From 3a6855a6de5de6a3b4cd876962e8e70d576f1992 Mon Sep 17 00:00:00 2001
From: "Anthony G. Basile"
Date: Mon, 25 Jul 2011 23:14:24 +0000
Subject: Extend puppet rights and clean ups
(Portage version: 2.1.10.3/cvs/Linux x86_64)
---
 sec-policy/selinux-puppet/ChangeLog | 15 +++-
 .../files/fix-services-puppet-r1.patch | 89 ++++++++++++++++++++
 .../files/fix-services-puppet-r2.patch | 97 ++++++++++++++++++++++
 .../files/fix-services-puppet-r3.patch | 97 ++++++++++++++++++++++
 .../selinux-puppet-2.20101213-r1.ebuild | 18 ++++
 .../selinux-puppet-2.20101213-r2.ebuild | 18 ++++
 .../selinux-puppet-2.20101213-r3.ebuild | 18 ++++
 7 files changed, 351 insertions(+), 1 deletion(-)
 create mode 100644 sec-policy/selinux-puppet/files/fix-services-puppet-r1.patch
 create mode 100644 sec-policy/selinux-puppet/files/fix-services-puppet-r2.patch
 create mode 100644 sec-policy/selinux-puppet/files/fix-services-puppet-r3.patch
 create mode 100644 sec-policy/selinux-puppet/selinux-puppet-2.20101213-r1.ebuild
 create mode 100644 sec-policy/selinux-puppet/selinux-puppet-2.20101213-r2.ebuild
 create mode 100644 sec-policy/selinux-puppet/selinux-puppet-2.20101213-r3.ebuild
(limited to 'sec-policy')
diff --git a/sec-policy/selinux-puppet/ChangeLog b/sec-policy/selinux-puppet/ChangeLog
index 120b7a023f6b..f20f80fae00b 100644
--- a/sec-policy/selinux-puppet/ChangeLog
+++ b/sec-policy/selinux-puppet/ChangeLog
@@ -1,6 +1,19 @@
 # ChangeLog for sec-policy/selinux-puppet
 # Copyright 1999-2011 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/sec-policy/selinux-puppet/ChangeLog,v 1.2 2011/06/02 12:49:09 blueness Exp $
+# $Header: /var/cvsroot/gentoo-x86/sec-policy/selinux-puppet/ChangeLog,v 1.3 2011/07/25 23:14:24 blueness Exp $
+
+*selinux-puppet-2.20101213-r3 (25 Jul 2011)
+*selinux-puppet-2.20101213-r2 (25 Jul 2011)
+*selinux-puppet-2.20101213-r1 (25 Jul 2011)
+
+ 25 Jul 2011; Anthony G. Basile
+ +files/fix-services-puppet-r1.patch, +files/fix-services-puppet-r2.patch,
+ +files/fix-services-puppet-r3.patch, +selinux-puppet-2.20101213-r1.ebuild,
+ +selinux-puppet-2.20101213-r2.ebuild, +selinux-puppet-2.20101213-r3.ebuild:
+ r3: Allow puppet to call portage domains and ensure that this is supported
+ through the system_r role
+ r2: Revert ugly initrc hack introduced in r1
+ r1: Extend puppet rights
 02 Jun 2011; Anthony G. Basile selinux-puppet-2.20101213.ebuild:
diff --git a/sec-policy/selinux-puppet/files/fix-services-puppet-r1.patch b/sec-policy/selinux-puppet/files/fix-services-puppet-r1.patch
new file mode 100644
index 000000000000..63056dbe8ded
--- /dev/null
+++ b/sec-policy/selinux-puppet/files/fix-services-puppet-r1.patch
@@ -0,0 +1,89 @@
+--- services/puppet.te 2010-08-03 15:11:07.000000000 +0200
++++ services/puppet.te 2011-07-11 22:40:28.700001278 +0200
+@@ -17,6 +17,9 @@
+ type puppet_exec_t;
+ init_daemon_domain(puppet_t, puppet_exec_t)
+
++type puppet_initrc_notrans_t;
++role system_r types puppet_initrc_notrans_t;
++
+ type puppet_etc_t;
+ files_config_file(puppet_etc_t)
+
+@@ -77,7 +80,9 @@
+ files_tmp_filetrans(puppet_t, puppet_tmp_t, { file dir })
+
+ kernel_dontaudit_search_sysctl(puppet_t)
+-kernel_dontaudit_search_kernel_sysctl(puppet_t)
++#kernel_dontaudit_search_kernel_sysctl(puppet_t)
++kernel_read_kernel_sysctls(puppet_t)
++kernel_read_network_state(puppet_t)
+ kernel_read_system_state(puppet_t)
+ kernel_read_crypto_sysctls(puppet_t)
+
+@@ -115,6 +120,9 @@
+ term_dontaudit_getattr_unallocated_ttys(puppet_t)
+ term_dontaudit_getattr_all_ttys(puppet_t)
+
++
++## system modules
++
+ init_all_labeled_script_domtrans(puppet_t)
+ init_domtrans_script(puppet_t)
+ init_read_utmp(puppet_t)
+@@ -125,12 +133,26 @@
+ miscfiles_read_hwdata(puppet_t)
+ miscfiles_read_localization(puppet_t)
+
++mount_domtrans(puppet_t)
++
+ seutil_domtrans_setfiles(puppet_t)
+ seutil_domtrans_semanage(puppet_t)
+
+ sysnet_dns_name_resolve(puppet_t)
+ sysnet_run_ifconfig(puppet_t, system_r)
+
++## Other modules
++
++
++usermanage_domtrans_passwd(puppet_t)
++
++tunable_policy(`gentoo_try_dontaudit',`
++ dontaudit puppet_t self:capability dac_read_search;
++ kernel_dontaudit_read_system_state(puppet_initrc_notrans_t)
++ userdom_dontaudit_use_user_terminals(puppet_t)
++')
++
++
+ tunable_policy(`puppet_manage_all_files',`
+ auth_manage_all_files_except_shadow(puppet_t)
+ ')
+@@ -144,6 +166,16 @@
+ ')
+
+ optional_policy(`
++ mta_send_mail(puppet_t)
++')
++
++optional_policy(`
++ gentoo_init_initrc_notrans(puppet_initrc_notrans_t, puppet_t)
++ portage_domtrans(puppet_t)
++ puppet_rw_tmp(puppet_initrc_notrans_t)
++')
++
++optional_policy(`
+ files_rw_var_files(puppet_t)
+
+ rpm_domtrans(puppet_t)
+--- services/puppet.fc 2010-08-03 15:11:07.000000000 +0200
++++ services/puppet.fc 2011-07-11 14:06:20.907000356 +0200
+@@ -3,7 +3,9 @@
+ /etc/rc\.d/init\.d/puppet -- gen_context(system_u:object_r:puppet_initrc_exec_t,s0)
+ /etc/rc\.d/init\.d/puppetmaster -- gen_context(system_u:object_r:puppetmaster_initrc_exec_t,s0)
+
++/usr/bin/puppetd -- gen_context(system_u:object_r:puppet_exec_t,s0)
+ /usr/sbin/puppetd -- gen_context(system_u:object_r:puppet_exec_t,s0)
++/usr/bin/puppetmasterd -- gen_context(system_u:object_r:puppetmaster_exec_t,s0)
+ /usr/sbin/puppetmasterd -- gen_context(system_u:object_r:puppetmaster_exec_t,s0)
+
+ /var/lib/puppet(/.*)? gen_context(system_u:object_r:puppet_var_lib_t,s0)
diff --git a/sec-policy/selinux-puppet/files/fix-services-puppet-r2.patch b/sec-policy/selinux-puppet/files/fix-services-puppet-r2.patch
new file mode 100644
index 000000000000..fb82d35d39b8
--- /dev/null
+++ b/sec-policy/selinux-puppet/files/fix-services-puppet-r2.patch
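Review bot: The new grants in puppet.te — `mount_domtrans(puppet_t)`, `usermanage_domtrans_passwd(puppet_t)`, `portage_domtrans(puppet_t)`, `mta_send_mail(puppet_t)` — each open a path from puppet_t into another privileged domain, and nothing in the patch says which Puppet provider needs which one; the same lines appear in fix-services-puppet-r2.patch and fix-services-puppet-r3.patch. A one-line comment above each group, in the form `# needed by Puppet's <provider> provider; AVC: <denial reference>`, would let the next reviewer tell a required transition from one that can be dropped. Replacing `kernel_dontaudit_search_kernel_sysctl(puppet_t)` with `kernel_read_kernel_sysctls(puppet_t)` and `kernel_read_network_state(puppet_t)` turns a silenced denial into a real read permission on kernel and network state, so it deserves the same note; the `## system modules` and `## Other modules` headings could carry that rationale instead of standing empty.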
@@ -0,0 +1,97 @@
+--- services/puppet.te 2010-08-03 15:11:07.000000000 +0200
++++ services/puppet.te 2011-07-21 11:15:55.552000371 +0200
+@@ -17,6 +17,9 @@
+ type puppet_exec_t;
+ init_daemon_domain(puppet_t, puppet_exec_t)
+
++#type puppet_initrc_notrans_t;
++#role system_r types puppet_initrc_notrans_t;
++
+ type puppet_etc_t;
+ files_config_file(puppet_etc_t)
+
+@@ -50,7 +53,7 @@
+ # Puppet personal policy
+ #
+
+-allow puppet_t self:capability { fowner fsetid setuid setgid dac_override sys_nice sys_ptrace sys_tty_config };
++allow puppet_t self:capability { fowner fsetid setuid setgid dac_override sys_nice sys_ptrace sys_tty_config chown };
+ allow puppet_t self:process { signal signull getsched setsched };
+ allow puppet_t self:fifo_file rw_fifo_file_perms;
+ allow puppet_t self:netlink_route_socket create_netlink_socket_perms;
+@@ -77,7 +80,9 @@
+ files_tmp_filetrans(puppet_t, puppet_tmp_t, { file dir })
+
+ kernel_dontaudit_search_sysctl(puppet_t)
+-kernel_dontaudit_search_kernel_sysctl(puppet_t)
++#kernel_dontaudit_search_kernel_sysctl(puppet_t)
++kernel_read_kernel_sysctls(puppet_t)
++kernel_read_network_state(puppet_t)
+ kernel_read_system_state(puppet_t)
+ kernel_read_crypto_sysctls(puppet_t)
+
+@@ -115,6 +120,9 @@
+ term_dontaudit_getattr_unallocated_ttys(puppet_t)
+ term_dontaudit_getattr_all_ttys(puppet_t)
+
++
++## system modules
++
+ init_all_labeled_script_domtrans(puppet_t)
+ init_domtrans_script(puppet_t)
+ init_read_utmp(puppet_t)
+@@ -125,12 +133,26 @@
+ miscfiles_read_hwdata(puppet_t)
+ miscfiles_read_localization(puppet_t)
+
++mount_domtrans(puppet_t)
++
+ seutil_domtrans_setfiles(puppet_t)
+ seutil_domtrans_semanage(puppet_t)
+
+ sysnet_dns_name_resolve(puppet_t)
+ sysnet_run_ifconfig(puppet_t, system_r)
+
++## Other modules
++
++
++usermanage_domtrans_passwd(puppet_t)
++
++tunable_policy(`gentoo_try_dontaudit',`
++ dontaudit puppet_t self:capability dac_read_search;
++ #kernel_dontaudit_read_system_state(puppet_initrc_notrans_t)
++ userdom_dontaudit_use_user_terminals(puppet_t)
++')
++
++
+ tunable_policy(`puppet_manage_all_files',`
+ auth_manage_all_files_except_shadow(puppet_t)
+ ')
+@@ -144,6 +166,15 @@
+ ')
+
+ optional_policy(`
++ mta_send_mail(puppet_t)
++')
++
++optional_policy(`
++ gentoo_init_rc_exec(puppet_t)
++ portage_domtrans(puppet_t)
++')
++
++optional_policy(`
+ files_rw_var_files(puppet_t)
+
+ rpm_domtrans(puppet_t)
+--- services/puppet.fc 2010-08-03 15:11:07.000000000 +0200
++++ services/puppet.fc 2011-07-21 10:08:43.240000256 +0200
+@@ -3,7 +3,9 @@
+ /etc/rc\.d/init\.d/puppet -- gen_context(system_u:object_r:puppet_initrc_exec_t,s0)
+ /etc/rc\.d/init\.d/puppetmaster -- gen_context(system_u:object_r:puppetmaster_initrc_exec_t,s0)
+
++/usr/bin/puppetd -- gen_context(system_u:object_r:puppet_exec_t,s0)
+ /usr/sbin/puppetd -- gen_context(system_u:object_r:puppet_exec_t,s0)
++/usr/bin/puppetmasterd -- gen_context(system_u:object_r:puppetmaster_exec_t,s0)
+ /usr/sbin/puppetmasterd -- gen_context(system_u:object_r:puppetmaster_exec_t,s0)
+
+ /var/lib/puppet(/.*)? gen_context(system_u:object_r:puppet_var_lib_t,s0)
diff --git a/sec-policy/selinux-puppet/files/fix-services-puppet-r3.patch b/sec-policy/selinux-puppet/files/fix-services-puppet-r3.patch
new file mode 100644
index 000000000000..492cc2755910
--- /dev/null
+++ b/sec-policy/selinux-puppet/files/fix-services-puppet-r3.patch
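Review bot: The revert of the r1 initrc type is done by commenting rather than removing — `#type puppet_initrc_notrans_t;`, `#role system_r types puppet_initrc_notrans_t;` and `#kernel_dontaudit_read_system_state(puppet_initrc_notrans_t)` are added to puppet.te as dead lines, as is `#kernel_dontaudit_search_kernel_sysctl(puppet_t)` — and fix-services-puppet-r3.patch carries the same four. Each revision is a standalone patch against the unmodified puppet.te, not a delta from r1, so these comments only leave a reader guessing about what is in effect; drop them from the patch and let the ChangeLog carry the history. The added `chown` in the puppet_t self:capability rule is a new capability that the ChangeLog entry does not mention; a short comment on that line recording the denial it answers (presumably file resources that set owner or group) would keep the grant reviewable.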
@@ -0,0 +1,97 @@
+--- services/puppet.te 2010-08-03 15:11:07.000000000 +0200
++++ services/puppet.te 2011-07-24 10:34:00.622000087 +0200
+@@ -17,6 +17,9 @@
+ type puppet_exec_t;
+ init_daemon_domain(puppet_t, puppet_exec_t)
+
++#type puppet_initrc_notrans_t;
++#role system_r types puppet_initrc_notrans_t;
++
+ type puppet_etc_t;
+ files_config_file(puppet_etc_t)
+
+@@ -50,7 +53,7 @@
+ # Puppet personal policy
+ #
+
+-allow puppet_t self:capability { fowner fsetid setuid setgid dac_override sys_nice sys_ptrace sys_tty_config };
++allow puppet_t self:capability { fowner fsetid setuid setgid dac_override sys_nice sys_ptrace sys_tty_config chown };
+ allow puppet_t self:process { signal signull getsched setsched };
+ allow puppet_t self:fifo_file rw_fifo_file_perms;
+ allow puppet_t self:netlink_route_socket create_netlink_socket_perms;
+@@ -77,7 +80,9 @@
+ files_tmp_filetrans(puppet_t, puppet_tmp_t, { file dir })
+
+ kernel_dontaudit_search_sysctl(puppet_t)
+-kernel_dontaudit_search_kernel_sysctl(puppet_t)
++#kernel_dontaudit_search_kernel_sysctl(puppet_t)
++kernel_read_kernel_sysctls(puppet_t)
++kernel_read_network_state(puppet_t)
+ kernel_read_system_state(puppet_t)
+ kernel_read_crypto_sysctls(puppet_t)
+
+@@ -115,6 +120,9 @@
+ term_dontaudit_getattr_unallocated_ttys(puppet_t)
+ term_dontaudit_getattr_all_ttys(puppet_t)
+
++
++## system modules
++
+ init_all_labeled_script_domtrans(puppet_t)
+ init_domtrans_script(puppet_t)
+ init_read_utmp(puppet_t)
+@@ -125,12 +133,26 @@
+ miscfiles_read_hwdata(puppet_t)
+ miscfiles_read_localization(puppet_t)
+
++mount_domtrans(puppet_t)
++
+ seutil_domtrans_setfiles(puppet_t)
+ seutil_domtrans_semanage(puppet_t)
+
+ sysnet_dns_name_resolve(puppet_t)
+ sysnet_run_ifconfig(puppet_t, system_r)
+
++## Other modules
++
++
++usermanage_domtrans_passwd(puppet_t)
++
++tunable_policy(`gentoo_try_dontaudit',`
++ dontaudit puppet_t self:capability dac_read_search;
++ #kernel_dontaudit_read_system_state(puppet_initrc_notrans_t)
++ userdom_dontaudit_use_user_terminals(puppet_t)
++')
++
++
+ tunable_policy(`puppet_manage_all_files',`
+ auth_manage_all_files_except_shadow(puppet_t)
+ ')
+@@ -144,6 +166,15 @@
+ ')
+
+ optional_policy(`
++ mta_send_mail(puppet_t)
++')
++
++optional_policy(`
++ gentoo_init_rc_exec(puppet_t)
++ portage_run(puppet_t, system_r)
++')
++
++optional_policy(`
+ files_rw_var_files(puppet_t)
+
+ rpm_domtrans(puppet_t)
+--- services/puppet.fc 2010-08-03 15:11:07.000000000 +0200
++++ services/puppet.fc 2011-07-21 10:08:43.240000256 +0200
+@@ -3,7 +3,9 @@
+ /etc/rc\.d/init\.d/puppet -- gen_context(system_u:object_r:puppet_initrc_exec_t,s0)
+ /etc/rc\.d/init\.d/puppetmaster -- gen_context(system_u:object_r:puppetmaster_initrc_exec_t,s0)
+
++/usr/bin/puppetd -- gen_context(system_u:object_r:puppet_exec_t,s0)
+ /usr/sbin/puppetd -- gen_context(system_u:object_r:puppet_exec_t,s0)
++/usr/bin/puppetmasterd -- gen_context(system_u:object_r:puppetmaster_exec_t,s0)
+ /usr/sbin/puppetmasterd -- gen_context(system_u:object_r:puppetmaster_exec_t,s0)
+
+ /var/lib/puppet(/.*)? gen_context(system_u:object_r:puppet_var_lib_t,s0)
diff --git a/sec-policy/selinux-puppet/selinux-puppet-2.20101213-r1.ebuild b/sec-policy/selinux-puppet/selinux-puppet-2.20101213-r1.ebuild
new file mode 100644
index 000000000000..32d8fa6c9674
--- /dev/null
+++ b/sec-policy/selinux-puppet/selinux-puppet-2.20101213-r1.ebuild
@@ -0,0 +1,18 @@
+# Copyright 1999-2011 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/sec-policy/selinux-puppet/selinux-puppet-2.20101213-r1.ebuild,v 1.1 2011/07/25 23:14:24 blueness Exp $
+
+IUSE=""
+
+MODS="puppet"
+
+inherit selinux-policy-2
+
+DESCRIPTION="SELinux policy for general applications"
+
+DEPEND=">=sec-policy/selinux-base-policy-2.20101213-r19"
+RDEPEND="${DEPEND}"
+
+KEYWORDS="~amd64 ~x86"
+
+POLICY_PATCH="${FILESDIR}/fix-services-puppet-r1.patch"
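Review bot: `portage_run(puppet_t, system_r)` now gives the portage transition the role it needs, but `usermanage_domtrans_passwd(puppet_t)` and `mount_domtrans(puppet_t)` earlier in the same puppet.te hunk still grant their transitions without one; if passwd_t or mount_t is not already allowed for system_r by the base policy they will fail the same way the portage case did, and `usermanage_run_passwd(puppet_t, system_r)` / `mount_run(puppet_t, system_r)` are the role-carrying forms — worth confirming against the base-policy interfaces before choosing. The reason given in the ChangeLog ("ensure that this is supported through the system_r role") should also live in the .te, e.g. `# portage_run rather than portage_domtrans: puppet_t runs as system_r, which must be allowed for portage_t` above that optional_policy block, so it survives the next rebase of the patch.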
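Review bot: `DESCRIPTION="SELinux policy for general applications"` does not describe this package, which installs only the puppet module (`MODS="puppet"`), and the same string is copied into selinux-puppet-2.20101213-r2.ebuild and -r3.ebuild; `DESCRIPTION="SELinux policy for puppet"` matches the module. The three ebuilds otherwise differ only in POLICY_PATCH and the base-policy floor (`-r19` here, `-r20` in r2 and r3), and nothing records why r1 can build against the older base; a comment on the DEPEND line naming the base-policy interface each patch relies on (`gentoo_init_initrc_notrans` here, `gentoo_init_rc_exec` in r2/r3, `portage_run` in r3) would make the dependency bump auditable.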
diff --git a/sec-policy/selinux-puppet/selinux-puppet-2.20101213-r2.ebuild b/sec-policy/selinux-puppet/selinux-puppet-2.20101213-r2.ebuild
new file mode 100644
index 000000000000..f96a26b930d6
--- /dev/null
+++ b/sec-policy/selinux-puppet/selinux-puppet-2.20101213-r2.ebuild
@@ -0,0 +1,18 @@
+# Copyright 1999-2011 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/sec-policy/selinux-puppet/selinux-puppet-2.20101213-r2.ebuild,v 1.1 2011/07/25 23:14:24 blueness Exp $
+
+IUSE=""
+
+MODS="puppet"
+
+inherit selinux-policy-2
+
+DESCRIPTION="SELinux policy for general applications"
+
+DEPEND=">=sec-policy/selinux-base-policy-2.20101213-r20"
+RDEPEND="${DEPEND}"
+
+KEYWORDS="~amd64 ~x86"
+
+POLICY_PATCH="${FILESDIR}/fix-services-puppet-r2.patch"
diff --git a/sec-policy/selinux-puppet/selinux-puppet-2.20101213-r3.ebuild b/sec-policy/selinux-puppet/selinux-puppet-2.20101213-r3.ebuild
new file mode 100644
index 000000000000..670d5d0e3bd9
--- /dev/null
+++ b/sec-policy/selinux-puppet/selinux-puppet-2.20101213-r3.ebuild
@@ -0,0 +1,18 @@
+# Copyright 1999-2011 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/sec-policy/selinux-puppet/selinux-puppet-2.20101213-r3.ebuild,v 1.1 2011/07/25 23:14:24 blueness Exp $
+
+IUSE=""
+
+MODS="puppet"
+
+inherit selinux-policy-2
+
+DESCRIPTION="SELinux policy for general applications"
+
+DEPEND=">=sec-policy/selinux-base-policy-2.20101213-r20"
+RDEPEND="${DEPEND}"
+
+KEYWORDS="~amd64 ~x86"
+
+POLICY_PATCH="${FILESDIR}/fix-services-puppet-r3.patch"
--
cgit v1.2.3-65-gdbad