* [gentoo-hardened] selinux puppet update for 2.6.8
@ 2011-07-10 21:49 Matthew Thode
From: Matthew Thode @ 2011-07-10 21:49 UTC
To: gentoo-hardened@lists.gentoo.org
First, puppet and puppetmaster are both in /usr/bin, not /usr/sbin, anymore.
And here is what I needed to add to the policy.
module puppetlocal 1.0;
require {
type sendmail_exec_t;
type puppet_t;
type proc_net_t;
type mount_exec_t;
type portage_exec_t;
type passwd_exec_t;
type initrc_notrans_exec_t;
class capability dac_read_search;
class dir search;
class file { execute read open getattr execute_no_trans };
}
#============= puppet_t ==============
allow puppet_t initrc_notrans_exec_t:file execute;
allow puppet_t mount_exec_t:file { execute execute_no_trans };
allow puppet_t passwd_exec_t:file execute;
allow puppet_t portage_exec_t:file execute;
allow puppet_t proc_net_t:dir search;
allow puppet_t proc_net_t:file { read getattr open };
allow puppet_t self:capability dac_read_search;
allow puppet_t sendmail_exec_t:file execute;
-- Matthew Thode
* Re: [gentoo-hardened] selinux puppet update for 2.6.8
From: Sven Vermeulen @ 2011-07-11 12:17 UTC
To: gentoo-hardened
On Sun, Jul 10, 2011 at 04:49:15PM -0500, Matthew Thode wrote:
> #============= puppet_t ==============
> allow puppet_t initrc_notrans_exec_t:file execute;
> allow puppet_t self:capability dac_read_search;
These two I find a bit strange. When do you encounter the need for
initrc_notrans_exec_t execute rights? I guess you're running rc-status or
rc-update at that point? I can have it work using a puppet_t ->
puppet_initrc_notrans_t -> puppet_t transition set (like we do for sysadm_t)
but this is not something you can do with audit2allow, so if the above was
sufficient to make things work...
Also, the dac_read_search capability is something that allows a root user to
read/search files, even if the owner of those files isn't root. In regular
DAC, this is "normal" (root can do everything) but not always necessary. If
you do not allow this, what happens then?
My overlay contains sec-policy/selinux-puppet-2.20101213-r1 [1] so if you
want to test things out, you can subscribe to the overlay or put the
necessary files in your own.
[1] https://github.com/sjvermeu/gentoo.overlay/tree/7e3e3e56a7eb822ed57cc3f3d6285189a1d9fa27/sec-policy/selinux-puppet
Wkr,
Sven Vermeulen
* Re: [gentoo-hardened] selinux puppet update for 2.6.8
From: Matthew Thode @ 2011-07-11 13:25 UTC
To: gentoo-hardened
You can use puppet to manage services (make sure they are running and in
the proper runlevel). What I emailed you worked for me.
exec_no_trans is required for rc-update:
type=AVC msg=audit(1310333942.567:429): avc: denied { execute_no_trans }
for pid=31986 comm="puppetd" path="/sbin/rc-update" dev=vda3 ino=7033
scontext=system_u:system_r:puppet_t
tcontext=system_u:object_r:initrc_notrans_exec_t tclass=file
I don't see selinux-puppet-2.20101213-r1 in the overlay.
-- Matthew Thode
On 7/11/11 7:17 AM, "Sven Vermeulen" <sven.vermeulen@siphos.be> wrote:
>On Sun, Jul 10, 2011 at 04:49:15PM -0500, Matthew Thode wrote:
>> #============= puppet_t ==============
>> allow puppet_t initrc_notrans_exec_t:file execute;
>> allow puppet_t self:capability dac_read_search;
>
>These two I find a bit strange. When do you encounter the need for
>initrc_notrans_exec_t execute rights? I guess you're running rc-status or
>rc-update at that point? I can have it work using a puppet_t ->
>puppet_initrc_notrans_t -> puppet_t transition set (like we do for sysadm_t)
>but this is not something you can do with audit2allow, so if the above was
>sufficient to make things work...
>
>Also, the dac_read_search capability is something that allows a root user to
>read/search files, even if the owner of those files isn't root. In regular
>DAC, this is "normal" (root can do everything) but not always necessary. If
>you do not allow this, what happens then?
>
>My overlay contains sec-policy/selinux-puppet-2.20101213-r1 [1] so if you
>want to test things out, you can subscribe to the overlay or put the
>necessary files in your own.
>
>[1] https://github.com/sjvermeu/gentoo.overlay/tree/7e3e3e56a7eb822ed57cc3f3d6285189a1d9fa27/sec-policy/selinux-puppet
>
>Wkr,
> Sven Vermeulen
>
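As an added example (not from the thread, and not part of the Gentoo policy or of audit2allow), a small Python script that turns AVC denials like the rc-update one Matthew posted into allow rules the way audit2allow would, but flags the execute_no_trans and dac_read_search permissions Sven questioned so each gets a deliberate decision rather than a copy-paste into puppetlocal.te. The second denial and the review reasons are constructed for the example.

```python
import re
from collections import defaultdict

# Denial 1 is the line Matthew posted (re-joined onto one line); denial 2 is a
# constructed sample for the dac_read_search capability, not from the thread.
AVC_LINES = [
    'type=AVC msg=audit(1310333942.567:429): avc: denied { execute_no_trans } '
    'for pid=31986 comm="puppetd" path="/sbin/rc-update" dev=vda3 ino=7033 '
    'scontext=system_u:system_r:puppet_t '
    'tcontext=system_u:object_r:initrc_notrans_exec_t tclass=file',
    'type=AVC msg=audit(1310333950.101:430): avc: denied { dac_read_search } '
    'for pid=31986 comm="puppetd" capability=2 scontext=system_u:system_r:puppet_t '
    'tcontext=system_u:system_r:puppet_t tclass=capability',
]

# Permissions audit2allow would grant verbatim but which deserve a manual decision.
REVIEW = {
    ("file", "execute_no_trans"): "target runs inside the caller's domain; prefer a domain transition",
    ("capability", "dac_read_search"): "lets root bypass DAC read/search checks; verify it is needed",
}

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?scontext=(?P<s>\S+)"
                    r"\s+tcontext=(?P<t>\S+)\s+tclass=(?P<c>\S+)")

def parse_avc(line):
    """Return (source_type, target_type, tclass, {perms}) or None for a non-AVC line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    stype, ttype = m["s"].split(":")[2], m["t"].split(":")[2]  # user:role:type[:level]
    return stype, ttype, m["c"], set(m["perms"].split())

def build_rules(lines):
    """Merge denials into allow rules keyed by (source, target, class); 'self' when equal."""
    merged = defaultdict(set)
    for src, tgt, cls, perms in filter(None, map(parse_avc, lines)):
        merged[(src, "self" if src == tgt else tgt, cls)] |= perms
    return dict(merged)

def flagged(rules):
    """Return (rule, reason) pairs for every permission on the review list."""
    return [(f"allow {s} {t}:{c} {p};", REVIEW[(c, p)])
            for (s, t, c), perms in sorted(rules.items())
            for p in sorted(perms) if (c, p) in REVIEW]

def to_te(rules):
    """Render the merged rules as TE allow statements, sorted for stable output."""
    return "\n".join(f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
                     for (s, t, c), p in sorted(rules.items()))
```

Run `flagged(build_rules(AVC_LINES))` to see which generated rules still need a human decision; `to_te` gives the full statement list for the module.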