additional cleanup for e877913
.
parent
e8779130bf
commit
e6d8fd1e50
|
@ -19,6 +19,7 @@
|
||||||
kdump (Dan Walsh)
|
kdump (Dan Walsh)
|
||||||
modemmanager(Dan Walsh)
|
modemmanager(Dan Walsh)
|
||||||
nslcd (Dan Walsh)
|
nslcd (Dan Walsh)
|
||||||
|
puppet (Craig Grube)
|
||||||
rtkit (Dan Walsh)
|
rtkit (Dan Walsh)
|
||||||
seunshare (Dan Walsh)
|
seunshare (Dan Walsh)
|
||||||
shorewall (Dan Walsh)
|
shorewall (Dan Walsh)
|
||||||
|
|
|
@ -243,12 +243,12 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
rpm_use_fds(groupadd_t)
|
puppet_rw_tmp(groupadd_t)
|
||||||
rpm_rw_pipes(groupadd_t)
|
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
puppet_rw_tmp(groupadd_t)
|
rpm_use_fds(groupadd_t)
|
||||||
|
rpm_rw_pipes(groupadd_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
|
@ -525,10 +525,10 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
rpm_use_fds(useradd_t)
|
puppet_rw_tmp(useradd_t)
|
||||||
rpm_rw_pipes(useradd_t)
|
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
puppet_rw_tmp(useradd_t)
|
rpm_use_fds(useradd_t)
|
||||||
|
rpm_rw_pipes(useradd_t)
|
||||||
')
|
')
|
||||||
|
|
|
@ -1001,83 +1001,6 @@ interface(`files_manage_all_files',`
|
||||||
files_manage_kernel_modules($1)
|
files_manage_kernel_modules($1)
|
||||||
')
|
')
|
||||||
|
|
||||||
###########################################
|
|
||||||
## <summary>
|
|
||||||
## Manage all configuration files on filesystem
|
|
||||||
## </summary>
|
|
||||||
## <param name="domain">
|
|
||||||
## <summary>
|
|
||||||
## The type of domain performing this action
|
|
||||||
## </summary>
|
|
||||||
## </param>
|
|
||||||
##
|
|
||||||
#
|
|
||||||
interface(`files_manage_config_files',`
|
|
||||||
gen_require(`
|
|
||||||
attribute configfile;
|
|
||||||
')
|
|
||||||
|
|
||||||
manage_files_pattern($1, configfile, configfile)
|
|
||||||
')
|
|
||||||
|
|
||||||
#############################################
|
|
||||||
## <summary>
|
|
||||||
## Manage all configuration directories on filesystem
|
|
||||||
## </summary>
|
|
||||||
## <param name="domain">
|
|
||||||
## <summary>
|
|
||||||
## The type of domain performing this action
|
|
||||||
## </summary>
|
|
||||||
## </param>
|
|
||||||
##
|
|
||||||
#
|
|
||||||
interface(`files_manage_config_dirs',`
|
|
||||||
gen_require(`
|
|
||||||
attribute configfile;
|
|
||||||
')
|
|
||||||
|
|
||||||
manage_dirs_pattern($1, configfile, configfile)
|
|
||||||
')
|
|
||||||
|
|
||||||
|
|
||||||
#######################################
|
|
||||||
## <summary>
|
|
||||||
## Relabel configuration files
|
|
||||||
## </summary>
|
|
||||||
## <param name="domain">
|
|
||||||
## <summary>
|
|
||||||
## Type of domain performing this action
|
|
||||||
## </summary>
|
|
||||||
## </param>
|
|
||||||
##
|
|
||||||
#
|
|
||||||
interface(`files_relabel_config_files',`
|
|
||||||
gen_require(`
|
|
||||||
attribute configfile;
|
|
||||||
')
|
|
||||||
|
|
||||||
relabel_files_pattern($1, configfile, configfile)
|
|
||||||
')
|
|
||||||
|
|
||||||
#########################################
|
|
||||||
## <summary>
|
|
||||||
## Relabel configuration directories
|
|
||||||
## </summary>
|
|
||||||
## <param name="domain">
|
|
||||||
## <summary>
|
|
||||||
## Type of domain performing this action
|
|
||||||
## </summary>
|
|
||||||
## </param>
|
|
||||||
##
|
|
||||||
#
|
|
||||||
interface(`files_relabel_config_dirs',`
|
|
||||||
gen_require(`
|
|
||||||
attribute configfile;
|
|
||||||
')
|
|
||||||
|
|
||||||
relabel_dirs_pattern($1, configfile, configfile)
|
|
||||||
')
|
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Search the contents of all directories on
|
## Search the contents of all directories on
|
||||||
|
@ -1231,6 +1154,82 @@ interface(`files_unmount_all_file_type_fs',`
|
||||||
allow $1 file_type:filesystem unmount;
|
allow $1 file_type:filesystem unmount;
|
||||||
')
|
')
|
||||||
|
|
||||||
|
#############################################
|
||||||
|
## <summary>
|
||||||
|
## Manage all configuration directories on filesystem
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## The type of domain performing this action
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
##
|
||||||
|
#
|
||||||
|
interface(`files_manage_config_dirs',`
|
||||||
|
gen_require(`
|
||||||
|
attribute configfile;
|
||||||
|
')
|
||||||
|
|
||||||
|
manage_dirs_pattern($1, configfile, configfile)
|
||||||
|
')
|
||||||
|
|
||||||
|
#########################################
|
||||||
|
## <summary>
|
||||||
|
## Relabel configuration directories
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Type of domain performing this action
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
##
|
||||||
|
#
|
||||||
|
interface(`files_relabel_config_dirs',`
|
||||||
|
gen_require(`
|
||||||
|
attribute configfile;
|
||||||
|
')
|
||||||
|
|
||||||
|
relabel_dirs_pattern($1, configfile, configfile)
|
||||||
|
')
|
||||||
|
|
||||||
|
###########################################
|
||||||
|
## <summary>
|
||||||
|
## Manage all configuration files on filesystem
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## The type of domain performing this action
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
##
|
||||||
|
#
|
||||||
|
interface(`files_manage_config_files',`
|
||||||
|
gen_require(`
|
||||||
|
attribute configfile;
|
||||||
|
')
|
||||||
|
|
||||||
|
manage_files_pattern($1, configfile, configfile)
|
||||||
|
')
|
||||||
|
|
||||||
|
#######################################
|
||||||
|
## <summary>
|
||||||
|
## Relabel configuration files
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Type of domain performing this action
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
##
|
||||||
|
#
|
||||||
|
interface(`files_relabel_config_files',`
|
||||||
|
gen_require(`
|
||||||
|
attribute configfile;
|
||||||
|
')
|
||||||
|
|
||||||
|
relabel_files_pattern($1, configfile, configfile)
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Mount a filesystem on all mount points.
|
## Mount a filesystem on all mount points.
|
||||||
|
@ -1994,6 +1993,25 @@ interface(`files_rw_etc_dirs',`
|
||||||
allow $1 etc_t:dir rw_dir_perms;
|
allow $1 etc_t:dir rw_dir_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
|
##########################################
|
||||||
|
## <summary>
|
||||||
|
## Manage generic directories in /etc
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
##
|
||||||
|
#
|
||||||
|
interface(`files_manage_etc_dirs',`
|
||||||
|
gen_require(`
|
||||||
|
type etc_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
manage_dirs_pattern($1, etc_t, etc_t)
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Read generic files in /etc.
|
## Read generic files in /etc.
|
||||||
|
@ -2074,25 +2092,6 @@ interface(`files_manage_etc_files',`
|
||||||
read_lnk_files_pattern($1, etc_t, etc_t)
|
read_lnk_files_pattern($1, etc_t, etc_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
##########################################
|
|
||||||
## <summary>
|
|
||||||
## Manage generic directories in /etc
|
|
||||||
## </summary>
|
|
||||||
## <param name="domain">
|
|
||||||
## <summary>
|
|
||||||
## Domain allowed access
|
|
||||||
## </summary>
|
|
||||||
## </param>
|
|
||||||
##
|
|
||||||
#
|
|
||||||
interface(`files_manage_etc_dirs',`
|
|
||||||
gen_require(`
|
|
||||||
type etc_t;
|
|
||||||
')
|
|
||||||
|
|
||||||
manage_dirs_pattern($1, etc_t, etc_t)
|
|
||||||
')
|
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Delete system configuration files in /etc.
|
## Delete system configuration files in /etc.
|
||||||
|
|
|
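Review bot: The four interfaces relocated in hunks @ -1001,83 +1001,6 and @ -1231,6 +1154,82 carry two different wordings for the same `domain` parameter, `## The type of domain performing this action` in files_manage_config_dirs / files_manage_config_files and `## Type of domain performing this action` in files_relabel_config_dirs / files_relabel_config_files, while files_manage_etc_dirs, moved in hunk @ -1994,6 +1993,25 of the same file, uses the file's usual `## Domain allowed access`. Since every one of these lines is rewritten by the move anyway, normalising all four to `## Domain allowed access` would keep the generated interface documentation consistent. Each of the four also pulls in `attribute configfile;` through gen_require, so the access granted spans every type that carries that attribute rather than a single /etc type; one sentence saying so in the `<summary>` of files_manage_config_files and files_manage_config_dirs would make clear to callers how broad a grant they are asking for.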
@ -1,13 +1,11 @@
|
||||||
/etc/puppet(/.*)? gen_context(system_u:object_r:puppet_etc_t, s0)
|
/etc/puppet(/.*)? gen_context(system_u:object_r:puppet_etc_t,s0)
|
||||||
|
|
||||||
/etc/rc\.d/init\.d/puppet -- gen_context(system_u:object_r:puppet_initrc_exec_t, s0)
|
/etc/rc\.d/init\.d/puppet -- gen_context(system_u:object_r:puppet_initrc_exec_t,s0)
|
||||||
/etc/rc\.d/init\.d/puppetmaster -- gen_context(system_u:object_r:puppetmasterd_initrc_exec_t, s0)
|
/etc/rc\.d/init\.d/puppetmaster -- gen_context(system_u:object_r:puppetmaster_initrc_exec_t,s0)
|
||||||
|
|
||||||
/usr/sbin/puppetd -- gen_context(system_u:object_r:puppet_exec_t, s0)
|
|
||||||
/usr/sbin/puppetmasterd -- gen_context(system_u:object_r:puppetmaster_exec_t, s0)
|
|
||||||
|
|
||||||
/var/lib/puppet(/.*)? gen_context(system_u:object_r:puppet_var_lib_t, s0)
|
|
||||||
/var/log/puppet(/.*)? gen_context(system_u:object_r:puppet_log_t, s0)
|
|
||||||
/var/run/puppet(/.*)? gen_context(system_u:object_r:puppet_var_run_t, s0)
|
|
||||||
|
|
||||||
|
/usr/sbin/puppetd -- gen_context(system_u:object_r:puppet_exec_t,s0)
|
||||||
|
/usr/sbin/puppetmasterd -- gen_context(system_u:object_r:puppetmaster_exec_t,s0)
|
||||||
|
|
||||||
|
/var/lib/puppet(/.*)? gen_context(system_u:object_r:puppet_var_lib_t,s0)
|
||||||
|
/var/log/puppet(/.*)? gen_context(system_u:object_r:puppet_log_t,s0)
|
||||||
|
/var/run/puppet(/.*)? gen_context(system_u:object_r:puppet_var_run_t,s0)
|
||||||
|
|
|
@ -1,27 +1,26 @@
|
||||||
## <summary>Puppet client daemon</summary>
|
## <summary>Puppet client daemon</summary>
|
||||||
## <desc>
|
## <desc>
|
||||||
## <p>
|
## <p>
|
||||||
## Puppet is a configuration management system written in Ruby.
|
## Puppet is a configuration management system written in Ruby.
|
||||||
## The client daemon is responsible for periodically requesting the
|
## The client daemon is responsible for periodically requesting the
|
||||||
## desired system state from the server and ensuring the state of
|
## desired system state from the server and ensuring the state of
|
||||||
## the client system matches.
|
## the client system matches.
|
||||||
## </p>
|
## </p>
|
||||||
## </desc>
|
## </desc>
|
||||||
|
|
||||||
################################################
|
################################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Read / Write to Puppet temp files. Puppet uses
|
## Read / Write to Puppet temp files. Puppet uses
|
||||||
## some system binaries (groupadd, etc) that run in
|
## some system binaries (groupadd, etc) that run in
|
||||||
## a non-puppet domain and redirects output into temp
|
## a non-puppet domain and redirects output into temp
|
||||||
## files.
|
## files.
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
## Domain allowed access
|
## Domain allowed access
|
||||||
## </summary>
|
## </summary>
|
||||||
## </param>
|
## </param>
|
||||||
##
|
#
|
||||||
#
|
|
||||||
interface(`puppet_rw_tmp', `
|
interface(`puppet_rw_tmp', `
|
||||||
gen_require(`
|
gen_require(`
|
||||||
type puppet_tmp_t;
|
type puppet_tmp_t;
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
|
|
||||||
policy_module(puppet, 0.0.1)
|
policy_module(puppet, 1.0.0)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
|
@ -14,45 +14,34 @@ policy_module(puppet, 0.0.1)
|
||||||
## </desc>
|
## </desc>
|
||||||
gen_tunable(puppet_manage_all_files, false)
|
gen_tunable(puppet_manage_all_files, false)
|
||||||
|
|
||||||
|
|
||||||
########################################
|
|
||||||
#
|
|
||||||
# Puppet personal declarations
|
|
||||||
#
|
|
||||||
|
|
||||||
type puppet_t;
|
type puppet_t;
|
||||||
type puppet_exec_t;
|
type puppet_exec_t;
|
||||||
init_daemon_domain(puppet_t, puppet_exec_t)
|
init_daemon_domain(puppet_t, puppet_exec_t)
|
||||||
|
|
||||||
|
type puppet_etc_t;
|
||||||
|
files_config_file(puppet_etc_t)
|
||||||
|
|
||||||
type puppet_initrc_exec_t;
|
type puppet_initrc_exec_t;
|
||||||
init_script_file(puppet_initrc_exec_t);
|
init_script_file(puppet_initrc_exec_t)
|
||||||
|
|
||||||
type puppet_log_t;
|
type puppet_log_t;
|
||||||
logging_log_file(puppet_log_t)
|
logging_log_file(puppet_log_t)
|
||||||
|
|
||||||
|
type puppet_tmp_t;
|
||||||
|
files_tmp_file(puppet_tmp_t)
|
||||||
|
|
||||||
type puppet_var_lib_t;
|
type puppet_var_lib_t;
|
||||||
files_type(puppet_var_lib_t)
|
files_type(puppet_var_lib_t)
|
||||||
|
|
||||||
type puppet_var_run_t;
|
type puppet_var_run_t;
|
||||||
files_pid_file(puppet_var_run_t)
|
files_pid_file(puppet_var_run_t)
|
||||||
|
|
||||||
type puppet_etc_t;
|
|
||||||
files_config_file(puppet_etc_t)
|
|
||||||
|
|
||||||
type puppet_tmp_t;
|
|
||||||
files_tmp_file(puppet_tmp_t)
|
|
||||||
|
|
||||||
########################################
|
|
||||||
#
|
|
||||||
# Pupper master personal declarations
|
|
||||||
#
|
|
||||||
|
|
||||||
type puppetmaster_t;
|
type puppetmaster_t;
|
||||||
type puppetmaster_exec_t;
|
type puppetmaster_exec_t;
|
||||||
init_daemon_domain(puppetmaster_t, puppetmaster_exec_t)
|
init_daemon_domain(puppetmaster_t, puppetmaster_exec_t)
|
||||||
|
|
||||||
type puppetmasterd_initrc_exec_t;
|
type puppetmaster_initrc_exec_t;
|
||||||
init_script_file(puppetmasterd_initrc_exec_t)
|
init_script_file(puppetmaster_initrc_exec_t)
|
||||||
|
|
||||||
type puppetmaster_tmp_t;
|
type puppetmaster_tmp_t;
|
||||||
files_tmp_file(puppetmaster_tmp_t)
|
files_tmp_file(puppetmaster_tmp_t)
|
||||||
|
@ -63,17 +52,17 @@ files_tmp_file(puppetmaster_tmp_t)
|
||||||
#
|
#
|
||||||
|
|
||||||
allow puppet_t self:capability { fowner fsetid setuid setgid dac_override sys_nice sys_ptrace sys_tty_config };
|
allow puppet_t self:capability { fowner fsetid setuid setgid dac_override sys_nice sys_ptrace sys_tty_config };
|
||||||
|
allow puppet_t self:process { signal signull getsched setsched };
|
||||||
allow puppet_t self:fifo_file rw_fifo_file_perms;
|
allow puppet_t self:fifo_file rw_fifo_file_perms;
|
||||||
allow puppet_t self:netlink_route_socket create_netlink_socket_perms;
|
allow puppet_t self:netlink_route_socket create_netlink_socket_perms;
|
||||||
allow puppet_t self:process { signal signull getsched setsched };
|
|
||||||
allow puppet_t self:tcp_socket create_stream_socket_perms;
|
allow puppet_t self:tcp_socket create_stream_socket_perms;
|
||||||
allow puppet_t self:udp_socket create_socket_perms;
|
allow puppet_t self:udp_socket create_socket_perms;
|
||||||
|
|
||||||
search_dirs_pattern(puppet_t, puppet_etc_t, puppet_etc_t)
|
|
||||||
read_files_pattern(puppet_t, puppet_etc_t, puppet_etc_t)
|
read_files_pattern(puppet_t, puppet_etc_t, puppet_etc_t)
|
||||||
|
|
||||||
manage_dirs_pattern(puppet_t ,puppet_var_lib_t, puppet_var_lib_t)
|
manage_dirs_pattern(puppet_t, puppet_var_lib_t, puppet_var_lib_t)
|
||||||
manage_files_pattern(puppet_t, puppet_var_lib_t, puppet_var_lib_t)
|
manage_files_pattern(puppet_t, puppet_var_lib_t, puppet_var_lib_t)
|
||||||
|
files_search_var_lib(puppet_t)
|
||||||
|
|
||||||
setattr_dirs_pattern(puppet_t, puppet_var_run_t, puppet_var_run_t)
|
setattr_dirs_pattern(puppet_t, puppet_var_run_t, puppet_var_run_t)
|
||||||
manage_files_pattern(puppet_t, puppet_var_run_t, puppet_var_run_t)
|
manage_files_pattern(puppet_t, puppet_var_run_t, puppet_var_run_t)
|
||||||
|
@ -88,20 +77,22 @@ manage_dirs_pattern(puppet_t, puppet_tmp_t, puppet_tmp_t)
|
||||||
manage_files_pattern(puppet_t, puppet_tmp_t, puppet_tmp_t)
|
manage_files_pattern(puppet_t, puppet_tmp_t, puppet_tmp_t)
|
||||||
files_tmp_filetrans(puppet_t, puppet_tmp_t, { file dir })
|
files_tmp_filetrans(puppet_t, puppet_tmp_t, { file dir })
|
||||||
|
|
||||||
corenet_sendrecv_puppet_client_packets(puppet_t)
|
kernel_dontaudit_search_sysctl(puppet_t)
|
||||||
corenet_tcp_connect_puppet_port(puppet_t)
|
kernel_dontaudit_search_kernel_sysctl(puppet_t)
|
||||||
|
kernel_read_system_state(puppet_t)
|
||||||
corenet_all_recvfrom_netlabel(puppet_t)
|
kernel_read_crypto_sysctls(puppet_t)
|
||||||
corenet_all_recvfrom_unlabeled(puppet_t)
|
|
||||||
|
|
||||||
corenet_tcp_sendrecv_generic_if(puppet_t)
|
|
||||||
corenet_tcp_sendrecv_generic_node(puppet_t)
|
|
||||||
|
|
||||||
corenet_tcp_bind_generic_node(puppet_t)
|
|
||||||
|
|
||||||
corecmd_exec_bin(puppet_t)
|
corecmd_exec_bin(puppet_t)
|
||||||
corecmd_exec_shell(puppet_t)
|
corecmd_exec_shell(puppet_t)
|
||||||
|
|
||||||
|
corenet_all_recvfrom_netlabel(puppet_t)
|
||||||
|
corenet_all_recvfrom_unlabeled(puppet_t)
|
||||||
|
corenet_tcp_sendrecv_generic_if(puppet_t)
|
||||||
|
corenet_tcp_sendrecv_generic_node(puppet_t)
|
||||||
|
corenet_tcp_bind_generic_node(puppet_t)
|
||||||
|
corenet_tcp_connect_puppet_port(puppet_t)
|
||||||
|
corenet_sendrecv_puppet_client_packets(puppet_t)
|
||||||
|
|
||||||
dev_read_rand(puppet_t)
|
dev_read_rand(puppet_t)
|
||||||
dev_read_sysfs(puppet_t)
|
dev_read_sysfs(puppet_t)
|
||||||
dev_read_urand(puppet_t)
|
dev_read_urand(puppet_t)
|
||||||
|
@ -116,38 +107,31 @@ files_manage_etc_files(puppet_t)
|
||||||
files_read_usr_symlinks(puppet_t)
|
files_read_usr_symlinks(puppet_t)
|
||||||
files_relabel_config_dirs(puppet_t)
|
files_relabel_config_dirs(puppet_t)
|
||||||
files_relabel_config_files(puppet_t)
|
files_relabel_config_files(puppet_t)
|
||||||
files_search_default(puppet_t)
|
|
||||||
files_search_var_lib(puppet_t)
|
|
||||||
|
|
||||||
init_all_labeled_script_domtrans(puppet_t)
|
|
||||||
init_domtrans_script(puppet_t)
|
|
||||||
init_read_utmp(puppet_t)
|
|
||||||
init_signull_script(puppet_t)
|
|
||||||
|
|
||||||
kernel_dontaudit_search_sysctl(puppet_t)
|
|
||||||
kernel_dontaudit_search_kernel_sysctl(puppet_t)
|
|
||||||
kernel_read_system_state(puppet_t)
|
|
||||||
kernel_read_crypto_sysctls(puppet_t)
|
|
||||||
|
|
||||||
logging_send_syslog_msg(puppet_t)
|
|
||||||
|
|
||||||
miscfiles_read_hwdata(puppet_t)
|
|
||||||
miscfiles_read_localization(puppet_t)
|
|
||||||
|
|
||||||
selinux_search_fs(puppet_t)
|
selinux_search_fs(puppet_t)
|
||||||
selinux_set_all_booleans(puppet_t)
|
selinux_set_all_booleans(puppet_t)
|
||||||
selinux_set_generic_booleans(puppet_t)
|
selinux_set_generic_booleans(puppet_t)
|
||||||
selinux_validate_context(puppet_t)
|
selinux_validate_context(puppet_t)
|
||||||
|
|
||||||
|
term_dontaudit_getattr_unallocated_ttys(puppet_t)
|
||||||
|
term_dontaudit_getattr_all_user_ttys(puppet_t)
|
||||||
|
|
||||||
|
init_all_labeled_script_domtrans(puppet_t)
|
||||||
|
init_domtrans_script(puppet_t)
|
||||||
|
init_read_utmp(puppet_t)
|
||||||
|
init_signull_script(puppet_t)
|
||||||
|
|
||||||
|
logging_send_syslog_msg(puppet_t)
|
||||||
|
|
||||||
|
miscfiles_read_hwdata(puppet_t)
|
||||||
|
miscfiles_read_localization(puppet_t)
|
||||||
|
|
||||||
seutil_domtrans_setfiles(puppet_t)
|
seutil_domtrans_setfiles(puppet_t)
|
||||||
seutil_domtrans_semanage(puppet_t)
|
seutil_domtrans_semanage(puppet_t)
|
||||||
|
|
||||||
sysnet_dns_name_resolve(puppet_t)
|
sysnet_dns_name_resolve(puppet_t)
|
||||||
sysnet_run_ifconfig(puppet_t, system_r)
|
sysnet_run_ifconfig(puppet_t, system_r)
|
||||||
|
|
||||||
term_dontaudit_getattr_unallocated_ttys(puppet_t)
|
|
||||||
term_dontaudit_getattr_all_user_ttys(puppet_t)
|
|
||||||
|
|
||||||
tunable_policy(`puppet_manage_all_files',`
|
tunable_policy(`puppet_manage_all_files',`
|
||||||
auth_manage_all_files_except_shadow(puppet_t)
|
auth_manage_all_files_except_shadow(puppet_t)
|
||||||
')
|
')
|
||||||
|
@ -162,7 +146,6 @@ optional_policy(`
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
files_rw_var_files(puppet_t)
|
files_rw_var_files(puppet_t)
|
||||||
files_var_lib_filetrans(puppet_t, var_lib_t, dir)
|
|
||||||
|
|
||||||
rpm_domtrans(puppet_t)
|
rpm_domtrans(puppet_t)
|
||||||
rpm_manage_db(puppet_t)
|
rpm_manage_db(puppet_t)
|
||||||
|
@ -178,16 +161,15 @@ optional_policy(`
|
||||||
usermanage_domtrans_useradd(puppet_t)
|
usermanage_domtrans_useradd(puppet_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# Pupper master personal policy
|
# Pupper master personal policy
|
||||||
#
|
#
|
||||||
|
|
||||||
allow puppetmaster_t self:capability { dac_read_search dac_override setuid setgid fowner chown fsetid sys_tty_config };
|
allow puppetmaster_t self:capability { dac_read_search dac_override setuid setgid fowner chown fsetid sys_tty_config };
|
||||||
allow puppetmaster_t self:fifo_file rw_fifo_file_perms;;
|
|
||||||
allow puppetmaster_t self:netlink_route_socket create_netlink_socket_perms;
|
|
||||||
allow puppetmaster_t self:process { signal_perms getsched setsched };
|
allow puppetmaster_t self:process { signal_perms getsched setsched };
|
||||||
|
allow puppetmaster_t self:fifo_file rw_fifo_file_perms;
|
||||||
|
allow puppetmaster_t self:netlink_route_socket create_netlink_socket_perms;
|
||||||
allow puppetmaster_t self:socket create;
|
allow puppetmaster_t self:socket create;
|
||||||
allow puppetmaster_t self:tcp_socket create_stream_socket_perms;
|
allow puppetmaster_t self:tcp_socket create_stream_socket_perms;
|
||||||
allow puppetmaster_t self:udp_socket create_socket_perms;
|
allow puppetmaster_t self:udp_socket create_socket_perms;
|
||||||
|
@ -195,50 +177,43 @@ allow puppetmaster_t self:udp_socket create_socket_perms;
|
||||||
list_dirs_pattern(puppetmaster_t, puppet_etc_t, puppet_etc_t)
|
list_dirs_pattern(puppetmaster_t, puppet_etc_t, puppet_etc_t)
|
||||||
read_files_pattern(puppetmaster_t, puppet_etc_t, puppet_etc_t)
|
read_files_pattern(puppetmaster_t, puppet_etc_t, puppet_etc_t)
|
||||||
|
|
||||||
manage_dirs_pattern(puppetmaster_t ,puppet_var_lib_t, puppet_var_lib_t)
|
allow puppetmaster_t puppet_log_t:dir { rw_dir_perms setattr };
|
||||||
|
allow puppetmaster_t puppet_log_t:file { rw_file_perms create setattr };
|
||||||
|
logging_log_filetrans(puppetmaster_t, puppet_log_t, { file dir })
|
||||||
|
|
||||||
|
manage_dirs_pattern(puppetmaster_t, puppet_var_lib_t, puppet_var_lib_t)
|
||||||
manage_files_pattern(puppetmaster_t, puppet_var_lib_t, puppet_var_lib_t)
|
manage_files_pattern(puppetmaster_t, puppet_var_lib_t, puppet_var_lib_t)
|
||||||
|
|
||||||
setattr_dirs_pattern(puppetmaster_t, puppet_var_run_t, puppet_var_run_t)
|
setattr_dirs_pattern(puppetmaster_t, puppet_var_run_t, puppet_var_run_t)
|
||||||
manage_files_pattern(puppetmaster_t, puppet_var_run_t, puppet_var_run_t)
|
manage_files_pattern(puppetmaster_t, puppet_var_run_t, puppet_var_run_t)
|
||||||
files_pid_filetrans(puppetmaster_t, puppet_var_run_t, { file dir })
|
files_pid_filetrans(puppetmaster_t, puppet_var_run_t, { file dir })
|
||||||
|
|
||||||
rw_dirs_pattern(puppetmaster_t, puppet_log_t, puppet_log_t)
|
|
||||||
setattr_dirs_pattern(puppetmaster_t, puppet_log_t, puppet_log_t)
|
|
||||||
setattr_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t)
|
|
||||||
create_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t)
|
|
||||||
append_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t)
|
|
||||||
rw_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t)
|
|
||||||
logging_log_filetrans(puppetmaster_t, puppet_log_t, { file dir })
|
|
||||||
|
|
||||||
manage_dirs_pattern(puppetmaster_t, puppetmaster_tmp_t, puppetmaster_tmp_t)
|
manage_dirs_pattern(puppetmaster_t, puppetmaster_tmp_t, puppetmaster_tmp_t)
|
||||||
manage_files_pattern(puppetmaster_t, puppetmaster_tmp_t, puppetmaster_tmp_t)
|
manage_files_pattern(puppetmaster_t, puppetmaster_tmp_t, puppetmaster_tmp_t)
|
||||||
files_tmp_filetrans(puppetmaster_t, puppetmaster_tmp_t, { file dir })
|
files_tmp_filetrans(puppetmaster_t, puppetmaster_tmp_t, { file dir })
|
||||||
|
|
||||||
corenet_sendrecv_puppet_server_packets(puppetmaster_t)
|
kernel_dontaudit_search_kernel_sysctl(puppetmaster_t)
|
||||||
corenet_tcp_bind_puppet_port(puppetmaster_t)
|
kernel_read_system_state(puppetmaster_t)
|
||||||
|
kernel_read_crypto_sysctls(puppetmaster_t)
|
||||||
corenet_all_recvfrom_netlabel(puppetmaster_t)
|
|
||||||
corenet_all_recvfrom_unlabeled(puppetmaster_t)
|
|
||||||
|
|
||||||
corenet_tcp_sendrecv_generic_if(puppetmaster_t)
|
|
||||||
corenet_tcp_sendrecv_generic_node(puppetmaster_t)
|
|
||||||
|
|
||||||
corenet_tcp_bind_generic_node(puppetmaster_t)
|
|
||||||
|
|
||||||
corecmd_exec_bin(puppetmaster_t)
|
corecmd_exec_bin(puppetmaster_t)
|
||||||
corecmd_exec_shell(puppetmaster_t)
|
corecmd_exec_shell(puppetmaster_t)
|
||||||
|
|
||||||
files_read_etc_files(puppetmaster_t)
|
corenet_all_recvfrom_netlabel(puppetmaster_t)
|
||||||
files_search_var_lib(puppetmaster_t)
|
corenet_all_recvfrom_unlabeled(puppetmaster_t)
|
||||||
|
corenet_tcp_sendrecv_generic_if(puppetmaster_t)
|
||||||
|
corenet_tcp_sendrecv_generic_node(puppetmaster_t)
|
||||||
|
corenet_tcp_bind_generic_node(puppetmaster_t)
|
||||||
|
corenet_tcp_bind_puppet_port(puppetmaster_t)
|
||||||
|
corenet_sendrecv_puppet_server_packets(puppetmaster_t)
|
||||||
|
|
||||||
dev_read_rand(puppetmaster_t)
|
dev_read_rand(puppetmaster_t)
|
||||||
dev_read_urand(puppetmaster_t)
|
dev_read_urand(puppetmaster_t)
|
||||||
|
|
||||||
domain_read_all_domains_state(puppetmaster_t)
|
domain_read_all_domains_state(puppetmaster_t)
|
||||||
|
|
||||||
kernel_dontaudit_search_kernel_sysctl(puppetmaster_t)
|
files_read_etc_files(puppetmaster_t)
|
||||||
kernel_read_system_state(puppetmaster_t)
|
files_search_var_lib(puppetmaster_t)
|
||||||
kernel_read_crypto_sysctls(puppetmaster_t)
|
|
||||||
|
|
||||||
logging_send_syslog_msg(puppetmaster_t)
|
logging_send_syslog_msg(puppetmaster_t)
|
||||||
|
|
||||||
|
@ -257,4 +232,3 @@ optional_policy(`
|
||||||
rpm_exec(puppetmaster_t)
|
rpm_exec(puppetmaster_t)
|
||||||
rpm_read_db(puppetmaster_t)
|
rpm_read_db(puppetmaster_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
|
|
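Review bot: In hunk @ -116,38 +107,31 `files_search_default(puppet_t)` is dropped and nothing on the new side of the hunks shown re-grants puppet_t search on default_t directories, so unlike the other removals in this file it is neither a move nor a duplicate (the removed `search_dirs_pattern(puppet_t, puppet_etc_t, puppet_etc_t)` in hunk @ -63,17 +52,17, by contrast, is already covered by the retained `read_files_pattern` on the same type, and `files_var_lib_filetrans(puppet_t, var_lib_t, dir)` only transitioned to the parent type). If the client ever traverses paths that have no file-context entry and therefore sit in default_t, this will surface as a new search denial in a commit described as cleanup; either keep `files_search_default(puppet_t)` in the files_ block or state in the commit message why it is no longer needed. The lines between this hunk and @ -162,7 +146,6 are not in view, so the rule may simply have been relocated there.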
@ -730,7 +730,7 @@ interface(`init_labeled_script_domtrans',`
|
||||||
## Domain allowed access
|
## Domain allowed access
|
||||||
## </summary>
|
## </summary>
|
||||||
## </param>
|
## </param>
|
||||||
#########################################
|
#
|
||||||
interface(`init_all_labeled_script_domtrans',`
|
interface(`init_all_labeled_script_domtrans',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
attribute init_script_file_type;
|
attribute init_script_file_type;
|
||||||
|
|
|
@ -117,13 +117,13 @@ optional_policy(`
|
||||||
apt_use_ptys(ldconfig_t)
|
apt_use_ptys(ldconfig_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
puppet_rw_tmp(ldconfig_t)
|
||||||
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
# When you install a kernel the postinstall builds a initrd image in tmp
|
# When you install a kernel the postinstall builds a initrd image in tmp
|
||||||
# and executes ldconfig on it. If you dont allow this kernel installs
|
# and executes ldconfig on it. If you dont allow this kernel installs
|
||||||
# blow up.
|
# blow up.
|
||||||
rpm_manage_script_tmp_files(ldconfig_t)
|
rpm_manage_script_tmp_files(ldconfig_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
|
||||||
puppet_rw_tmp(ldconfig_t)
|
|
||||||
')
|
|
||||||
|
|