18f2a72d7f
Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes.
245 lines
7.0 KiB
Plaintext
245 lines
7.0 KiB
Plaintext
policy_module(puppet, 1.0.0)
|
|
|
|
########################################
|
|
#
|
|
# Declarations
|
|
#
|
|
|
|
## <desc>
|
|
## <p>
|
|
## Allow Puppet client to manage all file
|
|
## types.
|
|
## </p>
|
|
## </desc>
|
|
gen_tunable(puppet_manage_all_files, false)
|
|
|
|
type puppet_t;
|
|
type puppet_exec_t;
|
|
init_daemon_domain(puppet_t, puppet_exec_t)
|
|
|
|
type puppet_etc_t;
|
|
files_config_file(puppet_etc_t)
|
|
|
|
type puppet_initrc_exec_t;
|
|
init_script_file(puppet_initrc_exec_t)
|
|
|
|
type puppet_log_t;
|
|
logging_log_file(puppet_log_t)
|
|
|
|
type puppet_tmp_t;
|
|
files_tmp_file(puppet_tmp_t)
|
|
|
|
type puppet_var_lib_t;
|
|
files_type(puppet_var_lib_t)
|
|
|
|
type puppet_var_run_t;
|
|
files_pid_file(puppet_var_run_t)
|
|
|
|
type puppetmaster_t;
|
|
type puppetmaster_exec_t;
|
|
init_daemon_domain(puppetmaster_t, puppetmaster_exec_t)
|
|
|
|
type puppetmaster_initrc_exec_t;
|
|
init_script_file(puppetmaster_initrc_exec_t)
|
|
|
|
type puppetmaster_tmp_t;
|
|
files_tmp_file(puppetmaster_tmp_t)
|
|
|
|
########################################
|
|
#
|
|
# Puppet personal policy
|
|
#
|
|
|
|
allow puppet_t self:capability { fowner fsetid setuid setgid dac_override sys_nice sys_ptrace sys_tty_config };
|
|
allow puppet_t self:process { signal signull getsched setsched };
|
|
allow puppet_t self:fifo_file rw_fifo_file_perms;
|
|
allow puppet_t self:netlink_route_socket create_netlink_socket_perms;
|
|
allow puppet_t self:tcp_socket create_stream_socket_perms;
|
|
allow puppet_t self:udp_socket create_socket_perms;
|
|
|
|
read_files_pattern(puppet_t, puppet_etc_t, puppet_etc_t)
|
|
|
|
manage_dirs_pattern(puppet_t, puppet_var_lib_t, puppet_var_lib_t)
|
|
manage_files_pattern(puppet_t, puppet_var_lib_t, puppet_var_lib_t)
|
|
files_search_var_lib(puppet_t)
|
|
|
|
manage_dirs_pattern(puppet_t, puppet_var_run_t, puppet_var_run_t)
|
|
manage_files_pattern(puppet_t, puppet_var_run_t, puppet_var_run_t)
|
|
files_pid_filetrans(puppet_t, puppet_var_run_t, { file dir })
|
|
|
|
create_dirs_pattern(puppet_t, var_log_t, puppet_log_t)
|
|
create_files_pattern(puppet_t, puppet_log_t, puppet_log_t)
|
|
append_files_pattern(puppet_t, puppet_log_t, puppet_log_t)
|
|
logging_log_filetrans(puppet_t, puppet_log_t, { file dir })
|
|
|
|
manage_dirs_pattern(puppet_t, puppet_tmp_t, puppet_tmp_t)
|
|
manage_files_pattern(puppet_t, puppet_tmp_t, puppet_tmp_t)
|
|
files_tmp_filetrans(puppet_t, puppet_tmp_t, { file dir })
|
|
|
|
kernel_dontaudit_search_sysctl(puppet_t)
|
|
kernel_dontaudit_search_kernel_sysctl(puppet_t)
|
|
kernel_read_system_state(puppet_t)
|
|
kernel_read_crypto_sysctls(puppet_t)
|
|
|
|
corecmd_exec_bin(puppet_t)
|
|
corecmd_exec_shell(puppet_t)
|
|
|
|
corenet_all_recvfrom_netlabel(puppet_t)
|
|
corenet_all_recvfrom_unlabeled(puppet_t)
|
|
corenet_tcp_sendrecv_generic_if(puppet_t)
|
|
corenet_tcp_sendrecv_generic_node(puppet_t)
|
|
corenet_tcp_bind_generic_node(puppet_t)
|
|
corenet_tcp_connect_puppet_port(puppet_t)
|
|
corenet_sendrecv_puppet_client_packets(puppet_t)
|
|
|
|
dev_read_rand(puppet_t)
|
|
dev_read_sysfs(puppet_t)
|
|
dev_read_urand(puppet_t)
|
|
|
|
domain_read_all_domains_state(puppet_t)
|
|
domain_interactive_fd(puppet_t)
|
|
|
|
files_manage_config_files(puppet_t)
|
|
files_manage_config_dirs(puppet_t)
|
|
files_manage_etc_dirs(puppet_t)
|
|
files_manage_etc_files(puppet_t)
|
|
files_read_usr_symlinks(puppet_t)
|
|
files_relabel_config_dirs(puppet_t)
|
|
files_relabel_config_files(puppet_t)
|
|
|
|
selinux_search_fs(puppet_t)
|
|
selinux_set_all_booleans(puppet_t)
|
|
selinux_set_generic_booleans(puppet_t)
|
|
selinux_validate_context(puppet_t)
|
|
|
|
term_dontaudit_getattr_unallocated_ttys(puppet_t)
|
|
term_dontaudit_getattr_all_ttys(puppet_t)
|
|
|
|
init_all_labeled_script_domtrans(puppet_t)
|
|
init_domtrans_script(puppet_t)
|
|
init_read_utmp(puppet_t)
|
|
init_signull_script(puppet_t)
|
|
|
|
logging_send_syslog_msg(puppet_t)
|
|
|
|
miscfiles_read_hwdata(puppet_t)
|
|
