From: "Sven Vermeulen" <sven.vermeulen@siphos.be>
To: gentoo-commits@lists.gentoo.org
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/, policy/modules/kernel/
Date: Mon, 17 Dec 2012 16:56:51 +0000 (UTC) [thread overview]
Message-ID: <1355763133.4d73fed5d3cbd2642178cb456bedbc81aa9d6dd8.SwifT@gentoo> (raw)
commit: 4d73fed5d3cbd2642178cb456bedbc81aa9d6dd8
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Mon Dec 17 14:52:46 2012 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Mon Dec 17 16:52:13 2012 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=4d73fed5
Updates on puppet policy
---
policy/modules/contrib/portage.if | 63 +++++++++++++++++++
policy/modules/contrib/puppet.te | 104 +++++++++++++++++++------------
policy/modules/kernel/corenetwork.te.in | 1 +
3 files changed, 129 insertions(+), 39 deletions(-)
diff --git a/policy/modules/contrib/portage.if b/policy/modules/contrib/portage.if
index c0051ae..06655e1 100644
--- a/policy/modules/contrib/portage.if
+++ b/policy/modules/contrib/portage.if
@@ -380,3 +380,66 @@ interface(`portage_eselect_module',`
typeattribute $1 portage_eselect_domain;
')
+########################################
+## <summary>
+## Read portage cache files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`portage_read_cache',`
+ gen_require(`
+ type portage_cache_t;
+ ')
+
+ files_search_var($1)
+ list_dirs_pattern($1, portage_cache_t, portage_cache_t)
+ read_files_pattern($1, portage_cache_t, portage_cache_t)
+ read_lnk_files_pattern($1, portage_cache_t, portage_cache_t)
+')
+
+########################################
+## <summary>
+## Read portage configuration files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`portage_read_config',`
+ gen_require(`
+ type portage_conf_t;
+ ')
+
+ files_search_etc($1)
+ list_dirs_pattern($1, portage_conf_t, portage_conf_t)
+ read_files_pattern($1, portage_conf_t, portage_conf_t)
+ read_lnk_files_pattern($1, portage_conf_t, portage_conf_t)
+')
+
+########################################
+## <summary>
+## Read portage ebuild files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`portage_read_ebuild',`
+ gen_require(`
+ type portage_ebuild_t;
+ ')
+
+ files_search_usr($1)
+ list_dirs_pattern($1, portage_ebuild_t, portage_ebuild_t)
+ read_files_pattern($1, portage_ebuild_t, portage_ebuild_t)
+ read_lnk_files_pattern($1, portage_ebuild_t, portage_ebuild_t)
+')
+
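Review bot: The hunk ends with an added empty line after the closing `')` of `portage_read_ebuild`, which leaves a trailing blank line at the end of portage.if; within the hunk the blank separator sits before each `####` banner, not after the last interface, so that final `+` line can be dropped. The three bodies differ only in the required type and the `files_search_*` helper, so the shared `gen_require` / search / `*_pattern` shape is the expected refpolicy layout and needs no further documentation.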
diff --git a/policy/modules/contrib/puppet.te b/policy/modules/contrib/puppet.te
index 329562c..ef03f3a 100644
--- a/policy/modules/contrib/puppet.te
+++ b/policy/modules/contrib/puppet.te
@@ -145,47 +145,8 @@ seutil_domtrans_semanage(puppet_t)
sysnet_run_ifconfig(puppet_t, system_r)
-ifdef(`distro_gentoo',`
- allow puppet_t self:capability chown;
-
- kernel_read_kernel_sysctls(puppet_t)
- kernel_read_network_state(puppet_t)
-
- sysnet_use_ldap(puppet_t)
-
- usermanage_domtrans_passwd(puppet_t)
-
- optional_policy(`
- init_exec_rc(puppet_t)
- portage_run(puppet_t, system_r)
- ')
-')
-
tunable_policy(`puppet_manage_all_files',`
files_manage_non_auth_files(puppet_t)
-
- # We should use files_relabel_all_files here, but it calls
- # seutil_relabelto_bin_policy which sets a "typeattribute type attr",
- # which is not allowed within a tunable_policy.
- # So, we duplicate the content of files_relabel_all_files except for
- # the policy configuration stuff and hope users do that through Portage
-
- gen_require(`
- attribute file_type;
- attribute security_file_type;
- type policy_config_t;
- ')
-
- allow puppet_t { file_type -policy_config_t -security_file_type }:dir list_dir_perms;
- relabel_dirs_pattern(puppet_t, { file_type -policy_config_t -security_file_type }, { file_type -policy_config_t -security_file_type })
- relabel_files_pattern(puppet_t, { file_type -policy_config_t -security_file_type }, { file_type -policy_config_t -security_file_type })
- relabel_lnk_files_pattern(puppet_t, { file_type -policy_config_t -security_file_type }, { file_type -policy_config_t -security_file_type })
- relabel_fifo_files_pattern(puppet_t, { file_type -policy_config_t -security_file_type }, { file_type -policy_config_t -security_file_type })
- relabel_sock_files_pattern(puppet_t, { file_type -policy_config_t -security_file_type }, { file_type -policy_config_t -security_file_type })
- # this is only relabelfrom since there should be no
- # device nodes with file types.
- relabelfrom_blk_files_pattern(puppet_t, { file_type -policy_config_t -security_file_type }, { file_type -policy_config_t -security_file_type })
- relabelfrom_chr_files_pattern(puppet_t, { file_type -policy_config_t -security_file_type }, { file_type -policy_config_t -security_file_type })
')
optional_policy(`
@@ -388,4 +349,69 @@ ifdef(`distro_gentoo',`
usermanage_check_exec_passwd(puppetmaster_t)
usermanage_check_exec_useradd(puppetmaster_t)
')
+
+ ###########################################
+ #
+ # Puppet client policy
+ #
+ allow puppet_t self:capability chown;
+ allow puppet_t self:udp_socket create_socket_perms;
+ allow puppet_t puppet_log_t:file read_file_perms;
+
+ kernel_read_kernel_sysctls(puppet_t)
+ kernel_read_net_sysctls(puppet_t)
+ kernel_read_network_state(puppet_t)
+
+ corenet_all_recvfrom_netlabel(puppet_t)
+ corenet_all_recvfrom_unlabeled(puppet_t)
+ corenet_tcp_sendrecv_generic_if(puppet_t)
+ corenet_tcp_sendrecv_generic_node(puppet_t)
+ corenet_tcp_bind_generic_node(puppet_t)
+
+ corenet_sendrecv_puppetclient_server_packets(puppet_t)
+ corenet_tcp_bind_puppetclient_port(puppet_t)
+ corenet_tcp_sendrecv_puppetclient_port(puppet_t)
+
+ files_search_var_lib(puppet_t)
+
+ sysnet_use_ldap(puppet_t)
+
+ usermanage_domtrans_passwd(puppet_t)
+
+ tunable_policy(`puppet_manage_all_files',`
+ # We should use files_relabel_all_files here, but it calls
+ # seutil_relabelto_bin_policy which sets a "typeattribute type attr",
+ # which is not allowed within a tunable_policy.
+ # So, we duplicate the content of files_relabel_all_files except for
+ # the policy configuration stuff and hope users do that through Portage
+
+ gen_require(`
+ attribute file_type;
+ attribute security_file_type;
+ type policy_config_t;
+ ')
+
+ allow puppet_t { file_type -policy_config_t -security_file_type }:dir list_dir_perms;
+ relabel_dirs_pattern(puppet_t, { file_type -policy_config_t -security_file_type }, { file_type -policy_config_t -security_file_type })
+ relabel_files_pattern(puppet_t, { file_type -policy_config_t -security_file_type }, { file_type -policy_config_t -security_file_type })
+ relabel_lnk_files_pattern(puppet_t, { file_type -policy_config_t -security_file_type }, { file_type -policy_config_t -security_file_type })
+ relabel_fifo_files_pattern(puppet_t, { file_type -policy_config_t -security_file_type }, { file_type -policy_config_t -security_file_type })
+ relabel_sock_files_pattern(puppet_t, { file_type -policy_config_t -security_file_type }, { file_type -policy_config_t -security_file_type })
+ # this is only relabelfrom since there should be no
+ # device nodes with file types.
+ relabelfrom_blk_files_pattern(puppet_t, { file_type -policy_config_t -security_file_type }, { file_type -policy_config_t -security_file_type })
+ relabelfrom_chr_files_pattern(puppet_t, { file_type -policy_config_t -security_file_type }, { file_type -policy_config_t -security_file_type })
+ ')
+
+ optional_policy(`
+ dmidecode_domtrans(puppet_t)
+ ')
+
+ optional_policy(`
+ init_exec_rc(puppet_t)
+ portage_read_cache(puppet_t)
+ portage_read_config(puppet_t)
+ portage_read_ebuild(puppet_t)
+ portage_run(puppet_t, system_r)
+ ')
')
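Review bot: The last `optional_policy` block mixes `init_exec_rc(puppet_t)` with the four `portage_*` calls, so if the portage module is not present the init rule is silently dropped along with it; move `init_exec_rc(puppet_t)` out of that block next to the other unconditional client rules and keep the block portage-only. Separately, `corenet_tcp_bind_generic_node(puppet_t)` together with `corenet_tcp_bind_puppetclient_port(puppet_t)` lets the agent listen on the client port unconditionally; if that listener is optional in the agent's configuration, gating those two lines behind a tunable (constructed name, e.g. `puppet_listen`) would keep the default profile narrower. The new `allow puppet_t puppet_log_t:file read_file_perms;` line looks redundant if puppet_t already manages its log type earlier in the file — worth checking against the rules above the hunk. The enclosing ifdef(`distro_gentoo') block begins before this hunk.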
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
index 8e0ae95..db913e9 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -216,6 +216,7 @@ network_port(printer, tcp,515,s0)
network_port(ptal, tcp,5703,s0)
network_port(pulseaudio, tcp,4713,s0)
network_port(puppet, tcp, 8140, s0)
+network_port(puppetclient, tcp, 8139, s0)
network_port(pxe, udp,4011,s0)
network_port(pyzor, udp,24441,s0)
network_port(radacct, udp,1646,s0, udp,1813,s0)
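Review bot: The added `network_port(puppetclient, tcp, 8139, s0)` uses spaced arguments like the `puppet` line above it, whereas the neighbouring entries (`ptal`, `pulseaudio`, `pxe`, `pyzor`) write `tcp,PORT,s0` without spaces; picking one form for the two puppet entries keeps the table uniform. The name `puppetclient` is what puppet.te's `corenet_*_puppetclient_*` calls expect, so the two hunks agree.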