From: "Sven Vermeulen"
To: gentoo-commits@lists.gentoo.org
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Sven Vermeulen"
Message-ID: <712685c6e239a535dce181b848623f76535dc8de.SwifT@gentoo>
Subject: [gentoo-commits] proj/hardened-dev:master commit in: sec-policy/selinux-puppet/files/, sec-policy/selinux-puppet/
X-VCS-Repository: proj/hardened-dev
X-VCS-Files: sec-policy/selinux-puppet/ChangeLog sec-policy/selinux-puppet/files/fix-services-puppet-r2.patch sec-policy/selinux-puppet/selinux-puppet-2.20101213-r2.ebuild
X-VCS-Directories: sec-policy/selinux-puppet/files/ sec-policy/selinux-puppet/
X-VCS-Committer: SwifT
X-VCS-Committer-Name: Sven Vermeulen
X-VCS-Revision: 712685c6e239a535dce181b848623f76535dc8de
Date: Thu, 21 Jul 2011 19:21:59 +0000 (UTC)
Precedence: bulk
List-Id: Gentoo Linux mail
X-BeenThere: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: quoted-printable
X-Archives-Hash: 402a8f57f845a0b1b6467482632967b9

commit: 712685c6e239a535dce181b848623f76535dc8de
Author: Sven Vermeulen siphos be>
AuthorDate: Thu Jul 21 19:18:34 2011 +0000
Commit: Sven Vermeulen siphos be>
CommitDate: Thu Jul 21 19:18:34 2011 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-dev.git;a=commit;h=712685c6

Revert initrc hack from puppet r1

---
 sec-policy/selinux-puppet/ChangeLog | 6 +
 .../files/fix-services-puppet-r2.patch | 97 ++++++++++++++++++
 .../selinux-puppet-2.20101213-r2.ebuild | 18 ++++
 3 files changed, 121 insertions(+), 0 deletions(-)

diff --git a/sec-policy/selinux-puppet/ChangeLog b/sec-policy/selinux-pup= pet/ChangeLog index d56ea3d..32c95e6 100644 --- a/sec-policy/selinux-puppet/ChangeLog +++ b/sec-policy/selinux-puppet/ChangeLog 
@@ -2,6 +2,12 @@ # Copyright 1999-2011 Gentoo Foundation; Distributed under the GPL v2 # $Header: /var/cvsroot/gentoo-x86/sec-policy/selinux-puppet/ChangeLog,v= 1.2 2011/06/02 12:49:09 blueness Exp $ =20 +*selinux-puppet-2.20101213-r2 (21 Jul 2011) + + 21 Jul 2011; +files/fix-services-puppet-r2.patch, + +selinux-puppet-2.20101213-r2.ebuild: + Revert ugly initrc hack introduced in r1 + *selinux-puppet-2.20101213-r1 (11 Jul 2011) =20 11 Jul 2011; +files/fix-services-puppet-r1.patch, diff --git a/sec-policy/selinux-puppet/files/fix-services-puppet-r2.patch= b/sec-policy/selinux-puppet/files/fix-services-puppet-r2.patch new file mode 100644 index 0000000..fb82d35 --- /dev/null +++ b/sec-policy/selinux-puppet/files/fix-services-puppet-r2.patch 
@@ -0,0 +1,97 @@ +--- services/puppet.te 2010-08-03 15:11:07.000000000 +0200 ++++ services/puppet.te 2011-07-21 11:15:55.552000371 +0200 +@@ -17,6 +17,9 @@ + type puppet_exec_t; + init_daemon_domain(puppet_t, puppet_exec_t) +=20 ++#type puppet_initrc_notrans_t; ++#role system_r types puppet_initrc_notrans_t; ++ + type puppet_etc_t; + files_config_file(puppet_etc_t) +=20 +@@ -50,7 +53,7 @@ + # Puppet personal policy + # +=20 +-allow puppet_t self:capability { fowner fsetid setuid setgid dac_overri= de sys_nice sys_ptrace sys_tty_config }; ++allow puppet_t self:capability { fowner fsetid setuid setgid dac_overri= de sys_nice sys_ptrace sys_tty_config chown }; + allow puppet_t self:process { signal signull getsched setsched }; + allow puppet_t self:fifo_file rw_fifo_file_perms; + allow puppet_t self:netlink_route_socket create_netlink_socket_perms; +@@ -77,7 +80,9 @@ + files_tmp_filetrans(puppet_t, puppet_tmp_t, { file dir }) +=20 + kernel_dontaudit_search_sysctl(puppet_t) +-kernel_dontaudit_search_kernel_sysctl(puppet_t) ++#kernel_dontaudit_search_kernel_sysctl(puppet_t) ++kernel_read_kernel_sysctls(puppet_t) ++kernel_read_network_state(puppet_t) + kernel_read_system_state(puppet_t) + kernel_read_crypto_sysctls(puppet_t) +=20 +@@ -115,6 +120,9 @@ + term_dontaudit_getattr_unallocated_ttys(puppet_t) + term_dontaudit_getattr_all_ttys(puppet_t) +=20 ++ ++## system modules ++ + init_all_labeled_script_domtrans(puppet_t) + init_domtrans_script(puppet_t) + init_read_utmp(puppet_t) +@@ -125,12 +133,26 @@ + miscfiles_read_hwdata(puppet_t) + miscfiles_read_localization(puppet_t) +=20 ++mount_domtrans(puppet_t) ++ + seutil_domtrans_setfiles(puppet_t) + seutil_domtrans_semanage(puppet_t) +=20 + sysnet_dns_name_resolve(puppet_t) + sysnet_run_ifconfig(puppet_t, system_r) +=20 ++## Other modules ++ ++ ++usermanage_domtrans_passwd(puppet_t) ++ ++tunable_policy(`gentoo_try_dontaudit',` ++ dontaudit puppet_t self:capability dac_read_search; ++ 
#kernel_dontaudit_read_system_state(puppet_initrc_notrans_t) ++ userdom_dontaudit_use_user_terminals(puppet_t) ++') ++ ++ + tunable_policy(`puppet_manage_all_files',` + auth_manage_all_files_except_shadow(puppet_t) + ') +@@ -144,6 +166,15 @@ + ') +=20 + optional_policy(` ++ mta_send_mail(puppet_t) ++') ++ ++optional_policy(` ++ gentoo_init_rc_exec(puppet_t) ++ portage_domtrans(puppet_t) ++') ++ ++optional_policy(` + files_rw_var_files(puppet_t) +=20 + rpm_domtrans(puppet_t) +--- services/puppet.fc 2010-08-03 15:11:07.000000000 +0200 ++++ services/puppet.fc 2011-07-21 10:08:43.240000256 +0200 +@@ -3,7 +3,9 @@ + /etc/rc\.d/init\.d/puppet -- gen_context(system_u:object_r:puppet_initr= c_exec_t,s0) + /etc/rc\.d/init\.d/puppetmaster -- gen_context(system_u:object_r:puppet= master_initrc_exec_t,s0) +=20 ++/usr/bin/puppetd -- gen_context(system_u:object_r:puppet_exec_t,s0) + /usr/sbin/puppetd -- gen_context(system_u:object_r:puppet_exec_t,s0) ++/usr/bin/puppetmasterd -- gen_context(system_u:object_r:puppetmaster_e= xec_t,s0) + /usr/sbin/puppetmasterd -- gen_context(system_u:object_r:puppetmaster_= exec_t,s0) +=20 + /var/lib/puppet(/.*)? gen_context(system_u:object_r:puppet_var_lib_t,= s0) diff --git a/sec-policy/selinux-puppet/selinux-puppet-2.20101213-r2.ebuil= d b/sec-policy/selinux-puppet/selinux-puppet-2.20101213-r2.ebuild new file mode 100644 index 0000000..c086eab --- /dev/null +++ b/sec-policy/selinux-puppet/selinux-puppet-2.20101213-r2.ebuild 
@@ -0,0 +1,18 @@ +# Copyright 1999-2011 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 +# $Header: /var/cvsroot/gentoo-x86/sec-policy/selinux-puppet/selinux-pup= pet-2.20101213.ebuild,v 1.2 2011/06/02 12:49:09 blueness Exp $ + +IUSE=3D"" + +MODS=3D"puppet" + +inherit selinux-policy-2 + +DESCRIPTION=3D"SELinux policy for general applications" + +DEPEND=3D">=3Dsec-policy/selinux-base-policy-2.20101213-r20" +RDEPEND=3D"${DEPEND}" + +KEYWORDS=3D"~amd64 ~x86" + +POLICY_PATCH=3D"${FILESDIR}/fix-services-puppet-r2.patch"
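Review bot: In the fix-services-puppet-r2.patch hunk, `mount_domtrans(puppet_t)` and `usermanage_domtrans_passwd(puppet_t)` are added as unconditional calls, while the other interfaces from non-base modules in the same hunk (`mta_send_mail`, `gentoo_init_rc_exec`, `portage_domtrans`, `rpm_domtrans`) are wrapped in `optional_policy(`...')`; if mount or usermanage is built as a loadable module, the puppet module will not build where that module is absent, so wrap these two calls the same way. In the same hunk, `gentoo_init_rc_exec(puppet_t)` and `portage_domtrans(puppet_t)` share one `optional_policy` block, which means both rules are dropped as soon as either module is missing; give each interface its own block. The commit message says the r1 initrc hack is reverted, yet the patch still carries its remnants as commented-out lines (`#type puppet_initrc_notrans_t;`, `#role system_r types puppet_initrc_notrans_t;`, `#kernel_dontaudit_read_system_state(puppet_initrc_notrans_t)` and `#kernel_dontaudit_search_kernel_sysctl(puppet_t)`); delete them instead of commenting them out. Two smaller points: the new `chown` capability and the move from a dontaudit to `kernel_read_kernel_sysctls(puppet_t)` and `kernel_read_network_state(puppet_t)` widen what puppet_t may do, so a one-line comment naming the Puppet operation that produced each denial would keep the grant auditable later; and the new `/usr/bin/puppetd` and `/usr/bin/puppetmasterd` file contexts duplicate the `/usr/sbin` entries and could be folded into a single `/usr/s?bin/...` pattern each.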
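Review bot: In the selinux-puppet-2.20101213-r2.ebuild hunk, `DESCRIPTION="SELinux policy for general applications"` does not describe this package; use `DESCRIPTION="SELinux policy for puppet"`. The dependency bump to `>=sec-policy/selinux-base-policy-2.20101213-r20` should also be checked against the base policy revision that actually provides the `gentoo_init_rc_exec` interface and the `gentoo_try_dontaudit` tunable the new patch relies on, since nothing in the ebuild or ChangeLog entry records why r20 is the minimum.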