diff options
Diffstat (limited to 'sec-policy/selinux-puppet/files/fix-services-puppet-r1.patch')
| -rw-r--r-- | sec-policy/selinux-puppet/files/fix-services-puppet-r1.patch | 90 |
1 files changed, 90 insertions, 0 deletions
diff --git a/sec-policy/selinux-puppet/files/fix-services-puppet-r1.patch b/sec-policy/selinux-puppet/files/fix-services-puppet-r1.patch new file mode 100644 index 00000000..1ee8cd56 --- /dev/null +++ b/sec-policy/selinux-puppet/files/fix-services-puppet-r1.patch @@ -0,0 +1,90 @@ +--- refpolicy-20110726/policy/modules/services/puppet.te 2011-07-26 14:10:40.000000000 +0200 ++++ services/puppet.te 2011-08-14 09:59:37.005000094 +0200 +@@ -50,7 +50,7 @@ + # Puppet personal policy + # + +-allow puppet_t self:capability { fowner fsetid setuid setgid dac_override sys_nice sys_ptrace sys_tty_config }; ++allow puppet_t self:capability { fowner fsetid setuid setgid dac_override sys_nice sys_ptrace sys_tty_config chown }; + allow puppet_t self:process { signal signull getsched setsched }; + allow puppet_t self:fifo_file rw_fifo_file_perms; + allow puppet_t self:netlink_route_socket create_netlink_socket_perms; +@@ -77,7 +77,8 @@ + files_tmp_filetrans(puppet_t, puppet_tmp_t, { file dir }) + + kernel_dontaudit_search_sysctl(puppet_t) +-kernel_dontaudit_search_kernel_sysctl(puppet_t) ++kernel_read_kernel_sysctls(puppet_t) ++kernel_read_network_state(puppet_t) + kernel_read_system_state(puppet_t) + kernel_read_crypto_sysctls(puppet_t) + +@@ -130,9 +131,40 @@ + + sysnet_dns_name_resolve(puppet_t) + sysnet_run_ifconfig(puppet_t, system_r) ++sysnet_use_ldap(puppet_t) ++ ++usermanage_domtrans_passwd(puppet_t) ++ ++tunable_policy(`gentoo_try_dontaudit',` ++ dontaudit puppet_t self:capability dac_read_search; ++ userdom_dontaudit_use_user_terminals(puppet_t) ++') + + tunable_policy(`puppet_manage_all_files',` + auth_manage_all_files_except_auth_files(puppet_t) ++ ++ # We should use files_relabel_all_files here, but it calls ++ # seutil_relabelto_bin_policy which sets a "typeattribute type attr", ++ # which is not allowed within a tunable_policy. ++ # So, we duplicate the content of files_relabel_all_files except for ++ # the policy configuration stuff and hope users do that through Portage. ++ ++ gen_require(` ++ attribute file_type; ++ attribute security_file_type; ++ type policy_config_t; ++ ') ++ ++ allow puppet_t { file_type -policy_config_t -security_file_type }:dir list_dir_perms; ++ relabel_dirs_pattern(puppet_t, { file_type -policy_config_t -security_file_type }, { file_type -policy_config_t -security_file_type }) ++ relabel_files_pattern(puppet_t, { file_type -policy_config_t -security_file_type }, { file_type -policy_config_t -security_file_type }) ++ relabel_lnk_files_pattern(puppet_t, { file_type -policy_config_t -security_file_type }, { file_type -policy_config_t -security_file_type }) ++ relabel_fifo_files_pattern(puppet_t, { file_type -policy_config_t -security_file_type }, { file_type -policy_config_t -security_file_type }) ++ relabel_sock_files_pattern(puppet_t, { file_type -policy_config_t -security_file_type }, { file_type -policy_config_t -security_file_type }) ++ # this is only relabelfrom since there should be no ++ # device nodes with file types. ++ relabelfrom_blk_files_pattern(puppet_t, { file_type -policy_config_t -security_file_type }, { file_type -policy_config_t -security_file_type }) ++ relabelfrom_chr_files_pattern(puppet_t, { file_type -policy_config_t -security_file_type }, { file_type -policy_config_t -security_file_type }) + ') + + optional_policy(` +@@ -144,6 +176,15 @@ + ') + + optional_policy(` ++ mta_send_mail(puppet_t) ++') ++ ++optional_policy(` ++ gentoo_init_rc_exec(puppet_t) ++ portage_run(puppet_t, system_r) ++') ++ ++optional_policy(` + files_rw_var_files(puppet_t) + + rpm_domtrans(puppet_t) +--- refpolicy-20110726/policy/modules/services/puppet.fc 2010-08-03 15:11:07.000000000 +0200 ++++ services/puppet.fc 2011-07-27 18:25:00.571005854 +0200 +@@ -3,7 +3,9 @@ + /etc/rc\.d/init\.d/puppet -- gen_context(system_u:object_r:puppet_initrc_exec_t,s0) + /etc/rc\.d/init\.d/puppetmaster -- gen_context(system_u:object_r:puppetmaster_initrc_exec_t,s0) + ++/usr/bin/puppetd -- gen_context(system_u:object_r:puppet_exec_t,s0) + /usr/sbin/puppetd -- gen_context(system_u:object_r:puppet_exec_t,s0) ++/usr/bin/puppetmasterd -- gen_context(system_u:object_r:puppetmaster_exec_t,s0) + /usr/sbin/puppetmasterd -- gen_context(system_u:object_r:puppetmaster_exec_t,s0) + + /var/lib/puppet(/.*)? gen_context(system_u:object_r:puppet_var_lib_t,s0) |