From: "Sven Vermeulen" To: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: 8bit Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Sven Vermeulen" Message-ID: <1355763133.4d73fed5d3cbd2642178cb456bedbc81aa9d6dd8.SwifT@gentoo> Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/, policy/modules/kernel/ X-VCS-Repository: proj/hardened-refpolicy X-VCS-Files: policy/modules/contrib/portage.if policy/modules/contrib/puppet.te policy/modules/kernel/corenetwork.te.in X-VCS-Directories: policy/modules/contrib/ policy/modules/kernel/ X-VCS-Committer: SwifT X-VCS-Committer-Name: Sven Vermeulen X-VCS-Revision: 4d73fed5d3cbd2642178cb456bedbc81aa9d6dd8 X-VCS-Branch: master Date: Mon, 17 Dec 2012 16:56:51 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org X-Archives-Salt: dfa2f9e7-744a-4f4e-9bea-3bf2540a82d9 X-Archives-Hash: 7164e5bd81d5fc60724f1731d85a813b commit: 4d73fed5d3cbd2642178cb456bedbc81aa9d6dd8 Author: Sven Vermeulen siphos be> AuthorDate: Mon Dec 17 14:52:46 2012 +0000 Commit: Sven Vermeulen siphos be> CommitDate: Mon Dec 17 16:52:13 2012 +0000 URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=4d73fed5 Updates on puppet policy --- policy/modules/contrib/portage.if | 63 +++++++++++++++++++ policy/modules/contrib/puppet.te | 104 +++++++++++++++++++------------ policy/modules/kernel/corenetwork.te.in | 1 + 3 files changed, 129 insertions(+), 39 deletions(-) diff --git a/policy/modules/contrib/portage.if b/policy/modules/contrib/portage.if index c0051ae..06655e1 100644 --- a/policy/modules/contrib/portage.if +++ b/policy/modules/contrib/portage.if 
@@ -380,3 +380,66 @@ interface(`portage_eselect_module',` typeattribute $1 portage_eselect_domain; ') +######################################## +## +## Read portage cache files +## +## +## +## Domain allowed access +## +## +# +interface(`portage_read_cache',` + gen_require(` + type portage_cache_t; + ') + + files_search_var($1) + list_dirs_pattern($1, portage_cache_t, portage_cache_t) + read_files_pattern($1, portage_cache_t, portage_cache_t) + read_lnk_files_pattern($1, portage_cache_t, portage_cache_t) +') + +######################################## +## +## Read portage configuration files +## +## +## +## Domain allowed access +## +## +# +interface(`portage_read_config',` + gen_require(` + type portage_conf_t; + ') + + files_search_etc($1) + list_dirs_pattern($1, portage_conf_t, portage_conf_t) + read_files_pattern($1, portage_conf_t, portage_conf_t) + read_lnk_files_pattern($1, portage_conf_t, portage_conf_t) +') + +######################################## +## +## Read portage ebuild files +## +## +## +## Domain allowed access +## +## +# +interface(`portage_read_ebuild',` + gen_require(` + type portage_ebuild_t; + ') + + files_search_usr($1) + list_dirs_pattern($1, portage_ebuild_t, portage_ebuild_t) + read_files_pattern($1, portage_ebuild_t, portage_ebuild_t) + read_lnk_files_pattern($1, portage_ebuild_t, portage_ebuild_t) +') + diff --git a/policy/modules/contrib/puppet.te b/policy/modules/contrib/puppet.te index 329562c..ef03f3a 100644 --- a/policy/modules/contrib/puppet.te +++ b/policy/modules/contrib/puppet.te 
@@ -145,47 +145,8 @@ seutil_domtrans_semanage(puppet_t) sysnet_run_ifconfig(puppet_t, system_r) -ifdef(`distro_gentoo',` - allow puppet_t self:capability chown; - - kernel_read_kernel_sysctls(puppet_t) - kernel_read_network_state(puppet_t) - - sysnet_use_ldap(puppet_t) - - usermanage_domtrans_passwd(puppet_t) - - optional_policy(` - init_exec_rc(puppet_t) - portage_run(puppet_t, system_r) - ') -') - tunable_policy(`puppet_manage_all_files',` files_manage_non_auth_files(puppet_t) - - # We should use files_relabel_all_files here, but it calls - # seutil_relabelto_bin_policy which sets a "typeattribute type attr", - # which is not allowed within a tunable_policy. - # So, we duplicate the content of files_relabel_all_files except for - # the policy configuration stuff and hope users do that through Portage - - gen_require(` - attribute file_type; - attribute security_file_type; - type policy_config_t; - ') - - allow puppet_t { file_type -policy_config_t -security_file_type }:dir list_dir_perms; - relabel_dirs_pattern(puppet_t, { file_type -policy_config_t -security_file_type }, { file_type -policy_config_t -security_file_type }) - relabel_files_pattern(puppet_t, { file_type -policy_config_t -security_file_type }, { file_type -policy_config_t -security_file_type }) - relabel_lnk_files_pattern(puppet_t, { file_type -policy_config_t -security_file_type }, { file_type -policy_config_t -security_file_type }) - relabel_fifo_files_pattern(puppet_t, { file_type -policy_config_t -security_file_type }, { file_type -policy_config_t -security_file_type }) - relabel_sock_files_pattern(puppet_t, { file_type -policy_config_t -security_file_type }, { file_type -policy_config_t -security_file_type }) - # this is only relabelfrom since there should be no - # device nodes with file types. 
- relabelfrom_blk_files_pattern(puppet_t, { file_type -policy_config_t -security_file_type }, { file_type -policy_config_t -security_file_type }) - relabelfrom_chr_files_pattern(puppet_t, { file_type -policy_config_t -security_file_type }, { file_type -policy_config_t -security_file_type }) ') optional_policy(` 
@@ -388,4 +349,69 @@ ifdef(`distro_gentoo',` usermanage_check_exec_passwd(puppetmaster_t) usermanage_check_exec_useradd(puppetmaster_t) ') + + ########################################### + # + # Puppet client policy + # + allow puppet_t self:capability chown; + allow puppet_t self:udp_socket create_socket_perms; + allow puppet_t puppet_log_t:file read_file_perms; + + kernel_read_kernel_sysctls(puppet_t) + kernel_read_net_sysctls(puppet_t) + kernel_read_network_state(puppet_t) + + corenet_all_recvfrom_netlabel(puppet_t) + corenet_all_recvfrom_unlabeled(puppet_t) + corenet_tcp_sendrecv_generic_if(puppet_t) + corenet_tcp_sendrecv_generic_node(puppet_t) + corenet_tcp_bind_generic_node(puppet_t) + + corenet_sendrecv_puppetclient_server_packets(puppet_t) + corenet_tcp_bind_puppetclient_port(puppet_t) + corenet_tcp_sendrecv_puppetclient_port(puppet_t) + + files_search_var_lib(puppet_t) + + sysnet_use_ldap(puppet_t) + + usermanage_domtrans_passwd(puppet_t) + + tunable_policy(`puppet_manage_all_files',` + # We should use files_relabel_all_files here, but it calls + # seutil_relabelto_bin_policy which sets a "typeattribute type attr", + # which is not allowed within a tunable_policy. 
+ # So, we duplicate the content of files_relabel_all_files except for + # the policy configuration stuff and hope users do that through Portage + + gen_require(` + attribute file_type; + attribute security_file_type; + type policy_config_t; + ') + + allow puppet_t { file_type -policy_config_t -security_file_type }:dir list_dir_perms; + relabel_dirs_pattern(puppet_t, { file_type -policy_config_t -security_file_type }, { file_type -policy_config_t -security_file_type }) + relabel_files_pattern(puppet_t, { file_type -policy_config_t -security_file_type }, { file_type -policy_config_t -security_file_type }) + relabel_lnk_files_pattern(puppet_t, { file_type -policy_config_t -security_file_type }, { file_type -policy_config_t -security_file_type }) + relabel_fifo_files_pattern(puppet_t, { file_type -policy_config_t -security_file_type }, { file_type -policy_config_t -security_file_type }) + relabel_sock_files_pattern(puppet_t, { file_type -policy_config_t -security_file_type }, { file_type -policy_config_t -security_file_type }) + # this is only relabelfrom since there should be no + # device nodes with file types. + relabelfrom_blk_files_pattern(puppet_t, { file_type -policy_config_t -security_file_type }, { file_type -policy_config_t -security_file_type }) + relabelfrom_chr_files_pattern(puppet_t, { file_type -policy_config_t -security_file_type }, { file_type -policy_config_t -security_file_type }) + ') + + optional_policy(` + dmidecode_domtrans(puppet_t) + ') + + optional_policy(` + init_exec_rc(puppet_t) + portage_read_cache(puppet_t) + portage_read_config(puppet_t) + portage_read_ebuild(puppet_t) + portage_run(puppet_t, system_r) + ') ') diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in index 8e0ae95..db913e9 100644 --- a/policy/modules/kernel/corenetwork.te.in +++ b/policy/modules/kernel/corenetwork.te.in 
@@ -216,6 +216,7 @@ network_port(printer, tcp,515,s0) network_port(ptal, tcp,5703,s0) network_port(pulseaudio, tcp,4713,s0) network_port(puppet, tcp, 8140, s0) +network_port(puppetclient, tcp, 8139, s0) network_port(pxe, udp,4011,s0) network_port(pyzor, udp,24441,s0) network_port(radacct, udp,1646,s0, udp,1813,s0)
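Review bot: in the puppet.te hunk at -145, the relabel rules are removed from the generic `tunable_policy(`puppet_manage_all_files',` block and only reappear inside the `ifdef(`distro_gentoo',` block, so on non-Gentoo builds enabling puppet_manage_all_files now grants only files_manage_non_auth_files(puppet_t) and no relabel permissions. If that is intended, the commit message ("Updates on puppet policy") should say so; otherwise keep the relabel body in the generic block and move only the Portage-specific calls under distro_gentoo. The move also leaves two tunable_policy(`puppet_manage_all_files') blocks carrying the same explanatory comment about files_relabel_all_files.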
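Review bot: in the puppet.te hunk at -388, the last optional_policy block mixes init_exec_rc(puppet_t) with the four portage_* calls; refpolicy convention is one module per optional_policy block, so split it into an init block and a portage block. The corenet_*puppetclient* rules and `allow puppet_t self:udp_socket create_socket_perms;` are also placed inside the distro_gentoo ifdef although the port is declared unconditionally in corenetwork.te.in and a Puppet agent listening on its client port is not Gentoo-specific; consider moving those network rules into the generic puppet_t section above.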
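Review bot: in the corenetwork.te.in hunk, `network_port(puppetclient, tcp, 8139, s0)` follows the spaced style of the puppet line above rather than the `tcp,4011,s0` style of the surrounding entries; pick one for consistency. Since this introduces a new port type whose generated corenet_*_puppetclient_* interfaces are consumed only by the Gentoo-specific rules in puppet.te, the commit message should mention the new port so other policy authors know it exists.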