domain(puppet_t, puppet_exec_t)
 
+type puppet_etc_t;
+files_config_file(puppet_etc_t)
+
 type puppet_initrc_exec_t;
-init_script_file(puppet_initrc_exec_t);
+init_script_file(puppet_initrc_exec_t)
 
 type puppet_log_t;
 logging_log_file(puppet_log_t)
 
+type puppet_tmp_t;
+files_tmp_file(puppet_tmp_t)
+
 type puppet_var_lib_t;
 files_type(puppet_var_lib_t)
 
 type puppet_var_run_t;
 files_pid_file(puppet_var_run_t)
 
-type puppet_etc_t;
-files_config_file(puppet_etc_t)
-
-type puppet_tmp_t;
-files_tmp_file(puppet_tmp_t)
-
-########################################
-#
-# Pupper master personal declarations
-#
-
 type puppetmaster_t;
 type puppetmaster_exec_t;
 init_daemon_domain(puppetmaster_t, puppetmaster_exec_t)
 
-type puppetmasterd_initrc_exec_t;
+type puppetmaster_initrc_exec_t;
-init_script_file(puppetmasterd_initrc_exec_t)
+init_script_file(puppetmaster_initrc_exec_t)
 
 type puppetmaster_tmp_t;
 files_tmp_file(puppetmaster_tmp_t)
@@ -63,17 +52,17 @@ files_tmp_file(puppetmaster_tmp_t)
 #
 
 allow puppet_t self:capability { fowner fsetid setuid setgid dac_override sys_nice sys_ptrace sys_tty_config };
+allow puppet_t self:process { signal signull getsched setsched };
 allow puppet_t self:fifo_file rw_fifo_file_perms;
 allow puppet_t self:netlink_route_socket create_netlink_socket_perms;
-allow puppet_t self:process { signal signull getsched setsched };
 allow puppet_t self:tcp_socket create_stream_socket_perms;
 allow puppet_t self:udp_socket create_socket_perms;
 
-search_dirs_pattern(puppet_t, puppet_etc_t, puppet_etc_t)
 read_files_pattern(puppet_t, puppet_etc_t, puppet_etc_t)
 
-manage_dirs_pattern(puppet_t ,puppet_var_lib_t, puppet_var_lib_t)
+manage_dirs_pattern(puppet_t, puppet_var_lib_t, puppet_var_lib_t)
 manage_files_pattern(puppet_t, puppet_var_lib_t, puppet_var_lib_t)
+files_search_var_lib(puppet_t)
 
 setattr_dirs_pattern(puppet_t, puppet_var_run_t, puppet_var_run_t)
 manage_files_pattern(puppet_t, puppet_var_run_t, puppet_var_run_t)
@@ -88,20 +77,22 @@ manage_dirs_pattern(puppet_t, puppet_tmp_t, puppet_tmp_t)
 manage_files_pattern(puppet_t, puppet_tmp_t, puppet_tmp_t)
 files_tmp_filetrans(puppet_t, puppet_tmp_t, { file dir })
 
-corenet_sendrecv_puppet_client_packets(puppet_t)
+kernel_dontaudit_search_sysctl(puppet_t)
-corenet_tcp_connect_puppet_port(puppet_t)
+kernel_dontaudit_search_kernel_sysctl(puppet_t)
-
+kernel_read_system_state(puppet_t)
-corenet_all_recvfrom_netlabel(puppet_t)
+kernel_read_crypto_sysctls(puppet_t)
-corenet_all_recvfrom_unlabeled(puppet_t)
-
-corenet_tcp_sendrecv_generic_if(puppet_t)
-corenet_tcp_sendrecv_generic_node(puppet_t)
-
-corenet_tcp_bind_generic_node(puppet_t)
 
 corecmd_exec_bin(puppet_t)
 corecmd_exec_shell(puppet_t)
 
