adding puppet configuration management system
Signed-off-by: Craig Grube <Craig.Grube@cobham.com> Signed-off-by: Chris PeBenito <cpebenito@tresys.com>
This commit is contained in:
parent
f272825b2d
commit
e8779130bf
@ -247,6 +247,10 @@ optional_policy(`
|
||||
rpm_rw_pipes(groupadd_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
puppet_rw_tmp(groupadd_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# Passwd local policy
|
||||
@ -524,3 +528,7 @@ optional_policy(`
|
||||
rpm_use_fds(useradd_t)
|
||||
rpm_rw_pipes(useradd_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
puppet_rw_tmp(useradd_t)
|
||||
')
|
||||
|
@ -156,6 +156,7 @@ network_port(prelude, tcp,4690,s0, udp,4690,s0)
|
||||
network_port(printer, tcp,515,s0)
|
||||
network_port(ptal, tcp,5703,s0)
|
||||
network_port(pulseaudio, tcp,4713,s0)
|
||||
network_port(puppet, tcp, 8140, s0)
|
||||
network_port(pxe, udp,4011,s0)
|
||||
network_port(pyzor, udp,24441,s0)
|
||||
network_port(radacct, udp,1646,s0, udp,1813,s0)
|
||||
|
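Review bot: The added port entry `network_port(puppet, tcp, 8140, s0)` uses spaces after the commas while every neighbouring entry in the table (pulseaudio, pxe, pyzor, radacct) is written without them; for consistency it should read `network_port(puppet, tcp,8140,s0)`. The alphabetical position between pulseaudio and pxe is correct, and the name matches the corenet_tcp_connect_puppet_port / corenet_tcp_bind_puppet_port calls made in puppet.te, which I take to be generated from this declaration.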
@ -110,7 +110,11 @@ interface(`files_pid_file',`
|
||||
## </param>
|
||||
#
|
||||
interface(`files_config_file',`
|
||||
gen_require(`
|
||||
attribute configfile;
|
||||
')
|
||||
files_type($1)
|
||||
typeattribute $1 configfile;
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -997,6 +1001,83 @@ interface(`files_manage_all_files',`
|
||||
files_manage_kernel_modules($1)
|
||||
')
|
||||
|
||||
###########################################
|
||||
## <summary>
|
||||
## Manage all configuration files on filesystem
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## The type of domain performing this action
|
||||
## </summary>
|
||||
## </param>
|
||||
##
|
||||
#
|
||||
interface(`files_manage_config_files',`
|
||||
gen_require(`
|
||||
attribute configfile;
|
||||
')
|
||||
|
||||
manage_files_pattern($1, configfile, configfile)
|
||||
')
|
||||
|
||||
#############################################
|
||||
## <summary>
|
||||
## Manage all configuration directories on filesystem
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## The type of domain performing this action
|
||||
## </summary>
|
||||
## </param>
|
||||
##
|
||||
#
|
||||
interface(`files_manage_config_dirs',`
|
||||
gen_require(`
|
||||
attribute configfile;
|
||||
')
|
||||
|
||||
manage_dirs_pattern($1, configfile, configfile)
|
||||
')
|
||||
|
||||
|
||||
#######################################
|
||||
## <summary>
|
||||
## Relabel configuration files
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Type of domain performing this action
|
||||
## </summary>
|
||||
## </param>
|
||||
##
|
||||
#
|
||||
interface(`files_relabel_config_files',`
|
||||
gen_require(`
|
||||
attribute configfile;
|
||||
')
|
||||
|
||||
relabel_files_pattern($1, configfile, configfile)
|
||||
')
|
||||
|
||||
#########################################
|
||||
## <summary>
|
||||
## Relabel configuration directories
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Type of domain performing this action
|
||||
## </summary>
|
||||
## </param>
|
||||
##
|
||||
#
|
||||
interface(`files_relabel_config_dirs',`
|
||||
gen_require(`
|
||||
attribute configfile;
|
||||
')
|
||||
|
||||
relabel_dirs_pattern($1, configfile, configfile)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Search the contents of all directories on
|
||||
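Review bot: The summaries of files_manage_config_files, files_manage_config_dirs, files_relabel_config_files and files_relabel_config_dirs do not say how wide the grant is: the configfile attribute collects every type that any module declares through files_config_file(), so one call gives write or relabel access to all of those types at once, not merely to files under /etc. A sentence such as `## This covers every type declared with files_config_file(), across all modules.` in each summary would make that breadth visible to whoever reviews a calling module. Two style points: the separator lines above these four interfaces vary in length and differ from the 40-hash separator the rest of the file uses, and their parameter summaries say "The type of domain performing this action" where the neighbouring interfaces on this page, including files_manage_etc_dirs added by this same commit, say "Domain allowed access". files_rw_var_lib_dirs, added further down in this file, is not called by anything else in this commit as far as the page shows.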
@ -1993,6 +2074,25 @@ interface(`files_manage_etc_files',`
|
||||
read_lnk_files_pattern($1, etc_t, etc_t)
|
||||
')
|
||||
|
||||
##########################################
|
||||
## <summary>
|
||||
## Manage generic directories in /etc
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access
|
||||
## </summary>
|
||||
## </param>
|
||||
##
|
||||
#
|
||||
interface(`files_manage_etc_dirs',`
|
||||
gen_require(`
|
||||
type etc_t;
|
||||
')
|
||||
|
||||
manage_dirs_pattern($1, etc_t, etc_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Delete system configuration files in /etc.
|
||||
@ -4222,6 +4322,24 @@ interface(`files_list_var_lib',`
|
||||
list_dirs_pattern($1, var_t, var_lib_t)
|
||||
')
|
||||
|
||||
###########################################
|
||||
## <summary>
|
||||
## Read-write /var/lib directories
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`files_rw_var_lib_dirs',`
|
||||
gen_require(`
|
||||
type var_lib_t;
|
||||
')
|
||||
|
||||
rw_dirs_pattern($1, var_lib_t, var_lib_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Create objects in the /var/lib directory
|
||||
|
@ -11,6 +11,7 @@ attribute files_unconfined_type;
|
||||
attribute lockfile;
|
||||
attribute mountpoint;
|
||||
attribute pidfile;
|
||||
attribute configfile;
|
||||
|
||||
# For labeling types that are to be polyinstantiated
|
||||
attribute polydir;
|
||||
|
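Review bot: The new `attribute configfile;` carries no comment explaining what populates it, while the polydir attribute directly below shows the file's convention of a one-line comment above an attribute whose membership is not obvious. A line such as `# For types declared with files_config_file(); reached via files_manage_config_* and files_relabel_config_*` would tell a reader both how a type ends up in the attribute and what access follows from membership.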
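--- /dev/null
+++ b/policy/modules/services/puppet.fc
@@ -0,0 +1,13 @@
+/etc/puppet(/.*)? gen_context(system_u:object_r:puppet_etc_t, s0)
+
+/etc/rc\.d/init\.d/puppet -- gen_context(system_u:object_r:puppet_initrc_exec_t, s0)
+/etc/rc\.d/init\.d/puppetmaster -- gen_context(system_u:object_r:puppetmasterd_initrc_exec_t, s0)
+
+/usr/sbin/puppetd -- gen_context(system_u:object_r:puppet_exec_t, s0)
+/usr/sbin/puppetmasterd -- gen_context(system_u:object_r:puppetmaster_exec_t, s0)
+
+/var/lib/puppet(/.*)? gen_context(system_u:object_r:puppet_var_lib_t, s0)
+/var/log/puppet(/.*)? gen_context(system_u:object_r:puppet_log_t, s0)
+/var/run/puppet(/.*)? gen_context(system_u:object_r:puppet_var_run_t, s0)
+
+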
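Review bot: The init script for the master is labeled puppetmasterd_initrc_exec_t while the daemon types are puppetmaster_t and puppetmaster_exec_t, and the client side pairs puppet_initrc_exec_t with puppet_exec_t; the extra "d" appears only in this one type name (here and in its declaration in puppet.te). Naming it puppetmaster_initrc_exec_t keeps the two pairs parallel and avoids a mismatch when an interface later needs to name it; the rename must be applied to the .fc line and the two .te lines together.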
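--- /dev/null
+++ b/policy/modules/services/puppet.if
@@ -0,0 +1,32 @@
+## <summary>Puppet client daemon</summary>
+## <desc>
+## <p>
+## Puppet is a configuration management system written in Ruby.
+## The client daemon is responsible for periodically requesting the
+## desired system state from the server and ensuring the state of
+## the client system matches.
+## </p>
+## </desc>
+
+################################################
+## <summary>
+## Read / Write to Puppet temp files. Puppet uses
+## some system binaries (groupadd, etc) that run in
+## a non-puppet domain and redirects output into temp
+## files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+##
+#
+interface(`puppet_rw_tmp', `
+gen_require(`
+type puppet_tmp_t;
+')
+
+allow $1 puppet_tmp_t:file rw_file_perms;
+files_search_tmp($1)
+')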
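Review bot: puppet_rw_tmp grants `allow $1 puppet_tmp_t:file rw_file_perms;` but nothing on puppet_tmp_t directories, even though puppet.te transitions both files and directories to puppet_tmp_t (files_tmp_filetrans with { file dir }); if any redirected output lands inside a puppet_tmp_t directory, groupadd_t, useradd_t, initrc_t and ldconfig_t cannot reach it with this interface alone. The refpolicy idiom `rw_files_pattern($1, puppet_tmp_t, puppet_tmp_t)` replaces the raw allow and adds the directory search at the same time. Style: the interface line puts a space between the closing quote of the name and the opening quote of the body, which none of the other interfaces on this page do.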
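--- /dev/null
+++ b/policy/modules/services/puppet.te
@@ -0,0 +1,260 @@
+
+policy_module(puppet, 0.0.1)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Allow Puppet client to manage all file
+## types.
+## </p>
+## </desc>
+gen_tunable(puppet_manage_all_files, false)
+
+
+########################################
+#
+# Puppet personal declarations
+#
+
+type puppet_t;
+type puppet_exec_t;
+init_daemon_domain(puppet_t, puppet_exec_t)
+
+type puppet_initrc_exec_t;
+init_script_file(puppet_initrc_exec_t);
+
+type puppet_log_t;
+logging_log_file(puppet_log_t)
+
+type puppet_var_lib_t;
+files_type(puppet_var_lib_t)
+
+type puppet_var_run_t;
+files_pid_file(puppet_var_run_t)
+
+type puppet_etc_t;
+files_config_file(puppet_etc_t)
+
+type puppet_tmp_t;
+files_tmp_file(puppet_tmp_t)
+
+########################################
+#
+# Pupper master personal declarations
+#
+
+type puppetmaster_t;
+type puppetmaster_exec_t;
+init_daemon_domain(puppetmaster_t, puppetmaster_exec_t)
+
+type puppetmasterd_initrc_exec_t;
+init_script_file(puppetmasterd_initrc_exec_t)
+
+type puppetmaster_tmp_t;
+files_tmp_file(puppetmaster_tmp_t)
+
+########################################
+#
+# Puppet personal policy
+#
+
+allow puppet_t self:capability { fowner fsetid setuid setgid dac_override sys_nice sys_ptrace sys_tty_config };
+allow puppet_t self:fifo_file rw_fifo_file_perms;
+allow puppet_t self:netlink_route_socket create_netlink_socket_perms;
+allow puppet_t self:process { signal signull getsched setsched };
+allow puppet_t self:tcp_socket create_stream_socket_perms;
+allow puppet_t self:udp_socket create_socket_perms;
+
+search_dirs_pattern(puppet_t, puppet_etc_t, puppet_etc_t)
+read_files_pattern(puppet_t, puppet_etc_t, puppet_etc_t)
+
+manage_dirs_pattern(puppet_t ,puppet_var_lib_t, puppet_var_lib_t)
+manage_files_pattern(puppet_t, puppet_var_lib_t, puppet_var_lib_t)
+
+setattr_dirs_pattern(puppet_t, puppet_var_run_t, puppet_var_run_t)
+manage_files_pattern(puppet_t, puppet_var_run_t, puppet_var_run_t)
+files_pid_filetrans(puppet_t, puppet_var_run_t, { file dir })
+
+create_dirs_pattern(puppet_t, var_log_t, puppet_log_t)
+create_files_pattern(puppet_t, puppet_log_t, puppet_log_t)
+append_files_pattern(puppet_t, puppet_log_t, puppet_log_t)
+logging_log_filetrans(puppet_t, puppet_log_t, { file dir })
+
+manage_dirs_pattern(puppet_t, puppet_tmp_t, puppet_tmp_t)
+manage_files_pattern(puppet_t, puppet_tmp_t, puppet_tmp_t)
+files_tmp_filetrans(puppet_t, puppet_tmp_t, { file dir })
+
+corenet_sendrecv_puppet_client_packets(puppet_t)
+corenet_tcp_connect_puppet_port(puppet_t)
+
+corenet_all_recvfrom_netlabel(puppet_t)
+corenet_all_recvfrom_unlabeled(puppet_t)
+
+corenet_tcp_sendrecv_generic_if(puppet_t)
+corenet_tcp_sendrecv_generic_node(puppet_t)
+
+corenet_tcp_bind_generic_node(puppet_t)
+
+corecmd_exec_bin(puppet_t)
+corecmd_exec_shell(puppet_t)
+
+dev_read_rand(puppet_t)
+dev_read_sysfs(puppet_t)
+dev_read_urand(puppet_t)
+
+domain_read_all_domains_state(puppet_t)
+domain_interactive_fd(puppet_t)
+
+files_manage_config_files(puppet_t)
+files_manage_config_dirs(puppet_t)
+files_manage_etc_dirs(puppet_t)
+files_manage_etc_files(puppet_t)
+files_read_usr_symlinks(puppet_t)
+files_relabel_config_dirs(puppet_t)
+files_relabel_config_files(puppet_t)
+files_search_default(puppet_t)
+files_search_var_lib(puppet_t)
+
+init_all_labeled_script_domtrans(puppet_t)
+init_domtrans_script(puppet_t)
+init_read_utmp(puppet_t)
+init_signull_script(puppet_t)
+
+kernel_dontaudit_search_sysctl(puppet_t)
+kernel_dontaudit_search_kernel_sysctl(puppet_t)
+kernel_read_system_state(puppet_t)
+kernel_read_crypto_sysctls(puppet_t)
+
+logging_send_syslog_msg(puppet_t)
+
+miscfiles_read_hwdata(puppet_t)
+miscfiles_read_localization(puppet_t)
+
+selinux_search_fs(puppet_t)
+selinux_set_all_booleans(puppet_t)
+selinux_set_generic_booleans(puppet_t)
+selinux_validate_context(puppet_t)
+
+seutil_domtrans_setfiles(puppet_t)
+seutil_domtrans_semanage(puppet_t)
+
+sysnet_dns_name_resolve(puppet_t)
+sysnet_run_ifconfig(puppet_t, system_r)
+
+term_dontaudit_getattr_unallocated_ttys(puppet_t)
+term_dontaudit_getattr_all_user_ttys(puppet_t)
+
+tunable_policy(`puppet_manage_all_files',`
+auth_manage_all_files_except_shadow(puppet_t)
+')
+
+optional_policy(`
+consoletype_domtrans(puppet_t)
+')
+
+optional_policy(`
+hostname_exec(puppet_t)
+')
+
+optional_policy(`
+files_rw_var_files(puppet_t)
+files_var_lib_filetrans(puppet_t, var_lib_t, dir)
+
+rpm_domtrans(puppet_t)
+rpm_manage_db(puppet_t)
+rpm_manage_log(puppet_t)
+')
+
+optional_policy(`
+unconfined_domain(puppet_t)
+')
+
+optional_policy(`
+usermanage_domtrans_groupadd(puppet_t)
+usermanage_domtrans_useradd(puppet_t)
+')
+
+
+########################################
+#
+# Pupper master personal policy
+#
+
+allow puppetmaster_t self:capability { dac_read_search dac_override setuid setgid fowner chown fsetid sys_tty_config };
+allow puppetmaster_t self:fifo_file rw_fifo_file_perms;;
+allow puppetmaster_t self:netlink_route_socket create_netlink_socket_perms;
+allow puppetmaster_t self:process { signal_perms getsched setsched };
+allow puppetmaster_t self:socket create;
+allow puppetmaster_t self:tcp_socket create_stream_socket_perms;
+allow puppetmaster_t self:udp_socket create_socket_perms;
+
+list_dirs_pattern(puppetmaster_t, puppet_etc_t, puppet_etc_t)
+read_files_pattern(puppetmaster_t, puppet_etc_t, puppet_etc_t)
+
+manage_dirs_pattern(puppetmaster_t ,puppet_var_lib_t, puppet_var_lib_t)
+manage_files_pattern(puppetmaster_t, puppet_var_lib_t, puppet_var_lib_t)
+
+setattr_dirs_pattern(puppetmaster_t, puppet_var_run_t, puppet_var_run_t)
+manage_files_pattern(puppetmaster_t, puppet_var_run_t, puppet_var_run_t)
+files_pid_filetrans(puppetmaster_t, puppet_var_run_t, { file dir })
+
+rw_dirs_pattern(puppetmaster_t, puppet_log_t, puppet_log_t)
+setattr_dirs_pattern(puppetmaster_t, puppet_log_t, puppet_log_t)
+setattr_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t)
+create_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t)
+append_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t)
+rw_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t)
+logging_log_filetrans(puppetmaster_t, puppet_log_t, { file dir })
+
+manage_dirs_pattern(puppetmaster_t, puppetmaster_tmp_t, puppetmaster_tmp_t)
+manage_files_pattern(puppetmaster_t, puppetmaster_tmp_t, puppetmaster_tmp_t)
+files_tmp_filetrans(puppetmaster_t, puppetmaster_tmp_t, { file dir })
+
+corenet_sendrecv_puppet_server_packets(puppetmaster_t)
+corenet_tcp_bind_puppet_port(puppetmaster_t)
+
+corenet_all_recvfrom_netlabel(puppetmaster_t)
+corenet_all_recvfrom_unlabeled(puppetmaster_t)
+
+corenet_tcp_sendrecv_generic_if(puppetmaster_t)
+corenet_tcp_sendrecv_generic_node(puppetmaster_t)
+
+corenet_tcp_bind_generic_node(puppetmaster_t)
+
+corecmd_exec_bin(puppetmaster_t)
+corecmd_exec_shell(puppetmaster_t)
+
+files_read_etc_files(puppetmaster_t)
+files_search_var_lib(puppetmaster_t)
+
+dev_read_rand(puppetmaster_t)
+dev_read_urand(puppetmaster_t)
+
+domain_read_all_domains_state(puppetmaster_t)
+
+kernel_dontaudit_search_kernel_sysctl(puppetmaster_t)
+kernel_read_system_state(puppetmaster_t)
+kernel_read_crypto_sysctls(puppetmaster_t)
+
+logging_send_syslog_msg(puppetmaster_t)
+
+miscfiles_read_localization(puppetmaster_t)
+
+sysnet_dns_name_resolve(puppetmaster_t)
+sysnet_run_ifconfig(puppetmaster_t, system_r)
+
+optional_policy(`
+hostname_exec(puppetmaster_t)
+')
+
+optional_policy(`
+files_read_usr_symlinks(puppetmaster_t)
+
+rpm_exec(puppetmaster_t)
+rpm_read_db(puppetmaster_t)
+')
+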
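Review bot: The optional_policy block that calls unconfined_domain(puppet_t) makes puppet_t unconfined whenever the unconfined module is loaded, which is the common case, so on such systems every rule above it and the puppet_manage_all_files tunable have no effect; if unconfined operation is wanted it should at least sit behind a tunable, with the reason stated in a comment above the block. var_log_t (in create_dirs_pattern) and var_lib_t (in the files_var_lib_filetrans call) are referenced directly although they belong to other modules and appear in no gen_require here; refpolicy modules reach such types only through interfaces, so these two lines are likely to fail a modular build, and logging_log_filetrans and files_var_lib_filetrans already provide the needed transitions. The puppet_t capability set includes sys_ptrace next to domain_read_all_domains_state; when the only trigger is reading other processes' /proc entries the usual treatment is a dontaudit rather than an allow, so it is worth confirming which operation actually needs it. Syntax nits: a stray semicolon on `init_script_file(puppet_initrc_exec_t);`, a doubled `;;` on the puppetmaster_t fifo_file rule, a misplaced comma in `manage_dirs_pattern(puppet_t ,puppet_var_lib_t, puppet_var_lib_t)` and its puppetmaster_t twin, and "Pupper master" in two section comments.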
@ -720,6 +720,25 @@ interface(`init_labeled_script_domtrans',`
|
||||
files_search_etc($1)
|
||||
')
|
||||
|
||||
#########################################
|
||||
## <summary>
|
||||
## Transition to the init script domain
|
||||
## for all labeled init script types
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access
|
||||
## </summary>
|
||||
## </param>
|
||||
#########################################
|
||||
interface(`init_all_labeled_script_domtrans',`
|
||||
gen_require(`
|
||||
attribute init_script_file_type;
|
||||
')
|
||||
|
||||
init_labeled_script_domtrans($1, init_script_file_type)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Start and stop daemon programs directly.
|
||||
|
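Review bot: The documentation block of init_all_labeled_script_domtrans closes with a second separator line of hashes instead of the `##` / `#` pair that init_labeled_script_domtrans above it and every other interface on this page use before the interface line; replace that closing separator with `##` followed by `#` so the block matches the file. The summary would also benefit from saying that this grants a transition through every init_script_file_type at once, so callers understand it is a broad grant meant for domains that manage arbitrary services rather than a single one.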
@ -687,6 +687,10 @@ optional_policy(`
|
||||
postfix_list_spool(initrc_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
puppet_rw_tmp(initrc_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
quota_manage_flags(initrc_t)
|
||||
')
|
||||
|
@ -123,3 +123,7 @@ optional_policy(`
|
||||
# blow up.
|
||||
rpm_manage_script_tmp_files(ldconfig_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
puppet_rw_tmp(ldconfig_t)
|
||||
')
|
||||
|