miscfiles_read_localization(puppet_t)
|
|
|
|
seutil_domtrans_setfiles(puppet_t)
|
|
seutil_domtrans_semanage(puppet_t)
|
|
|
|
sysnet_dns_name_resolve(puppet_t)
|
|
sysnet_run_ifconfig(puppet_t, system_r)
|
|
|
|
tunable_policy(`puppet_manage_all_files',`
|
|
auth_manage_all_files_except_shadow(puppet_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
consoletype_domtrans(puppet_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
hostname_exec(puppet_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
files_rw_var_files(puppet_t)
|
|
|
|
rpm_domtrans(puppet_t)
|
|
rpm_manage_db(puppet_t)
|
|
rpm_manage_log(puppet_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
unconfined_domain(puppet_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
usermanage_domtrans_groupadd(puppet_t)
|
|
usermanage_domtrans_useradd(puppet_t)
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# Pupper master personal policy
|
|
#
|
|
|
|
allow puppetmaster_t self:capability { dac_read_search dac_override setuid setgid fowner chown fsetid sys_tty_config };
|
|
allow puppetmaster_t self:process { signal_perms getsched setsched };
|
|
allow puppetmaster_t self:fifo_file rw_fifo_file_perms;
|
|
allow puppetmaster_t self:netlink_route_socket create_netlink_socket_perms;
|
|
allow puppetmaster_t self:socket create;
|
|
allow puppetmaster_t self:tcp_socket create_stream_socket_perms;
|
|
allow puppetmaster_t self:udp_socket create_socket_perms;
|
|
|
|
list_dirs_pattern(puppetmaster_t, puppet_etc_t, puppet_etc_t)
|
|
read_files_pattern(puppetmaster_t, puppet_etc_t, puppet_etc_t)
|
|
|
|
allow puppetmaster_t puppet_log_t:dir { rw_dir_perms setattr_dir_perms };
|
|
allow puppetmaster_t puppet_log_t:file { rw_file_perms create_file_perms setattr_file_perms };
|
|
logging_log_filetrans(puppetmaster_t, puppet_log_t, { file dir })
|
|
allow puppetmaster_t puppet_log_t:file relabel_file_perms;
|
|
|
|
manage_dirs_pattern(puppetmaster_t, puppet_var_lib_t, puppet_var_lib_t)
|
|
manage_files_pattern(puppetmaster_t, puppet_var_lib_t, puppet_var_lib_t)
|
|
allow puppetmaster_t puppet_var_lib_t:dir relabel_dir_perms;
|
|
|
|
setattr_dirs_pattern(puppetmaster_t, puppet_var_run_t, puppet_var_run_t)
|
|
manage_files_pattern(puppetmaster_t, puppet_var_run_t, puppet_var_run_t)
|
|
files_pid_filetrans(puppetmaster_t, puppet_var_run_t, { file dir })
|
|
allow puppetmaster_t puppet_var_run_t:dir relabel_dir_perms;
|
|
|
|
manage_dirs_pattern(puppetmaster_t, puppetmaster_tmp_t, puppetmaster_tmp_t)
|
|
manage_files_pattern(puppetmaster_t, puppetmaster_tmp_t, puppetmaster_tmp_t)
|
|
files_tmp_filetrans(puppetmaster_t, puppetmaster_tmp_t, { file dir })
|
|
allow puppetmaster_t puppet_tmp_t:dir relabel_dir_perms;
|
|
|
|
kernel_dontaudit_search_kernel_sysctl(puppetmaster_t)
|
|
kernel_read_system_state(puppetmaster_t)
|
|
kernel_read_crypto_sysctls(puppetmaster_t)
|
|
kernel_read_kernel_sysctls(puppetmaster_t)
|
|
|
|
corecmd_exec_bin(puppetmaster_t)
|
|
corecmd_exec_shell(puppetmaster_t)
|
|
|
|
corenet_all_recvfrom_netlabel(puppetmaster_t)
|
|
corenet_all_recvfrom_unlabeled(puppetmaster_t)
|
|
corenet_tcp_sendrecv_generic_if(puppetmaster_t)
|
|
corenet_tcp_sendrecv_generic_node(puppetmaster_t)
|
|
corenet_tcp_bind_generic_node(puppetmaster_t)
|
|
corenet_tcp_bind_puppet_port(puppetmaster_t)
|
|
corenet_sendrecv_puppet_server_packets(puppetmaster_t)
|
|
|
|
dev_read_rand(puppetmaster_t)
|
|
dev_read_urand(puppetmaster_t)
|
|
|
|
domain_read_all_domains_state(puppetmaster_t)
|
|
|
|
files_read_etc_files(puppetmaster_t)
|
|
files_search_var_lib(puppetmaster_t)
|
|
|
|
selinux_validate_context(puppetmaster_t)
|
|
|
|
logging_send_syslog_msg(puppetmaster_t)
|
|
|
|
miscfiles_read_localization(puppetmaster_t)
|
|
|
|
seutil_read_file_contexts(puppetmaster_t)
|
|
|
|
sysnet_dns_name_resolve(puppetmaster_t)
|
|
sysnet_run_ifconfig(puppetmaster_t, system_r)
|
|
|
|
mta_send_mail(puppetmaster_t)
|
|
|
|
optional_policy(`
|
|
hostname_exec(puppetmaster_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
files_read_usr_symlinks(puppetmaster_t)
|
|
|
|
rpm_exec(puppetmaster_t)
|
|
rpm_read_db(puppetmaster_t)
|
|
')
|