+corenet_all_recvfrom_netlabel(puppet_t)
+corenet_all_recvfrom_unlabeled(puppet_t)
+corenet_tcp_sendrecv_generic_if(puppet_t)
+corenet_tcp_sendrecv_generic_node(puppet_t)
+corenet_tcp_bind_generic_node(puppet_t)
+corenet_tcp_connect_puppet_port(puppet_t)
+corenet_sendrecv_puppet_client_packets(puppet_t)
+
 dev_read_rand(puppet_t)
 dev_read_sysfs(puppet_t)
 dev_read_urand(puppet_t)
@@ -116,38 +107,31 @@ files_manage_etc_files(puppet_t)
 files_read_usr_symlinks(puppet_t)
 files_relabel_config_dirs(puppet_t)
 files_relabel_config_files(puppet_t)
-files_search_default(puppet_t)
-files_search_var_lib(puppet_t)
-
-init_all_labeled_script_domtrans(puppet_t)
-init_domtrans_script(puppet_t)
-init_read_utmp(puppet_t)
-init_signull_script(puppet_t)
-
-kernel_dontaudit_search_sysctl(puppet_t)
-kernel_dontaudit_search_kernel_sysctl(puppet_t)
-kernel_read_system_state(puppet_t)
-kernel_read_crypto_sysctls(puppet_t)
-
-logging_send_syslog_msg(puppet_t)
-
-miscfiles_read_hwdata(puppet_t)
-miscfiles_read_localization(puppet_t)
 
 selinux_search_fs(puppet_t)
 selinux_set_all_booleans(puppet_t)
 selinux_set_generic_booleans(puppet_t)
 selinux_validate_context(puppet_t)
 
+term_dontaudit_getattr_unallocated_ttys(puppet_t)
+term_dontaudit_getattr_all_user_ttys(puppet_t)
+
+init_all_labeled_script_domtrans(puppet_t)
+init_domtrans_script(puppet_t)
+init_read_utmp(puppet_t)
+init_signull_script(puppet_t)
+
+logging_send_syslog_msg(puppet_t)
+
+miscfiles_read_hwdata(puppet_t)
+miscfiles_read_localization(puppet_t)
+
 seutil_domtrans_setfiles(puppet_t)
 seutil_domtrans_semanage(puppet_t)
 
 sysnet_dns_name_resolve(puppet_t)
 sysnet_run_ifconfig(puppet_t, system_r)
 
-term_dontaudit_getattr_unallocated_ttys(puppet_t)
-term_dontaudit_getattr_all_user_ttys(puppet_t)
-
 tunable_policy(`puppet_manage_all_files',`
 	auth_manage_all_files_except_shadow(puppet_t)
 ')
@@ -162,7 +146,6 @@ optional_policy(`
 
 optional_policy(`
 	files_rw_var_files(puppet_t)
-	files_var_lib_filetrans(puppet_t, var_lib_t, dir)
 
 	rpm_domtrans(puppet_t)
 	rpm_manage_db(puppet_t)
@@ -178,16 +161,15 @@ optional_policy(`
 	usermanage_domtrans_useradd(puppet_t)
 ')
 
-
 ########################################
 #
 # Pupper master personal policy
 #
 
 allow puppetmaster_t self:capability { dac_read_search dac_override setuid setgid fowner chown fsetid sys_tty_config };
-allow puppetmaster_t self:fifo_file rw_fifo_file_perms;;
-allow puppetmaster_t self:netlink_route_socket create_netlink_socket_perms;
 allow puppetmaster_t self:process { signal_perms getsched setsched };
+allow puppetmaster_t self:fifo_file rw_fifo_file_perms;
+allow puppetmaster_t self:netlink_route_socket create_netlink_socket_perms;
 allow puppetmaster_t self:socket create;
 allow puppetmaster_t self:tcp_socket create_stream_socket_perms;
 allow puppetmaster_t self:udp_socket create_socket_perms;
@@ -195,50 +177,43 @@ allow puppetmaster_t self:udp_socket create_socket_perms;
 list_dirs_pattern(puppetmaster_t, puppet_etc_t, puppet_etc_t)
 read_files_pattern(puppetmaster_t, puppet_etc_t, puppet_etc_t)
 
