[refpolicy] puppet.patch - updated

From: domg472@gmail.com (Dominick Grift)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] puppet.patch - updated
Date: Tue, 8 Sep 2009 12:28:07 +0200	[thread overview]
Message-ID: <20090908102804.GA10519@notebook3.grift.internal> (raw)
In-Reply-To: <832FE86D-3F2E-446E-BA8F-BF2D200FB473@cobham.com>

On Mon, Sep 07, 2009 at 02:39:08PM -0400, Craig Grube wrote:
> On Sep 6, 2009, at 12:23 PM, Dominick Grift wrote:
> > On Sun, Sep 06, 2009 at 12:15:43PM -0400, Craig Grube wrote:
> >> I tested the policy and attached a modified version that mostly  
> >> works.
> >> The main issue I encountered was puppetmaster's level of access to  
> >> types
> >> puppet_var_run_t, puppet_var_lib_t, puppet_tmp_t were  
> >> insufficient.  I
> >> replicated puppet's accesses for puppetmaster and it works.
> >
> > So who owns these files? puppet or puppetmaster? Do they both create  
> > them (both own them?)
> 
> The short answer is they both create and own these files.
> 
> The long answer the client and server typically both use the same  
> paths.  It looks as though in Fedora, Gentoo and SUSE pid files are  
> in /var/run/puppet/ (based on distribution specific configuration  
> files in the puppet source repository).  The same for /var/log/ 
> puppet.  The client and server both use /var/lib/puppet for storing  
> state information. Puppetmaster stores CA related files, client  
> certificates, parsed client configurations. Puppet stores  
> certificates, last retrieved configuration, and backups of changed  
> files.
> 
> For the distributions I've looked at, ubuntu and fedora, the client  
> package is a dependency of the server package, which was part of my  
> reasoning for associating shared areas of the file system with the  
> puppet client and then provide the puppetmaster with access.

I see. But the permissions in those location can probably still be tightened. Do they really need to create dirs? or are those dirs already installed by the rpm package?
> 
> >> For puppet:
> >> 	- Appears to redirect output (not sure at this point if stderr or
> >> stdout) from system utilities to /dev/null which results in AVCs like
> >> this:
> >>
> >> type=AVC msg=audit(1252178670.560:136): avc:  denied  { use } for
> >> pid=1694 comm="modprobe" path="/dev/null" dev=tmpfs ino=400
> >> scontext=system_u:system_r:insmod_t  
> >> tcontext=system_u:system_r:puppet_t
> >> tclass=fd
> >>
> >> I am seening these for insmod_t, ldconfig_t, initrc_t, and  
> >> rpm_script_t.
> >> I had a 'dontaudit domain puppet_t:fd use'  to squash these AVCs,  
> >> which
> >> does not appear from my testing to negatively effect puppet.
> > ok if required i guessno harm in adding it. however is there no  
> > interface available that you can use?
> > check the domain interface file for that
> 
> I did not notice these before, but does is seem reasonable to use  
> domain_interactive_fd(puppet_t) in the puppet policy and add  
> domain_use_interactive_fds in the modules controlling the before  
> mentioned types?

Yes my bet is that using that interface is the better solution and if required should be called in the modules that needs it.`:
> 
> Craig
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20090908/8f5d387f/attachment.bin