From: domg472@gmail.com (Dominick Grift)
Date: Thu, 27 Aug 2009 12:31:09 +0200
Subject: [refpolicy] puppet.patch
In-Reply-To: <5ABE30CE099A524CBF95C715D37BCACC020A0190@nemo.columbia.ads.sparta.com>
References: <5ABE30CE099A524CBF95C715D37BCACC020A0190@nemo.columbia.ads.sparta.com>
Message-ID: <20090827103107.GA2495@notebook3.grift.internal>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Wed, Aug 26, 2009 at 07:45:55PM -0400, Grube, Craig wrote:
>
> The attached patch contains policy for Puppet, a configuration management tool. It contains two new services, for the client and server components of Puppet, and adds a new network port type for Puppet's use.
>
> If any changes are desired please let me know and I will provide updated patches as my schedule permits.
>
> Craig

It looks like you've designed this policy on RHEL5 or some older implementation of selinux-policy.

I do not have any authority here and I am not a professional, but I still took the liberty to look over your policy and make some comments in the hope you find it useful:

+/etc/rc.d/init.d/puppet -- gen_context(system_u:object_r:initrc_exec_t,s0)

should be:

/etc/rc\.d/init\.d/puppet -- gen_context(system_u:object_r:puppetd_initrc_exec_t, s0)

type puppetd_initrc_exec_t;
init_script_file(puppetd_initrc_exec_t)

# END

domain_type(puppet_t)

Should be:

Removed; this is included in init_daemon_domain(puppet_t, puppet_exec_t)

# END

+## load libraries
+libs_use_ld_so(puppet_t)
+libs_use_shared_libs(puppet_t)
+libs_exec_lib_files(puppet_t)

Should be:

Not required anymore

# END

+## allow client to bind and send data on high ports
+corenet_all_recvfrom_unlabeled(puppet_t)
+corenet_tcp_sendrecv_all_ports(puppet_t)

should be:

This is incomplete

# END

>
> --
> Craig Grube

allow puppet_t self:fifo_file { read write getattr ioctl };

Should be:

use permission sets wherever possible:

allow puppet_t self:fifo_file rw_fifo_file_perms;

# END

+corecmd_bin_entry_type(puppet_t)

Should be:

I don't think this is required

# END

+rpm_run(puppet_t,system_r)

Should be:

why not rpm_domtrans()

# END

+/etc/rc.d/init.d/puppetmaster -- gen_context(system_u:object_r:initrc_exec_t,s0)

Should be:

see above

# END

+interface(`puppet_run_semanage',`

should be:

is not allowed

# END

+interface(`puppet_run_setsebool',`

should be:

is not allowed

# END

files_pid_filetrans($1,puppet_var_run_t, { file })

Should be:

Also dirs are managed

# END

+ allow $1 puppet_tmp_t:file { read write ioctl };

should be:

rw_file_perms

# END

## Policy for puppet client

should be:

Description missing

# END

+interface(`puppet_init_scripts_domtrans',`

should be:

not allowed

# END

allow puppet_t self:capability { sys_admin fowner fsetid setuid setgid sys_rawio dac_override sys_nice sys_ptrace sys_tty_config };

Comment: is that really required?

> Sparta, Inc. dba Cobham Analytic Solutions
> Craig.Grube at cobham.com
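As an added illustration (not part of Dominick's mail or of the submitted puppet.patch), here is a minimal puppet.fc/puppet.te fragment written in the refpolicy style the reply asks for: a dedicated puppetd_initrc_exec_t labelled via init_script_file(), init_daemon_domain() in place of domain_type(), permission-set macros instead of hand-written permission lists, a pid filetrans that covers dirs as well as files, and rpm_domtrans() instead of rpm_run(). Type and interface names are the ones used in the thread; the daemon binary path and the /var/run/puppet directory are assumptions.

```selinux
# puppet.fc
# /usr/sbin/puppetd and /var/run/puppet are assumed paths; the init script path is from the thread.
/usr/sbin/puppetd		--	gen_context(system_u:object_r:puppet_exec_t,s0)
/etc/rc\.d/init\.d/puppet	--	gen_context(system_u:object_r:puppetd_initrc_exec_t,s0)
/var/run/puppet(/.*)?			gen_context(system_u:object_r:puppet_var_run_t,s0)

# puppet.te
policy_module(puppet, 1.0.0)

########################################
#
# Declarations
#

type puppet_t;
type puppet_exec_t;
# init_daemon_domain() already makes puppet_t a domain with puppet_exec_t as
# its entrypoint, so no separate domain_type(puppet_t) call is needed.
init_daemon_domain(puppet_t, puppet_exec_t)

# Dedicated init script type instead of the generic initrc_exec_t.
type puppetd_initrc_exec_t;
init_script_file(puppetd_initrc_exec_t)

type puppet_var_run_t;
files_pid_file(puppet_var_run_t)

########################################
#
# Puppet client local policy
#

# Permission-set macro rather than { read write getattr ioctl }.
allow puppet_t self:fifo_file rw_fifo_file_perms;

# The pid files live in a directory, so both classes are managed and the
# filetrans into /var/run names dir as well as file.
manage_dirs_pattern(puppet_t, puppet_var_run_t, puppet_var_run_t)
manage_files_pattern(puppet_t, puppet_var_run_t, puppet_var_run_t)
files_pid_filetrans(puppet_t, puppet_var_run_t, { dir file })

# Domain transition to rpm, as the reply suggests, in place of rpm_run().
optional_policy(`
	rpm_domtrans(puppet_t)
')
```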