* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2014-08-15 10:04 Sven Vermeulen
2014-08-15 10:04 ` [gentoo-commits] proj/hardened-refpolicy:salt " Sven Vermeulen
0 siblings, 1 reply; 16+ messages in thread
From: Sven Vermeulen @ 2014-08-15 10:04 UTC
To: gentoo-commits
commit: a8a604e6b7c53c08233875c2c2163f794a62cb6c
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Fri Aug 8 12:16:35 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri Aug 15 09:57:24 2014 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=a8a604e6
Use fs_search_tmpfs, not files_search_tmpfs
Signed-off-by: Sven Vermeulen <sven.vermeulen <AT> siphos.be>
---
policy/modules/contrib/tgtd.if | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/tgtd.if b/policy/modules/contrib/tgtd.if
index 5406b6e..dc5b46e 100644
--- a/policy/modules/contrib/tgtd.if
+++ b/policy/modules/contrib/tgtd.if
@@ -97,6 +97,6 @@ interface(`tgtd_admin',`
files_search_tmp($1)
admin_pattern($1, tgtd_tmp_t)
- files_search_tmpfs($1)
+ fs_search_tmpfs($1)
admin_pattern($1, tgtd_tmpfs_t)
')
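Review bot: the replacement is the right one; `tmpfs_t` is declared by the kernel-layer filesystem module, whose interfaces carry the `fs_` prefix, so `files_search_tmpfs` named an interface the files module does not provide and the `tgtd_admin` body was broken whenever the interface was invoked. Two follow-ups: the commit message could state that this fixes an undefined-interface error rather than changing what the admin domain may do, and it is worth grepping the rest of `policy/modules/contrib/` for the same `files_search_tmpfs` copy-and-paste, since the tmp/tmpfs pair of lines in `*_admin` interfaces is usually cloned from one module to the next.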
^ permalink raw reply related [flat|nested] 16+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2014-08-15 14:51 Sven Vermeulen
2014-08-15 13:39 ` [gentoo-commits] proj/hardened-refpolicy:salt " Sven Vermeulen
0 siblings, 1 reply; 16+ messages in thread
From: Sven Vermeulen @ 2014-08-15 14:51 UTC
To: gentoo-commits
commit: ab68207e7d256eb40416d707b31c8cec87e3ca19
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sun Aug 10 18:03:34 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri Aug 15 13:36:52 2014 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=ab68207e
Introducing Salt policy
Salt (or Saltstack) is a system and configuration management solution,
built on Python. This policy introduces support for the salt master (the
system managing the configuration repository) and salt minion (the
agents on the target systems that pull configuration information from
the master).
---
policy/modules/contrib/salt.fc | 29 ++++
policy/modules/contrib/salt.if | 88 ++++++++++++
policy/modules/contrib/salt.te | 308 +++++++++++++++++++++++++++++++++++++++++
3 files changed, 425 insertions(+)
diff --git a/policy/modules/contrib/salt.fc b/policy/modules/contrib/salt.fc
new file mode 100644
index 0000000..399f5ad
--- /dev/null
+++ b/policy/modules/contrib/salt.fc
@@ -0,0 +1,29 @@
+/etc/salt(/.*)? gen_context(system_u:object_r:salt_etc_t,s0)
+/etc/salt/pki(/.*)? gen_context(system_u:object_r:salt_pki_t,s0)
+/etc/salt/pki/master(/.*)? gen_context(system_u:object_r:salt_master_pki_t,s0)
+/etc/salt/pki/minion(/.*)? gen_context(system_u:object_r:salt_minion_pki_t,s0)
+
+/etc/rc\.d/init\.d/salt-master -- gen_context(system_u:object_r:salt_master_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/salt-minion -- gen_context(system_u:object_r:salt_minion_initrc_exec_t,s0)
+
+/usr/lib/python-exec/python[0-9]?\.[0-9]?/salt-master -- gen_context(system_u:object_r:salt_master_exec_t,s0)
+/usr/lib/python-exec/python[0-9]?\.[0-9]?/salt-minion -- gen_context(system_u:object_r:salt_minion_exec_t,s0)
+
+/usr/bin/salt-master -- gen_context(system_u:object_r:salt_master_exec_t,s0)
+/usr/bin/salt-minion -- gen_context(system_u:object_r:salt_minion_exec_t,s0)
+
+/var/log/salt -d gen_context(system_u:object_r:salt_log_t,s0)
+/var/log/salt/master -- gen_context(system_u:object_r:salt_master_log_t,s0)
+/var/log/salt/minion -- gen_context(system_u:object_r:salt_minion_log_t,s0)
+
+/var/run/salt -d gen_context(system_u:object_r:salt_var_run_t,s0)
+/var/run/salt/master(/.*)? gen_context(system_u:object_r:salt_master_var_run_t,s0)
+/var/run/salt/minion(/.*)? gen_context(system_u:object_r:salt_minion_var_run_t,s0)
+/var/run/salt-master\.pid -- gen_context(system_u:object_r:salt_master_var_run_t,s0)
+/var/run/salt-minion\.pid -- gen_context(system_u:object_r:salt_minion_var_run_t,s0)
+
+/var/cache/salt -d gen_context(system_u:object_r:salt_cache_t,s0)
+/var/cache/salt/master(/.*)? gen_context(system_u:object_r:salt_master_cache_t,s0)
+/var/cache/salt/minion(/.*)? gen_context(system_u:object_r:salt_minion_cache_t,s0)
+
+/srv/salt(/.*)? gen_context(system_u:object_r:salt_sls_t,s0)
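Review bot: the two python-exec entries use `python[0-9]?\.[0-9]?`, which is looser than intended in one direction and stricter in another: both `?` make the digits optional, so a directory named `python.` would also match, while a minor version with two digits does not match at all because `\.[0-9]?` consumes a single digit and the leftover digit breaks the `/salt-master` suffix. `python[0-9]+\.[0-9]+` states the intent and keeps future interpreter directories labelled; the same applies to the `salt-minion` entry. A smaller point: the `/usr/bin/salt-master` and `/usr/bin/salt-minion` entries are restricted to regular files (`--`); if the package installs those paths as symlinks to the python-exec wrapper they never match and the only effective entry point is the wrapper-directory entry above, which deserves a one-line comment so that nobody later "fixes" the apparently unused entries.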
diff --git a/policy/modules/contrib/salt.if b/policy/modules/contrib/salt.if
new file mode 100644
index 0000000..7ab9e6b
--- /dev/null
+++ b/policy/modules/contrib/salt.if
@@ -0,0 +1,88 @@
+## <summary>Infrastructure management toolset</summary>
+
+#########################################
+## <summary>
+## All the rules required to administer a salt master environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access
+## </summary>
+## </param>
+#
+interface(`salt_admin_master',`
+ gen_require(`
+ type salt_master_t;
+ type salt_master_initrc_exec_t;
+ type salt_master_exec_t;
+ type salt_etc_t;
+ type salt_var_run_t;
+ type salt_master_var_run_t;
+ attribute_role salt_master_roles;
+ ')
+
+ allow $1 salt_master_t:process { ptrace signal_perms };
+ ps_process_pattern($1, salt_master_t)
+
+ init_labeled_script_domtrans($1, salt_master_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 salt_master_initrc_exec_t system_r;
+
+ # for debugging?
+ role_transition $2 salt_master_exec_t system_r;
+ domtrans_pattern($1, salt_master_exec_t, salt_master_t)
+
+ roleattribute $2 salt_master_roles;
+
+ files_list_etc($1)
+ admin_pattern($1, salt_etc_t, salt_etc_t)
+
+ allow $1 salt_var_run_t:dir search_dir_perms;
+ stream_connect_pattern($1, salt_master_var_run_t, salt_master_var_run_t, salt_master_t)
+')
+
+#########################################
+## <summary>
+## All the rules required to administer a salt minion environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access
+## </summary>
+## </param>
+#
+interface(`salt_admin_minion',`
+ gen_require(`
+ type salt_minion_t;
+ type salt_minion_initrc_exec_t;
+ type salt_minion_exec_t;
+ type salt_etc_t;
+ attribute_role salt_minion_roles;
+ ')
+
+ allow $1 salt_minion_t:process { ptrace signal_perms };
+ ps_process_pattern($1, salt_minion_t)
+
+ init_labeled_script_domtrans($1, salt_minion_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 salt_minion_initrc_exec_t system_r;
+
+ # for debugging
+ role_transition $2 salt_minion_exec_t system_r;
+ domtrans_pattern($1, salt_minion_exec_t, salt_minion_t)
+
+ roleattribute $2 salt_minion_roles;
+
+ files_list_etc($1)
+ admin_pattern($1, salt_etc_t, salt_etc_t)
+')
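Review bot: both admin interfaces hand the administrator only `salt_etc_t` (via `admin_pattern`), but the file contexts in this same patch label `/etc/salt/pki/master` and `/etc/salt/pki/minion` with the pki types, `/var/log/salt/*` with `salt_master_log_t`/`salt_minion_log_t` and `/var/cache/salt/*` with the cache types, none of which appear in the `gen_require` blocks. An administrator in this role therefore cannot read the master or minion log, nor manage the accepted and pending minion key directories under `/etc/salt/pki`, which is the main thing a salt administrator touches by hand; either add `admin_pattern` calls for `salt_pki_t`, `salt_master_pki_t`, `salt_log_t` and the per-daemon log and cache types, or document that those need a separate interface. Smaller points: the `# for debugging?` comment should lose the question mark and say what the direct `domtrans_pattern` is for (running the daemon in the foreground in its own domain); and these interfaces pass three arguments to `admin_pattern` where `tgtd.if` in this series passes two, so pick one form.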
diff --git a/policy/modules/contrib/salt.te b/policy/modules/contrib/salt.te
new file mode 100644
index 0000000..b8cc1a4
--- /dev/null
+++ b/policy/modules/contrib/salt.te
@@ -0,0 +1,308 @@
+policy_module(salt, 1.0)
+
+#########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Determine wether the salt master can read NFS files
+## </p>
+## </desc>
+gen_tunable(salt_master_read_nfs, false)
+
+## <desc>
+## <p>
+## Determine wether the salt minion can manage NFS files
+## </p>
+## </desc>
+gen_tunable(salt_minion_manage_nfs, false)
+
+attribute_role salt_master_roles;
+roleattribute system_r salt_master_roles;
+
+attribute_role salt_minion_roles;
+roleattribute system_r salt_minion_roles;
+
+type salt_master_t;
+type salt_master_exec_t;
+init_daemon_domain(salt_master_t, salt_master_exec_t)
+role salt_master_roles types salt_master_t;
+
+type salt_master_cache_t;
+files_type(salt_master_cache_t)
+
+type salt_master_initrc_exec_t;
+init_script_file(salt_master_initrc_exec_t)
+
+type salt_master_log_t;
+logging_log_file(salt_master_log_t)
+
+type salt_master_pki_t;
+files_type(salt_master_pki_t)
+
+type salt_master_tmp_t;
+files_tmp_file(salt_master_tmp_t)
+
+type salt_master_var_run_t;
+init_daemon_pid_file(salt_master_var_run_t, file, "salt-master.pid")
+files_pid_file(salt_master_var_run_t)
+
+type salt_minion_t;
+type salt_minion_exec_t;
+init_daemon_domain(salt_minion_t, salt_minion_exec_t)
+role salt_minion_roles types salt_minion_t;
+
+type salt_minion_cache_t;
+files_type(salt_minion_cache_t)
+
+type salt_minion_initrc_exec_t;
+init_script_file(salt_minion_initrc_exec_t)
+
+type salt_minion_log_t;
+logging_log_file(salt_minion_log_t)
+
+type salt_minion_pki_t;
+files_type(salt_minion_pki_t)
+
+type salt_minion_tmp_t;
+files_tmp_file(salt_minion_tmp_t)
+
+type salt_minion_var_run_t;
+init_daemon_pid_file(salt_minion_var_run_t, file, "salt-minion.pid")
+files_pid_file(salt_minion_var_run_t)
+
+type salt_cache_t;
+files_type(salt_cache_t)
+
+type salt_etc_t;
+files_config_file(salt_etc_t)
+
+type salt_log_t;
+logging_log_file(salt_log_t)
+
+type salt_sls_t;
+files_type(salt_sls_t)
+
+type salt_pki_t;
+files_type(salt_pki_t)
+
+type salt_var_run_t;
+files_pid_file(salt_var_run_t)
+
+#########################################
+#
+# salt_master_t policy
+#
+
+allow salt_master_t self:capability { net_admin sys_admin sys_tty_config };
+allow salt_master_t self:capability2 block_suspend;
+allow salt_master_t self:process signal;
+allow salt_master_t self:tcp_socket create_stream_socket_perms;
+allow salt_master_t self:udp_socket create_socket_perms;
+allow salt_master_t self:fifo_file rw_fifo_file_perms;
+allow salt_master_t self:netlink_route_socket rw_netlink_socket_perms;
+allow salt_master_t self:unix_stream_socket connectto;
+allow salt_master_t self:unix_dgram_socket create_socket_perms;
+
+# salt_cache_t
+allow salt_master_t salt_cache_t:dir create_dir_perms;
+files_var_filetrans(salt_master_t, salt_cache_t, dir, "salt")
+
+# salt_etc_t
+read_files_pattern(salt_master_t, salt_etc_t, salt_etc_t)
+list_dirs_pattern(salt_master_t, salt_etc_t, salt_etc_t)
+
+# salt_log_t
+allow salt_master_t salt_log_t:dir create_dir_perms;
+logging_log_filetrans(salt_master_t, salt_log_t, dir, "salt")
+
+# salt_master_cache_t
+manage_dirs_pattern(salt_master_t, salt_cache_t, salt_master_cache_t)
+allow salt_master_t salt_master_cache_t:file manage_file_perms;
+filetrans_pattern(salt_master_t, salt_cache_t, salt_master_cache_t, dir, "master")
+
+# salt_master_log_t
+manage_files_pattern(salt_master_t, salt_log_t, salt_master_log_t)
+manage_dirs_pattern(salt_master_t, salt_log_t, salt_master_log_t)
+filetrans_pattern(salt_master_t, salt_log_t, salt_master_log_t, { file dir })
+
+# salt_master_pki_t
+manage_dirs_pattern(salt_master_t, salt_pki_t, salt_master_pki_t)
+allow salt_master_t salt_master_pki_t:file manage_file_perms;
+filetrans_pattern(salt_master_t, salt_pki_t, salt_master_pki_t, dir, "master")
+
+# salt_master_tmp_t
+manage_files_pattern(salt_master_t, salt_master_tmp_t, salt_master_tmp_t)
+manage_dirs_pattern(salt_master_t, salt_master_tmp_t, salt_master_tmp_t)
+files_tmp_filetrans(salt_master_t, salt_master_tmp_t, { file dir })
+# libffi, screw you
+can_exec(salt_master_t, salt_master_tmp_t)
+
+# salt_master_var_run_t
+allow salt_master_t salt_master_var_run_t:file manage_file_perms;
+allow salt_master_t salt_master_var_run_t:sock_file manage_sock_file_perms;
+manage_dirs_pattern(salt_master_t, salt_var_run_t, salt_master_var_run_t)
+filetrans_pattern(salt_master_t, salt_var_run_t, salt_master_var_run_t, dir)
+
+# salt_pki_t
+create_dirs_pattern(salt_master_t, salt_etc_t, salt_pki_t)
+filetrans_pattern(salt_master_t, salt_etc_t, salt_pki_t, dir, "pki")
+
+# salt_sls_t
+read_files_pattern(salt_master_t, salt_sls_t, salt_sls_t)
+allow salt_master_t salt_sls_t:dir list_dir_perms;
+
+# salt_var_run_t
+allow salt_master_t salt_var_run_t:dir create_dir_perms;
+files_pid_filetrans(salt_master_t, salt_var_run_t, dir)
+files_pid_filetrans(salt_master_t, salt_master_var_run_t, file, "salt-master.pid")
+
+kernel_read_network_state(salt_master_t)
+kernel_read_system_state(salt_master_t)
+
+corecmd_exec_bin(salt_master_t)
+corecmd_exec_shell(salt_master_t)
+
+corenet_tcp_bind_generic_node(salt_master_t)
+corenet_tcp_bind_salt_port(salt_master_t)
+
+dev_read_sysfs(salt_master_t)
+
+domain_dontaudit_exec_all_entry_files(salt_master_t)
+domain_dontaudit_search_all_domains_state(salt_master_t)
+domain_use_interactive_fds(salt_master_t)
+
+files_dontaudit_search_all_dirs(salt_master_t)
+files_read_etc_files(salt_master_t)
+files_read_usr_files(salt_master_t)
+
+getty_use_fds(salt_master_t)
+
+miscfiles_read_localization(salt_master_t)
+
+sysnet_exec_ifconfig(salt_master_t)
+sysnet_read_config(salt_master_t)
+
+userdom_dontaudit_list_user_home_dirs(salt_master_t)
+userdom_use_user_terminals(salt_master_t)
+
+tunable_policy(`salt_master_read_nfs',`
+ fs_read_nfs_files(salt_master_t)
+')
+
+
+#########################################
+#
+# salt_minion_t policy
+#
+
+allow salt_minion_t self:capability { fsetid chown net_admin sys_admin sys_tty_config };
+allow salt_minion_t self:capability2 block_suspend;
+allow salt_minion_t self:process { signull };
+allow salt_minion_t self:tcp_socket create_stream_socket_perms;
+allow salt_minion_t self:udp_socket create_socket_perms;
+allow salt_minion_t self:unix_dgram_socket create_socket_perms;
+allow salt_minion_t self:fifo_file rw_fifo_file_perms;
+allow salt_minion_t self:netlink_route_socket rw_netlink_socket_perms;
+allow salt_minion_t self:unix_stream_socket connectto;
+
+# salt_cache_t
+allow salt_minion_t salt_cache_t:dir create_dir_perms;
+files_var_filetrans(salt_minion_t, salt_cache_t, dir, "salt")
+
+# salt_etc_t
+read_files_pattern(salt_minion_t, salt_etc_t, salt_etc_t)
+list_dirs_pattern(salt_minion_t, salt_etc_t, salt_etc_t)
+
+# salt_log_t
+allow salt_minion_t salt_log_t:dir create_dir_perms;
+logging_log_filetrans(salt_minion_t, salt_log_t, dir, "salt")
+
+# salt_minion_cache_t
+manage_dirs_pattern(salt_minion_t, salt_cache_t, salt_minion_cache_t)
+allow salt_minion_t salt_minion_cache_t:file manage_file_perms;
+filetrans_pattern(salt_minion_t, salt_cache_t, salt_minion_cache_t, dir, "minion")
+
+# salt_minion_log_t
+manage_files_pattern(salt_minion_t, salt_log_t, salt_minion_log_t)
+manage_dirs_pattern(salt_minion_t, salt_log_t, salt_minion_log_t)
+filetrans_pattern(salt_minion_t, salt_log_t, salt_minion_log_t, { file dir })
+
+# salt_minion_pki_t
+manage_dirs_pattern(salt_minion_t, salt_pki_t, salt_minion_pki_t)
+allow salt_minion_t salt_minion_pki_t:file manage_file_perms;
+filetrans_pattern(salt_minion_t, salt_pki_t, salt_minion_pki_t, dir, "minion")
+
+# salt_minion_tmp_t
+manage_files_pattern(salt_minion_t, salt_minion_tmp_t, salt_minion_tmp_t)
+manage_dirs_pattern(salt_minion_t, salt_minion_tmp_t, salt_minion_tmp_t)
+files_tmp_filetrans(salt_minion_t, salt_minion_tmp_t, { file dir })
+# libffi, screw you
+can_exec(salt_minion_t, salt_minion_tmp_t)
+
+# salt_minion_var_run_t
+allow salt_minion_t salt_minion_var_run_t:file manage_file_perms;
+allow salt_minion_t salt_minion_var_run_t:sock_file manage_sock_file_perms;
+manage_dirs_pattern(salt_minion_t, salt_var_run_t, salt_minion_var_run_t)
+filetrans_pattern(salt_minion_t, salt_var_run_t, salt_minion_var_run_t, dir)
+
+# salt_pki_t
+create_dirs_pattern(salt_minion_t, salt_etc_t, salt_pki_t)
+filetrans_pattern(salt_minion_t, salt_etc_t, salt_pki_t, dir, "pki")
+
+# salt_var_run_t
+allow salt_minion_t salt_var_run_t:dir create_dir_perms;
+files_pid_filetrans(salt_minion_t, salt_var_run_t, dir)
+files_pid_filetrans(salt_minion_t, salt_minion_var_run_t, file, "salt-minion.pid")
+
+kernel_read_network_state(salt_minion_t)
+kernel_read_system_state(salt_minion_t)
+kernel_rw_all_sysctls(salt_minion_t)
+
+corecmd_exec_bin(salt_minion_t)
+corecmd_exec_shell(salt_minion_t)
+
+corenet_tcp_connect_salt_port(salt_minion_t)
+
+dev_read_sysfs(salt_minion_t)
+
+domain_dontaudit_exec_all_entry_files(salt_minion_t)
+domain_dontaudit_search_all_domains_state(salt_minion_t)
+
+files_manage_all_non_security_file_types(salt_minion_t)
+
+fs_getattr_all_fs(salt_minion_t)
+
+getty_use_fds(salt_minion_t)
+
+miscfiles_read_localization(salt_minion_t)
+
+sysnet_exec_ifconfig(salt_minion_t)
+sysnet_read_config(salt_minion_t)
+
+userdom_dontaudit_list_user_home_dirs(salt_minion_t)
+userdom_use_user_terminals(salt_minion_t)
+
+optional_policy(`
+ auth_read_shadow(salt_minion_t)
+')
+
+optional_policy(`
+ mount_domtrans(salt_minion_t)
+')
+
+optional_policy(`
+ portage_run(salt_minion_t, salt_minion_roles)
+')
+
+optional_policy(`
+ usermanage_run_groupadd(salt_minion_t, salt_minion_roles)
+ usermanage_run_passwd(salt_minion_t, salt_minion_roles)
+ usermanage_run_useradd(salt_minion_t, salt_minion_roles)
+')
+
+tunable_policy(`salt_minion_manage_nfs',`
+ fs_manage_nfs_files(salt_master_t)
+')
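Review bot: the `salt_minion_manage_nfs` tunable at the end of the file grants `fs_manage_nfs_files(salt_master_t)`; the subject should be `salt_minion_t`. As written, turning the boolean on never gives the minion NFS access, which is its stated purpose, and instead silently lets the master domain manage NFS files, wider than the read-only `salt_master_read_nfs` the master already has and not what the tunable's description promises. Fix: `fs_manage_nfs_files(salt_minion_t)`. Smaller items in the same hunk: both `<desc>` blocks spell "whether" as "wether", and that text ends up in the generated boolean documentation; the `can_exec` on the tmp types, flagged only as `# libffi, screw you`, makes executable temporary files part of the policy and should say what libffi needs it for; and `salt_minion_t` combines `files_manage_all_non_security_file_types`, `kernel_rw_all_sysctls`, `auth_read_shadow`, `mount_domtrans` and the `usermanage_run_*` transitions with `sys_admin`, which is expected for a configuration-management agent but deserves a comment saying so, since this is the domain that executes whatever the master sends and a reader will otherwise take the breadth for an oversight.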
* [gentoo-commits] proj/hardened-refpolicy:salt commit in: policy/modules/contrib/
2014-08-15 14:51 [gentoo-commits] proj/hardened-refpolicy:master " Sven Vermeulen
@ 2014-08-15 13:39 ` Sven Vermeulen
0 siblings, 0 replies; 16+ messages in thread
From: Sven Vermeulen @ 2014-08-15 13:39 UTC
To: gentoo-commits
commit: ab68207e7d256eb40416d707b31c8cec87e3ca19
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sun Aug 10 18:03:34 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri Aug 15 13:36:52 2014 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=ab68207e
Introducing Salt policy
Salt (or Saltstack) is a system and configuration management solution,
built on Python. This policy introduces support for the salt master (the
system managing the configuration repository) and salt minion (the
agents on the target systems that pull configuration information from
the master).
---
policy/modules/contrib/salt.fc | 29 ++++
policy/modules/contrib/salt.if | 88 ++++++++++++
policy/modules/contrib/salt.te | 308 +++++++++++++++++++++++++++++++++++++++++
3 files changed, 425 insertions(+)
diff --git a/policy/modules/contrib/salt.fc b/policy/modules/contrib/salt.fc
new file mode 100644
index 0000000..399f5ad
--- /dev/null
+++ b/policy/modules/contrib/salt.fc
@@ -0,0 +1,29 @@
+/etc/salt(/.*)? gen_context(system_u:object_r:salt_etc_t,s0)
+/etc/salt/pki(/.*)? gen_context(system_u:object_r:salt_pki_t,s0)
+/etc/salt/pki/master(/.*)? gen_context(system_u:object_r:salt_master_pki_t,s0)
+/etc/salt/pki/minion(/.*)? gen_context(system_u:object_r:salt_minion_pki_t,s0)
+
+/etc/rc\.d/init\.d/salt-master -- gen_context(system_u:object_r:salt_master_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/salt-minion -- gen_context(system_u:object_r:salt_minion_initrc_exec_t,s0)
+
+/usr/lib/python-exec/python[0-9]?\.[0-9]?/salt-master -- gen_context(system_u:object_r:salt_master_exec_t,s0)
+/usr/lib/python-exec/python[0-9]?\.[0-9]?/salt-minion -- gen_context(system_u:object_r:salt_minion_exec_t,s0)
+
+/usr/bin/salt-master -- gen_context(system_u:object_r:salt_master_exec_t,s0)
+/usr/bin/salt-minion -- gen_context(system_u:object_r:salt_minion_exec_t,s0)
+
+/var/log/salt -d gen_context(system_u:object_r:salt_log_t,s0)
+/var/log/salt/master -- gen_context(system_u:object_r:salt_master_log_t,s0)
+/var/log/salt/minion -- gen_context(system_u:object_r:salt_minion_log_t,s0)
+
+/var/run/salt -d gen_context(system_u:object_r:salt_var_run_t,s0)
+/var/run/salt/master(/.*)? gen_context(system_u:object_r:salt_master_var_run_t,s0)
+/var/run/salt/minion(/.*)? gen_context(system_u:object_r:salt_minion_var_run_t,s0)
+/var/run/salt-master\.pid -- gen_context(system_u:object_r:salt_master_var_run_t,s0)
+/var/run/salt-minion\.pid -- gen_context(system_u:object_r:salt_minion_var_run_t,s0)
+
+/var/cache/salt -d gen_context(system_u:object_r:salt_cache_t,s0)
+/var/cache/salt/master(/.*)? gen_context(system_u:object_r:salt_master_cache_t,s0)
+/var/cache/salt/minion(/.*)? gen_context(system_u:object_r:salt_minion_cache_t,s0)
+
+/srv/salt(/.*)? gen_context(system_u:object_r:salt_sls_t,s0)
diff --git a/policy/modules/contrib/salt.if b/policy/modules/contrib/salt.if
new file mode 100644
index 0000000..7ab9e6b
--- /dev/null
+++ b/policy/modules/contrib/salt.if
@@ -0,0 +1,88 @@
+## <summary>Infrastructure management toolset</summary>
+
+#########################################
+## <summary>
+## All the rules required to administer a salt master environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access
+## </summary>
+## </param>
+#
+interface(`salt_admin_master',`
+ gen_require(`
+ type salt_master_t;
+ type salt_master_initrc_exec_t;
+ type salt_master_exec_t;
+ type salt_etc_t;
+ type salt_var_run_t;
+ type salt_master_var_run_t;
+ attribute_role salt_master_roles;
+ ')
+
+ allow $1 salt_master_t:process { ptrace signal_perms };
+ ps_process_pattern($1, salt_master_t)
+
+ init_labeled_script_domtrans($1, salt_master_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 salt_master_initrc_exec_t system_r;
+
+ # for debugging?
+ role_transition $2 salt_master_exec_t system_r;
+ domtrans_pattern($1, salt_master_exec_t, salt_master_t)
+
+ roleattribute $2 salt_master_roles;
+
+ files_list_etc($1)
+ admin_pattern($1, salt_etc_t, salt_etc_t)
+
+ allow $1 salt_var_run_t:dir search_dir_perms;
+ stream_connect_pattern($1, salt_master_var_run_t, salt_master_var_run_t, salt_master_t)
+')
+
+#########################################
+## <summary>
+## All the rules required to administer a salt minion environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access
+## </summary>
+## </param>
+#
+interface(`salt_admin_minion',`
+ gen_require(`
+ type salt_minion_t;
+ type salt_minion_initrc_exec_t;
+ type salt_minion_exec_t;
+ type salt_etc_t;
+ attribute_role salt_minion_roles;
+ ')
+
+ allow $1 salt_minion_t:process { ptrace signal_perms };
+ ps_process_pattern($1, salt_minion_t)
+
+ init_labeled_script_domtrans($1, salt_minion_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 salt_minion_initrc_exec_t system_r;
+
+ # for debugging
+ role_transition $2 salt_minion_exec_t system_r;
+ domtrans_pattern($1, salt_minion_exec_t, salt_minion_t)
+
+ roleattribute $2 salt_minion_roles;
+
+ files_list_etc($1)
+ admin_pattern($1, salt_etc_t, salt_etc_t)
+')
diff --git a/policy/modules/contrib/salt.te b/policy/modules/contrib/salt.te
new file mode 100644
index 0000000..b8cc1a4
--- /dev/null
+++ b/policy/modules/contrib/salt.te
@@ -0,0 +1,308 @@
+policy_module(salt, 1.0)
+
+#########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Determine wether the salt master can read NFS files
+## </p>
+## </desc>
+gen_tunable(salt_master_read_nfs, false)
+
+## <desc>
+## <p>
+## Determine wether the salt minion can manage NFS files
+## </p>
+## </desc>
+gen_tunable(salt_minion_manage_nfs, false)
+
+attribute_role salt_master_roles;
+roleattribute system_r salt_master_roles;
+
+attribute_role salt_minion_roles;
+roleattribute system_r salt_minion_roles;
+
+type salt_master_t;
+type salt_master_exec_t;
+init_daemon_domain(salt_master_t, salt_master_exec_t)
+role salt_master_roles types salt_master_t;
+
+type salt_master_cache_t;
+files_type(salt_master_cache_t)
+
+type salt_master_initrc_exec_t;
+init_script_file(salt_master_initrc_exec_t)
+
+type salt_master_log_t;
+logging_log_file(salt_master_log_t)
+
+type salt_master_pki_t;
+files_type(salt_master_pki_t)
+
+type salt_master_tmp_t;
+files_tmp_file(salt_master_tmp_t)
+
+type salt_master_var_run_t;
+init_daemon_pid_file(salt_master_var_run_t, file, "salt-master.pid")
+files_pid_file(salt_master_var_run_t)
+
+type salt_minion_t;
+type salt_minion_exec_t;
+init_daemon_domain(salt_minion_t, salt_minion_exec_t)
+role salt_minion_roles types salt_minion_t;
+
+type salt_minion_cache_t;
+files_type(salt_minion_cache_t)
+
+type salt_minion_initrc_exec_t;
+init_script_file(salt_minion_initrc_exec_t)
+
+type salt_minion_log_t;
+logging_log_file(salt_minion_log_t)
+
+type salt_minion_pki_t;
+files_type(salt_minion_pki_t)
+
+type salt_minion_tmp_t;
+files_tmp_file(salt_minion_tmp_t)
+
+type salt_minion_var_run_t;
+init_daemon_pid_file(salt_minion_var_run_t, file, "salt-minion.pid")
+files_pid_file(salt_minion_var_run_t)
+
+type salt_cache_t;
+files_type(salt_cache_t)
+
+type salt_etc_t;
+files_config_file(salt_etc_t)
+
+type salt_log_t;
+logging_log_file(salt_log_t)
+
+type salt_sls_t;
+files_type(salt_sls_t)
+
+type salt_pki_t;
+files_type(salt_pki_t)
+
+type salt_var_run_t;
+files_pid_file(salt_var_run_t)
+
+#########################################
+#
+# salt_master_t policy
+#
+
+allow salt_master_t self:capability { net_admin sys_admin sys_tty_config };
+allow salt_master_t self:capability2 block_suspend;
+allow salt_master_t self:process signal;
+allow salt_master_t self:tcp_socket create_stream_socket_perms;
+allow salt_master_t self:udp_socket create_socket_perms;
+allow salt_master_t self:fifo_file rw_fifo_file_perms;
+allow salt_master_t self:netlink_route_socket rw_netlink_socket_perms;
+allow salt_master_t self:unix_stream_socket connectto;
+allow salt_master_t self:unix_dgram_socket create_socket_perms;
+
+# salt_cache_t
+allow salt_master_t salt_cache_t:dir create_dir_perms;
+files_var_filetrans(salt_master_t, salt_cache_t, dir, "salt")
+
+# salt_etc_t
+read_files_pattern(salt_master_t, salt_etc_t, salt_etc_t)
+list_dirs_pattern(salt_master_t, salt_etc_t, salt_etc_t)
+
+# salt_log_t
+allow salt_master_t salt_log_t:dir create_dir_perms;
+logging_log_filetrans(salt_master_t, salt_log_t, dir, "salt")
+
+# salt_master_cache_t
+manage_dirs_pattern(salt_master_t, salt_cache_t, salt_master_cache_t)
+allow salt_master_t salt_master_cache_t:file manage_file_perms;
+filetrans_pattern(salt_master_t, salt_cache_t, salt_master_cache_t, dir, "master")
+
+# salt_master_log_t
+manage_files_pattern(salt_master_t, salt_log_t, salt_master_log_t)
+manage_dirs_pattern(salt_master_t, salt_log_t, salt_master_log_t)
+filetrans_pattern(salt_master_t, salt_log_t, salt_master_log_t, { file dir })
+
+# salt_master_pki_t
+manage_dirs_pattern(salt_master_t, salt_pki_t, salt_master_pki_t)
+allow salt_master_t salt_master_pki_t:file manage_file_perms;
+filetrans_pattern(salt_master_t, salt_pki_t, salt_master_pki_t, dir, "master")
+
+# salt_master_tmp_t
+manage_files_pattern(salt_master_t, salt_master_tmp_t, salt_master_tmp_t)
+manage_dirs_pattern(salt_master_t, salt_master_tmp_t, salt_master_tmp_t)
+files_tmp_filetrans(salt_master_t, salt_master_tmp_t, { file dir })
+# libffi, screw you
+can_exec(salt_master_t, salt_master_tmp_t)
+
+# salt_master_var_run_t
+allow salt_master_t salt_master_var_run_t:file manage_file_perms;
+allow salt_master_t salt_master_var_run_t:sock_file manage_sock_file_perms;
+manage_dirs_pattern(salt_master_t, salt_var_run_t, salt_master_var_run_t)
+filetrans_pattern(salt_master_t, salt_var_run_t, salt_master_var_run_t, dir)
+
+# salt_pki_t
+create_dirs_pattern(salt_master_t, salt_etc_t, salt_pki_t)
+filetrans_pattern(salt_master_t, salt_etc_t, salt_pki_t, dir, "pki")
+
+# salt_sls_t
+read_files_pattern(salt_master_t, salt_sls_t, salt_sls_t)
+allow salt_master_t salt_sls_t:dir list_dir_perms;
+
+# salt_var_run_t
+allow salt_master_t salt_var_run_t:dir create_dir_perms;
+files_pid_filetrans(salt_master_t, salt_var_run_t, dir)
+files_pid_filetrans(salt_master_t, salt_master_var_run_t, file, "salt-master.pid")
+
+kernel_read_network_state(salt_master_t)
+kernel_read_system_state(salt_master_t)
+
+corecmd_exec_bin(salt_master_t)
+corecmd_exec_shell(salt_master_t)
+
+corenet_tcp_bind_generic_node(salt_master_t)
+corenet_tcp_bind_salt_port(salt_master_t)
+
+dev_read_sysfs(salt_master_t)
+
+domain_dontaudit_exec_all_entry_files(salt_master_t)
+domain_dontaudit_search_all_domains_state(salt_master_t)
+domain_use_interactive_fds(salt_master_t)
+
+files_dontaudit_search_all_dirs(salt_master_t)
+files_read_etc_files(salt_master_t)
+files_read_usr_files(salt_master_t)
+
+getty_use_fds(salt_master_t)
+
+miscfiles_read_localization(salt_master_t)
+
+sysnet_exec_ifconfig(salt_master_t)
+sysnet_read_config(salt_master_t)
+
+userdom_dontaudit_list_user_home_dirs(salt_master_t)
+userdom_use_user_terminals(salt_master_t)
+
+tunable_policy(`salt_master_read_nfs',`
+ fs_read_nfs_files(salt_master_t)
+')
+
+
+#########################################
+#
+# salt_minion_t policy
+#
+
+allow salt_minion_t self:capability { fsetid chown net_admin sys_admin sys_tty_config };
+allow salt_minion_t self:capability2 block_suspend;
+allow salt_minion_t self:process { signull };
+allow salt_minion_t self:tcp_socket create_stream_socket_perms;
+allow salt_minion_t self:udp_socket create_socket_perms;
+allow salt_minion_t self:unix_dgram_socket create_socket_perms;
+allow salt_minion_t self:fifo_file rw_fifo_file_perms;
+allow salt_minion_t self:netlink_route_socket rw_netlink_socket_perms;
+allow salt_minion_t self:unix_stream_socket connectto;
+
+# salt_cache_t
+allow salt_minion_t salt_cache_t:dir create_dir_perms;
+files_var_filetrans(salt_minion_t, salt_cache_t, dir, "salt")
+
+# salt_etc_t
+read_files_pattern(salt_minion_t, salt_etc_t, salt_etc_t)
+list_dirs_pattern(salt_minion_t, salt_etc_t, salt_etc_t)
+
+# salt_log_t
+allow salt_minion_t salt_log_t:dir create_dir_perms;
+logging_log_filetrans(salt_minion_t, salt_log_t, dir, "salt")
+
+# salt_minion_cache_t
+manage_dirs_pattern(salt_minion_t, salt_cache_t, salt_minion_cache_t)
+allow salt_minion_t salt_minion_cache_t:file manage_file_perms;
+filetrans_pattern(salt_minion_t, salt_cache_t, salt_minion_cache_t, dir, "minion")
+
+# salt_minion_log_t
+manage_files_pattern(salt_minion_t, salt_log_t, salt_minion_log_t)
+manage_dirs_pattern(salt_minion_t, salt_log_t, salt_minion_log_t)
+filetrans_pattern(salt_minion_t, salt_log_t, salt_minion_log_t, { file dir })
+
+# salt_minion_pki_t
+manage_dirs_pattern(salt_minion_t, salt_pki_t, salt_minion_pki_t)
+allow salt_minion_t salt_minion_pki_t:file manage_file_perms;
+filetrans_pattern(salt_minion_t, salt_pki_t, salt_minion_pki_t, dir, "minion")
+
+# salt_minion_tmp_t
+manage_files_pattern(salt_minion_t, salt_minion_tmp_t, salt_minion_tmp_t)
+manage_dirs_pattern(salt_minion_t, salt_minion_tmp_t, salt_minion_tmp_t)
+files_tmp_filetrans(salt_minion_t, salt_minion_tmp_t, { file dir })
+# libffi, screw you
+can_exec(salt_minion_t, salt_minion_tmp_t)
+
+# salt_minion_var_run_t
+allow salt_minion_t salt_minion_var_run_t:file manage_file_perms;
+allow salt_minion_t salt_minion_var_run_t:sock_file manage_sock_file_perms;
+manage_dirs_pattern(salt_minion_t, salt_var_run_t, salt_minion_var_run_t)
+filetrans_pattern(salt_minion_t, salt_var_run_t, salt_minion_var_run_t, dir)
+
+# salt_pki_t
+create_dirs_pattern(salt_minion_t, salt_etc_t, salt_pki_t)
+filetrans_pattern(salt_minion_t, salt_etc_t, salt_pki_t, dir, "pki")
+
+# salt_var_run_t
+allow salt_minion_t salt_var_run_t:dir create_dir_perms;
+files_pid_filetrans(salt_minion_t, salt_var_run_t, dir)
+files_pid_filetrans(salt_minion_t, salt_minion_var_run_t, file, "salt-minion.pid")
+
+kernel_read_network_state(salt_minion_t)
+kernel_read_system_state(salt_minion_t)
+kernel_rw_all_sysctls(salt_minion_t)
+
+corecmd_exec_bin(salt_minion_t)
+corecmd_exec_shell(salt_minion_t)
+
+corenet_tcp_connect_salt_port(salt_minion_t)
+
+dev_read_sysfs(salt_minion_t)
+
+domain_dontaudit_exec_all_entry_files(salt_minion_t)
+domain_dontaudit_search_all_domains_state(salt_minion_t)
+
+files_manage_all_non_security_file_types(salt_minion_t)
+
+fs_getattr_all_fs(salt_minion_t)
+
+getty_use_fds(salt_minion_t)
+
+miscfiles_read_localization(salt_minion_t)
+
+sysnet_exec_ifconfig(salt_minion_t)
+sysnet_read_config(salt_minion_t)
+
+userdom_dontaudit_list_user_home_dirs(salt_minion_t)
+userdom_use_user_terminals(salt_minion_t)
+
+optional_policy(`
+ auth_read_shadow(salt_minion_t)
+')
+
+optional_policy(`
+ mount_domtrans(salt_minion_t)
+')
+
+optional_policy(`
+ portage_run(salt_minion_t, salt_minion_roles)
+')
+
+optional_policy(`
+ usermanage_run_groupadd(salt_minion_t, salt_minion_roles)
+ usermanage_run_passwd(salt_minion_t, salt_minion_roles)
+ usermanage_run_useradd(salt_minion_t, salt_minion_roles)
+')
+
+tunable_policy(`salt_minion_manage_nfs',`
+ fs_manage_nfs_files(salt_master_t)
+')
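Review bot: the closing `tunable_policy(`salt_minion_manage_nfs',` block grants `fs_manage_nfs_files(salt_master_t)`, yet it sits in the salt_minion_t section and the tunable is named and described for the minion; it should be `fs_manage_nfs_files(salt_minion_t)`, otherwise enabling the boolean widens the master instead of the minion and the minion still cannot touch NFS. Two smaller points in the same hunk: the `# libffi, screw you` comment above `can_exec(salt_minion_t, salt_minion_tmp_t)` should say what is being worked around (the executable temp-file mapping libffi uses for closures, if that is the cause) so a later maintainer can tell when this W+X exception on the minion's own tmp type can be dropped; and `files_manage_all_non_security_file_types(salt_minion_t)` together with `auth_read_shadow`, `kernel_rw_all_sysctls` and the `usermanage_run_*` transitions leaves the minion close to unconfined for everything that is not a security file type, which is defensible for a configuration agent but should be stated in a comment as a deliberate scope rather than left to look like an audit2allow result.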
* [gentoo-commits] proj/hardened-refpolicy:salt commit in: policy/modules/contrib/
@ 2014-08-15 11:51 Sven Vermeulen
0 siblings, 0 replies; 16+ messages in thread
From: Sven Vermeulen @ 2014-08-15 11:51 UTC (permalink / raw
To: gentoo-commits
commit: a9afa8e22feb6f7102d0c2c3b0199f5343d179b7
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sun Aug 10 18:03:34 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri Aug 15 11:50:57 2014 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=a9afa8e2
Salt policy
---
policy/modules/contrib/salt.fc | 29 ++++
policy/modules/contrib/salt.if | 88 ++++++++++++
policy/modules/contrib/salt.te | 315 +++++++++++++++++++++++++++++++++++++++++
3 files changed, 432 insertions(+)
diff --git a/policy/modules/contrib/salt.fc b/policy/modules/contrib/salt.fc
new file mode 100644
index 0000000..399f5ad
--- /dev/null
+++ b/policy/modules/contrib/salt.fc
@@ -0,0 +1,29 @@
+/etc/salt(/.*)? gen_context(system_u:object_r:salt_etc_t,s0)
+/etc/salt/pki(/.*)? gen_context(system_u:object_r:salt_pki_t,s0)
+/etc/salt/pki/master(/.*)? gen_context(system_u:object_r:salt_master_pki_t,s0)
+/etc/salt/pki/minion(/.*)? gen_context(system_u:object_r:salt_minion_pki_t,s0)
+
+/etc/rc\.d/init\.d/salt-master -- gen_context(system_u:object_r:salt_master_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/salt-minion -- gen_context(system_u:object_r:salt_minion_initrc_exec_t,s0)
+
+/usr/lib/python-exec/python[0-9]?\.[0-9]?/salt-master -- gen_context(system_u:object_r:salt_master_exec_t,s0)
+/usr/lib/python-exec/python[0-9]?\.[0-9]?/salt-minion -- gen_context(system_u:object_r:salt_minion_exec_t,s0)
+
+/usr/bin/salt-master -- gen_context(system_u:object_r:salt_master_exec_t,s0)
+/usr/bin/salt-minion -- gen_context(system_u:object_r:salt_minion_exec_t,s0)
+
+/var/log/salt -d gen_context(system_u:object_r:salt_log_t,s0)
+/var/log/salt/master -- gen_context(system_u:object_r:salt_master_log_t,s0)
+/var/log/salt/minion -- gen_context(system_u:object_r:salt_minion_log_t,s0)
+
+/var/run/salt -d gen_context(system_u:object_r:salt_var_run_t,s0)
+/var/run/salt/master(/.*)? gen_context(system_u:object_r:salt_master_var_run_t,s0)
+/var/run/salt/minion(/.*)? gen_context(system_u:object_r:salt_minion_var_run_t,s0)
+/var/run/salt-master\.pid -- gen_context(system_u:object_r:salt_master_var_run_t,s0)
+/var/run/salt-minion\.pid -- gen_context(system_u:object_r:salt_minion_var_run_t,s0)
+
+/var/cache/salt -d gen_context(system_u:object_r:salt_cache_t,s0)
+/var/cache/salt/master(/.*)? gen_context(system_u:object_r:salt_master_cache_t,s0)
+/var/cache/salt/minion(/.*)? gen_context(system_u:object_r:salt_minion_cache_t,s0)
+
+/srv/salt(/.*)? gen_context(system_u:object_r:salt_sls_t,s0)
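Review bot: the two python-exec entries, `/usr/lib/python-exec/python[0-9]?\.[0-9]?/salt-master` and its salt-minion twin, make each digit optional, so the pattern also accepts odd directory names such as `python./` and never matches a two-digit minor version; `python[0-9]\.[0-9]+` (or `python[0-9]+\.[0-9]+`) expresses the intended `python2.7`/`python3.x` wrapper directories more precisely. The rest of the file is consistent with salt.te: the `-d` entries for `/var/log/salt`, `/var/run/salt` and `/var/cache/salt` match the parent types that `logging_log_filetrans`, `files_pid_filetrans` and `files_var_filetrans` create, and `/var/run/salt-master\.pid` / `/var/run/salt-minion\.pid` agree with the `init_daemon_pid_file(..., "salt-master.pid")` declarations, so relabeling and runtime transitions will not fight each other.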
diff --git a/policy/modules/contrib/salt.if b/policy/modules/contrib/salt.if
new file mode 100644
index 0000000..7ab9e6b
--- /dev/null
+++ b/policy/modules/contrib/salt.if
@@ -0,0 +1,88 @@
+## <summary>Infrastructure management toolset</summary>
+
+#########################################
+## <summary>
+## All the rules required to administer a salt master environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access
+## </summary>
+## </param>
+#
+interface(`salt_admin_master',`
+ gen_require(`
+ type salt_master_t;
+ type salt_master_initrc_exec_t;
+ type salt_master_exec_t;
+ type salt_etc_t;
+ type salt_var_run_t;
+ type salt_master_var_run_t;
+ attribute_role salt_master_roles;
+ ')
+
+ allow $1 salt_master_t:process { ptrace signal_perms };
+ ps_process_pattern($1, salt_master_t)
+
+ init_labeled_script_domtrans($1, salt_master_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 salt_master_initrc_exec_t system_r;
+
+ # for debugging?
+ role_transition $2 salt_master_exec_t system_r;
+ domtrans_pattern($1, salt_master_exec_t, salt_master_t)
+
+ roleattribute $2 salt_master_roles;
+
+ files_list_etc($1)
+ admin_pattern($1, salt_etc_t, salt_etc_t)
+
+ allow $1 salt_var_run_t:dir search_dir_perms;
+ stream_connect_pattern($1, salt_master_var_run_t, salt_master_var_run_t, salt_master_t)
+')
+
+#########################################
+## <summary>
+## All the rules required to administer a salt minion environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access
+## </summary>
+## </param>
+#
+interface(`salt_admin_minion',`
+ gen_require(`
+ type salt_minion_t;
+ type salt_minion_initrc_exec_t;
+ type salt_minion_exec_t;
+ type salt_etc_t;
+ attribute_role salt_minion_roles;
+ ')
+
+ allow $1 salt_minion_t:process { ptrace signal_perms };
+ ps_process_pattern($1, salt_minion_t)
+
+ init_labeled_script_domtrans($1, salt_minion_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 salt_minion_initrc_exec_t system_r;
+
+ # for debugging
+ role_transition $2 salt_minion_exec_t system_r;
+ domtrans_pattern($1, salt_minion_exec_t, salt_minion_t)
+
+ roleattribute $2 salt_minion_roles;
+
+ files_list_etc($1)
+ admin_pattern($1, salt_etc_t, salt_etc_t)
+')
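Review bot: both `salt_admin_master` and `salt_admin_minion` give the administrator nothing beyond `admin_pattern($1, salt_etc_t, salt_etc_t)`, so the log, cache, pki, tmp and pid types declared in salt.te stay unmanageable from the admin domain (rotating `/var/log/salt/master` or clearing `/var/cache/salt` needs a second policy change); the usual refpolicy shape is to `gen_require` those types as well and add `logging_search_logs($1)`, `files_search_var($1)` and `files_search_pids($1)` with an `admin_pattern` per type. Also, the `# for debugging?` / `# for debugging` blocks with `role_transition $2 salt_master_exec_t system_r;` and `domtrans_pattern($1, salt_master_exec_t, salt_master_t)` let an admin start the daemon straight from a shell instead of through the init script; if that is meant to stay, the comment should say why (and lose the question mark), otherwise drop the pair and keep only the `init_labeled_script_domtrans` path.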
diff --git a/policy/modules/contrib/salt.te b/policy/modules/contrib/salt.te
new file mode 100644
index 0000000..ba10e45
--- /dev/null
+++ b/policy/modules/contrib/salt.te
@@ -0,0 +1,315 @@
+policy_module(salt, 1.0)
+
+#########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Determine wether the salt master can read NFS files
+## </p>
+## </desc>
+gen_tunable(salt_master_read_nfs, false)
+
+## <desc>
+## <p>
+## Determine wether the salt minion can manage NFS files
+## </p>
+## </desc>
+gen_tunable(salt_minion_manage_nfs, false)
+
+attribute_role salt_master_roles;
+roleattribute system_r salt_master_roles;
+
+attribute_role salt_minion_roles;
+roleattribute system_r salt_minion_roles;
+
+type salt_master_t;
+type salt_master_exec_t;
+init_daemon_domain(salt_master_t, salt_master_exec_t)
+role salt_master_roles types salt_master_t;
+
+type salt_master_cache_t;
+files_type(salt_master_cache_t)
+
+type salt_master_initrc_exec_t;
+init_script_file(salt_master_initrc_exec_t)
+
+type salt_master_log_t;
+logging_log_file(salt_master_log_t)
+
+type salt_master_pki_t;
+files_type(salt_master_pki_t)
+
+type salt_master_tmp_t;
+files_tmp_file(salt_master_tmp_t)
+
+type salt_master_var_run_t;
+init_daemon_pid_file(salt_master_var_run_t, file, "salt-master.pid")
+files_pid_file(salt_master_var_run_t)
+
+type salt_minion_t;
+type salt_minion_exec_t;
+init_daemon_domain(salt_minion_t, salt_minion_exec_t)
+role salt_minion_roles types salt_minion_t;
+
+type salt_minion_cache_t;
+files_type(salt_minion_cache_t)
+
+type salt_minion_initrc_exec_t;
+init_script_file(salt_minion_initrc_exec_t)
+
+type salt_minion_log_t;
+logging_log_file(salt_minion_log_t)
+
+type salt_minion_pki_t;
+files_type(salt_minion_pki_t)
+
+type salt_minion_tmp_t;
+files_tmp_file(salt_minion_tmp_t)
+
+type salt_minion_var_run_t;
+init_daemon_pid_file(salt_minion_var_run_t, file, "salt-minion.pid")
+files_pid_file(salt_minion_var_run_t)
+
+type salt_cache_t;
+files_type(salt_cache_t)
+
+type salt_etc_t;
+files_config_file(salt_etc_t)
+
+type salt_log_t;
+logging_log_file(salt_log_t)
+
+type salt_sls_t;
+files_type(salt_sls_t)
+
+type salt_pki_t;
+files_type(salt_pki_t)
+
+type salt_var_run_t;
+files_pid_file(salt_var_run_t)
+
+#########################################
+#
+# salt_master_t policy
+#
+
+allow salt_master_t self:capability { net_admin sys_admin sys_tty_config };
+allow salt_master_t self:capability2 block_suspend;
+allow salt_master_t self:process signal;
+allow salt_master_t self:tcp_socket create_stream_socket_perms;
+allow salt_master_t self:udp_socket create_socket_perms;
+allow salt_master_t self:fifo_file rw_fifo_file_perms;
+allow salt_master_t self:netlink_route_socket rw_netlink_socket_perms;
+allow salt_master_t self:unix_stream_socket connectto;
+allow salt_master_t self:unix_dgram_socket create_socket_perms;
+
+# salt_cache_t
+allow salt_master_t salt_cache_t:dir create_dir_perms;
+files_var_filetrans(salt_master_t, salt_cache_t, dir, "salt")
+
+# salt_etc_t
+read_files_pattern(salt_master_t, salt_etc_t, salt_etc_t)
+list_dirs_pattern(salt_master_t, salt_etc_t, salt_etc_t)
+
+# salt_log_t
+allow salt_master_t salt_log_t:dir create_dir_perms;
+logging_log_filetrans(salt_master_t, salt_log_t, dir, "salt")
+
+# salt_master_cache_t
+manage_dirs_pattern(salt_master_t, salt_cache_t, salt_master_cache_t)
+allow salt_master_t salt_master_cache_t:file manage_file_perms;
+filetrans_pattern(salt_master_t, salt_cache_t, salt_master_cache_t, dir, "master")
+
+# salt_master_log_t
+manage_files_pattern(salt_master_t, salt_log_t, salt_master_log_t)
+manage_dirs_pattern(salt_master_t, salt_log_t, salt_master_log_t)
+filetrans_pattern(salt_master_t, salt_log_t, salt_master_log_t, { file dir })
+
+# salt_master_pki_t
+manage_dirs_pattern(salt_master_t, salt_pki_t, salt_master_pki_t)
+allow salt_master_t salt_master_pki_t:file manage_file_perms;
+filetrans_pattern(salt_master_t, salt_pki_t, salt_master_pki_t, dir, "master")
+
+# salt_master_tmp_t
+manage_files_pattern(salt_master_t, salt_master_tmp_t, salt_master_tmp_t)
+manage_dirs_pattern(salt_master_t, salt_master_tmp_t, salt_master_tmp_t)
+files_tmp_filetrans(salt_master_t, salt_master_tmp_t, { file dir })
+# libffi, screw you
+can_exec(salt_master_t, salt_master_tmp_t)
+
+# salt_master_var_run_t
+allow salt_master_t salt_master_var_run_t:file manage_file_perms;
+allow salt_master_t salt_master_var_run_t:sock_file manage_sock_file_perms;
+manage_dirs_pattern(salt_master_t, salt_var_run_t, salt_master_var_run_t)
+filetrans_pattern(salt_master_t, salt_var_run_t, salt_master_var_run_t, dir)
+
+# salt_pki_t
+create_dirs_pattern(salt_master_t, salt_etc_t, salt_pki_t)
+filetrans_pattern(salt_master_t, salt_etc_t, salt_pki_t, dir, "pki")
+
+# salt_sls_t
+read_files_pattern(salt_master_t, salt_sls_t, salt_sls_t)
+allow salt_master_t salt_sls_t:dir list_dir_perms;
+
+# salt_var_run_t
+allow salt_master_t salt_var_run_t:dir create_dir_perms;
+files_pid_filetrans(salt_master_t, salt_var_run_t, dir)
+files_pid_filetrans(salt_master_t, salt_master_var_run_t, file, "salt-master.pid")
+
+kernel_read_network_state(salt_master_t)
+kernel_read_system_state(salt_master_t)
+
+corecmd_exec_bin(salt_master_t)
+corecmd_exec_shell(salt_master_t)
+
+corenet_tcp_bind_generic_node(salt_master_t)
+# Actually only 4505 and 4506, need to create a salt_master tcp port for that
+corenet_tcp_bind_salt_port(salt_master_t)
+#corenet_tcp_bind_all_unreserved_ports(salt_master_t)
+
+dev_read_sysfs(salt_master_t)
+
+domain_use_interactive_fds(salt_master_t)
+domain_dontaudit_search_all_domains_state(salt_master_t)
+
+sysnet_exec_ifconfig(salt_master_t)
+sysnet_read_config(salt_master_t)
+
+domain_dontaudit_exec_all_entry_files(salt_master_t)
+
+files_dontaudit_search_all_dirs(salt_master_t)
+files_read_etc_files(salt_master_t)
+files_read_usr_files(salt_master_t)
+
+getty_use_fds(salt_master_t)
+
+miscfiles_read_localization(salt_master_t)
+
+userdom_use_user_terminals(salt_master_t)
+userdom_dontaudit_list_user_home_dirs(salt_master_t)
+
+tunable_policy(`salt_master_read_nfs',`
+ fs_read_nfs_files(salt_master_t)
+')
+
+
+#########################################
+#
+# salt_minion_t policy
+#
+
+allow salt_minion_t self:capability { net_admin sys_admin sys_tty_config };
+allow salt_minion_t self:capability2 block_suspend;
+allow salt_minion_t self:process { signull };
+allow salt_minion_t self:tcp_socket create_stream_socket_perms;
+allow salt_minion_t self:udp_socket create_socket_perms;
+allow salt_minion_t self:unix_dgram_socket create_socket_perms;
+allow salt_minion_t self:fifo_file rw_fifo_file_perms;
+allow salt_minion_t self:netlink_route_socket rw_netlink_socket_perms;
+allow salt_minion_t self:unix_stream_socket connectto;
+
+# salt_cache_t
+allow salt_minion_t salt_cache_t:dir create_dir_perms;
+files_var_filetrans(salt_minion_t, salt_cache_t, dir, "salt")
+
+# salt_etc_t
+read_files_pattern(salt_minion_t, salt_etc_t, salt_etc_t)
+list_dirs_pattern(salt_minion_t, salt_etc_t, salt_etc_t)
+
+# salt_log_t
+allow salt_minion_t salt_log_t:dir create_dir_perms;
+logging_log_filetrans(salt_minion_t, salt_log_t, dir, "salt")
+
+# salt_minion_cache_t
+manage_dirs_pattern(salt_minion_t, salt_cache_t, salt_minion_cache_t)
+allow salt_minion_t salt_minion_cache_t:file manage_file_perms;
+filetrans_pattern(salt_minion_t, salt_cache_t, salt_minion_cache_t, dir, "minion")
+
+# salt_minion_log_t
+manage_files_pattern(salt_minion_t, salt_log_t, salt_minion_log_t)
+manage_dirs_pattern(salt_minion_t, salt_log_t, salt_minion_log_t)
+filetrans_pattern(salt_minion_t, salt_log_t, salt_minion_log_t, { file dir })
+
+# salt_minion_pki_t
+manage_dirs_pattern(salt_minion_t, salt_pki_t, salt_minion_pki_t)
+allow salt_minion_t salt_minion_pki_t:file manage_file_perms;
+filetrans_pattern(salt_minion_t, salt_pki_t, salt_minion_pki_t, dir, "minion")
+
+# salt_minion_tmp_t
+manage_files_pattern(salt_minion_t, salt_minion_tmp_t, salt_minion_tmp_t)
+manage_dirs_pattern(salt_minion_t, salt_minion_tmp_t, salt_minion_tmp_t)
+files_tmp_filetrans(salt_minion_t, salt_minion_tmp_t, { file dir })
+# libffi, screw you
+can_exec(salt_minion_t, salt_minion_tmp_t)
+
+# salt_minion_var_run_t
+allow salt_minion_t salt_minion_var_run_t:file manage_file_perms;
+allow salt_minion_t salt_minion_var_run_t:sock_file manage_sock_file_perms;
+manage_dirs_pattern(salt_minion_t, salt_var_run_t, salt_minion_var_run_t)
+filetrans_pattern(salt_minion_t, salt_var_run_t, salt_minion_var_run_t, dir)
+
+# salt_pki_t
+create_dirs_pattern(salt_minion_t, salt_etc_t, salt_pki_t)
+filetrans_pattern(salt_minion_t, salt_etc_t, salt_pki_t, dir, "pki")
+
+# salt_var_run_t
+allow salt_minion_t salt_var_run_t:dir create_dir_perms;
+files_pid_filetrans(salt_minion_t, salt_var_run_t, dir)
+files_pid_filetrans(salt_minion_t, salt_minion_var_run_t, file, "salt-minion.pid")
+
+kernel_read_network_state(salt_minion_t)
+kernel_read_system_state(salt_minion_t)
+kernel_rw_all_sysctls(salt_minion_t)
+
+corecmd_exec_bin(salt_minion_t)
+corecmd_exec_shell(salt_minion_t)
+
+#corenet_tcp_bind_generic_node(salt_minion_t)
+# Actually only 4505 and 4506, need to create a salt_minion tcp port for that
+#corenet_tcp_bind_all_unreserved_ports(salt_minion_t)
+corenet_tcp_connect_salt_port(salt_minion_t)
+#corenet_tcp_connect_all_unreserved_ports(salt_minion_t)
+
+dev_read_sysfs(salt_minion_t)
+
+sysnet_exec_ifconfig(salt_minion_t)
+sysnet_read_config(salt_minion_t)
+
+domain_dontaudit_search_all_domains_state(salt_minion_t)
+domain_dontaudit_exec_all_entry_files(salt_minion_t)
+
+files_manage_all_non_security_file_types(salt_minion_t)
+#files_getattr_all_files(salt_minion_t)
+#files_read_etc_files(salt_minion_t)
+#files_read_etc_runtime_files(salt_minion_t)
+#files_read_usr_files(salt_minion_t)
+
+fs_getattr_all_fs(salt_minion_t)
+
+getty_use_fds(salt_minion_t)
+
+miscfiles_read_localization(salt_minion_t)
+
+userdom_use_user_terminals(salt_minion_t)
+userdom_dontaudit_list_user_home_dirs(salt_minion_t)
+
+optional_policy(`
+ auth_read_shadow(salt_minion_t)
+')
+
+optional_policy(`
+ usermanage_run_useradd(salt_minion_t, salt_minion_roles)
+ usermanage_run_groupadd(salt_minion_t, salt_minion_roles)
+ usermanage_run_passwd(salt_minion_t, salt_minion_roles)
+')
+
+optional_policy(`
+ portage_run(salt_minion_t, salt_minion_roles)
+')
+
+tunable_policy(`salt_minion_manage_nfs',`
+ fs_manage_nfs_files(salt_master_t)
+')
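Review bot: the final `tunable_policy(`salt_minion_manage_nfs',` block grants `fs_manage_nfs_files(salt_master_t)` although it is in the salt_minion_t section and the tunable's `<desc>` says it controls the minion; it should be `fs_manage_nfs_files(salt_minion_t)`. Further points: both `<desc>` blocks spell "wether" for "whether"; the comment `# Actually only 4505 and 4506, need to create a salt_master tcp port for that` is stale now that the next line already uses `corenet_tcp_bind_salt_port(salt_master_t)` (mirrored by `corenet_tcp_connect_salt_port` on the minion), so the comment and the commented-out `*_all_unreserved_ports` alternatives should be removed; `allow salt_master_t self:capability { net_admin sys_admin sys_tty_config };` and the identical minion line deserve a comment naming the operation that needs `sys_admin`, since that capability covers a large set of privileged operations and is rarely a real requirement for a daemon that only binds sockets; and `# libffi, screw you` above each `can_exec(..., *_tmp_t)` should explain the workaround so the executable-tmp exception can be revisited later.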
* [gentoo-commits] proj/hardened-refpolicy:salt commit in: policy/modules/contrib/
@ 2014-08-15 11:12 Sven Vermeulen
0 siblings, 0 replies; 16+ messages in thread
From: Sven Vermeulen @ 2014-08-15 11:12 UTC (permalink / raw
To: gentoo-commits
commit: 042e95026dfacdb860cc9ff5aa3158c13adf9521
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sun Aug 10 18:03:34 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri Aug 15 11:12:44 2014 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=042e9502
Salt policy
---
policy/modules/contrib/salt.fc | 29 ++++
policy/modules/contrib/salt.if | 88 ++++++++++++
policy/modules/contrib/salt.te | 304 +++++++++++++++++++++++++++++++++++++++++
3 files changed, 421 insertions(+)
diff --git a/policy/modules/contrib/salt.fc b/policy/modules/contrib/salt.fc
new file mode 100644
index 0000000..399f5ad
--- /dev/null
+++ b/policy/modules/contrib/salt.fc
@@ -0,0 +1,29 @@
+/etc/salt(/.*)? gen_context(system_u:object_r:salt_etc_t,s0)
+/etc/salt/pki(/.*)? gen_context(system_u:object_r:salt_pki_t,s0)
+/etc/salt/pki/master(/.*)? gen_context(system_u:object_r:salt_master_pki_t,s0)
+/etc/salt/pki/minion(/.*)? gen_context(system_u:object_r:salt_minion_pki_t,s0)
+
+/etc/rc\.d/init\.d/salt-master -- gen_context(system_u:object_r:salt_master_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/salt-minion -- gen_context(system_u:object_r:salt_minion_initrc_exec_t,s0)
+
+/usr/lib/python-exec/python[0-9]?\.[0-9]?/salt-master -- gen_context(system_u:object_r:salt_master_exec_t,s0)
+/usr/lib/python-exec/python[0-9]?\.[0-9]?/salt-minion -- gen_context(system_u:object_r:salt_minion_exec_t,s0)
+
+/usr/bin/salt-master -- gen_context(system_u:object_r:salt_master_exec_t,s0)
+/usr/bin/salt-minion -- gen_context(system_u:object_r:salt_minion_exec_t,s0)
+
+/var/log/salt -d gen_context(system_u:object_r:salt_log_t,s0)
+/var/log/salt/master -- gen_context(system_u:object_r:salt_master_log_t,s0)
+/var/log/salt/minion -- gen_context(system_u:object_r:salt_minion_log_t,s0)
+
+/var/run/salt -d gen_context(system_u:object_r:salt_var_run_t,s0)
+/var/run/salt/master(/.*)? gen_context(system_u:object_r:salt_master_var_run_t,s0)
+/var/run/salt/minion(/.*)? gen_context(system_u:object_r:salt_minion_var_run_t,s0)
+/var/run/salt-master\.pid -- gen_context(system_u:object_r:salt_master_var_run_t,s0)
+/var/run/salt-minion\.pid -- gen_context(system_u:object_r:salt_minion_var_run_t,s0)
+
+/var/cache/salt -d gen_context(system_u:object_r:salt_cache_t,s0)
+/var/cache/salt/master(/.*)? gen_context(system_u:object_r:salt_master_cache_t,s0)
+/var/cache/salt/minion(/.*)? gen_context(system_u:object_r:salt_minion_cache_t,s0)
+
+/srv/salt(/.*)? gen_context(system_u:object_r:salt_sls_t,s0)
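Review bot: this salt.fc is byte-identical to the one in commit a9afa8e2 (same blob `index 0000000..399f5ad`), so the same regex point applies: `/usr/lib/python-exec/python[0-9]?\.[0-9]?/salt-master` and the salt-minion entry make each digit optional and cannot match a two-digit minor version; `python[0-9]\.[0-9]+` is the more precise form for the `python2.7`/`python3.x` wrapper directories.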
diff --git a/policy/modules/contrib/salt.if b/policy/modules/contrib/salt.if
new file mode 100644
index 0000000..7ab9e6b
--- /dev/null
+++ b/policy/modules/contrib/salt.if
@@ -0,0 +1,88 @@
+## <summary>Infrastructure management toolset</summary>
+
+#########################################
+## <summary>
+## All the rules required to administer a salt master environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access
+## </summary>
+## </param>
+#
+interface(`salt_admin_master',`
+ gen_require(`
+ type salt_master_t;
+ type salt_master_initrc_exec_t;
+ type salt_master_exec_t;
+ type salt_etc_t;
+ type salt_var_run_t;
+ type salt_master_var_run_t;
+ attribute_role salt_master_roles;
+ ')
+
+ allow $1 salt_master_t:process { ptrace signal_perms };
+ ps_process_pattern($1, salt_master_t)
+
+ init_labeled_script_domtrans($1, salt_master_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 salt_master_initrc_exec_t system_r;
+
+ # for debugging?
+ role_transition $2 salt_master_exec_t system_r;
+ domtrans_pattern($1, salt_master_exec_t, salt_master_t)
+
+ roleattribute $2 salt_master_roles;
+
+ files_list_etc($1)
+ admin_pattern($1, salt_etc_t, salt_etc_t)
+
+ allow $1 salt_var_run_t:dir search_dir_perms;
+ stream_connect_pattern($1, salt_master_var_run_t, salt_master_var_run_t, salt_master_t)
+')
+
+#########################################
+## <summary>
+## All the rules required to administer a salt minion environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access
+## </summary>
+## </param>
+#
+interface(`salt_admin_minion',`
+ gen_require(`
+ type salt_minion_t;
+ type salt_minion_initrc_exec_t;
+ type salt_minion_exec_t;
+ type salt_etc_t;
+ attribute_role salt_minion_roles;
+ ')
+
+ allow $1 salt_minion_t:process { ptrace signal_perms };
+ ps_process_pattern($1, salt_minion_t)
+
+ init_labeled_script_domtrans($1, salt_minion_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 salt_minion_initrc_exec_t system_r;
+
+ # for debugging
+ role_transition $2 salt_minion_exec_t system_r;
+ domtrans_pattern($1, salt_minion_exec_t, salt_minion_t)
+
+ roleattribute $2 salt_minion_roles;
+
+ files_list_etc($1)
+ admin_pattern($1, salt_etc_t, salt_etc_t)
+')
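Review bot: this salt.if is byte-identical to the one in commit a9afa8e2 (blob `index 0000000..7ab9e6b`), so the same gap applies: `salt_admin_master` and `salt_admin_minion` only grant `admin_pattern($1, salt_etc_t, salt_etc_t)` and leave the log, cache, pki, tmp and pid types without admin access, and the `# for debugging?` direct `domtrans_pattern($1, salt_master_exec_t, salt_master_t)` should either be justified in the comment or dropped in favour of the init script transition alone.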
diff --git a/policy/modules/contrib/salt.te b/policy/modules/contrib/salt.te
new file mode 100644
index 0000000..089e038
--- /dev/null
+++ b/policy/modules/contrib/salt.te
@@ -0,0 +1,304 @@
+policy_module(salt, 1.0)
+
+#########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Determine wether the salt master can read NFS files
+## </p>
+## </desc>
+gen_tunable(salt_master_read_nfs, false)
+
+## <desc>
+## <p>
+## Determine wether the salt minion can manage NFS files
+## </p>
+## </desc>
+gen_tunable(salt_minion_manage_nfs, false)
+
+attribute_role salt_master_roles;
+roleattribute system_r salt_master_roles;
+
+attribute_role salt_minion_roles;
+roleattribute system_r salt_minion_roles;
+
+type salt_master_t;
+type salt_master_exec_t;
+init_daemon_domain(salt_master_t, salt_master_exec_t)
+role salt_master_roles types salt_master_t;
+
+type salt_master_cache_t;
+files_type(salt_master_cache_t)
+
+type salt_master_initrc_exec_t;
+init_script_file(salt_master_initrc_exec_t)
+
+type salt_master_log_t;
+logging_log_file(salt_master_log_t)
+
+type salt_master_pki_t;
+files_type(salt_master_pki_t)
+
+type salt_master_tmp_t;
+files_tmp_file(salt_master_tmp_t)
+
+type salt_master_var_run_t;
+init_daemon_pid_file(salt_master_var_run_t, file, "salt-master.pid")
+files_pid_file(salt_master_var_run_t)
+
+type salt_minion_t;
+type salt_minion_exec_t;
+init_daemon_domain(salt_minion_t, salt_minion_exec_t)
+role salt_minion_roles types salt_minion_t;
+
+type salt_minion_cache_t;
+files_type(salt_minion_cache_t)
+
+type salt_minion_initrc_exec_t;
+init_script_file(salt_minion_initrc_exec_t)
+
+type salt_minion_log_t;
+logging_log_file(salt_minion_log_t)
+
+type salt_minion_pki_t;
+files_type(salt_minion_pki_t)
+
+type salt_minion_tmp_t;
+files_tmp_file(salt_minion_tmp_t)
+
+type salt_minion_var_run_t;
+init_daemon_pid_file(salt_minion_var_run_t, file, "salt-minion.pid")
+files_pid_file(salt_minion_var_run_t)
+
+type salt_cache_t;
+files_type(salt_cache_t)
+
+type salt_etc_t;
+files_config_file(salt_etc_t)
+
+type salt_log_t;
+logging_log_file(salt_log_t)
+
+type salt_sls_t;
+files_type(salt_sls_t)
+
+type salt_pki_t;
+files_type(salt_pki_t)
+
+type salt_var_run_t;
+files_pid_file(salt_var_run_t)
+
+#########################################
+#
+# salt_master_t policy
+#
+
+allow salt_master_t self:capability { net_admin sys_admin sys_tty_config };
+allow salt_master_t self:capability2 block_suspend;
+allow salt_master_t self:process signal;
+allow salt_master_t self:tcp_socket create_stream_socket_perms;
+allow salt_master_t self:udp_socket create_socket_perms;
+allow salt_master_t self:fifo_file rw_fifo_file_perms;
+allow salt_master_t self:netlink_route_socket rw_netlink_socket_perms;
+allow salt_master_t self:unix_stream_socket connectto;
+allow salt_master_t self:unix_dgram_socket create_socket_perms;
+
+# salt_cache_t
+allow salt_master_t salt_cache_t:dir create_dir_perms;
+files_var_filetrans(salt_master_t, salt_cache_t, dir, "salt")
+
+# salt_etc_t
+read_files_pattern(salt_master_t, salt_etc_t, salt_etc_t)
+list_dirs_pattern(salt_master_t, salt_etc_t, salt_etc_t)
+
+# salt_log_t
+allow salt_master_t salt_log_t:dir create_dir_perms;
+logging_log_filetrans(salt_master_t, salt_log_t, dir, "salt")
+
+# salt_master_cache_t
+manage_dirs_pattern(salt_master_t, salt_cache_t, salt_master_cache_t)
+allow salt_master_t salt_master_cache_t:file manage_file_perms;
+filetrans_pattern(salt_master_t, salt_cache_t, salt_master_cache_t, dir, "master")
+
+# salt_master_log_t
+manage_files_pattern(salt_master_t, salt_log_t, salt_master_log_t)
+manage_dirs_pattern(salt_master_t, salt_log_t, salt_master_log_t)
+filetrans_pattern(salt_master_t, salt_log_t, salt_master_log_t, { file dir })
+
+# salt_master_pki_t
+manage_dirs_pattern(salt_master_t, salt_pki_t, salt_master_pki_t)
+allow salt_master_t salt_master_pki_t:file manage_file_perms;
+filetrans_pattern(salt_master_t, salt_pki_t, salt_master_pki_t, dir, "master")
+
+# salt_master_tmp_t
+manage_files_pattern(salt_master_t, salt_master_tmp_t, salt_master_tmp_t)
+manage_dirs_pattern(salt_master_t, salt_master_tmp_t, salt_master_tmp_t)
+files_tmp_filetrans(salt_master_t, salt_master_tmp_t, { file dir })
+# libffi, screw you
+can_exec(salt_master_t, salt_master_tmp_t)
+
+# salt_master_var_run_t
+allow salt_master_t salt_master_var_run_t:file manage_file_perms;
+allow salt_master_t salt_master_var_run_t:sock_file manage_sock_file_perms;
+manage_dirs_pattern(salt_master_t, salt_var_run_t, salt_master_var_run_t)
+filetrans_pattern(salt_master_t, salt_var_run_t, salt_master_var_run_t, dir)
+
+# salt_pki_t
+create_dirs_pattern(salt_master_t, salt_etc_t, salt_pki_t)
+filetrans_pattern(salt_master_t, salt_etc_t, salt_pki_t, dir, "pki")
+
+# salt_sls_t
+read_files_pattern(salt_master_t, salt_sls_t, salt_sls_t)
+allow salt_master_t salt_sls_t:dir list_dir_perms;
+
+# salt_var_run_t
+allow salt_master_t salt_var_run_t:dir create_dir_perms;
+files_pid_filetrans(salt_master_t, salt_var_run_t, dir)
+files_pid_filetrans(salt_master_t, salt_master_var_run_t, file, "salt-master.pid")
+
+kernel_read_network_state(salt_master_t)
+kernel_read_system_state(salt_master_t)
+
+corecmd_exec_bin(salt_master_t)
+corecmd_exec_shell(salt_master_t)
+
+corenet_tcp_bind_generic_node(salt_master_t)
+# Actually only 4505 and 4506, need to create a salt_master tcp port for that
+corenet_tcp_bind_salt_port(salt_master_t)
+#corenet_tcp_bind_all_unreserved_ports(salt_master_t)
+
+dev_read_sysfs(salt_master_t)
+
+domain_use_interactive_fds(salt_master_t)
+domain_dontaudit_search_all_domains_state(salt_master_t)
+
+sysnet_exec_ifconfig(salt_master_t)
+sysnet_read_config(salt_master_t)
+
+domain_dontaudit_exec_all_entry_files(salt_master_t)
+
+files_dontaudit_search_all_dirs(salt_master_t)
+files_read_etc_files(salt_master_t)
+files_read_usr_files(salt_master_t)
+
+getty_use_fds(salt_master_t)
+
+miscfiles_read_localization(salt_master_t)
+
+userdom_use_user_terminals(salt_master_t)
+userdom_dontaudit_list_user_home_dirs(salt_master_t)
+
+tunable_policy(`salt_master_read_nfs',`
+ fs_read_nfs_files(salt_master_t)
+')
+
+
+#########################################
+#
+# salt_minion_t policy
+#
+
+allow salt_minion_t self:capability { net_admin sys_admin sys_tty_config };
+allow salt_minion_t self:capability2 block_suspend;
+allow salt_minion_t self:process { signull };
+allow salt_minion_t self:tcp_socket create_stream_socket_perms;
+allow salt_minion_t self:udp_socket create_socket_perms;
+allow salt_minion_t self:unix_dgram_socket create_socket_perms;
+allow salt_minion_t self:fifo_file rw_fifo_file_perms;
+allow salt_minion_t self:netlink_route_socket rw_netlink_socket_perms;
+#allow salt_minion_t self:unix_stream_socket connectto;
+
+# salt_cache_t
+allow salt_minion_t salt_cache_t:dir create_dir_perms;
+files_var_filetrans(salt_minion_t, salt_cache_t, dir, "salt")
+
+# salt_etc_t
+read_files_pattern(salt_minion_t, salt_etc_t, salt_etc_t)
+list_dirs_pattern(salt_minion_t, salt_etc_t, salt_etc_t)
+
+# salt_log_t
+allow salt_minion_t salt_log_t:dir create_dir_perms;
+logging_log_filetrans(salt_minion_t, salt_log_t, dir, "salt")
+
+# salt_minion_cache_t
+manage_dirs_pattern(salt_minion_t, salt_cache_t, salt_minion_cache_t)
+allow salt_minion_t salt_minion_cache_t:file manage_file_perms;
+filetrans_pattern(salt_minion_t, salt_cache_t, salt_minion_cache_t, dir, "minion")
+
+# salt_minion_log_t
+manage_files_pattern(salt_minion_t, salt_log_t, salt_minion_log_t)
+manage_dirs_pattern(salt_minion_t, salt_log_t, salt_minion_log_t)
+filetrans_pattern(salt_minion_t, salt_log_t, salt_minion_log_t, { file dir })
+
+# salt_minion_pki_t
+manage_dirs_pattern(salt_minion_t, salt_pki_t, salt_minion_pki_t)
+allow salt_minion_t salt_minion_pki_t:file manage_file_perms;
+filetrans_pattern(salt_minion_t, salt_pki_t, salt_minion_pki_t, dir, "minion")
+
+# salt_minion_tmp_t
+manage_files_pattern(salt_minion_t, salt_minion_tmp_t, salt_minion_tmp_t)
+manage_dirs_pattern(salt_minion_t, salt_minion_tmp_t, salt_minion_tmp_t)
+files_tmp_filetrans(salt_minion_t, salt_minion_tmp_t, { file dir })
+# libffi, screw you
+can_exec(salt_minion_t, salt_minion_tmp_t)
+
+# salt_minion_var_run_t
+allow salt_minion_t salt_minion_var_run_t:file manage_file_perms;
+allow salt_minion_t salt_minion_var_run_t:sock_file manage_sock_file_perms;
+manage_dirs_pattern(salt_minion_t, salt_var_run_t, salt_minion_var_run_t)
+filetrans_pattern(salt_minion_t, salt_var_run_t, salt_minion_var_run_t, dir)
+
+# salt_pki_t
+create_dirs_pattern(salt_minion_t, salt_etc_t, salt_pki_t)
+filetrans_pattern(salt_minion_t, salt_etc_t, salt_pki_t, dir, "pki")
+
+# salt_var_run_t
+allow salt_minion_t salt_var_run_t:dir create_dir_perms;
+files_pid_filetrans(salt_minion_t, salt_var_run_t, dir)
+files_pid_filetrans(salt_minion_t, salt_minion_var_run_t, file, "salt-minion.pid")
+
+kernel_read_network_state(salt_minion_t)
+kernel_read_system_state(salt_minion_t)
+kernel_rw_all_sysctls(salt_minion_t)
+
+corecmd_exec_bin(salt_minion_t)
+corecmd_exec_shell(salt_minion_t)
+
+#corenet_tcp_bind_generic_node(salt_minion_t)
+# Actually only 4505 and 4506, need to create a salt_minion tcp port for that
+#corenet_tcp_bind_all_unreserved_ports(salt_minion_t)
+corenet_tcp_connect_salt_port(salt_minion_t)
+#corenet_tcp_connect_all_unreserved_ports(salt_minion_t)
+
+dev_read_sysfs(salt_minion_t)
+
+sysnet_exec_ifconfig(salt_minion_t)
+sysnet_read_config(salt_minion_t)
+
+domain_dontaudit_exec_all_entry_files(salt_minion_t)
+
+files_manage_all_non_security_file_types(salt_minion_t)
+#files_getattr_all_files(salt_minion_t)
+#files_read_etc_files(salt_minion_t)
+#files_read_etc_runtime_files(salt_minion_t)
+#files_read_usr_files(salt_minion_t)
+
+fs_getattr_all_fs(salt_minion_t)
+
+getty_use_fds(salt_minion_t)
+
+miscfiles_read_localization(salt_minion_t)
+
+userdom_use_user_terminals(salt_minion_t)
+userdom_dontaudit_list_user_home_dirs(salt_minion_t)
+
+optional_policy(`
+ portage_run(salt_minion_t, salt_minion_roles)
+')
+
+tunable_policy(`salt_minion_manage_nfs',`
+ fs_manage_nfs_files(salt_master_t)
+')
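Review bot: the last block, `tunable_policy(`salt_minion_manage_nfs',` with `fs_manage_nfs_files(salt_master_t)`, has the same master/minion mix-up as the later revision of this file and should grant `salt_minion_t`. This revision also carries dead rules that should not be committed as comments without a reason: `#allow salt_minion_t self:unix_stream_socket connectto;`, the `#corenet_tcp_bind_generic_node` / `#corenet_tcp_*_all_unreserved_ports` group beneath the stale `need to create a salt_minion tcp port` comment (the line right after it already calls `corenet_tcp_connect_salt_port(salt_minion_t)`), and the four `#files_*` lines under `files_manage_all_non_security_file_types(salt_minion_t)`, which that broad rule already subsumes. Both `<desc>` texts also spell "wether" for "whether".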
* [gentoo-commits] proj/hardened-refpolicy:salt commit in: policy/modules/contrib/
@ 2014-08-15 10:40 Sven Vermeulen
0 siblings, 0 replies; 16+ messages in thread
From: Sven Vermeulen @ 2014-08-15 10:40 UTC
To: gentoo-commits
commit: 65a238f2432caf176b7a27b332622aa810bfaf9f
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sun Aug 10 18:03:34 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri Aug 15 10:40:16 2014 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=65a238f2
Salt policy
---
policy/modules/contrib/salt.fc | 29 +++++
policy/modules/contrib/salt.if | 88 +++++++++++++
policy/modules/contrib/salt.te | 289 +++++++++++++++++++++++++++++++++++++++++
3 files changed, 406 insertions(+)
diff --git a/policy/modules/contrib/salt.fc b/policy/modules/contrib/salt.fc
new file mode 100644
index 0000000..399f5ad
--- /dev/null
+++ b/policy/modules/contrib/salt.fc
@@ -0,0 +1,29 @@
+/etc/salt(/.*)? gen_context(system_u:object_r:salt_etc_t,s0)
+/etc/salt/pki(/.*)? gen_context(system_u:object_r:salt_pki_t,s0)
+/etc/salt/pki/master(/.*)? gen_context(system_u:object_r:salt_master_pki_t,s0)
+/etc/salt/pki/minion(/.*)? gen_context(system_u:object_r:salt_minion_pki_t,s0)
+
+/etc/rc\.d/init\.d/salt-master -- gen_context(system_u:object_r:salt_master_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/salt-minion -- gen_context(system_u:object_r:salt_minion_initrc_exec_t,s0)
+
+/usr/lib/python-exec/python[0-9]?\.[0-9]?/salt-master -- gen_context(system_u:object_r:salt_master_exec_t,s0)
+/usr/lib/python-exec/python[0-9]?\.[0-9]?/salt-minion -- gen_context(system_u:object_r:salt_minion_exec_t,s0)
+
+/usr/bin/salt-master -- gen_context(system_u:object_r:salt_master_exec_t,s0)
+/usr/bin/salt-minion -- gen_context(system_u:object_r:salt_minion_exec_t,s0)
+
+/var/log/salt -d gen_context(system_u:object_r:salt_log_t,s0)
+/var/log/salt/master -- gen_context(system_u:object_r:salt_master_log_t,s0)
+/var/log/salt/minion -- gen_context(system_u:object_r:salt_minion_log_t,s0)
+
+/var/run/salt -d gen_context(system_u:object_r:salt_var_run_t,s0)
+/var/run/salt/master(/.*)? gen_context(system_u:object_r:salt_master_var_run_t,s0)
+/var/run/salt/minion(/.*)? gen_context(system_u:object_r:salt_minion_var_run_t,s0)
+/var/run/salt-master\.pid -- gen_context(system_u:object_r:salt_master_var_run_t,s0)
+/var/run/salt-minion\.pid -- gen_context(system_u:object_r:salt_minion_var_run_t,s0)
+
+/var/cache/salt -d gen_context(system_u:object_r:salt_cache_t,s0)
+/var/cache/salt/master(/.*)? gen_context(system_u:object_r:salt_master_cache_t,s0)
+/var/cache/salt/minion(/.*)? gen_context(system_u:object_r:salt_minion_cache_t,s0)
+
+/srv/salt(/.*)? gen_context(system_u:object_r:salt_sls_t,s0)
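Review bot: the patterns on the two /usr/lib/python-exec lines make both digits optional (python[0-9]?\.[0-9]?), so they also match paths such as python./salt-master or python2./salt-master; python[0-9]+\.[0-9]+ expresses the pythonX.Y directory that is meant. The rest of the file is consistent with the types salt.te declares, and the three /etc/salt/pki entries correctly take precedence over /etc/salt(/.*)? because the more specific spec wins, so the key directories get their dedicated pki types on relabel. One caveat on the /usr/bin lines: the "--" specifier matches regular files only, so if /usr/bin/salt-master and /usr/bin/salt-minion are symlinks to the python-exec wrapper on this system, those two entries label nothing and the /usr/lib/python-exec entries are the ones that matter; harmless, but worth knowing when debugging a missing domain transition.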
diff --git a/policy/modules/contrib/salt.if b/policy/modules/contrib/salt.if
new file mode 100644
index 0000000..7ab9e6b
--- /dev/null
+++ b/policy/modules/contrib/salt.if
@@ -0,0 +1,88 @@
+## <summary>Infrastructure management toolset</summary>
+
+#########################################
+## <summary>
+## All the rules required to administer a salt master environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access
+## </summary>
+## </param>
+#
+interface(`salt_admin_master',`
+ gen_require(`
+ type salt_master_t;
+ type salt_master_initrc_exec_t;
+ type salt_master_exec_t;
+ type salt_etc_t;
+ type salt_var_run_t;
+ type salt_master_var_run_t;
+ attribute_role salt_master_roles;
+ ')
+
+ allow $1 salt_master_t:process { ptrace signal_perms };
+ ps_process_pattern($1, salt_master_t)
+
+ init_labeled_script_domtrans($1, salt_master_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 salt_master_initrc_exec_t system_r;
+
+ # for debugging?
+ role_transition $2 salt_master_exec_t system_r;
+ domtrans_pattern($1, salt_master_exec_t, salt_master_t)
+
+ roleattribute $2 salt_master_roles;
+
+ files_list_etc($1)
+ admin_pattern($1, salt_etc_t, salt_etc_t)
+
+ allow $1 salt_var_run_t:dir search_dir_perms;
+ stream_connect_pattern($1, salt_master_var_run_t, salt_master_var_run_t, salt_master_t)
+')
+
+#########################################
+## <summary>
+## All the rules required to administer a salt minion environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access
+## </summary>
+## </param>
+#
+interface(`salt_admin_minion',`
+ gen_require(`
+ type salt_minion_t;
+ type salt_minion_initrc_exec_t;
+ type salt_minion_exec_t;
+ type salt_etc_t;
+ attribute_role salt_minion_roles;
+ ')
+
+ allow $1 salt_minion_t:process { ptrace signal_perms };
+ ps_process_pattern($1, salt_minion_t)
+
+ init_labeled_script_domtrans($1, salt_minion_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 salt_minion_initrc_exec_t system_r;
+
+ # for debugging
+ role_transition $2 salt_minion_exec_t system_r;
+ domtrans_pattern($1, salt_minion_exec_t, salt_minion_t)
+
+ roleattribute $2 salt_minion_roles;
+
+ files_list_etc($1)
+ admin_pattern($1, salt_etc_t, salt_etc_t)
+')
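Review bot: both interfaces promise "All the rules required to administer" but only cover salt_etc_t (admin_pattern($1, salt_etc_t, salt_etc_t)); none of the pki, log, cache, tmp or var_run types that salt.te declares are reachable through them, so an admin domain using salt_admin_master still cannot rotate keys under /etc/salt/pki, prune /var/cache/salt or read /var/log/salt. Either add admin_pattern calls for salt_master_pki_t, salt_master_log_t, salt_master_cache_t, salt_master_tmp_t and salt_master_var_run_t (with the matching search interfaces: logging_search_logs($1), files_search_var($1), files_search_tmp($1), files_search_pids($1)) plus the minion equivalents in salt_admin_minion, or narrow the summary to what the interface actually grants. Also settle the "# for debugging?" block: role_transition plus domtrans_pattern into salt_master_t lets the admin role start a master outside of init, which is fine if intended, but a merged interface should not carry a question mark.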
diff --git a/policy/modules/contrib/salt.te b/policy/modules/contrib/salt.te
new file mode 100644
index 0000000..35dc162
--- /dev/null
+++ b/policy/modules/contrib/salt.te
@@ -0,0 +1,289 @@
+policy_module(salt, 1.0)
+
+#########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Determine wether the salt minion can manage nfs files
+## </p>
+## </desc>
+gen_tunable(salt_minion_use_nfs, false)
+
+attribute_role salt_master_roles;
+roleattribute system_r salt_master_roles;
+
+attribute_role salt_minion_roles;
+roleattribute system_r salt_minion_roles;
+
+type salt_master_t;
+type salt_master_exec_t;
+init_daemon_domain(salt_master_t, salt_master_exec_t)
+role salt_master_roles types salt_master_t;
+
+type salt_master_cache_t;
+files_type(salt_master_cache_t)
+
+type salt_master_initrc_exec_t;
+init_script_file(salt_master_initrc_exec_t)
+
+type salt_master_log_t;
+logging_log_file(salt_master_log_t)
+
+type salt_master_pki_t;
+files_type(salt_master_pki_t)
+
+type salt_master_tmp_t;
+files_tmp_file(salt_master_tmp_t)
+
+type salt_master_var_run_t;
+init_daemon_pid_file(salt_master_var_run_t, file, "salt-master.pid")
+files_pid_file(salt_master_var_run_t)
+
+type salt_minion_t;
+type salt_minion_exec_t;
+init_daemon_domain(salt_minion_t, salt_minion_exec_t)
+role salt_minion_roles types salt_minion_t;
+
+type salt_minion_cache_t;
+files_type(salt_minion_cache_t)
+
+type salt_minion_initrc_exec_t;
+init_script_file(salt_minion_initrc_exec_t)
+
+type salt_minion_log_t;
+logging_log_file(salt_minion_log_t)
+
+type salt_minion_pki_t;
+files_type(salt_minion_pki_t)
+
+type salt_minion_tmp_t;
+files_tmp_file(salt_minion_tmp_t)
+
+type salt_minion_var_run_t;
+init_daemon_pid_file(salt_minion_var_run_t, file, "salt-minion.pid")
+files_pid_file(salt_minion_var_run_t)
+
+type salt_cache_t;
+files_type(salt_cache_t)
+
+type salt_etc_t;
+files_config_file(salt_etc_t)
+
+type salt_log_t;
+logging_log_file(salt_log_t)
+
+type salt_sls_t;
+files_type(salt_sls_t)
+
+type salt_pki_t;
+files_type(salt_pki_t)
+
+type salt_var_run_t;
+files_pid_file(salt_var_run_t)
+
+#########################################
+#
+# salt_master_t policy
+#
+
+allow salt_master_t self:capability { net_admin sys_admin sys_tty_config };
+allow salt_master_t self:capability2 block_suspend;
+allow salt_master_t self:process signal;
+allow salt_master_t self:tcp_socket create_stream_socket_perms;
+allow salt_master_t self:udp_socket create_socket_perms;
+allow salt_master_t self:fifo_file rw_fifo_file_perms;
+allow salt_master_t self:netlink_route_socket rw_netlink_socket_perms;
+allow salt_master_t self:unix_stream_socket connectto;
+
+# salt_cache_t
+allow salt_master_t salt_cache_t:dir create_dir_perms;
+files_var_filetrans(salt_master_t, salt_cache_t, dir, "salt")
+
+# salt_etc_t
+read_files_pattern(salt_master_t, salt_etc_t, salt_etc_t)
+list_dirs_pattern(salt_master_t, salt_etc_t, salt_etc_t)
+
+# salt_log_t
+allow salt_master_t salt_log_t:dir create_dir_perms;
+logging_log_filetrans(salt_master_t, salt_log_t, dir, "salt")
+
+# salt_master_cache_t
+manage_dirs_pattern(salt_master_t, salt_cache_t, salt_master_cache_t)
+allow salt_master_t salt_master_cache_t:file manage_file_perms;
+filetrans_pattern(salt_master_t, salt_cache_t, salt_master_cache_t, dir, "master")
+
+# salt_master_log_t
+manage_files_pattern(salt_master_t, salt_log_t, salt_master_log_t)
+manage_dirs_pattern(salt_master_t, salt_log_t, salt_master_log_t)
+filetrans_pattern(salt_master_t, salt_log_t, salt_master_log_t, { file dir })
+
+# salt_master_pki_t
+manage_dirs_pattern(salt_master_t, salt_pki_t, salt_master_pki_t)
+allow salt_master_t salt_master_pki_t:file manage_file_perms;
+filetrans_pattern(salt_master_t, salt_pki_t, salt_master_pki_t, dir, "master")
+
+# salt_master_tmp_t
+manage_files_pattern(salt_master_t, salt_master_tmp_t, salt_master_tmp_t)
+manage_dirs_pattern(salt_master_t, salt_master_tmp_t, salt_master_tmp_t)
+files_tmp_filetrans(salt_master_t, salt_master_tmp_t, { file dir })
+# libffi, screw you
+can_exec(salt_master_t, salt_master_tmp_t)
+
+# salt_master_var_run_t
+allow salt_master_t salt_master_var_run_t:file manage_file_perms;
+allow salt_master_t salt_master_var_run_t:sock_file manage_sock_file_perms;
+manage_dirs_pattern(salt_master_t, salt_var_run_t, salt_master_var_run_t)
+filetrans_pattern(salt_master_t, salt_var_run_t, salt_master_var_run_t, dir)
+
+# salt_pki_t
+create_dirs_pattern(salt_master_t, salt_etc_t, salt_pki_t)
+filetrans_pattern(salt_master_t, salt_etc_t, salt_pki_t, dir, "pki")
+
+# salt_sls_t
+read_files_pattern(salt_master_t, salt_sls_t, salt_sls_t)
+allow salt_master_t salt_sls_t:dir list_dir_perms;
+
+# salt_var_run_t
+allow salt_master_t salt_var_run_t:dir create_dir_perms;
+files_pid_filetrans(salt_master_t, salt_var_run_t, dir)
+files_pid_filetrans(salt_master_t, salt_master_var_run_t, file, "salt-master.pid")
+
+kernel_read_network_state(salt_master_t)
+kernel_read_system_state(salt_master_t)
+
+corecmd_exec_bin(salt_master_t)
+corecmd_exec_shell(salt_master_t)
+
+corenet_tcp_bind_generic_node(salt_master_t)
+# Actually only 4505 and 4506, need to create a salt_master tcp port for that
+corenet_tcp_bind_salt_port(salt_master_t)
+#corenet_tcp_bind_all_unreserved_ports(salt_master_t)
+
+dev_read_sysfs(salt_master_t)
+
+sysnet_exec_ifconfig(salt_master_t)
+sysnet_read_config(salt_master_t)
+
+domain_dontaudit_exec_all_entry_files(salt_master_t)
+
+files_read_etc_files(salt_master_t)
+files_read_usr_files(salt_master_t)
+
+getty_use_fds(salt_master_t)
+
+miscfiles_read_localization(salt_master_t)
+
+userdom_use_user_terminals(salt_master_t)
+userdom_dontaudit_list_user_home_dirs(salt_master_t)
+
+
+#########################################
+#
+# salt_minion_t policy
+#
+
+allow salt_minion_t self:capability { net_admin sys_admin sys_tty_config };
+allow salt_minion_t self:capability2 block_suspend;
+allow salt_minion_t self:process { signull };
+allow salt_minion_t self:tcp_socket create_stream_socket_perms;
+allow salt_minion_t self:udp_socket create_socket_perms;
+allow salt_minion_t self:unix_dgram_socket create_socket_perms;
+allow salt_minion_t self:fifo_file rw_fifo_file_perms;
+allow salt_minion_t self:netlink_route_socket rw_netlink_socket_perms;
+#allow salt_minion_t self:unix_stream_socket connectto;
+
+# salt_cache_t
+allow salt_minion_t salt_cache_t:dir create_dir_perms;
+files_var_filetrans(salt_minion_t, salt_cache_t, dir, "salt")
+
+# salt_etc_t
+read_files_pattern(salt_minion_t, salt_etc_t, salt_etc_t)
+list_dirs_pattern(salt_minion_t, salt_etc_t, salt_etc_t)
+
+# salt_log_t
+allow salt_minion_t salt_log_t:dir create_dir_perms;
+logging_log_filetrans(salt_minion_t, salt_log_t, dir, "salt")
+
+# salt_minion_cache_t
+manage_dirs_pattern(salt_minion_t, salt_cache_t, salt_minion_cache_t)
+allow salt_minion_t salt_minion_cache_t:file manage_file_perms;
+filetrans_pattern(salt_minion_t, salt_cache_t, salt_minion_cache_t, dir, "minion")
+
+# salt_minion_log_t
+manage_files_pattern(salt_minion_t, salt_log_t, salt_minion_log_t)
+manage_dirs_pattern(salt_minion_t, salt_log_t, salt_minion_log_t)
+filetrans_pattern(salt_minion_t, salt_log_t, salt_minion_log_t, { file dir })
+
+# salt_minion_pki_t
+manage_dirs_pattern(salt_minion_t, salt_pki_t, salt_minion_pki_t)
+allow salt_minion_t salt_minion_pki_t:file manage_file_perms;
+filetrans_pattern(salt_minion_t, salt_pki_t, salt_minion_pki_t, dir, "minion")
+
+# salt_minion_tmp_t
+manage_files_pattern(salt_minion_t, salt_minion_tmp_t, salt_minion_tmp_t)
+manage_dirs_pattern(salt_minion_t, salt_minion_tmp_t, salt_minion_tmp_t)
+files_tmp_filetrans(salt_minion_t, salt_minion_tmp_t, { file dir })
+# libffi, screw you
+can_exec(salt_minion_t, salt_minion_tmp_t)
+
+# salt_minion_var_run_t
+allow salt_minion_t salt_minion_var_run_t:file manage_file_perms;
+allow salt_minion_t salt_minion_var_run_t:sock_file manage_sock_file_perms;
+manage_dirs_pattern(salt_minion_t, salt_var_run_t, salt_minion_var_run_t)
+filetrans_pattern(salt_minion_t, salt_var_run_t, salt_minion_var_run_t, dir)
+
+# salt_pki_t
+create_dirs_pattern(salt_minion_t, salt_etc_t, salt_pki_t)
+filetrans_pattern(salt_minion_t, salt_etc_t, salt_pki_t, dir, "pki")
+
+# salt_var_run_t
+allow salt_minion_t salt_var_run_t:dir create_dir_perms;
+files_pid_filetrans(salt_minion_t, salt_var_run_t, dir)
+files_pid_filetrans(salt_minion_t, salt_minion_var_run_t, file, "salt-minion.pid")
+
+kernel_read_network_state(salt_minion_t)
+kernel_read_system_state(salt_minion_t)
+kernel_rw_all_sysctls(salt_minion_t)
+
+corecmd_exec_bin(salt_minion_t)
+corecmd_exec_shell(salt_minion_t)
+
+#corenet_tcp_bind_generic_node(salt_minion_t)
+# Actually only 4505 and 4506, need to create a salt_minion tcp port for that
+#corenet_tcp_bind_all_unreserved_ports(salt_minion_t)
+corenet_tcp_connect_salt_port(salt_minion_t)
+#corenet_tcp_connect_all_unreserved_ports(salt_minion_t)
+
+dev_read_sysfs(salt_minion_t)
+
+sysnet_exec_ifconfig(salt_minion_t)
+sysnet_read_config(salt_minion_t)
+
+domain_dontaudit_exec_all_entry_files(salt_minion_t)
+
+files_manage_all_non_security_file_types(salt_minion_t)
+#files_getattr_all_files(salt_minion_t)
+#files_read_etc_files(salt_minion_t)
+#files_read_etc_runtime_files(salt_minion_t)
+#files_read_usr_files(salt_minion_t)
+
+fs_getattr_all_fs(salt_minion_t)
+
+getty_use_fds(salt_minion_t)
+
+miscfiles_read_localization(salt_minion_t)
+
+userdom_use_user_terminals(salt_minion_t)
+userdom_dontaudit_list_user_home_dirs(salt_minion_t)
+
+tunable_policy(`salt_minion_use_nfs',`
+ fs_manage_nfs_files(salt_minion_t)
+')
+
+optional_policy(`
+ portage_run(salt_minion_t, salt_minion_roles)
+')
+
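Review bot: the PID-directory transitions carry no filename: files_pid_filetrans(salt_master_t, salt_var_run_t, dir) and its minion twin label any directory either daemon creates directly under /var/run as salt_var_run_t, and filetrans_pattern(salt_master_t, salt_var_run_t, salt_master_var_run_t, dir) likewise covers every subdirectory of /var/run/salt rather than just "master". The same hunk already uses the named form for files_var_filetrans(..., "salt") and logging_log_filetrans(..., "salt"); pass "salt", "master" and "minion" here too so the runtime labels stay in step with salt.fc. Two smaller points: the comment "Actually only 4505 and 4506, need to create a salt_master tcp port for that" is stale now that corenet_tcp_bind_salt_port and corenet_tcp_connect_salt_port are used (and the minion copy talks about binding while the minion only connects), and "wether" in the tunable description should read "whether", since that text ends up in the generated policy documentation.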
* [gentoo-commits] proj/hardened-refpolicy:salt commit in: policy/modules/contrib/
@ 2014-08-15 10:04 Sven Vermeulen
0 siblings, 0 replies; 16+ messages in thread
From: Sven Vermeulen @ 2014-08-15 10:04 UTC
To: gentoo-commits
commit: e31155f9bf68278c101c127753e3b8dd6ca3d8f5
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sun Aug 10 18:03:34 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri Aug 15 10:04:11 2014 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=e31155f9
Salt policy
---
policy/modules/contrib/salt.fc | 26 ++++
policy/modules/contrib/salt.if | 88 +++++++++++++
policy/modules/contrib/salt.te | 289 +++++++++++++++++++++++++++++++++++++++++
3 files changed, 403 insertions(+)
diff --git a/policy/modules/contrib/salt.fc b/policy/modules/contrib/salt.fc
new file mode 100644
index 0000000..7303aea
--- /dev/null
+++ b/policy/modules/contrib/salt.fc
@@ -0,0 +1,26 @@
+/etc/salt(/.*)? gen_context(system_u:object_r:salt_etc_t,s0)
+
+/etc/rc\.d/init\.d/salt-master -- gen_context(system_u:object_r:salt_master_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/salt-minion -- gen_context(system_u:object_r:salt_minion_initrc_exec_t,s0)
+
+/usr/lib/python-exec/python[0-9]?\.[0-9]?/salt-master -- gen_context(system_u:object_r:salt_master_exec_t,s0)
+/usr/lib/python-exec/python[0-9]?\.[0-9]?/salt-minion -- gen_context(system_u:object_r:salt_minion_exec_t,s0)
+
+/usr/bin/salt-master -- gen_context(system_u:object_r:salt_master_exec_t,s0)
+/usr/bin/salt-minion -- gen_context(system_u:object_r:salt_minion_exec_t,s0)
+
+/var/log/salt -d gen_context(system_u:object_r:salt_log_t,s0)
+/var/log/salt/master -- gen_context(system_u:object_r:salt_master_log_t,s0)
+/var/log/salt/minion -- gen_context(system_u:object_r:salt_minion_log_t,s0)
+
+/var/run/salt -d gen_context(system_u:object_r:salt_var_run_t,s0)
+/var/run/salt/master(/.*)? gen_context(system_u:object_r:salt_master_var_run_t,s0)
+/var/run/salt/minion(/.*)? gen_context(system_u:object_r:salt_minion_var_run_t,s0)
+/var/run/salt-master\.pid -- gen_context(system_u:object_r:salt_master_var_run_t,s0)
+/var/run/salt-minion\.pid -- gen_context(system_u:object_r:salt_minion_var_run_t,s0)
+
+/var/cache/salt -d gen_context(system_u:object_r:salt_cache_t,s0)
+/var/cache/salt/master(/.*)? gen_context(system_u:object_r:salt_master_cache_t,s0)
+/var/cache/salt/minion(/.*)? gen_context(system_u:object_r:salt_minion_cache_t,s0)
+
+/srv/salt(/.*)? gen_context(system_u:object_r:salt_sls_t,s0)
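Review bot: salt.fc has no entry for /etc/salt/pki although salt.te in this same commit declares salt_pki_t, salt_master_pki_t and salt_minion_pki_t and has the daemons create those directories through filetrans rules. The result is two labelings for the same directories: created by a running daemon they get the pki types, but a restorecon or rlpkg run matches /etc/salt(/.*)? and sets them back to salt_etc_t, after which the master's and minion's manage rules on their pki types no longer apply and the key files are readable by everything that reads salt_etc_t, including the other daemon on a host running both. Add /etc/salt/pki(/.*)?, /etc/salt/pki/master(/.*)? and /etc/salt/pki/minion(/.*)? with their pki types; the 65a238f2 revision of this file further up the page does exactly that.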
diff --git a/policy/modules/contrib/salt.if b/policy/modules/contrib/salt.if
new file mode 100644
index 0000000..7ab9e6b
--- /dev/null
+++ b/policy/modules/contrib/salt.if
@@ -0,0 +1,88 @@
+## <summary>Infrastructure management toolset</summary>
+
+#########################################
+## <summary>
+## All the rules required to administer a salt master environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access
+## </summary>
+## </param>
+#
+interface(`salt_admin_master',`
+ gen_require(`
+ type salt_master_t;
+ type salt_master_initrc_exec_t;
+ type salt_master_exec_t;
+ type salt_etc_t;
+ type salt_var_run_t;
+ type salt_master_var_run_t;
+ attribute_role salt_master_roles;
+ ')
+
+ allow $1 salt_master_t:process { ptrace signal_perms };
+ ps_process_pattern($1, salt_master_t)
+
+ init_labeled_script_domtrans($1, salt_master_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 salt_master_initrc_exec_t system_r;
+
+ # for debugging?
+ role_transition $2 salt_master_exec_t system_r;
+ domtrans_pattern($1, salt_master_exec_t, salt_master_t)
+
+ roleattribute $2 salt_master_roles;
+
+ files_list_etc($1)
+ admin_pattern($1, salt_etc_t, salt_etc_t)
+
+ allow $1 salt_var_run_t:dir search_dir_perms;
+ stream_connect_pattern($1, salt_master_var_run_t, salt_master_var_run_t, salt_master_t)
+')
+
+#########################################
+## <summary>
+## All the rules required to administer a salt minion environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access
+## </summary>
+## </param>
+#
+interface(`salt_admin_minion',`
+ gen_require(`
+ type salt_minion_t;
+ type salt_minion_initrc_exec_t;
+ type salt_minion_exec_t;
+ type salt_etc_t;
+ attribute_role salt_minion_roles;
+ ')
+
+ allow $1 salt_minion_t:process { ptrace signal_perms };
+ ps_process_pattern($1, salt_minion_t)
+
+ init_labeled_script_domtrans($1, salt_minion_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 salt_minion_initrc_exec_t system_r;
+
+ # for debugging
+ role_transition $2 salt_minion_exec_t system_r;
+ domtrans_pattern($1, salt_minion_exec_t, salt_minion_t)
+
+ roleattribute $2 salt_minion_roles;
+
+ files_list_etc($1)
+ admin_pattern($1, salt_etc_t, salt_etc_t)
+')
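Review bot: admin_pattern($1, salt_etc_t, salt_etc_t) in both interfaces, together with the salt.fc in this commit (which labels all of /etc/salt as salt_etc_t and has no pki entries), hands the admin domain full manage and relabel rights over the master and minion key directories for as long as they carry the on-disk label, yet the moment a daemon recreates them through the salt_pki_t, salt_master_pki_t and salt_minion_pki_t filetrans rules in salt.te the same admin loses all access to them. Decide which behaviour is wanted and make it explicit: either the admin is meant to manage keys, in which case add admin_pattern for the three pki types here, or it is not, in which case the key directories need fc entries so they never fall under salt_etc_t. A second asymmetry: salt_master_t manages sock_files in salt_master_var_run_t and salt_admin_master gets a stream_connect_pattern to them, while salt_minion_t manages sock_files in salt_minion_var_run_t but salt_admin_minion offers no way to connect; add the counterpart or note why the minion socket is not an admin interface.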
diff --git a/policy/modules/contrib/salt.te b/policy/modules/contrib/salt.te
new file mode 100644
index 0000000..35dc162
--- /dev/null
+++ b/policy/modules/contrib/salt.te
@@ -0,0 +1,289 @@
+policy_module(salt, 1.0)
+
+#########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Determine wether the salt minion can manage nfs files
+## </p>
+## </desc>
+gen_tunable(salt_minion_use_nfs, false)
+
+attribute_role salt_master_roles;
+roleattribute system_r salt_master_roles;
+
+attribute_role salt_minion_roles;
+roleattribute system_r salt_minion_roles;
+
+type salt_master_t;
+type salt_master_exec_t;
+init_daemon_domain(salt_master_t, salt_master_exec_t)
+role salt_master_roles types salt_master_t;
+
+type salt_master_cache_t;
+files_type(salt_master_cache_t)
+
+type salt_master_initrc_exec_t;
+init_script_file(salt_master_initrc_exec_t)
+
+type salt_master_log_t;
+logging_log_file(salt_master_log_t)
+
+type salt_master_pki_t;
+files_type(salt_master_pki_t)
+
+type salt_master_tmp_t;
+files_tmp_file(salt_master_tmp_t)
+
+type salt_master_var_run_t;
+init_daemon_pid_file(salt_master_var_run_t, file, "salt-master.pid")
+files_pid_file(salt_master_var_run_t)
+
+type salt_minion_t;
+type salt_minion_exec_t;
+init_daemon_domain(salt_minion_t, salt_minion_exec_t)
+role salt_minion_roles types salt_minion_t;
+
+type salt_minion_cache_t;
+files_type(salt_minion_cache_t)
+
+type salt_minion_initrc_exec_t;
+init_script_file(salt_minion_initrc_exec_t)
+
+type salt_minion_log_t;
+logging_log_file(salt_minion_log_t)
+
+type salt_minion_pki_t;
+files_type(salt_minion_pki_t)
+
+type salt_minion_tmp_t;
+files_tmp_file(salt_minion_tmp_t)
+
+type salt_minion_var_run_t;
+init_daemon_pid_file(salt_minion_var_run_t, file, "salt-minion.pid")
+files_pid_file(salt_minion_var_run_t)
+
+type salt_cache_t;
+files_type(salt_cache_t)
+
+type salt_etc_t;
+files_config_file(salt_etc_t)
+
+type salt_log_t;
+logging_log_file(salt_log_t)
+
+type salt_sls_t;
+files_type(salt_sls_t)
+
+type salt_pki_t;
+files_type(salt_pki_t)
+
+type salt_var_run_t;
+files_pid_file(salt_var_run_t)
+
+#########################################
+#
+# salt_master_t policy
+#
+
+allow salt_master_t self:capability { net_admin sys_admin sys_tty_config };
+allow salt_master_t self:capability2 block_suspend;
+allow salt_master_t self:process signal;
+allow salt_master_t self:tcp_socket create_stream_socket_perms;
+allow salt_master_t self:udp_socket create_socket_perms;
+allow salt_master_t self:fifo_file rw_fifo_file_perms;
+allow salt_master_t self:netlink_route_socket rw_netlink_socket_perms;
+allow salt_master_t self:unix_stream_socket connectto;
+
+# salt_cache_t
+allow salt_master_t salt_cache_t:dir create_dir_perms;
+files_var_filetrans(salt_master_t, salt_cache_t, dir, "salt")
+
+# salt_etc_t
+read_files_pattern(salt_master_t, salt_etc_t, salt_etc_t)
+list_dirs_pattern(salt_master_t, salt_etc_t, salt_etc_t)
+
+# salt_log_t
+allow salt_master_t salt_log_t:dir create_dir_perms;
+logging_log_filetrans(salt_master_t, salt_log_t, dir, "salt")
+
+# salt_master_cache_t
+manage_dirs_pattern(salt_master_t, salt_cache_t, salt_master_cache_t)
+allow salt_master_t salt_master_cache_t:file manage_file_perms;
+filetrans_pattern(salt_master_t, salt_cache_t, salt_master_cache_t, dir, "master")
+
+# salt_master_log_t
+manage_files_pattern(salt_master_t, salt_log_t, salt_master_log_t)
+manage_dirs_pattern(salt_master_t, salt_log_t, salt_master_log_t)
+filetrans_pattern(salt_master_t, salt_log_t, salt_master_log_t, { file dir })
+
+# salt_master_pki_t
+manage_dirs_pattern(salt_master_t, salt_pki_t, salt_master_pki_t)
+allow salt_master_t salt_master_pki_t:file manage_file_perms;
+filetrans_pattern(salt_master_t, salt_pki_t, salt_master_pki_t, dir, "master")
+
+# salt_master_tmp_t
+manage_files_pattern(salt_master_t, salt_master_tmp_t, salt_master_tmp_t)
+manage_dirs_pattern(salt_master_t, salt_master_tmp_t, salt_master_tmp_t)
+files_tmp_filetrans(salt_master_t, salt_master_tmp_t, { file dir })
+# libffi, screw you
+can_exec(salt_master_t, salt_master_tmp_t)
+
+# salt_master_var_run_t
+allow salt_master_t salt_master_var_run_t:file manage_file_perms;
+allow salt_master_t salt_master_var_run_t:sock_file manage_sock_file_perms;
+manage_dirs_pattern(salt_master_t, salt_var_run_t, salt_master_var_run_t)
+filetrans_pattern(salt_master_t, salt_var_run_t, salt_master_var_run_t, dir)
+
+# salt_pki_t
+create_dirs_pattern(salt_master_t, salt_etc_t, salt_pki_t)
+filetrans_pattern(salt_master_t, salt_etc_t, salt_pki_t, dir, "pki")
+
+# salt_sls_t
+read_files_pattern(salt_master_t, salt_sls_t, salt_sls_t)
+allow salt_master_t salt_sls_t:dir list_dir_perms;
+
+# salt_var_run_t
+allow salt_master_t salt_var_run_t:dir create_dir_perms;
+files_pid_filetrans(salt_master_t, salt_var_run_t, dir)
+files_pid_filetrans(salt_master_t, salt_master_var_run_t, file, "salt-master.pid")
+
+kernel_read_network_state(salt_master_t)
+kernel_read_system_state(salt_master_t)
+
+corecmd_exec_bin(salt_master_t)
+corecmd_exec_shell(salt_master_t)
+
+corenet_tcp_bind_generic_node(salt_master_t)
+# Actually only 4505 and 4506, need to create a salt_master tcp port for that
+corenet_tcp_bind_salt_port(salt_master_t)
+#corenet_tcp_bind_all_unreserved_ports(salt_master_t)
+
+dev_read_sysfs(salt_master_t)
+
+sysnet_exec_ifconfig(salt_master_t)
+sysnet_read_config(salt_master_t)
+
+domain_dontaudit_exec_all_entry_files(salt_master_t)
+
+files_read_etc_files(salt_master_t)
+files_read_usr_files(salt_master_t)
+
+getty_use_fds(salt_master_t)
+
+miscfiles_read_localization(salt_master_t)
+
+userdom_use_user_terminals(salt_master_t)
+userdom_dontaudit_list_user_home_dirs(salt_master_t)
+
+
+#########################################
+#
+# salt_minion_t policy
+#
+
+allow salt_minion_t self:capability { net_admin sys_admin sys_tty_config };
+allow salt_minion_t self:capability2 block_suspend;
+allow salt_minion_t self:process { signull };
+allow salt_minion_t self:tcp_socket create_stream_socket_perms;
+allow salt_minion_t self:udp_socket create_socket_perms;
+allow salt_minion_t self:unix_dgram_socket create_socket_perms;
+allow salt_minion_t self:fifo_file rw_fifo_file_perms;
+allow salt_minion_t self:netlink_route_socket rw_netlink_socket_perms;
+#allow salt_minion_t self:unix_stream_socket connectto;
+
+# salt_cache_t
+allow salt_minion_t salt_cache_t:dir create_dir_perms;
+files_var_filetrans(salt_minion_t, salt_cache_t, dir, "salt")
+
+# salt_etc_t
+read_files_pattern(salt_minion_t, salt_etc_t, salt_etc_t)
+list_dirs_pattern(salt_minion_t, salt_etc_t, salt_etc_t)
+
+# salt_log_t
+allow salt_minion_t salt_log_t:dir create_dir_perms;
+logging_log_filetrans(salt_minion_t, salt_log_t, dir, "salt")
+
+# salt_minion_cache_t
+manage_dirs_pattern(salt_minion_t, salt_cache_t, salt_minion_cache_t)
+allow salt_minion_t salt_minion_cache_t:file manage_file_perms;
+filetrans_pattern(salt_minion_t, salt_cache_t, salt_minion_cache_t, dir, "minion")
+
+# salt_minion_log_t
+manage_files_pattern(salt_minion_t, salt_log_t, salt_minion_log_t)
+manage_dirs_pattern(salt_minion_t, salt_log_t, salt_minion_log_t)
+filetrans_pattern(salt_minion_t, salt_log_t, salt_minion_log_t, { file dir })
+
+# salt_minion_pki_t
+manage_dirs_pattern(salt_minion_t, salt_pki_t, salt_minion_pki_t)
+allow salt_minion_t salt_minion_pki_t:file manage_file_perms;
+filetrans_pattern(salt_minion_t, salt_pki_t, salt_minion_pki_t, dir, "minion")
+
+# salt_minion_tmp_t
+manage_files_pattern(salt_minion_t, salt_minion_tmp_t, salt_minion_tmp_t)
+manage_dirs_pattern(salt_minion_t, salt_minion_tmp_t, salt_minion_tmp_t)
+files_tmp_filetrans(salt_minion_t, salt_minion_tmp_t, { file dir })
+# libffi, screw you
+can_exec(salt_minion_t, salt_minion_tmp_t)
+
+# salt_minion_var_run_t
+allow salt_minion_t salt_minion_var_run_t:file manage_file_perms;
+allow salt_minion_t salt_minion_var_run_t:sock_file manage_sock_file_perms;
+manage_dirs_pattern(salt_minion_t, salt_var_run_t, salt_minion_var_run_t)
+filetrans_pattern(salt_minion_t, salt_var_run_t, salt_minion_var_run_t, dir)
+
+# salt_pki_t
+create_dirs_pattern(salt_minion_t, salt_etc_t, salt_pki_t)
+filetrans_pattern(salt_minion_t, salt_etc_t, salt_pki_t, dir, "pki")
+
+# salt_var_run_t
+allow salt_minion_t salt_var_run_t:dir create_dir_perms;
+files_pid_filetrans(salt_minion_t, salt_var_run_t, dir)
+files_pid_filetrans(salt_minion_t, salt_minion_var_run_t, file, "salt-minion.pid")
+
+kernel_read_network_state(salt_minion_t)
+kernel_read_system_state(salt_minion_t)
+kernel_rw_all_sysctls(salt_minion_t)
+
+corecmd_exec_bin(salt_minion_t)
+corecmd_exec_shell(salt_minion_t)
+
+#corenet_tcp_bind_generic_node(salt_minion_t)
+# Actually only 4505 and 4506, need to create a salt_minion tcp port for that
+#corenet_tcp_bind_all_unreserved_ports(salt_minion_t)
+corenet_tcp_connect_salt_port(salt_minion_t)
+#corenet_tcp_connect_all_unreserved_ports(salt_minion_t)
+
+dev_read_sysfs(salt_minion_t)
+
+sysnet_exec_ifconfig(salt_minion_t)
+sysnet_read_config(salt_minion_t)
+
+domain_dontaudit_exec_all_entry_files(salt_minion_t)
+
+files_manage_all_non_security_file_types(salt_minion_t)
+#files_getattr_all_files(salt_minion_t)
+#files_read_etc_files(salt_minion_t)
+#files_read_etc_runtime_files(salt_minion_t)
+#files_read_usr_files(salt_minion_t)
+
+fs_getattr_all_fs(salt_minion_t)
+
+getty_use_fds(salt_minion_t)
+
+miscfiles_read_localization(salt_minion_t)
+
+userdom_use_user_terminals(salt_minion_t)
+userdom_dontaudit_list_user_home_dirs(salt_minion_t)
+
+tunable_policy(`salt_minion_use_nfs',`
+ fs_manage_nfs_files(salt_minion_t)
+')
+
+optional_policy(`
+ portage_run(salt_minion_t, salt_minion_roles)
+')
+
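Review bot: sys_admin on both daemons (allow salt_master_t self:capability { net_admin sys_admin sys_tty_config } and the same line for salt_minion_t) is the broadest capability in the set, and nothing else in the hunk shows what needs it on the master, which only reads state files, manages its own cache, log and pki directories and serves the salt ports. Check the AVC denials that prompted it: capability probes from ifconfig-style helpers (sysnet_exec_ifconfig is granted right below) are a common source and are better handled with a dontaudit than an allow, and if a real need remains it deserves a comment. Related: can_exec(salt_master_t, salt_master_tmp_t) and the minion equivalent sit next to manage rules for the same tmp types, so each daemon can write a file to /tmp and then execute it; that is the known libffi workaround (it maps a temporary file executable when anonymous executable memory is denied), so replace "libffi, screw you" with a comment saying so, and weigh whether an execmem allow would be a smaller hole than an executable, writable tmp type. Minor: "wether" in the tunable description should be "whether".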
* [gentoo-commits] proj/hardened-refpolicy:salt commit in: policy/modules/contrib/
@ 2014-08-15 10:04 Sven Vermeulen
0 siblings, 0 replies; 16+ messages in thread
From: Sven Vermeulen @ 2014-08-15 10:04 UTC
To: gentoo-commits
commit: e5681b29db2df81a124b2a985a5a5e2eb816a03e
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Fri Aug 8 12:16:36 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri Aug 15 09:57:27 2014 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=e5681b29
Use domain_auto_trans, not auto_trans
Signed-off-by: Sven Vermeulen <sven.vermeulen <AT> siphos.be>
---
policy/modules/contrib/rsync.if | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/rsync.if b/policy/modules/contrib/rsync.if
index f1140ef..431471b 100644
--- a/policy/modules/contrib/rsync.if
+++ b/policy/modules/contrib/rsync.if
@@ -50,7 +50,7 @@ interface(`rsync_entry_spec_domtrans',`
')
corecmd_search_bin($1)
- auto_trans($1, rsync_exec_t, $2)
+ domain_auto_trans($1, rsync_exec_t, $2)
')
########################################
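Review bot: the rename is correct, auto_trans is not a refpolicy macro and domain_auto_trans($1, rsync_exec_t, $2) is the documented one, but the way this typo survived says something about the build: m4 only expands an interface body when some policy calls it, so an interface nobody calls, such as rsync_entry_spec_domtrans here or the misspelled corecmd_searh_bin, logging_search_log and files_search_tmpfs fixed elsewhere in this series, passes a normal build untouched. A throwaway .te that calls every interface of the module once (or a script that generates such calls from the .if files) catches these before they reach a user; worth adding to the pre-push checks.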
* [gentoo-commits] proj/hardened-refpolicy:salt commit in: policy/modules/contrib/
@ 2014-08-15 10:04 Sven Vermeulen
0 siblings, 0 replies; 16+ messages in thread
From: Sven Vermeulen @ 2014-08-15 10:04 UTC
To: gentoo-commits
commit: 66fc9340b109959940eadb002d999692fd015f0b
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Fri Aug 8 12:16:34 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri Aug 15 09:57:22 2014 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=66fc9340
Use corecmd_search_bin, not corecmd_searh_bin
Signed-off-by: Sven Vermeulen <sven.vermeulen <AT> siphos.be>
---
policy/modules/contrib/nslcd.if | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/nslcd.if b/policy/modules/contrib/nslcd.if
index 97df768..bbd7cac 100644
--- a/policy/modules/contrib/nslcd.if
+++ b/policy/modules/contrib/nslcd.if
@@ -15,7 +15,7 @@ interface(`nslcd_domtrans',`
type nslcd_t, nslcd_exec_t;
')
- corecmd_searh_bin($1)
+ corecmd_search_bin($1)
domtrans_pattern($1, nslcd_exec_t, nslcd_t)
')
* [gentoo-commits] proj/hardened-refpolicy:salt commit in: policy/modules/contrib/
@ 2014-08-15 10:04 Sven Vermeulen
From: Sven Vermeulen @ 2014-08-15 10:04 UTC
To: gentoo-commits
commit: e6b8fdd44731878c345840a48e22b327d3448ad5
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Fri Aug 8 12:16:30 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri Aug 15 09:57:14 2014 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=e6b8fdd4
Use logging_search_logs, not logging_search_log
Signed-off-by: Sven Vermeulen <sven.vermeulen <AT> siphos.be>
---
policy/modules/contrib/zarafa.if | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/zarafa.if b/policy/modules/contrib/zarafa.if
index 36e32df..83b4ca5 100644
--- a/policy/modules/contrib/zarafa.if
+++ b/policy/modules/contrib/zarafa.if
@@ -163,7 +163,7 @@ interface(`zarafa_admin',`
files_search_tmp($1)
admin_pattern($1, { zarafa_deliver_tmp_t zarafa_indexer_tmp_t zarafa_server_tmp_t })
- logging_search_log($1)
+ logging_search_logs($1)
admin_pattern($1, zarafa_logfile)
files_search_var_lib($1)
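Review bot: logging_search_logs is the defined interface and logging_search_log never existed, so this hunk fixes a build failure rather than changing behaviour. The `admin_pattern($1, zarafa_logfile)` that follows operates on an attribute, which is fine, but it depends on the search permission on var_log_t that this line grants, so the two should stay together.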
* [gentoo-commits] proj/hardened-refpolicy:salt commit in: policy/modules/contrib/
@ 2014-08-15 10:04 Sven Vermeulen
From: Sven Vermeulen @ 2014-08-15 10:04 UTC
To: gentoo-commits
commit: d6c241709eb5baee3636d37cee336a20b53c2e34
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Fri Aug 8 12:16:31 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri Aug 15 09:57:16 2014 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=d6c24170
Use files_search_etc, not logging_search_etc
Signed-off-by: Sven Vermeulen <sven.vermeulen <AT> siphos.be>
---
policy/modules/contrib/monop.if | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/monop.if b/policy/modules/contrib/monop.if
index 8fdaece..a6ec137 100644
--- a/policy/modules/contrib/monop.if
+++ b/policy/modules/contrib/monop.if
@@ -31,7 +31,7 @@ interface(`monop_admin',`
role_transition $2 monopd_initrc_exec_t system_r;
allow $2 system_r;
- logging_search_etc($1)
+ files_search_etc($1)
admin_pattern($1, monopd_etc_t)
files_search_pids($1)
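Review bot: the logging module has no search_etc interface, so files_search_etc($1) is the right call here and it is what the following `admin_pattern($1, monopd_etc_t)` needs, since the admin domain has to search etc_t before it can reach monopd_etc_t. The preceding `role_transition $2 monopd_initrc_exec_t system_r;` / `allow $2 system_r;` pair in the context is the complete admin idiom; worth using it as the template when reviewing newer admin interfaces in this series.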
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2014-08-15 10:04 Sven Vermeulen
From: Sven Vermeulen @ 2014-08-15 10:04 UTC
To: gentoo-commits
commit: b80b32ff3c17ebae80a24c934c6a3a4b31327b5b
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Fri Aug 8 12:16:32 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri Aug 15 09:57:18 2014 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=b80b32ff
Use files_search_etc, not logging_search_etc
Signed-off-by: Sven Vermeulen <sven.vermeulen <AT> siphos.be>
---
policy/modules/contrib/networkmanager.if | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/networkmanager.if b/policy/modules/contrib/networkmanager.if
index 5bf874a..5aced8c 100644
--- a/policy/modules/contrib/networkmanager.if
+++ b/policy/modules/contrib/networkmanager.if
@@ -302,7 +302,7 @@ interface(`networkmanager_admin',`
role_transition $2 NetworkManager_initrc_exec_t system_r;
allow $2 system_r;
- logging_search_etc($1)
+ files_search_etc($1)
admin_pattern($1, { NetworkManager_etc_t NetworkManager_etc_rw_t })
logging_search_logs($1)
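Review bot: same correction as monop.if in this series; files_search_etc is required to traverse etc_t before `admin_pattern($1, { NetworkManager_etc_t NetworkManager_etc_rw_t })` can take effect, and the trailing `logging_search_logs($1)` context line shows the logging interface that does exist, so the copy-paste origin of the bad name is clear. No further change needed in this hunk.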
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2014-08-15 10:04 Sven Vermeulen
From: Sven Vermeulen @ 2014-08-15 10:04 UTC
To: gentoo-commits
commit: 15349d3803e89122716e327fb230f1e0f0711b9a
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Fri Aug 8 12:16:29 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri Aug 15 09:57:13 2014 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=15349d38
Use logging_search_logs, not logging_search_log
Signed-off-by: Sven Vermeulen <sven.vermeulen <AT> siphos.be>
---
policy/modules/contrib/ircd.if | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/ircd.if b/policy/modules/contrib/ircd.if
index ade9803..1a88664 100644
--- a/policy/modules/contrib/ircd.if
+++ b/policy/modules/contrib/ircd.if
@@ -34,7 +34,7 @@ interface(`ircd_admin',`
files_search_etc($1)
admin_pattern($1, ircd_etc_t)
- logging_search_log($1)
+ logging_search_logs($1)
admin_pattern($1, ircd_log_t)
files_search_var_lib($1)
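Review bot: logging_search_log to logging_search_logs is a pure name fix; the `admin_pattern($1, ircd_log_t)` that follows needs search on var_log_t, which only the existing interface provides. Since zarafa.if receives the identical fix in this batch, a grep of the contrib tree for remaining `logging_search_log(` callers would confirm the series is complete.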
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2014-08-15 10:04 Sven Vermeulen
From: Sven Vermeulen @ 2014-08-15 10:04 UTC
To: gentoo-commits
commit: ab2ca5bcad85bbba8d53b4edf4d459f52a5ca512
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Fri Aug 8 12:16:33 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri Aug 15 09:57:19 2014 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=ab2ca5bc
Use files_search_etc, not files_search_config
Signed-off-by: Sven Vermeulen <sven.vermeulen <AT> siphos.be>
---
policy/modules/contrib/smstools.if | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/smstools.if b/policy/modules/contrib/smstools.if
index cbfe369..81136f0 100644
--- a/policy/modules/contrib/smstools.if
+++ b/policy/modules/contrib/smstools.if
@@ -32,7 +32,7 @@ interface(`smstools_admin',`
role_transition $2 smsd_initrc_exec_t system_r;
allow $2 system_r;
- files_search_config($1)
+ files_search_etc($1)
admin_pattern($1, smsd_conf_t)
files_search_var_lib($1)
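Review bot: files_search_etc is the interface the rest of this series settles on (monop.if, networkmanager.if) and is the right one for smsd_conf_t, which lives under /etc; the `-` line's files_search_config would not have expanded to anything usable. The surrounding `role_transition $2 smsd_initrc_exec_t system_r;` / `allow $2 system_r;` context is correct and needs no change.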
* [gentoo-commits] proj/hardened-refpolicy:salt commit in: policy/modules/contrib/
@ 2014-08-14 19:10 Sven Vermeulen
From: Sven Vermeulen @ 2014-08-14 19:10 UTC
To: gentoo-commits
commit: deed6e84dd9f2a5695b1e9869bf5cd29b2703b69
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sun Aug 10 18:03:34 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Thu Aug 14 19:10:31 2014 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=deed6e84
Salt policy
---
policy/modules/contrib/salt.fc | 26 ++++
policy/modules/contrib/salt.if | 88 +++++++++++++
policy/modules/contrib/salt.te | 289 +++++++++++++++++++++++++++++++++++++++++
3 files changed, 403 insertions(+)
diff --git a/policy/modules/contrib/salt.fc b/policy/modules/contrib/salt.fc
new file mode 100644
index 0000000..7303aea
--- /dev/null
+++ b/policy/modules/contrib/salt.fc
@@ -0,0 +1,26 @@
+/etc/salt(/.*)? gen_context(system_u:object_r:salt_etc_t,s0)
+
+/etc/rc\.d/init\.d/salt-master -- gen_context(system_u:object_r:salt_master_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/salt-minion -- gen_context(system_u:object_r:salt_minion_initrc_exec_t,s0)
+
+/usr/lib/python-exec/python[0-9]?\.[0-9]?/salt-master -- gen_context(system_u:object_r:salt_master_exec_t,s0)
+/usr/lib/python-exec/python[0-9]?\.[0-9]?/salt-minion -- gen_context(system_u:object_r:salt_minion_exec_t,s0)
+
+/usr/bin/salt-master -- gen_context(system_u:object_r:salt_master_exec_t,s0)
+/usr/bin/salt-minion -- gen_context(system_u:object_r:salt_minion_exec_t,s0)
+
+/var/log/salt -d gen_context(system_u:object_r:salt_log_t,s0)
+/var/log/salt/master -- gen_context(system_u:object_r:salt_master_log_t,s0)
+/var/log/salt/minion -- gen_context(system_u:object_r:salt_minion_log_t,s0)
+
+/var/run/salt -d gen_context(system_u:object_r:salt_var_run_t,s0)
+/var/run/salt/master(/.*)? gen_context(system_u:object_r:salt_master_var_run_t,s0)
+/var/run/salt/minion(/.*)? gen_context(system_u:object_r:salt_minion_var_run_t,s0)
+/var/run/salt-master\.pid -- gen_context(system_u:object_r:salt_master_var_run_t,s0)
+/var/run/salt-minion\.pid -- gen_context(system_u:object_r:salt_minion_var_run_t,s0)
+
+/var/cache/salt -d gen_context(system_u:object_r:salt_cache_t,s0)
+/var/cache/salt/master(/.*)? gen_context(system_u:object_r:salt_master_cache_t,s0)
+/var/cache/salt/minion(/.*)? gen_context(system_u:object_r:salt_minion_cache_t,s0)
+
+/srv/salt(/.*)? gen_context(system_u:object_r:salt_sls_t,s0)
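Review bot: no file context is declared for the pki tree that salt.te in this commit creates: both domains get `filetrans_pattern(..., salt_etc_t, salt_pki_t, dir, "pki")` and then master/minion subdirectories of salt_master_pki_t and salt_minion_pki_t. Under the `/etc/salt(/.*)?` entry a restorecon or full relabel resets /etc/salt/pki and the key material beneath it to salt_etc_t, i.e. ordinary configuration that the admin interfaces manage. Add `/etc/salt/pki(/.*)? gen_context(system_u:object_r:salt_pki_t,s0)` plus `/etc/salt/pki/master(/.*)?` and `/etc/salt/pki/minion(/.*)?` entries for the two specific types, mirroring the /var/run/salt and /var/cache/salt blocks above.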
diff --git a/policy/modules/contrib/salt.if b/policy/modules/contrib/salt.if
new file mode 100644
index 0000000..7ab9e6b
--- /dev/null
+++ b/policy/modules/contrib/salt.if
@@ -0,0 +1,88 @@
+## <summary>Infrastructure management toolset</summary>
+
+#########################################
+## <summary>
+## All the rules required to administer a salt master environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access
+## </summary>
+## </param>
+#
+interface(`salt_admin_master',`
+ gen_require(`
+ type salt_master_t;
+ type salt_master_initrc_exec_t;
+ type salt_master_exec_t;
+ type salt_etc_t;
+ type salt_var_run_t;
+ type salt_master_var_run_t;
+ attribute_role salt_master_roles;
+ ')
+
+ allow $1 salt_master_t:process { ptrace signal_perms };
+ ps_process_pattern($1, salt_master_t)
+
+ init_labeled_script_domtrans($1, salt_master_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 salt_master_initrc_exec_t system_r;
+
+ # for debugging?
+ role_transition $2 salt_master_exec_t system_r;
+ domtrans_pattern($1, salt_master_exec_t, salt_master_t)
+
+ roleattribute $2 salt_master_roles;
+
+ files_list_etc($1)
+ admin_pattern($1, salt_etc_t, salt_etc_t)
+
+ allow $1 salt_var_run_t:dir search_dir_perms;
+ stream_connect_pattern($1, salt_master_var_run_t, salt_master_var_run_t, salt_master_t)
+')
+
+#########################################
+## <summary>
+## All the rules required to administer a salt minion environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access
+## </summary>
+## </param>
+#
+interface(`salt_admin_minion',`
+ gen_require(`
+ type salt_minion_t;
+ type salt_minion_initrc_exec_t;
+ type salt_minion_exec_t;
+ type salt_etc_t;
+ attribute_role salt_minion_roles;
+ ')
+
+ allow $1 salt_minion_t:process { ptrace signal_perms };
+ ps_process_pattern($1, salt_minion_t)
+
+ init_labeled_script_domtrans($1, salt_minion_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 salt_minion_initrc_exec_t system_r;
+
+ # for debugging
+ role_transition $2 salt_minion_exec_t system_r;
+ domtrans_pattern($1, salt_minion_exec_t, salt_minion_t)
+
+ roleattribute $2 salt_minion_roles;
+
+ files_list_etc($1)
+ admin_pattern($1, salt_etc_t, salt_etc_t)
+')
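Review bot: both interfaces add `role_transition $2 salt_*_initrc_exec_t system_r;` without the matching `allow $2 system_r;` that the other admin interfaces in this series carry (monop.if, networkmanager.if, smstools.if), so the role change into system_r when the admin role runs the init script would be denied. The "for debugging?" `role_transition $2 salt_master_exec_t system_r;` has the same problem and is also unnecessary: `roleattribute $2 salt_master_roles;` already authorises $2 for salt_master_t, so domtrans_pattern alone lets the admin run salt-master by hand in its own role, and the forced role transition can go (same for the minion interface). Two smaller points: admin_pattern takes two arguments, so `admin_pattern($1, salt_etc_t, salt_etc_t)` should be `admin_pattern($1, salt_etc_t)`, and `files_list_etc($1)` is conventionally `files_search_etc($1)` in admin interfaces, as used throughout the rest of this batch.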
diff --git a/policy/modules/contrib/salt.te b/policy/modules/contrib/salt.te
new file mode 100644
index 0000000..35dc162
--- /dev/null
+++ b/policy/modules/contrib/salt.te
@@ -0,0 +1,289 @@
+policy_module(salt, 1.0)
+
+#########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Determine wether the salt minion can manage nfs files
+## </p>
+## </desc>
+gen_tunable(salt_minion_use_nfs, false)
+
+attribute_role salt_master_roles;
+roleattribute system_r salt_master_roles;
+
+attribute_role salt_minion_roles;
+roleattribute system_r salt_minion_roles;
+
+type salt_master_t;
+type salt_master_exec_t;
+init_daemon_domain(salt_master_t, salt_master_exec_t)
+role salt_master_roles types salt_master_t;
+
+type salt_master_cache_t;
+files_type(salt_master_cache_t)
+
+type salt_master_initrc_exec_t;
+init_script_file(salt_master_initrc_exec_t)
+
+type salt_master_log_t;
+logging_log_file(salt_master_log_t)
+
+type salt_master_pki_t;
+files_type(salt_master_pki_t)
+
+type salt_master_tmp_t;
+files_tmp_file(salt_master_tmp_t)
+
+type salt_master_var_run_t;
+init_daemon_pid_file(salt_master_var_run_t, file, "salt-master.pid")
+files_pid_file(salt_master_var_run_t)
+
+type salt_minion_t;
+type salt_minion_exec_t;
+init_daemon_domain(salt_minion_t, salt_minion_exec_t)
+role salt_minion_roles types salt_minion_t;
+
+type salt_minion_cache_t;
+files_type(salt_minion_cache_t)
+
+type salt_minion_initrc_exec_t;
+init_script_file(salt_minion_initrc_exec_t)
+
+type salt_minion_log_t;
+logging_log_file(salt_minion_log_t)
+
+type salt_minion_pki_t;
+files_type(salt_minion_pki_t)
+
+type salt_minion_tmp_t;
+files_tmp_file(salt_minion_tmp_t)
+
+type salt_minion_var_run_t;
+init_daemon_pid_file(salt_minion_var_run_t, file, "salt-minion.pid")
+files_pid_file(salt_minion_var_run_t)
+
+type salt_cache_t;
+files_type(salt_cache_t)
+
+type salt_etc_t;
+files_config_file(salt_etc_t)
+
+type salt_log_t;
+logging_log_file(salt_log_t)
+
+type salt_sls_t;
+files_type(salt_sls_t)
+
+type salt_pki_t;
+files_type(salt_pki_t)
+
+type salt_var_run_t;
+files_pid_file(salt_var_run_t)
+
+#########################################
+#
+# salt_master_t policy
+#
+
+allow salt_master_t self:capability { net_admin sys_admin sys_tty_config };
+allow salt_master_t self:capability2 block_suspend;
+allow salt_master_t self:process signal;
+allow salt_master_t self:tcp_socket create_stream_socket_perms;
+allow salt_master_t self:udp_socket create_socket_perms;
+allow salt_master_t self:fifo_file rw_fifo_file_perms;
+allow salt_master_t self:netlink_route_socket rw_netlink_socket_perms;
+allow salt_master_t self:unix_stream_socket connectto;
+
+# salt_cache_t
+allow salt_master_t salt_cache_t:dir create_dir_perms;
+files_var_filetrans(salt_master_t, salt_cache_t, dir, "salt")
+
+# salt_etc_t
+read_files_pattern(salt_master_t, salt_etc_t, salt_etc_t)
+list_dirs_pattern(salt_master_t, salt_etc_t, salt_etc_t)
+
+# salt_log_t
+allow salt_master_t salt_log_t:dir create_dir_perms;
+logging_log_filetrans(salt_master_t, salt_log_t, dir, "salt")
+
+# salt_master_cache_t
+manage_dirs_pattern(salt_master_t, salt_cache_t, salt_master_cache_t)
+allow salt_master_t salt_master_cache_t:file manage_file_perms;
+filetrans_pattern(salt_master_t, salt_cache_t, salt_master_cache_t, dir, "master")
+
+# salt_master_log_t
+manage_files_pattern(salt_master_t, salt_log_t, salt_master_log_t)
+manage_dirs_pattern(salt_master_t, salt_log_t, salt_master_log_t)
+filetrans_pattern(salt_master_t, salt_log_t, salt_master_log_t, { file dir })
+
+# salt_master_pki_t
+manage_dirs_pattern(salt_master_t, salt_pki_t, salt_master_pki_t)
+allow salt_master_t salt_master_pki_t:file manage_file_perms;
+filetrans_pattern(salt_master_t, salt_pki_t, salt_master_pki_t, dir, "master")
+
+# salt_master_tmp_t
+manage_files_pattern(salt_master_t, salt_master_tmp_t, salt_master_tmp_t)
+manage_dirs_pattern(salt_master_t, salt_master_tmp_t, salt_master_tmp_t)
+files_tmp_filetrans(salt_master_t, salt_master_tmp_t, { file dir })
+# libffi, screw you
+can_exec(salt_master_t, salt_master_tmp_t)
+
+# salt_master_var_run_t
+allow salt_master_t salt_master_var_run_t:file manage_file_perms;
+allow salt_master_t salt_master_var_run_t:sock_file manage_sock_file_perms;
+manage_dirs_pattern(salt_master_t, salt_var_run_t, salt_master_var_run_t)
+filetrans_pattern(salt_master_t, salt_var_run_t, salt_master_var_run_t, dir)
+
+# salt_pki_t
+create_dirs_pattern(salt_master_t, salt_etc_t, salt_pki_t)
+filetrans_pattern(salt_master_t, salt_etc_t, salt_pki_t, dir, "pki")
+
+# salt_sls_t
+read_files_pattern(salt_master_t, salt_sls_t, salt_sls_t)
+allow salt_master_t salt_sls_t:dir list_dir_perms;
+
+# salt_var_run_t
+allow salt_master_t salt_var_run_t:dir create_dir_perms;
+files_pid_filetrans(salt_master_t, salt_var_run_t, dir)
+files_pid_filetrans(salt_master_t, salt_master_var_run_t, file, "salt-master.pid")
+
+kernel_read_network_state(salt_master_t)
+kernel_read_system_state(salt_master_t)
+
+corecmd_exec_bin(salt_master_t)
+corecmd_exec_shell(salt_master_t)
+
+corenet_tcp_bind_generic_node(salt_master_t)
+# Actually only 4505 and 4506, need to create a salt_master tcp port for that
+corenet_tcp_bind_salt_port(salt_master_t)
+#corenet_tcp_bind_all_unreserved_ports(salt_master_t)
+
+dev_read_sysfs(salt_master_t)
+
+sysnet_exec_ifconfig(salt_master_t)
+sysnet_read_config(salt_master_t)
+
+domain_dontaudit_exec_all_entry_files(salt_master_t)
+
+files_read_etc_files(salt_master_t)
+files_read_usr_files(salt_master_t)
+
+getty_use_fds(salt_master_t)
+
+miscfiles_read_localization(salt_master_t)
+
+userdom_use_user_terminals(salt_master_t)
+userdom_dontaudit_list_user_home_dirs(salt_master_t)
+
+
+#########################################
+#
+# salt_minion_t policy
+#
+
+allow salt_minion_t self:capability { net_admin sys_admin sys_tty_config };
+allow salt_minion_t self:capability2 block_suspend;
+allow salt_minion_t self:process { signull };
+allow salt_minion_t self:tcp_socket create_stream_socket_perms;
+allow salt_minion_t self:udp_socket create_socket_perms;
+allow salt_minion_t self:unix_dgram_socket create_socket_perms;
+allow salt_minion_t self:fifo_file rw_fifo_file_perms;
+allow salt_minion_t self:netlink_route_socket rw_netlink_socket_perms;
+#allow salt_minion_t self:unix_stream_socket connectto;
+
+# salt_cache_t
+allow salt_minion_t salt_cache_t:dir create_dir_perms;
+files_var_filetrans(salt_minion_t, salt_cache_t, dir, "salt")
+
+# salt_etc_t
+read_files_pattern(salt_minion_t, salt_etc_t, salt_etc_t)
+list_dirs_pattern(salt_minion_t, salt_etc_t, salt_etc_t)
+
+# salt_log_t
+allow salt_minion_t salt_log_t:dir create_dir_perms;
+logging_log_filetrans(salt_minion_t, salt_log_t, dir, "salt")
+
+# salt_minion_cache_t
+manage_dirs_pattern(salt_minion_t, salt_cache_t, salt_minion_cache_t)
+allow salt_minion_t salt_minion_cache_t:file manage_file_perms;
+filetrans_pattern(salt_minion_t, salt_cache_t, salt_minion_cache_t, dir, "minion")
+
+# salt_minion_log_t
+manage_files_pattern(salt_minion_t, salt_log_t, salt_minion_log_t)
+manage_dirs_pattern(salt_minion_t, salt_log_t, salt_minion_log_t)
+filetrans_pattern(salt_minion_t, salt_log_t, salt_minion_log_t, { file dir })
+
+# salt_minion_pki_t
+manage_dirs_pattern(salt_minion_t, salt_pki_t, salt_minion_pki_t)
+allow salt_minion_t salt_minion_pki_t:file manage_file_perms;
+filetrans_pattern(salt_minion_t, salt_pki_t, salt_minion_pki_t, dir, "minion")
+
+# salt_minion_tmp_t
+manage_files_pattern(salt_minion_t, salt_minion_tmp_t, salt_minion_tmp_t)
+manage_dirs_pattern(salt_minion_t, salt_minion_tmp_t, salt_minion_tmp_t)
+files_tmp_filetrans(salt_minion_t, salt_minion_tmp_t, { file dir })
+# libffi, screw you
+can_exec(salt_minion_t, salt_minion_tmp_t)
+
+# salt_minion_var_run_t
+allow salt_minion_t salt_minion_var_run_t:file manage_file_perms;
+allow salt_minion_t salt_minion_var_run_t:sock_file manage_sock_file_perms;
+manage_dirs_pattern(salt_minion_t, salt_var_run_t, salt_minion_var_run_t)
+filetrans_pattern(salt_minion_t, salt_var_run_t, salt_minion_var_run_t, dir)
+
+# salt_pki_t
+create_dirs_pattern(salt_minion_t, salt_etc_t, salt_pki_t)
+filetrans_pattern(salt_minion_t, salt_etc_t, salt_pki_t, dir, "pki")
+
+# salt_var_run_t
+allow salt_minion_t salt_var_run_t:dir create_dir_perms;
+files_pid_filetrans(salt_minion_t, salt_var_run_t, dir)
+files_pid_filetrans(salt_minion_t, salt_minion_var_run_t, file, "salt-minion.pid")
+
+kernel_read_network_state(salt_minion_t)
+kernel_read_system_state(salt_minion_t)
+kernel_rw_all_sysctls(salt_minion_t)
+
+corecmd_exec_bin(salt_minion_t)
+corecmd_exec_shell(salt_minion_t)
+
+#corenet_tcp_bind_generic_node(salt_minion_t)
+# Actually only 4505 and 4506, need to create a salt_minion tcp port for that
+#corenet_tcp_bind_all_unreserved_ports(salt_minion_t)
+corenet_tcp_connect_salt_port(salt_minion_t)
+#corenet_tcp_connect_all_unreserved_ports(salt_minion_t)
+
+dev_read_sysfs(salt_minion_t)
+
+sysnet_exec_ifconfig(salt_minion_t)
+sysnet_read_config(salt_minion_t)
+
+domain_dontaudit_exec_all_entry_files(salt_minion_t)
+
+files_manage_all_non_security_file_types(salt_minion_t)
+#files_getattr_all_files(salt_minion_t)
+#files_read_etc_files(salt_minion_t)
+#files_read_etc_runtime_files(salt_minion_t)
+#files_read_usr_files(salt_minion_t)
+
+fs_getattr_all_fs(salt_minion_t)
+
+getty_use_fds(salt_minion_t)
+
+miscfiles_read_localization(salt_minion_t)
+
+userdom_use_user_terminals(salt_minion_t)
+userdom_dontaudit_list_user_home_dirs(salt_minion_t)
+
+tunable_policy(`salt_minion_use_nfs',`
+ fs_manage_nfs_files(salt_minion_t)
+')
+
+optional_policy(`
+ portage_run(salt_minion_t, salt_minion_roles)
+')
+
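Review bot: `files_manage_all_non_security_file_types(salt_minion_t)` together with `kernel_rw_all_sysctls`, the sys_admin capability and `can_exec(salt_minion_t, salt_minion_tmp_t)` gives the minion write access to nearly every non-security file type on the host, so the separate salt_minion_cache_t / log / pki / tmp types and the salt_minion_use_nfs tunable add little isolation; the commented-out files_read_etc_files / files_read_usr_files lines suggest a narrower set was tried, and if the broad grant is what a configuration-management agent genuinely needs it should be stated in the module description rather than left implicit. `can_exec` on the domain's own tmp type lets the daemon execute files it has just written; a comment naming which libffi behaviour forces it ("libffi, screw you" does not) would let a later reviewer judge whether it can be dropped. `corenet_tcp_bind_salt_port` / `corenet_tcp_connect_salt_port` depend on a salt port type in the corenetwork module, and the "need to create a salt_master tcp port" comment reads as if that is still pending, so either that change lands with this one or the comment should be updated. Finally, "wether" in the tunable description should read "whether".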
* [gentoo-commits] proj/hardened-refpolicy:salt commit in: policy/modules/contrib/
@ 2014-08-14 18:58 Sven Vermeulen
From: Sven Vermeulen @ 2014-08-14 18:58 UTC
To: gentoo-commits
commit: c9e25370de85a603017aab9c3fd583fc1ad8e322
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sun Aug 10 18:03:34 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Thu Aug 14 18:48:18 2014 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=c9e25370
Salt policy
---
policy/modules/contrib/salt.fc | 26 ++++
policy/modules/contrib/salt.if | 87 +++++++++++++
policy/modules/contrib/salt.te | 289 +++++++++++++++++++++++++++++++++++++++++
3 files changed, 402 insertions(+)
diff --git a/policy/modules/contrib/salt.fc b/policy/modules/contrib/salt.fc
new file mode 100644
index 0000000..7303aea
--- /dev/null
+++ b/policy/modules/contrib/salt.fc
@@ -0,0 +1,26 @@
+/etc/salt(/.*)? gen_context(system_u:object_r:salt_etc_t,s0)
+
+/etc/rc\.d/init\.d/salt-master -- gen_context(system_u:object_r:salt_master_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/salt-minion -- gen_context(system_u:object_r:salt_minion_initrc_exec_t,s0)
+
+/usr/lib/python-exec/python[0-9]?\.[0-9]?/salt-master -- gen_context(system_u:object_r:salt_master_exec_t,s0)
+/usr/lib/python-exec/python[0-9]?\.[0-9]?/salt-minion -- gen_context(system_u:object_r:salt_minion_exec_t,s0)
+
+/usr/bin/salt-master -- gen_context(system_u:object_r:salt_master_exec_t,s0)
+/usr/bin/salt-minion -- gen_context(system_u:object_r:salt_minion_exec_t,s0)
+
+/var/log/salt -d gen_context(system_u:object_r:salt_log_t,s0)
+/var/log/salt/master -- gen_context(system_u:object_r:salt_master_log_t,s0)
+/var/log/salt/minion -- gen_context(system_u:object_r:salt_minion_log_t,s0)
+
+/var/run/salt -d gen_context(system_u:object_r:salt_var_run_t,s0)
+/var/run/salt/master(/.*)? gen_context(system_u:object_r:salt_master_var_run_t,s0)
+/var/run/salt/minion(/.*)? gen_context(system_u:object_r:salt_minion_var_run_t,s0)
+/var/run/salt-master\.pid -- gen_context(system_u:object_r:salt_master_var_run_t,s0)
+/var/run/salt-minion\.pid -- gen_context(system_u:object_r:salt_minion_var_run_t,s0)
+
+/var/cache/salt -d gen_context(system_u:object_r:salt_cache_t,s0)
+/var/cache/salt/master(/.*)? gen_context(system_u:object_r:salt_master_cache_t,s0)
+/var/cache/salt/minion(/.*)? gen_context(system_u:object_r:salt_minion_cache_t,s0)
+
+/srv/salt(/.*)? gen_context(system_u:object_r:salt_sls_t,s0)
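Review bot: the pki tree that this commit's salt.te creates under /etc/salt (filetrans_pattern on salt_etc_t with name "pki", then master and minion subdirectories of their own types) has no entry here, so a relabel resets /etc/salt/pki and the keys beneath it to salt_etc_t through the `/etc/salt(/.*)?` rule; add `/etc/salt/pki(/.*)?`, `/etc/salt/pki/master(/.*)?` and `/etc/salt/pki/minion(/.*)?` entries for salt_pki_t, salt_master_pki_t and salt_minion_pki_t, in the same style as the /var/run/salt and /var/cache/salt blocks.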
diff --git a/policy/modules/contrib/salt.if b/policy/modules/contrib/salt.if
new file mode 100644
index 0000000..7776aaf
--- /dev/null
+++ b/policy/modules/contrib/salt.if
@@ -0,0 +1,87 @@
+## <summary>Infrastructure management toolset</summary>
+
+#########################################
+## <summary>
+## All the rules required to administer a salt master environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access
+## </summary>
+## </param>
+#
+interface(`salt_admin_master',`
+ gen_require(`
+ type salt_master_t;
+ type salt_master_initrc_exec_t;
+ type salt_master_exec_t;
+ type salt_etc_t;
+ type salt_var_run_t;
+ type salt_master_var_run_t;
+ attribute_role salt_master_roles;
+ ')
+
+ allow $1 salt_master_t:process { ptrace signal_perms };
+ ps_process_pattern($1, salt_master_t)
+
+ init_labeled_script_domtrans($1, salt_master_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 salt_master_initrc_exec_t system_r;
+
+ # for debugging?
+ role_transition $2 salt_master_exec_t system_r;
+ domtrans_pattern($1, salt_master_exec_t, salt_master_t)
+
+ roleattribute $2 salt_master_roles;
+
+ files_list_etc($1)
+ admin_pattern($1, salt_etc_t, salt_etc_t)
+
+ allow $1 salt_var_run_t:dir search_dir_perms;
+ stream_connect_pattern($1, salt_master_var_run_t, salt_master_var_run_t, salt_master_t)
+')
+
+#########################################
+## <summary>
+## All the rules required to administer a salt minion environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access
+## </summary>
+## </param>
+#
+interface(`salt_admin_minion',`
+ gen_require(`
+ type salt_minion_t;
+ type salt_minion_initrc_exec_t;
+ type salt_etc_t;
+ attribute_role salt_minion_roles;
+ ')
+
+ allow $1 salt_minion_t:process { ptrace signal_perms };
+ ps_process_pattern($1, salt_minion_t)
+
+ init_labeled_script_domtrans($1, salt_minion_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 salt_minion_initrc_exec_t system_r;
+
+ # for debugging
+ role_transition $2 salt_minion_exec_t system_r;
+ domtrans_pattern($1, salt_minion_exec_t, salt_minion_t)
+
+ roleattribute $2 salt_minion_roles;
+
+ files_list_etc($1)
+ admin_pattern($1, salt_etc_t, salt_etc_t)
+')
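Review bot: salt_admin_minion uses salt_minion_exec_t in `role_transition $2 salt_minion_exec_t system_r;` and `domtrans_pattern($1, salt_minion_exec_t, salt_minion_t)`, but its gen_require block lists only salt_minion_t, salt_minion_initrc_exec_t, salt_etc_t and the role attribute, so any module calling the interface fails to link on an undeclared type; add `type salt_minion_exec_t;` to the gen_require, as salt_admin_master above already does for salt_master_exec_t. The role_transition lines into system_r in both interfaces also lack the `allow $2 system_r;` that the other admin interfaces in this series carry, and admin_pattern takes two arguments, not three.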
diff --git a/policy/modules/contrib/salt.te b/policy/modules/contrib/salt.te
new file mode 100644
index 0000000..35dc162
--- /dev/null
+++ b/policy/modules/contrib/salt.te
@@ -0,0 +1,289 @@
+policy_module(salt, 1.0)
+
+#########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Determine wether the salt minion can manage nfs files
+## </p>
+## </desc>
+gen_tunable(salt_minion_use_nfs, false)
+
+attribute_role salt_master_roles;
+roleattribute system_r salt_master_roles;
+
+attribute_role salt_minion_roles;
+roleattribute system_r salt_minion_roles;
+
+type salt_master_t;
+type salt_master_exec_t;
+init_daemon_domain(salt_master_t, salt_master_exec_t)
+role salt_master_roles types salt_master_t;
+
+type salt_master_cache_t;
+files_type(salt_master_cache_t)
+
+type salt_master_initrc_exec_t;
+init_script_file(salt_master_initrc_exec_t)
+
+type salt_master_log_t;
+logging_log_file(salt_master_log_t)
+
+type salt_master_pki_t;
+files_type(salt_master_pki_t)
+
+type salt_master_tmp_t;
+files_tmp_file(salt_master_tmp_t)
+
+type salt_master_var_run_t;
+init_daemon_pid_file(salt_master_var_run_t, file, "salt-master.pid")
+files_pid_file(salt_master_var_run_t)
+
+type salt_minion_t;
+type salt_minion_exec_t;
+init_daemon_domain(salt_minion_t, salt_minion_exec_t)
+role salt_minion_roles types salt_minion_t;
+
+type salt_minion_cache_t;
+files_type(salt_minion_cache_t)
+
+type salt_minion_initrc_exec_t;
+init_script_file(salt_minion_initrc_exec_t)
+
+type salt_minion_log_t;
+logging_log_file(salt_minion_log_t)
+
+type salt_minion_pki_t;
+files_type(salt_minion_pki_t)
+
+type salt_minion_tmp_t;
+files_tmp_file(salt_minion_tmp_t)
+
+type salt_minion_var_run_t;
+init_daemon_pid_file(salt_minion_var_run_t, file, "salt-minion.pid")
+files_pid_file(salt_minion_var_run_t)
+
+type salt_cache_t;
+files_type(salt_cache_t)
+
+type salt_etc_t;
+files_config_file(salt_etc_t)
+
+type salt_log_t;
+logging_log_file(salt_log_t)
+
+type salt_sls_t;
+files_type(salt_sls_t)
+
+type salt_pki_t;
+files_type(salt_pki_t)
+
+type salt_var_run_t;
+files_pid_file(salt_var_run_t)
+
+#########################################
+#
+# salt_master_t policy
+#
+
+allow salt_master_t self:capability { net_admin sys_admin sys_tty_config };
+allow salt_master_t self:capability2 block_suspend;
+allow salt_master_t self:process signal;
+allow salt_master_t self:tcp_socket create_stream_socket_perms;
+allow salt_master_t self:udp_socket create_socket_perms;
+allow salt_master_t self:fifo_file rw_fifo_file_perms;
+allow salt_master_t self:netlink_route_socket rw_netlink_socket_perms;
+allow salt_master_t self:unix_stream_socket connectto;
+
+# salt_cache_t
+allow salt_master_t salt_cache_t:dir create_dir_perms;
+files_var_filetrans(salt_master_t, salt_cache_t, dir, "salt")
+
+# salt_etc_t
+read_files_pattern(salt_master_t, salt_etc_t, salt_etc_t)
+list_dirs_pattern(salt_master_t, salt_etc_t, salt_etc_t)
+
+# salt_log_t
+allow salt_master_t salt_log_t:dir create_dir_perms;
+logging_log_filetrans(salt_master_t, salt_log_t, dir, "salt")
+
+# salt_master_cache_t
+manage_dirs_pattern(salt_master_t, salt_cache_t, salt_master_cache_t)
+allow salt_master_t salt_master_cache_t:file manage_file_perms;
+filetrans_pattern(salt_master_t, salt_cache_t, salt_master_cache_t, dir, "master")
+
+# salt_master_log_t
+manage_files_pattern(salt_master_t, salt_log_t, salt_master_log_t)
+manage_dirs_pattern(salt_master_t, salt_log_t, salt_master_log_t)
+filetrans_pattern(salt_master_t, salt_log_t, salt_master_log_t, { file dir })
+
+# salt_master_pki_t
+manage_dirs_pattern(salt_master_t, salt_pki_t, salt_master_pki_t)
+allow salt_master_t salt_master_pki_t:file manage_file_perms;
+filetrans_pattern(salt_master_t, salt_pki_t, salt_master_pki_t, dir, "master")
+
+# salt_master_tmp_t
+manage_files_pattern(salt_master_t, salt_master_tmp_t, salt_master_tmp_t)
+manage_dirs_pattern(salt_master_t, salt_master_tmp_t, salt_master_tmp_t)
+files_tmp_filetrans(salt_master_t, salt_master_tmp_t, { file dir })
+# libffi, screw you
+can_exec(salt_master_t, salt_master_tmp_t)
+
+# salt_master_var_run_t
+allow salt_master_t salt_master_var_run_t:file manage_file_perms;
+allow salt_master_t salt_master_var_run_t:sock_file manage_sock_file_perms;
+manage_dirs_pattern(salt_master_t, salt_var_run_t, salt_master_var_run_t)
+filetrans_pattern(salt_master_t, salt_var_run_t, salt_master_var_run_t, dir)
+
+# salt_pki_t
+create_dirs_pattern(salt_master_t, salt_etc_t, salt_pki_t)
+filetrans_pattern(salt_master_t, salt_etc_t, salt_pki_t, dir, "pki")
+
+# salt_sls_t
+read_files_pattern(salt_master_t, salt_sls_t, salt_sls_t)
+allow salt_master_t salt_sls_t:dir list_dir_perms;
+
+# salt_var_run_t
+allow salt_master_t salt_var_run_t:dir create_dir_perms;
+files_pid_filetrans(salt_master_t, salt_var_run_t, dir)
+files_pid_filetrans(salt_master_t, salt_master_var_run_t, file, "salt-master.pid")
+
+kernel_read_network_state(salt_master_t)
+kernel_read_system_state(salt_master_t)
+
+corecmd_exec_bin(salt_master_t)
+corecmd_exec_shell(salt_master_t)
+
+corenet_tcp_bind_generic_node(salt_master_t)
+# Actually only 4505 and 4506, need to create a salt_master tcp port for that
+corenet_tcp_bind_salt_port(salt_master_t)
+#corenet_tcp_bind_all_unreserved_ports(salt_master_t)
+
+dev_read_sysfs(salt_master_t)
+
+sysnet_exec_ifconfig(salt_master_t)
+sysnet_read_config(salt_master_t)
+
+domain_dontaudit_exec_all_entry_files(salt_master_t)
+
+files_read_etc_files(salt_master_t)
+files_read_usr_files(salt_master_t)
+
+getty_use_fds(salt_master_t)
+
+miscfiles_read_localization(salt_master_t)
+
+userdom_use_user_terminals(salt_master_t)
+userdom_dontaudit_list_user_home_dirs(salt_master_t)
+
+
+#########################################
+#
+# salt_minion_t policy
+#
+
+allow salt_minion_t self:capability { net_admin sys_admin sys_tty_config };
+allow salt_minion_t self:capability2 block_suspend;
+allow salt_minion_t self:process { signull };
+allow salt_minion_t self:tcp_socket create_stream_socket_perms;
+allow salt_minion_t self:udp_socket create_socket_perms;
+allow salt_minion_t self:unix_dgram_socket create_socket_perms;
+allow salt_minion_t self:fifo_file rw_fifo_file_perms;
+allow salt_minion_t self:netlink_route_socket rw_netlink_socket_perms;
+#allow salt_minion_t self:unix_stream_socket connectto;
+
+# salt_cache_t
+allow salt_minion_t salt_cache_t:dir create_dir_perms;
+files_var_filetrans(salt_minion_t, salt_cache_t, dir, "salt")
+
+# salt_etc_t
+read_files_pattern(salt_minion_t, salt_etc_t, salt_etc_t)
+list_dirs_pattern(salt_minion_t, salt_etc_t, salt_etc_t)
+
+# salt_log_t
+allow salt_minion_t salt_log_t:dir create_dir_perms;
+logging_log_filetrans(salt_minion_t, salt_log_t, dir, "salt")
+
+# salt_minion_cache_t
+manage_dirs_pattern(salt_minion_t, salt_cache_t, salt_minion_cache_t)
+allow salt_minion_t salt_minion_cache_t:file manage_file_perms;
+filetrans_pattern(salt_minion_t, salt_cache_t, salt_minion_cache_t, dir, "minion")
+
+# salt_minion_log_t
+manage_files_pattern(salt_minion_t, salt_log_t, salt_minion_log_t)
+manage_dirs_pattern(salt_minion_t, salt_log_t, salt_minion_log_t)
+filetrans_pattern(salt_minion_t, salt_log_t, salt_minion_log_t, { file dir })
+
+# salt_minion_pki_t
+manage_dirs_pattern(salt_minion_t, salt_pki_t, salt_minion_pki_t)
+allow salt_minion_t salt_minion_pki_t:file manage_file_perms;
+filetrans_pattern(salt_minion_t, salt_pki_t, salt_minion_pki_t, dir, "minion")
+
+# salt_minion_tmp_t
+manage_files_pattern(salt_minion_t, salt_minion_tmp_t, salt_minion_tmp_t)
+manage_dirs_pattern(salt_minion_t, salt_minion_tmp_t, salt_minion_tmp_t)
+files_tmp_filetrans(salt_minion_t, salt_minion_tmp_t, { file dir })
+# libffi, screw you
+can_exec(salt_minion_t, salt_minion_tmp_t)
+
+# salt_minion_var_run_t
+allow salt_minion_t salt_minion_var_run_t:file manage_file_perms;
+allow salt_minion_t salt_minion_var_run_t:sock_file manage_sock_file_perms;
+manage_dirs_pattern(salt_minion_t, salt_var_run_t, salt_minion_var_run_t)
+filetrans_pattern(salt_minion_t, salt_var_run_t, salt_minion_var_run_t, dir)
+
+# salt_pki_t
+create_dirs_pattern(salt_minion_t, salt_etc_t, salt_pki_t)
+filetrans_pattern(salt_minion_t, salt_etc_t, salt_pki_t, dir, "pki")
+
+# salt_var_run_t
+allow salt_minion_t salt_var_run_t:dir create_dir_perms;
+files_pid_filetrans(salt_minion_t, salt_var_run_t, dir)
+files_pid_filetrans(salt_minion_t, salt_minion_var_run_t, file, "salt-minion.pid")
+
+kernel_read_network_state(salt_minion_t)
+kernel_read_system_state(salt_minion_t)
+kernel_rw_all_sysctls(salt_minion_t)
+
+corecmd_exec_bin(salt_minion_t)
+corecmd_exec_shell(salt_minion_t)
+
+#corenet_tcp_bind_generic_node(salt_minion_t)
+# Actually only 4505 and 4506, need to create a salt_minion tcp port for that
+#corenet_tcp_bind_all_unreserved_ports(salt_minion_t)
+corenet_tcp_connect_salt_port(salt_minion_t)
+#corenet_tcp_connect_all_unreserved_ports(salt_minion_t)
+
+dev_read_sysfs(salt_minion_t)
+
+sysnet_exec_ifconfig(salt_minion_t)
+sysnet_read_config(salt_minion_t)
+
+domain_dontaudit_exec_all_entry_files(salt_minion_t)
+
+files_manage_all_non_security_file_types(salt_minion_t)
+#files_getattr_all_files(salt_minion_t)
+#files_read_etc_files(salt_minion_t)
+#files_read_etc_runtime_files(salt_minion_t)
+#files_read_usr_files(salt_minion_t)
+
+fs_getattr_all_fs(salt_minion_t)
+
+getty_use_fds(salt_minion_t)
+
+miscfiles_read_localization(salt_minion_t)
+
+userdom_use_user_terminals(salt_minion_t)
+userdom_dontaudit_list_user_home_dirs(salt_minion_t)
+
+tunable_policy(`salt_minion_use_nfs',`
+ fs_manage_nfs_files(salt_minion_t)
+')
+
+optional_policy(`
+ portage_run(salt_minion_t, salt_minion_roles)
+')
+
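Review bot: `files_manage_all_non_security_file_types(salt_minion_t)` near the end of the salt_minion_t block grants the minion write access to practically every non-security file type, which together with `sys_admin` in its capability line and `kernel_rw_all_sysctls(salt_minion_t)` leaves little that the separate domain still confines. If a configuration-management minion genuinely has to write arbitrary managed files, say so in a comment next to the call (the commented-out `#files_read_etc_files(salt_minion_t)` and `#files_read_usr_files(salt_minion_t)` lines right below it suggest a narrower set was tried first), and consider gating the broad rule behind a tunable the way `salt_minion_use_nfs` gates `fs_manage_nfs_files`. Two smaller points: the comment `# Actually only 4505 and 4506, need to create a salt_master tcp port for that` is stale now that `corenet_tcp_bind_salt_port(salt_master_t)` on the next line uses such a port, and the matching minion comment sits above commented-out bind rules and a connect call, so both should be dropped or reworded; and the `# libffi, screw you` comments before `can_exec(salt_master_t, salt_master_tmp_t)` and `can_exec(salt_minion_t, salt_minion_tmp_t)` tell a later reader nothing, so state what libffi needs that forces execution of files in the tmp type.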