Return-Path:
Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) by finch.gentoo.org (Postfix) with ESMTP id B38B113877A for ; Fri, 15 Aug 2014 13:39:35 +0000 (UTC)
Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id E25A0E08A4; Fri, 15 Aug 2014 13:39:33 +0000 (UTC)
Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id 0863CE08A1 for ; Fri, 15 Aug 2014 13:39:32 +0000 (UTC)
Received: from spoonbill.gentoo.org (spoonbill.gentoo.org [81.93.255.5]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id A8C743403AB for ; Fri, 15 Aug 2014 13:39:31 +0000 (UTC)
Received: from localhost.localdomain (localhost [127.0.0.1]) by spoonbill.gentoo.org (Postfix) with ESMTP id 4955018816 for ; Fri, 15 Aug 2014 13:39:30 +0000 (UTC)
From: "Sven Vermeulen"
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Sven Vermeulen"
Message-ID: <1408109812.ab68207e7d256eb40416d707b31c8cec87e3ca19.swift@gentoo>
Subject: [gentoo-commits] proj/hardened-refpolicy:salt commit in: policy/modules/contrib/
X-VCS-Repository: proj/hardened-refpolicy
X-VCS-Files: policy/modules/contrib/salt.fc policy/modules/contrib/salt.if policy/modules/contrib/salt.te
X-VCS-Directories: policy/modules/contrib/
X-VCS-Committer: swift
X-VCS-Committer-Name: Sven Vermeulen
X-VCS-Revision: ab68207e7d256eb40416d707b31c8cec87e3ca19
X-VCS-Branch: salt
Date: Fri, 15 Aug 2014 13:39:30 +0000 (UTC)
Precedence: bulk
List-Post:
List-Help:
List-Unsubscribe:
List-Subscribe:
List-Id: Gentoo Linux mail
X-BeenThere: gentoo-commits@lists.gentoo.org
X-Archives-Salt: 5b45e59a-e2f2-48ab-9edc-f6156b034bd4
X-Archives-Hash: 2d9629c4761be03f40fdc4177bb4d37a
Message-ID: <20140815133930.MTDa5gR8cEIl0UQRZR1bwsEZXksxlo8AWJYyxi4H-00@z>

commit:     ab68207e7d256eb40416d707b31c8cec87e3ca19
Author:     Sven Vermeulen siphos be>
AuthorDate: Sun Aug 10 18:03:34 2014 +0000
Commit:     Sven Vermeulen gentoo org>
CommitDate: Fri Aug 15 13:36:52 2014 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=ab68207e

Introducing Salt policy

Salt (or Saltstack) is a system and configuration management solution, built on Python. This policy introduces support for the salt master (the system managing the configuration repository) and salt minion (the agents on the target systems that pull configuration information from the master).

---
 policy/modules/contrib/salt.fc |  29 ++++
 policy/modules/contrib/salt.if |  88 ++++++++++++
 policy/modules/contrib/salt.te | 308 +++++++++++++++++++++++++++++++++++++++++
 3 files changed, 425 insertions(+)

diff --git a/policy/modules/contrib/salt.fc b/policy/modules/contrib/salt.fc new file mode 100644 index 0000000..399f5ad 
--- /dev/null +++ b/policy/modules/contrib/salt.fc @@ -0,0 +1,29 @@ +/etc/salt(/.*)? gen_context(system_u:object_r:salt_etc_t,s0) +/etc/salt/pki(/.*)? gen_context(system_u:object_r:salt_pki_t,s0) +/etc/salt/pki/master(/.*)? gen_context(system_u:object_r:salt_master_pki_t,s0) +/etc/salt/pki/minion(/.*)? gen_context(system_u:object_r:salt_minion_pki_t,s0) + +/etc/rc\.d/init\.d/salt-master -- gen_context(system_u:object_r:salt_master_initrc_exec_t,s0) +/etc/rc\.d/init\.d/salt-minion -- gen_context(system_u:object_r:salt_minion_initrc_exec_t,s0) + +/usr/lib/python-exec/python[0-9]?\.[0-9]?/salt-master -- gen_context(system_u:object_r:salt_master_exec_t,s0) +/usr/lib/python-exec/python[0-9]?\.[0-9]?/salt-minion -- gen_context(system_u:object_r:salt_minion_exec_t,s0) + +/usr/bin/salt-master -- gen_context(system_u:object_r:salt_master_exec_t,s0) +/usr/bin/salt-minion -- gen_context(system_u:object_r:salt_minion_exec_t,s0) + +/var/log/salt -d gen_context(system_u:object_r:salt_log_t,s0) +/var/log/salt/master -- gen_context(system_u:object_r:salt_master_log_t,s0) +/var/log/salt/minion -- gen_context(system_u:object_r:salt_minion_log_t,s0) + +/var/run/salt -d gen_context(system_u:object_r:salt_var_run_t,s0) +/var/run/salt/master(/.*)? gen_context(system_u:object_r:salt_master_var_run_t,s0) +/var/run/salt/minion(/.*)? gen_context(system_u:object_r:salt_minion_var_run_t,s0) +/var/run/salt-master\.pid -- gen_context(system_u:object_r:salt_master_var_run_t,s0) +/var/run/salt-minion\.pid -- gen_context(system_u:object_r:salt_minion_var_run_t,s0) + +/var/cache/salt -d gen_context(system_u:object_r:salt_cache_t,s0) +/var/cache/salt/master(/.*)? gen_context(system_u:object_r:salt_master_cache_t,s0) +/var/cache/salt/minion(/.*)? gen_context(system_u:object_r:salt_minion_cache_t,s0) + +/srv/salt(/.*)? gen_context(system_u:object_r:salt_sls_t,s0) diff --git a/policy/modules/contrib/salt.if b/policy/modules/contrib/salt.if new file mode 100644 index 0000000..7ab9e6b --- /dev/null 
+++ b/policy/modules/contrib/salt.if 
@@ -0,0 +1,88 @@ +## Infrastructure management toolset + +######################################### +## +## All the rules required to administer a salt master environment +## +## +## +## Domain allowed access +## +## +## +## +## Role allowed access +## +## +# +interface(`salt_admin_master',` + gen_require(` + type salt_master_t; + type salt_master_initrc_exec_t; + type salt_master_exec_t; + type salt_etc_t; + type salt_var_run_t; + type salt_master_var_run_t; + attribute_role salt_master_roles; + ') + + allow $1 salt_master_t:process { ptrace signal_perms }; + ps_process_pattern($1, salt_master_t) + + init_labeled_script_domtrans($1, salt_master_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 salt_master_initrc_exec_t system_r; + + # for debugging? + role_transition $2 salt_master_exec_t system_r; + domtrans_pattern($1, salt_master_exec_t, salt_master_t) + + roleattribute $2 salt_master_roles; + + files_list_etc($1) + admin_pattern($1, salt_etc_t, salt_etc_t) + + allow $1 salt_var_run_t:dir search_dir_perms; + stream_connect_pattern($1, salt_master_var_run_t, salt_master_var_run_t, salt_master_t) +') + +######################################### +## +## All the rules required to administer a salt minion environment +## +## +## +## Domain allowed access +## +## +## +## +## Role allowed access +## +## +# +interface(`salt_admin_minion',` + gen_require(` + type salt_minion_t; + type salt_minion_initrc_exec_t; + type salt_minion_exec_t; + type salt_etc_t; + attribute_role salt_minion_roles; + ') + + allow $1 salt_minion_t:process { ptrace signal_perms }; + ps_process_pattern($1, salt_minion_t) + + init_labeled_script_domtrans($1, salt_minion_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 salt_minion_initrc_exec_t system_r; + + # for debugging + role_transition $2 salt_minion_exec_t system_r; + domtrans_pattern($1, salt_minion_exec_t, salt_minion_t) + + roleattribute $2 salt_minion_roles; + + files_list_etc($1) + 
admin_pattern($1, salt_etc_t, salt_etc_t) +') diff --git a/policy/modules/contrib/salt.te b/policy/modules/contrib/salt.te new file mode 100644 index 0000000..b8cc1a4 --- /dev/null +++ b/policy/modules/contrib/salt.te @@ -0,0 +1,308 @@ +policy_module(salt, 1.0) + +######################################### +# +# Declarations +# + +## +##

+## Determine wether the salt master can read NFS files +##

+##
+gen_tunable(salt_master_read_nfs, false) + +## +##

+## Determine wether the salt minion can manage NFS files +##

+##
+gen_tunable(salt_minion_manage_nfs, false) + +attribute_role salt_master_roles; +roleattribute system_r salt_master_roles; + +attribute_role salt_minion_roles; +roleattribute system_r salt_minion_roles; + +type salt_master_t; +type salt_master_exec_t; +init_daemon_domain(salt_master_t, salt_master_exec_t) +role salt_master_roles types salt_master_t; + +type salt_master_cache_t; +files_type(salt_master_cache_t) + +type salt_master_initrc_exec_t; +init_script_file(salt_master_initrc_exec_t) + +type salt_master_log_t; +logging_log_file(salt_master_log_t) + +type salt_master_pki_t; +files_type(salt_master_pki_t) + +type salt_master_tmp_t; +files_tmp_file(salt_master_tmp_t) + +type salt_master_var_run_t; +init_daemon_pid_file(salt_master_var_run_t, file, "salt-master.pid") +files_pid_file(salt_master_var_run_t) + +type salt_minion_t; +type salt_minion_exec_t; +init_daemon_domain(salt_minion_t, salt_minion_exec_t) +role salt_minion_roles types salt_minion_t; + +type salt_minion_cache_t; +files_type(salt_minion_cache_t) + +type salt_minion_initrc_exec_t; +init_script_file(salt_minion_initrc_exec_t) + +type salt_minion_log_t; +logging_log_file(salt_minion_log_t) + +type salt_minion_pki_t; +files_type(salt_minion_pki_t) + +type salt_minion_tmp_t; +files_tmp_file(salt_minion_tmp_t) + +type salt_minion_var_run_t; +init_daemon_pid_file(salt_minion_var_run_t, file, "salt-minion.pid") +files_pid_file(salt_minion_var_run_t) + +type salt_cache_t; +files_type(salt_cache_t) + +type salt_etc_t; +files_config_file(salt_etc_t) + +type salt_log_t; +logging_log_file(salt_log_t) + +type salt_sls_t; +files_type(salt_sls_t) + +type salt_pki_t; +files_type(salt_pki_t) + +type salt_var_run_t; +files_pid_file(salt_var_run_t) + +######################################### +# +# salt_master_t policy +# + +allow salt_master_t self:capability { net_admin sys_admin sys_tty_config }; +allow salt_master_t self:capability2 block_suspend; +allow salt_master_t self:process signal; +allow salt_master_t 
self:tcp_socket create_stream_socket_perms; +allow salt_master_t self:udp_socket create_socket_perms; +allow salt_master_t self:fifo_file rw_fifo_file_perms; +allow salt_master_t self:netlink_route_socket rw_netlink_socket_perms; +allow salt_master_t self:unix_stream_socket connectto; +allow salt_master_t self:unix_dgram_socket create_socket_perms; + +# salt_cache_t +allow salt_master_t salt_cache_t:dir create_dir_perms; +files_var_filetrans(salt_master_t, salt_cache_t, dir, "salt") + +# salt_etc_t +read_files_pattern(salt_master_t, salt_etc_t, salt_etc_t) +list_dirs_pattern(salt_master_t, salt_etc_t, salt_etc_t) + +# salt_log_t +allow salt_master_t salt_log_t:dir create_dir_perms; +logging_log_filetrans(salt_master_t, salt_log_t, dir, "salt") + +# salt_master_cache_t +manage_dirs_pattern(salt_master_t, salt_cache_t, salt_master_cache_t) +allow salt_master_t salt_master_cache_t:file manage_file_perms; +filetrans_pattern(salt_master_t, salt_cache_t, salt_master_cache_t, dir, "master") + +# salt_master_log_t +manage_files_pattern(salt_master_t, salt_log_t, salt_master_log_t) +manage_dirs_pattern(salt_master_t, salt_log_t, salt_master_log_t) +filetrans_pattern(salt_master_t, salt_log_t, salt_master_log_t, { file dir }) + +# salt_master_pki_t +manage_dirs_pattern(salt_master_t, salt_pki_t, salt_master_pki_t) +allow salt_master_t salt_master_pki_t:file manage_file_perms; +filetrans_pattern(salt_master_t, salt_pki_t, salt_master_pki_t, dir, "master") + +# salt_master_tmp_t +manage_files_pattern(salt_master_t, salt_master_tmp_t, salt_master_tmp_t) +manage_dirs_pattern(salt_master_t, salt_master_tmp_t, salt_master_tmp_t) +files_tmp_filetrans(salt_master_t, salt_master_tmp_t, { file dir }) +# libffi, screw you +can_exec(salt_master_t, salt_master_tmp_t) + +# salt_master_var_run_t +allow salt_master_t salt_master_var_run_t:file manage_file_perms; +allow salt_master_t salt_master_var_run_t:sock_file manage_sock_file_perms; +manage_dirs_pattern(salt_master_t, salt_var_run_t, 
salt_master_var_run_t) +filetrans_pattern(salt_master_t, salt_var_run_t, salt_master_var_run_t, dir) + +# salt_pki_t +create_dirs_pattern(salt_master_t, salt_etc_t, salt_pki_t) +filetrans_pattern(salt_master_t, salt_etc_t, salt_pki_t, dir, "pki") + +# salt_sls_t +read_files_pattern(salt_master_t, salt_sls_t, salt_sls_t) +allow salt_master_t salt_sls_t:dir list_dir_perms; + +# salt_var_run_t +allow salt_master_t salt_var_run_t:dir create_dir_perms; +files_pid_filetrans(salt_master_t, salt_var_run_t, dir) +files_pid_filetrans(salt_master_t, salt_master_var_run_t, file, "salt-master.pid") + +kernel_read_network_state(salt_master_t) +kernel_read_system_state(salt_master_t) + +corecmd_exec_bin(salt_master_t) +corecmd_exec_shell(salt_master_t) + +corenet_tcp_bind_generic_node(salt_master_t) +corenet_tcp_bind_salt_port(salt_master_t) + +dev_read_sysfs(salt_master_t) + +domain_dontaudit_exec_all_entry_files(salt_master_t) +domain_dontaudit_search_all_domains_state(salt_master_t) +domain_use_interactive_fds(salt_master_t) + +files_dontaudit_search_all_dirs(salt_master_t) +files_read_etc_files(salt_master_t) +files_read_usr_files(salt_master_t) + +getty_use_fds(salt_master_t) + +miscfiles_read_localization(salt_master_t) + +sysnet_exec_ifconfig(salt_master_t) +sysnet_read_config(salt_master_t) + +userdom_dontaudit_list_user_home_dirs(salt_master_t) +userdom_use_user_terminals(salt_master_t) + +tunable_policy(`salt_master_read_nfs',` + fs_read_nfs_files(salt_master_t) +') + + +######################################### +# +# salt_minion_t policy +# + +allow salt_minion_t self:capability { fsetid chown net_admin sys_admin sys_tty_config }; +allow salt_minion_t self:capability2 block_suspend; +allow salt_minion_t self:process { signull }; +allow salt_minion_t self:tcp_socket create_stream_socket_perms; +allow salt_minion_t self:udp_socket create_socket_perms; +allow salt_minion_t self:unix_dgram_socket create_socket_perms; +allow salt_minion_t self:fifo_file rw_fifo_file_perms; 
+allow salt_minion_t self:netlink_route_socket rw_netlink_socket_perms; +allow salt_minion_t self:unix_stream_socket connectto; + +# salt_cache_t +allow salt_minion_t salt_cache_t:dir create_dir_perms; +files_var_filetrans(salt_minion_t, salt_cache_t, dir, "salt") + +# salt_etc_t +read_files_pattern(salt_minion_t, salt_etc_t, salt_etc_t) +list_dirs_pattern(salt_minion_t, salt_etc_t, salt_etc_t) + +# salt_log_t +allow salt_minion_t salt_log_t:dir create_dir_perms; +logging_log_filetrans(salt_minion_t, salt_log_t, dir, "salt") + +# salt_minion_cache_t +manage_dirs_pattern(salt_minion_t, salt_cache_t, salt_minion_cache_t) +allow salt_minion_t salt_minion_cache_t:file manage_file_perms; +filetrans_pattern(salt_minion_t, salt_cache_t, salt_minion_cache_t, dir, "minion") + +# salt_minion_log_t +manage_files_pattern(salt_minion_t, salt_log_t, salt_minion_log_t) +manage_dirs_pattern(salt_minion_t, salt_log_t, salt_minion_log_t) +filetrans_pattern(salt_minion_t, salt_log_t, salt_minion_log_t, { file dir }) + +# salt_minion_pki_t +manage_dirs_pattern(salt_minion_t, salt_pki_t, salt_minion_pki_t) +allow salt_minion_t salt_minion_pki_t:file manage_file_perms; +filetrans_pattern(salt_minion_t, salt_pki_t, salt_minion_pki_t, dir, "minion") + +# salt_minion_tmp_t +manage_files_pattern(salt_minion_t, salt_minion_tmp_t, salt_minion_tmp_t) +manage_dirs_pattern(salt_minion_t, salt_minion_tmp_t, salt_minion_tmp_t) +files_tmp_filetrans(salt_minion_t, salt_minion_tmp_t, { file dir }) +# libffi, screw you +can_exec(salt_minion_t, salt_minion_tmp_t) + +# salt_minion_var_run_t +allow salt_minion_t salt_minion_var_run_t:file manage_file_perms; +allow salt_minion_t salt_minion_var_run_t:sock_file manage_sock_file_perms; +manage_dirs_pattern(salt_minion_t, salt_var_run_t, salt_minion_var_run_t) +filetrans_pattern(salt_minion_t, salt_var_run_t, salt_minion_var_run_t, dir) + +# salt_pki_t +create_dirs_pattern(salt_minion_t, salt_etc_t, salt_pki_t) +filetrans_pattern(salt_minion_t, salt_etc_t, 
salt_pki_t, dir, "pki") + +# salt_var_run_t +allow salt_minion_t salt_var_run_t:dir create_dir_perms; +files_pid_filetrans(salt_minion_t, salt_var_run_t, dir) +files_pid_filetrans(salt_minion_t, salt_minion_var_run_t, file, "salt-minion.pid") + +kernel_read_network_state(salt_minion_t) +kernel_read_system_state(salt_minion_t) +kernel_rw_all_sysctls(salt_minion_t) + +corecmd_exec_bin(salt_minion_t) +corecmd_exec_shell(salt_minion_t) + +corenet_tcp_connect_salt_port(salt_minion_t) + +dev_read_sysfs(salt_minion_t) + +domain_dontaudit_exec_all_entry_files(salt_minion_t) +domain_dontaudit_search_all_domains_state(salt_minion_t) + +files_manage_all_non_security_file_types(salt_minion_t) + +fs_getattr_all_fs(salt_minion_t) + +getty_use_fds(salt_minion_t) + +miscfiles_read_localization(salt_minion_t) + +sysnet_exec_ifconfig(salt_minion_t) +sysnet_read_config(salt_minion_t) + +userdom_dontaudit_list_user_home_dirs(salt_minion_t) +userdom_use_user_terminals(salt_minion_t) + +optional_policy(` + auth_read_shadow(salt_minion_t) +') + +optional_policy(` + mount_domtrans(salt_minion_t) +') + +optional_policy(` + portage_run(salt_minion_t, salt_minion_roles) +') + +optional_policy(` + usermanage_run_groupadd(salt_minion_t, salt_minion_roles) + usermanage_run_passwd(salt_minion_t, salt_minion_roles) + usermanage_run_useradd(salt_minion_t, salt_minion_roles) +') + +tunable_policy(`salt_minion_manage_nfs',` + fs_manage_nfs_files(salt_master_t) +')
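Review bot: in salt_admin_master the `# for debugging?` comment above `role_transition $2 salt_master_exec_t system_r;` leaves the purpose of the direct domain transition undecided; either state what it is for (running salt-master in the foreground from an admin shell) or drop the comment and the rule, and make the salt_admin_minion comment match. The two interfaces are also asymmetric: salt_admin_master requires salt_var_run_t and salt_master_var_run_t and grants `stream_connect_pattern($1, salt_master_var_run_t, salt_master_var_run_t, salt_master_t)`, but salt_admin_minion has no equivalent for salt_minion_var_run_t even though salt.te gives the minion `sock_file manage_sock_file_perms` in that type. Neither interface lets the admin role inspect or clean up the log, cache, pki or pid files (salt_log_t, salt_master_log_t, salt_master_cache_t, salt_master_pki_t, salt_master_var_run_t and the minion counterparts); the usual shape is `logging_list_logs_dir($1)` followed by `admin_pattern($1, { salt_log_t salt_master_log_t })`, repeated for the other types, with `files_list_var($1)` and `files_list_pids($1)` for the parent directories.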
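Review bot: the final block, `tunable_policy(`salt_minion_manage_nfs',` fs_manage_nfs_files(salt_master_t) ')`, grants the minion's tunable to the master domain; it sits in the salt_minion_t section and the tunable description says it governs the minion, so it should read `fs_manage_nfs_files(salt_minion_t)`. As written, enabling salt_minion_manage_nfs silently widens salt_master_t and changes nothing for the minion. Further points in the same hunk: the /var/run transitions carry no filename, unlike the cache and log ones, so `files_pid_filetrans(salt_master_t, salt_var_run_t, dir)` and `filetrans_pattern(salt_master_t, salt_var_run_t, salt_master_var_run_t, dir)` label any directory the daemon creates under /var/run and /var/run/salt, not just the `salt` and `master` entries salt.fc expects; add `"salt"` and `"master"` (and `"minion"` for the twin rules) as the last argument so runtime labels agree with restorecon. `can_exec(salt_master_t, salt_master_tmp_t)` and its minion counterpart let the daemon execute files it can also write; replace `# libffi, screw you` with the actual reason libffi needs this so the exception stays auditable. The minion domain combines `files_manage_all_non_security_file_types`, `kernel_rw_all_sysctls`, the `sys_admin` and `net_admin` capabilities, `auth_read_shadow`, `mount_domtrans`, `portage_run` and the usermanage_run_* interfaces, which places it close to an unconfined administration domain; that is inherent in a configuration agent, but it deserves a note in the module header and, as already done for NFS, tunables for the broadest grants. Finally, `wether` in both tunable descriptions should be `whether`.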