author | Sven Vermeulen <sven.vermeulen@siphos.be> | 2011-08-14 10:00:53 +0200 |
---|---|---|
committer | Sven Vermeulen <sven.vermeulen@siphos.be> | 2011-08-14 10:00:53 +0200 |
commit | afe2981af00a815e3978d0b732d1cbdcc6251718 (patch) | |
tree | 56cf7495699c835f42fa1db8629f83b9ccb21668 | |
parent | The tcpd definition depends on interfaces offered by inetd (diff) | |
Fix build failure with puppet module due to typeattribute constraint
-rw-r--r-- | sec-policy/selinux-puppet/ChangeLog | 5 | ||||
-rw-r--r-- | sec-policy/selinux-puppet/Manifest | 6 | ||||
-rw-r--r-- | sec-policy/selinux-puppet/files/fix-services-puppet-r1.patch | 90 | ||||
-rw-r--r-- | sec-policy/selinux-puppet/selinux-puppet-2.20110726-r1.ebuild | 2 |
4 files changed, 99 insertions, 4 deletions
diff --git a/sec-policy/selinux-puppet/ChangeLog b/sec-policy/selinux-puppet/ChangeLog
index f20f80fa..1611f65e 100644
--- a/sec-policy/selinux-puppet/ChangeLog
+++ b/sec-policy/selinux-puppet/ChangeLog
@@ -2,6 +2,11 @@
 # Copyright 1999-2011 Gentoo Foundation; Distributed under the GPL v2
 # $Header: /var/cvsroot/gentoo-x86/sec-policy/selinux-puppet/ChangeLog,v 1.3 2011/07/25 23:14:24 blueness Exp $
+ 14 Aug 2011; <swift@gentoo.org> +files/fix-services-puppet-r1.patch,
+ selinux-puppet-2.20110726-r1.ebuild:
+ Duplicate code so we do not hit seutil_relabelto_bin_policy which causes a
+ build failure
+
 *selinux-puppet-2.20101213-r3 (25 Jul 2011)
 *selinux-puppet-2.20101213-r2 (25 Jul 2011)
 *selinux-puppet-2.20101213-r1 (25 Jul 2011)
diff --git a/sec-policy/selinux-puppet/Manifest b/sec-policy/selinux-puppet/Manifest
index 2aa07b36..490a2e42 100644
--- a/sec-policy/selinux-puppet/Manifest
+++ b/sec-policy/selinux-puppet/Manifest
@@ -1,5 +1,5 @@
-DIST patchbundle-selinux-base-policy-2.20110726-r1.tar.bz2 18052 RMD160 cff13706b370498cf7193d968b3bff47a718ed84 SHA1 68dbdf8366068f80b85333ecc8bbc578567218c5 SHA256 ebfb12f861447c8865e28ff5ee06ff0d89f870db3b9745c2b18558772a783023
+AUX fix-services-puppet-r1.patch 3973 RMD160 57a846facd16cb038854f0e33547d947d83c74a7 SHA1 8a91bbeb90f520a165159a71e179d26903fda347 SHA256 8aaf2cd43c38397a31bc46de77b1f91f6d4623a404dfdce9df4f10d11110408e
 DIST refpolicy-2.20110726.tar.bz2 588033 RMD160 9803effffe1dbb28d52bee03432e052f4fdc8d3f SHA1 cc27b06c3f541d8f2c57c52804ab6893afcd9db2 SHA256 8159b7535aa0f805510e4e3504b1317d7083b227f0ef3df51c6f002ed70ecedb
-EBUILD selinux-puppet-2.20110726-r1.ebuild 266 RMD160 5e4739969b332c008ae3231d44ef728387d8758a SHA1 893e90adb4f39b1092860b6fe698170c6297324f SHA256 90ed9e2ad80090f2b878cbc7775cd0f52e56c545cdc1dc40fec1a17db95124c5
-MISC ChangeLog 1031 RMD160 1f254caaaba07cf970f285a78aee80bad979e57d SHA1 14b62185792e01b16c5898d4f36459b9051e5485 SHA256 5e3f7dc5e99db8b8a3e73755e398d2851f76ad19aab38b1e933a468db733f45d
+EBUILD selinux-puppet-2.20110726-r1.ebuild 298 RMD160 0179cbf76c5b3da1c3f451533e7a1df59a63d2af SHA1 d93ba35ab5a3d9820beee7c11859b3d780adec3d SHA256 4b09be1e282b63c6d51143899b4f258f73b23e5f1b339aeb7338cb218697a537
+MISC ChangeLog 1235 RMD160 e0d4aae9ba86449e1f30749905db613ac96040e7 SHA1 85bbdd679a840eda1cf93acd835fa26364d1bbaa SHA256 f6501f59e4e8facc9d65859925e299f0e9565e421ae3e704c928aba8255f8ade
 MISC metadata.xml 230 RMD160 5d5194ac8c13d1c054b3df43791bb3f5544aec02 SHA1 8653f0a6bb377d4a07ff59d75e1f2694b9867c4b SHA256 29b1c0521994399dc36bdc4fac4b4b7d1169b537602be0486896018c744d96cf
diff --git a/sec-policy/selinux-puppet/files/fix-services-puppet-r1.patch b/sec-policy/selinux-puppet/files/fix-services-puppet-r1.patch
new file mode 100644
index 00000000..1ee8cd56
--- /dev/null
+++ b/sec-policy/selinux-puppet/files/fix-services-puppet-r1.patch
@@ -0,0 +1,90 @@
+--- refpolicy-20110726/policy/modules/services/puppet.te 2011-07-26 14:10:40.000000000 +0200
++++ services/puppet.te 2011-08-14 09:59:37.005000094 +0200
+@@ -50,7 +50,7 @@
+ # Puppet personal policy
+ #
+ 
+-allow puppet_t self:capability { fowner fsetid setuid setgid dac_override sys_nice sys_ptrace sys_tty_config };
++allow puppet_t self:capability { fowner fsetid setuid setgid dac_override sys_nice sys_ptrace sys_tty_config chown };
+ allow puppet_t self:process { signal signull getsched setsched };
+ allow puppet_t self:fifo_file rw_fifo_file_perms;
+ allow puppet_t self:netlink_route_socket create_netlink_socket_perms;
+@@ -77,7 +77,8 @@
+ files_tmp_filetrans(puppet_t, puppet_tmp_t, { file dir })
+ 
+ kernel_dontaudit_search_sysctl(puppet_t)
+-kernel_dontaudit_search_kernel_sysctl(puppet_t)
++kernel_read_kernel_sysctls(puppet_t)
++kernel_read_network_state(puppet_t)
+ kernel_read_system_state(puppet_t)
+ kernel_read_crypto_sysctls(puppet_t)
+ 
+@@ -130,9 +131,40 @@
+ 
+ sysnet_dns_name_resolve(puppet_t)
+ sysnet_run_ifconfig(puppet_t, system_r)
++sysnet_use_ldap(puppet_t)
++
++usermanage_domtrans_passwd(puppet_t)
++
++tunable_policy(`gentoo_try_dontaudit',`
++ dontaudit puppet_t self:capability dac_read_search;
++ userdom_dontaudit_use_user_terminals(puppet_t)
++')
+ 
+ tunable_policy(`puppet_manage_all_files',`
+ auth_manage_all_files_except_auth_files(puppet_t)
++
++ # We should use files_relabel_all_files here, but it calls
++ # seutil_relabelto_bin_policy which sets a "typeattribute type attr",
++ # which is not allowed within a tunable_policy.
++ # So, we duplicate the content of files_relabel_all_files except for
++ # the policy configuration stuff and hope users do that through Portage.
++
++ gen_require(`
++ attribute file_type;
++ attribute security_file_type;
++ type policy_config_t;
++ ')
++
++ allow puppet_t { file_type -policy_config_t -security_file_type }:dir list_dir_perms;
++ relabel_dirs_pattern(puppet_t, { file_type -policy_config_t -security_file_type }, { file_type -policy_config_t -security_file_type })
++ relabel_files_pattern(puppet_t, { file_type -policy_config_t -security_file_type }, { file_type -policy_config_t -security_file_type })
++ relabel_lnk_files_pattern(puppet_t, { file_type -policy_config_t -security_file_type }, { file_type -policy_config_t -security_file_type })
++ relabel_fifo_files_pattern(puppet_t, { file_type -policy_config_t -security_file_type }, { file_type -policy_config_t -security_file_type })
++ relabel_sock_files_pattern(puppet_t, { file_type -policy_config_t -security_file_type }, { file_type -policy_config_t -security_file_type })
++ # this is only relabelfrom since there should be no
++ # device nodes with file types.
++ relabelfrom_blk_files_pattern(puppet_t, { file_type -policy_config_t -security_file_type }, { file_type -policy_config_t -security_file_type })
++ relabelfrom_chr_files_pattern(puppet_t, { file_type -policy_config_t -security_file_type }, { file_type -policy_config_t -security_file_type })
+ ')
+ 
+ optional_policy(`
+@@ -144,6 +176,15 @@
+ ')
+ 
+ optional_policy(`
++ mta_send_mail(puppet_t)
++')
++
++optional_policy(`
++ gentoo_init_rc_exec(puppet_t)
++ portage_run(puppet_t, system_r)
++')
++
++optional_policy(`
+ files_rw_var_files(puppet_t)
+ 
+ rpm_domtrans(puppet_t)
+--- refpolicy-20110726/policy/modules/services/puppet.fc 2010-08-03 15:11:07.000000000 +0200
++++ services/puppet.fc 2011-07-27 18:25:00.571005854 +0200
+@@ -3,7 +3,9 @@
+ /etc/rc\.d/init\.d/puppet -- gen_context(system_u:object_r:puppet_initrc_exec_t,s0)
+ /etc/rc\.d/init\.d/puppetmaster -- gen_context(system_u:object_r:puppetmaster_initrc_exec_t,s0)
+ 
++/usr/bin/puppetd -- gen_context(system_u:object_r:puppet_exec_t,s0)
+ /usr/sbin/puppetd -- gen_context(system_u:object_r:puppet_exec_t,s0)
++/usr/bin/puppetmasterd -- gen_context(system_u:object_r:puppetmaster_exec_t,s0)
+ /usr/sbin/puppetmasterd -- gen_context(system_u:object_r:puppetmaster_exec_t,s0)
+ 
+ /var/lib/puppet(/.*)? gen_context(system_u:object_r:puppet_var_lib_t,s0)
diff --git a/sec-policy/selinux-puppet/selinux-puppet-2.20110726-r1.ebuild b/sec-policy/selinux-puppet/selinux-puppet-2.20110726-r1.ebuild
index cb1152b4..d5284346 100644
--- a/sec-policy/selinux-puppet/selinux-puppet-2.20110726-r1.ebuild
+++ b/sec-policy/selinux-puppet/selinux-puppet-2.20110726-r1.ebuild
@@ -5,7 +5,7 @@
 EAPI="4"
 IUSE=""
 MODS="puppet"
-BASEPOL="2.20110726-r1"
+POLICY_PATCH="${FILESDIR}/fix-services-puppet-r1.patch"
 inherit selinux-policy-2
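Review bot: The new patch grants puppet_t several privileges that neither the commit title nor the ChangeLog entry mentions — the `chown` capability in the `-50,7` hunk, `kernel_read_kernel_sysctls`/`kernel_read_network_state` in the `-77,7` hunk, `sysnet_use_ldap` and `usermanage_domtrans_passwd` in the `-130,9` hunk, and the `mta_send_mail`, `gentoo_init_rc_exec` and `portage_run` optional blocks in the `-144,6` hunk — while the stated purpose is only to avoid `seutil_relabelto_bin_policy` inside `tunable_policy`. Each of these widens what the puppet agent domain can reach, so they belong in a separate commit with the denials that motivated them, or at minimum in the ChangeLog entry so a policy reviewer can see the scope change. The hand-copied relabel block will silently drift from upstream `files_relabel_all_files`; I would mark it with `# TODO: replace with files_relabel_all_files(puppet_t) once typeattribute statements are permitted inside tunable_policy` so it is reverted rather than forgotten. Note that the inner puppet.te hunks cut through the `tunable_policy` and `optional_policy` blocks, so their full bodies are not visible here.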