-manage_dirs_pattern(puppetmaster_t ,puppet_var_lib_t, puppet_var_lib_t)
+allow puppetmaster_t puppet_log_t:dir { rw_dir_perms setattr };
+allow puppetmaster_t puppet_log_t:file { rw_file_perms create setattr };
+logging_log_filetrans(puppetmaster_t, puppet_log_t, { file dir })
+
+manage_dirs_pattern(puppetmaster_t, puppet_var_lib_t, puppet_var_lib_t)
 manage_files_pattern(puppetmaster_t, puppet_var_lib_t, puppet_var_lib_t)
 
 setattr_dirs_pattern(puppetmaster_t, puppet_var_run_t, puppet_var_run_t)
 manage_files_pattern(puppetmaster_t, puppet_var_run_t, puppet_var_run_t)
 files_pid_filetrans(puppetmaster_t, puppet_var_run_t, { file dir })
 
-rw_dirs_pattern(puppetmaster_t, puppet_log_t, puppet_log_t)
-setattr_dirs_pattern(puppetmaster_t, puppet_log_t, puppet_log_t)
-setattr_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t)
-create_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t)
-append_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t)
-rw_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t)
-logging_log_filetrans(puppetmaster_t, puppet_log_t, { file dir })
-
 manage_dirs_pattern(puppetmaster_t, puppetmaster_tmp_t, puppetmaster_tmp_t)
 manage_files_pattern(puppetmaster_t, puppetmaster_tmp_t, puppetmaster_tmp_t)
 files_tmp_filetrans(puppetmaster_t, puppetmaster_tmp_t, { file dir })
 
-corenet_sendrecv_puppet_server_packets(puppetmaster_t)
+kernel_dontaudit_search_kernel_sysctl(puppetmaster_t)
-corenet_tcp_bind_puppet_port(puppetmaster_t)
+kernel_read_system_state(puppetmaster_t)
-
+kernel_read_crypto_sysctls(puppetmaster_t)
-corenet_all_recvfrom_netlabel(puppetmaster_t)
-corenet_all_recvfrom_unlabeled(puppetmaster_t)
-
-corenet_tcp_sendrecv_generic_if(puppetmaster_t)
-corenet_tcp_sendrecv_generic_node(puppetmaster_t)
-
-corenet_tcp_bind_generic_node(puppetmaster_t)
 
 corecmd_exec_bin(puppetmaster_t)
 corecmd_exec_shell(puppetmaster_t)
 
-files_read_etc_files(puppetmaster_t)
+corenet_all_recvfrom_netlabel(puppetmaster_t)
-files_search_var_lib(puppetmaster_t)
+corenet_all_recvfrom_unlabeled(puppetmaster_t)
+corenet_tcp_sendrecv_generic_if(puppetmaster_t)
+corenet_tcp_sendrecv_generic_node(puppetmaster_t)
+corenet_tcp_bind_generic_node(puppetmaster_t)
+corenet_tcp_bind_puppet_port(puppetmaster_t)
+corenet_sendrecv_puppet_server_packets(puppetmaster_t)
 
 dev_read_rand(puppetmaster_t)
 dev_read_urand(puppetmaster_t)
 
 domain_read_all_domains_state(puppetmaster_t)
 
-kernel_dontaudit_search_kernel_sysctl(puppetmaster_t)
+files_read_etc_files(puppetmaster_t)
-kernel_read_system_state(puppetmaster_t)
+files_search_var_lib(puppetmaster_t)
-kernel_read_crypto_sysctls(puppetmaster_t)
 
 logging_send_syslog_msg(puppetmaster_t)
 
@@ -257,4 +232,3 @@ optional_policy(`
 	rpm_exec(puppetmaster_t)
 	rpm_read_db(puppetmaster_t)
 ')
-

policy/modules/system/init.if

@@ -730,7 +730,7 @@ interface(`init_labeled_script_domtrans',`
 ##		Domain allowed access
 ##	</summary>
 ## </param>
-#########################################
+#
 interface(`init_all_labeled_script_domtrans',`
 	gen_require(`
 		attribute init_script_file_type;

policy/modules/system/libraries.te

@@ -117,13 +117,13 @@ optional_policy(`
 	apt_use_ptys(ldconfig_t)
 ')
 
+optional_policy(`
+	puppet_rw_tmp(ldconfig_t)
+')
+
 optional_policy(`
 	# When you install a kernel the postinstall builds a initrd image in tmp 
 	# and executes ldconfig on it. If you dont allow this kernel installs 
 	# blow up.
 	rpm_manage_script_tmp_files(ldconfig_t)
 ')
-
-optional_policy(`
-	puppet_rw_tmp(ldconfig_t)
-')