From: "Sven Vermeulen" <swift@gentoo.org>
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Sven Vermeulen" <swift@gentoo.org>
Message-ID: <1408119037.42eba632f2912d915fe769b02b464d8c3f04fcfb.swift@gentoo>
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
X-VCS-Repository: proj/hardened-refpolicy
X-VCS-Files: policy/modules/contrib/salt.rst
X-VCS-Directories: policy/modules/contrib/
X-VCS-Committer: swift
X-VCS-Committer-Name: Sven Vermeulen
X-VCS-Revision: 42eba632f2912d915fe769b02b464d8c3f04fcfb
X-VCS-Branch: master
Date: Fri, 15 Aug 2014 16:14:49 +0000 (UTC)

commit:     42eba632f2912d915fe769b02b464d8c3f04fcfb
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Fri Aug 15 16:10:37 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri Aug 15 16:10:37 2014 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=42eba632

Add salt policy manual page

---
 policy/modules/contrib/salt.rst | 166 ++++++++++++++++++++++++++++++++++++++++
 1 file changed, 166 insertions(+)

diff --git a/policy/modules/contrib/salt.rst b/policy/modules/contrib/salt.rst
new file mode 100644
index 0000000..5039edf
--- /dev/null
+++ b/policy/modules/contrib/salt.rst
@@ -0,0 +1,166 @@
+============
+salt_selinux
+============
+
+------------------------------
+SELinux policy module for Salt
+------------------------------
+
+:Author:        Sven Vermeulen <swift@gentoo.org>
+:Date:          2013-04-11
+:Manual section:        8
+:Manual group:          SELinux
+
+DESCRIPTION
+===========
+
+The **salt** SELinux module supports the Salt configuration management (as
+offered by Saltstack) tools and resources.
+
+BOOLEANS
+========
+
+The following booleans are defined through the **salt** SELinux policy module.
+They can be toggled using ``setsebool``, like so::
+
+  setsebool -P salt_master_read_nfs on
+
+salt_master_read_nfs
+  Should be enabled if the Salt state files (SLS) are stored on an NFS mount
+
+salt_minion_manage_nfs
+  Should be enabled if the Salt minion needs manage privileges on NFS mounts
+
+DOMAINS
+=======
+
+salt_master_t
+-------------
+
+The **salt_master_t** domain is used by the Salt master. It is usually launched
+by the init script ``salt-master`` although it can also be launched through the
+command line command **salt-master -d**.
+
+This domain is responsible for servicing the Salt minions. Unlike the Salt
+minion domain (**salt_minion_t**) the master domain is not very privileged as it
+only provides access to the Salt state files.
+
+salt_minion_t
+-------------
+
+The **salt_minion_t** domain is used by the Salt minion. It is usually launched
+by the init script ``salt-minion`` although it can also be launched through the
+command line command **salt-minion -d**.
+
+This domain is responsible for enforcing the state as provided by the Salt
+master on the system. This makes the **salt_minion_t** domain a *very
+privileged* domain.
+
+LOCATIONS
+=========
+
+FUNCTIONAL
+----------
+
+The following list of locations identify file resources that are used by the
+Salt domains. They are by default allocated towards the default locations for
+Salt, so if you use a different location, you will need to properly address
+this. You can do so through ``semanage``, like so::
+
+  semanage fcontext -a -t salt_sls_t "/var/lib/salt/state(/.*)?"
+
+The above example marks the */var/lib/salt/state* location as the location where
+the Salt state files (``*.sls``) are stored (identified through the
+**salt_sls_t** type).
+
+salt_sls_t
+  is used for the Salt state files (*/srv/salt*)
+
+salt_pki_t
+  is used as the parent directory in which the master and minion keys are stored
+  (*/etc/salt/pki*)
+
+salt_master_pki_t
+  is used for the private and public keys managed by the Salt master
+  (*/etc/salt/pki/master*)
+
+salt_minion_pki_t
+  is used for the private and public keys managed by the Salt minion
+  (*/etc/salt/pki/minion*)
+
+EXEUTABLES
+----------
+
+salt_master_exec_t
+  is used as entry point for the Salt master (**salt_master_t**)
+
+salt_minion_exec_t
+  is used as entry point for the Salt minion (**salt_minion_t**)
+
+salt_master_initrc_exec_t
+  is used for the init script to launch the salt master
+
+salt_minion_initrc_exec_t
+  is used for the init script to launch the salt minion
+
+DAEMON FILES
+------------
+
+salt_cache_t
+  is used for the parent directory for Salt caches (*/var/cache/salt*)
+
+salt_master_cache_t
+  is used to store the Salt master cache (*/var/cache/salt/master*)
+
+salt_minion_cache_t
+  is used to store the Salt minion cache (*/var/cache/salt/minion*)
+
+salt_log_t
+  is used for the parent directory for Salt log files (*/var/log/salt*)
+
+salt_master_log_t
+  is used for the Salt master log file (*/var/log/salt/master*)
+
+salt_minion_log_t
+  is used for the Salt minion log file (*/var/log/salt/minion*)
+
+salt_var_run_t
+  is used for the parent directory for Salt run-time files (*/var/run/salt*)
+
+salt_master_var_run_t
+  is used for the Salt master variable run-time files (*/var/run/salt/master*)
+
+salt_minion_var_run_t
+  is used for the Salt minion variable run-time files (*/var/run/salt/minion*)
+
+CONFIGURATION FILES
+-------------------
+
+salt_etc_t
+  is used for the Salt configuration (*/etc/salt*)
+
+POLICY
+======
+
+The following interfaces can be used to enhance the default policy with
+Salt-related provileges. More details on these interfaces can be found in the
+interface HTML documentation, we will not list all available interfaces here.
+
+Role interfaces
+---------------
+
+The following role interfaces allow users and roles access to the specified
+domains. Only to be used for user domains and roles.
+
+salt_admin_master
+  is used for user domains to allow administration of a Salt master environment
+
+salt_minion_master
+  is used for user domains to allow administration of a Salt minion environment
+
+SEE ALSO
+========
+
+* Gentoo and SELinux at https://wiki.gentoo.org/wiki/SELinux
+* Gentoo Hardened SELinux Project at
+  https://wiki.gentoo.org/wiki/Project:Hardened
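Review bot: the second role interface in the "Role interfaces" list is named ``salt_minion_master`` but is described as granting administration of a Salt *minion* environment, which does not match the ``salt_admin_master`` naming of the entry above it; please check the name against the interface actually defined in the module's interface file before this page ships, since an administrator copying it into a policy will get an undefined-interface error if it is wrong. The heading "EXEUTABLES" should read "EXECUTABLES" and "provileges" in the POLICY section should read "privileges". The ``:Date:`` field still says 2013-04-11 for a page added in August 2014; bump it or drop it. Lastly, the sentence "the master domain is not very privileged as it only provides access to the Salt state files" understates the risk on the master side of the trust boundary this page itself describes: the minion enforces whatever state the master serves, so anyone who can write ``salt_sls_t`` content or ``salt_master_pki_t`` keys on the master controls every minion; consider wording it as "confined on the local system" rather than "not very privileged", and pointing readers at keeping ``salt_master_pki_t`` and ``salt_sls_t`` writable only by the master's administrators.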