From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) by finch.gentoo.org (Postfix) with ESMTP id 8C2BB13877A for ; Tue, 19 Aug 2014 12:18:52 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 1967CE0A41; Tue, 19 Aug 2014 12:18:06 +0000 (UTC) Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id 91D20E0A10 for ; Tue, 19 Aug 2014 12:17:43 +0000 (UTC) Received: from oystercatcher.gentoo.org (oystercatcher.gentoo.org [148.251.78.52]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id 5DAE2340328 for ; Tue, 19 Aug 2014 12:17:42 +0000 (UTC) Received: from localhost.localdomain (localhost [127.0.0.1]) by oystercatcher.gentoo.org (Postfix) with ESMTP id B8CE33C11 for ; Tue, 19 Aug 2014 09:19:41 +0000 (UTC) 
From: "Jason Zaman" To: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: 8bit Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Jason Zaman" Message-ID: <1408119037.42eba632f2912d915fe769b02b464d8c3f04fcfb.perfinion@gentoo> Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/ X-VCS-Repository: proj/hardened-refpolicy X-VCS-Files: policy/modules/contrib/salt.rst X-VCS-Directories: policy/modules/contrib/ X-VCS-Committer: perfinion X-VCS-Committer-Name: Jason Zaman X-VCS-Revision: 42eba632f2912d915fe769b02b464d8c3f04fcfb X-VCS-Branch: master Date: Tue, 19 Aug 2014 09:19:41 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org X-Archives-Salt: 8ab16148-184d-46e0-a023-f4f26575ceb5 X-Archives-Hash: d88fab7bb505c429aa1824129ed017d5 commit: 42eba632f2912d915fe769b02b464d8c3f04fcfb Author: Sven Vermeulen siphos be> AuthorDate: Fri Aug 15 16:10:37 2014 +0000 Commit: Jason Zaman perfinion com> CommitDate: Fri Aug 15 16:10:37 2014 +0000 URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=42eba632 Add salt policy manual page --- policy/modules/contrib/salt.rst | 166 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 166 insertions(+) diff --git a/policy/modules/contrib/salt.rst b/policy/modules/contrib/salt.rst new file mode 100644 index 0000000..5039edf --- /dev/null +++ b/policy/modules/contrib/salt.rst 
@@ -0,0 +1,166 @@ +============ +salt_selinux +============ + +------------------------------ +SELinux policy module for Salt +------------------------------ + +:Author: Sven Vermeulen +:Date: 2013-04-11 +:Manual section: 8 +:Manual group: SELinux + +DESCRIPTION +=========== + +The **salt** SELinux module supports the Salt configuration management (as +offered by Saltstack) tools and resources. + +BOOLEANS +======== + +The following booleans are defined through the **salt** SELinux policy module. +They can be toggled using ``setsebool``, like so:: + + setsebool -P salt_master_read_nfs on + +salt_master_read_nfs + Should be enabled if the Salt state files (SLS) are stored on an NFS mount + +salt_minion_manage_nfs + Should be enabled if the Salt minion needs manage privileges on NFS mounts + +DOMAINS +======= + +salt_master_t +------------- + +The **salt_master_t** domain is used by the Salt master. It is usually launched +by the init script ``salt-master`` although it can also be launched through the +command line command **salt-master -d**. + +This domain is responsible for servicing the Salt minions. Unlike the Salt +minion domain (**salt_minion_t**) the master domain is not very privileged as it +only provides access to the Salt state files. + +salt_minion_t +------------- + +The **salt_minion_t** domain is used by the Salt minion. It is usually launched +by the init script ``salt-minion`` although it can also be launched through the +command line command **salt-minion -d**. + +This domain is responsible for enforcing the state as provided by the Salt +master on the system. This makes the **salt_minion_t** domain a *very +privileged* domain. + +LOCATIONS +========= + +FUNCTIONAL +---------- + +The following list of locations identify file resources that are used by the +Salt domains. They are by default allocated towards the default locations for +Salt, so if you use a different location, you will need to properly address +this. 
You can do so through ``semanage``, like so:: + + semanage fcontext -a -t salt_sls_t "/var/lib/salt/state(/.*)?" + +The above example marks the */var/lib/salt/state* location as the location where +the Salt state files (``*.sls``) are stored (identified through the +**salt_sls_t** type). + +salt_sls_t + is used for the Salt state files (*/srv/salt*) + +salt_pki_t + is used as the parent directory in which the master and minion keys are stored + (*/etc/salt/pki*) + +salt_master_pki_t + is used for the private and public keys managed by the Salt master + (*/etc/salt/pki/master*) + +salt_minion_pki_t + is used for the private and public keys managed by the Salt minion + (*/etc/salt/pki/minion*) + +EXEUTABLES +---------- + +salt_master_exec_t + is used as entry point for the Salt master (**salt_master_t**) + +salt_minion_exec_t + is used as entry point for the Salt minion (**salt_minion_t**) + +salt_master_initrc_exec_t + is used for the init script to launch the salt master + +salt_minion_initrc_exec_t + is used for the init script to launch the salt minion + +DAEMON FILES +------------ + +salt_cache_t + is used for the parent directory for Salt caches (*/var/cache/salt*) + +salt_master_cache_t + is used to store the Salt master cache (*/var/cache/salt/master*) + +salt_minion_cache_t + is used to store the Salt minion cache (*/var/cache/salt/minion*) + +salt_log_t + is used for the parent directory for Salt log files (*/var/log/salt*) + +salt_master_log_t + is used for the Salt master log file (*/var/log/salt/master*) + +salt_minion_log_t + is used for the Salt minion log file (*/var/log/salt/minion*) + +salt_var_run_t + is used for the parent directory for Salt run-time files (*/var/run/salt*) + +salt_master_var_run_t + is used for the Salt master variable run-time files (*/var/run/salt/master*) + +salt_minion_var_run_t + is used for the Salt minion variable run-time files (*/var/run/salt/minion*) + +CONFIGURATION FILES +------------------- + +salt_etc_t + is used 
for the Salt configuration (*/etc/salt*) + +POLICY +====== + +The following interfaces can be used to enhance the default policy with +Salt-related provileges. More details on these interfaces can be found in the +interface HTML documentation, we will not list all available interfaces here. + +Role interfaces +--------------- + +The following role interfaces allow users and roles access to the specified +domains. Only to be used for user domains and roles. + +salt_admin_master + is used for user domains to allow administration of a Salt master environment + +salt_minion_master + is used for user domains to allow administration of a Salt minion environment + +SEE ALSO +======== + +* Gentoo and SELinux at https://wiki.gentoo.org/wiki/SELinux +* Gentoo Hardened SELinux Project at + https://wiki.gentoo.org/wiki/Project:Hardened
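Review bot: the EXECUTABLES section heading in the LOCATIONS part of this hunk is misspelled `EXEUTABLES`; correct it to `EXECUTABLES` and lengthen the `----------` underline to at least 11 characters, otherwise the rst tooling will warn about a title underline that is too short. Three smaller points in the same hunk: `provileges` in the POLICY paragraph should read `privileges`, and `The following list of locations identify` should be `identifies`; the second role interface is listed as `salt_minion_master` while its description covers administration of a Salt minion environment and it pairs with `salt_admin_master`, so please confirm the interface name against the module's interface file before merging; and `:Date: 2013-04-11` is more than a year older than this commit, so update it if the page is being added fresh. Finally, the DOMAINS text calls `salt_master_t` "not very privileged" because it "only provides access to the Salt state files", yet the LOCATIONS list shows it also owns the master private and public keys under `salt_master_pki_t`; consider mentioning the key material there so readers do not underestimate the master.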