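policy_module(puppet, 1.0.0)

########################################
#
# Declarations
#

## <desc>
## <p>
## Allow the Puppet client to manage all non-security
## file types. The tunable body grants
## files_manage_non_security_files, so types the files
## module marks as security files stay out of reach, but
## everything else on the system becomes writable by the
## agent.
## </p>
## </desc>
gen_tunable(puppet_manage_all_files, false)

## <desc>
## <p>
## Allow the Puppet master to connect to MySQL and
## PostgreSQL databases over their local stream sockets.
## </p>
## </desc>
gen_tunable(puppetmaster_use_db, false)

# Puppet agent: a daemon domain entered from its init script.
type puppet_t;
type puppet_exec_t;
init_daemon_domain(puppet_t, puppet_exec_t)

# Puppet configuration. Read by all three domains below; the master
# and the CA declare no config type of their own.
type puppet_etc_t;
files_config_file(puppet_etc_t)

type puppet_initrc_exec_t;
init_script_file(puppet_initrc_exec_t)

# Shared by the agent and the master; the master has no log type
# of its own.
type puppet_log_t;
logging_log_file(puppet_log_t)

type puppet_tmp_t;
files_tmp_file(puppet_tmp_t)

# Agent state directory, shared with the CA and the master. Declared
# as a plain files_type, so it is neither a config nor a security
# file type and the puppet_manage_all_files tunable is expected to
# reach it as well.
type puppet_var_lib_t;
files_type(puppet_var_lib_t)

type puppet_var_run_t;
files_pid_file(puppet_var_run_t)

# PuppetCA is an application domain rather than a daemon; this
# module only authorizes it for system_r. Other roles need their own
# role statement.
type puppetca_t;
type puppetca_exec_t;
application_domain(puppetca_t, puppetca_exec_t)
role system_r types puppetca_t;

# Puppet master daemon. It reuses puppet_etc_t, puppet_log_t,
# puppet_var_lib_t and puppet_var_run_t rather than declaring its
# own, so agent and master state are not separated by label.
type puppetmaster_t;
type puppetmaster_exec_t;
init_daemon_domain(puppetmaster_t, puppetmaster_exec_t)

type puppetmaster_initrc_exec_t;
init_script_file(puppetmaster_initrc_exec_t)

type puppetmaster_tmp_t;
files_tmp_file(puppetmaster_tmp_t)
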
########################################
#
# Puppet agent local policy
#

# The agent applies catalogs as root: it changes ownership-related
# bits, switches uid/gid, bypasses DAC and sets scheduling priority.
# These are root-equivalent capabilities, so confinement of this domain
# rests on the file-type rules below rather than on the capability set.
allow puppet_t self:capability { dac_override fowner fsetid setgid setuid sys_nice sys_tty_config };
allow puppet_t self:process { signal signull getsched setsched };
allow puppet_t self:fifo_file rw_fifo_file_perms;
allow puppet_t self:netlink_route_socket create_netlink_socket_perms;
allow puppet_t self:tcp_socket create_stream_socket_perms;
allow puppet_t self:udp_socket create_socket_perms;

read_files_pattern(puppet_t, puppet_etc_t, puppet_etc_t)

manage_dirs_pattern(puppet_t, puppet_var_lib_t, puppet_var_lib_t)
manage_files_pattern(puppet_t, puppet_var_lib_t, puppet_var_lib_t)
files_search_var_lib(puppet_t)

manage_dirs_pattern(puppet_t, puppet_var_run_t, puppet_var_run_t)
manage_files_pattern(puppet_t, puppet_var_run_t, puppet_var_run_t)
files_pid_filetrans(puppet_t, puppet_var_run_t, { file dir })

# Logs are narrower than the manage_* patterns used for the other
# types: create and append, not read or write of log contents.
# NOTE: var_log_t is referenced directly rather than through a
# logging interface; presumably it builds only because
# logging_log_filetrans below requires the type into this module.
create_dirs_pattern(puppet_t, var_log_t, puppet_log_t)
create_files_pattern(puppet_t, puppet_log_t, puppet_log_t)
append_files_pattern(puppet_t, puppet_log_t, puppet_log_t)
logging_log_filetrans(puppet_t, puppet_log_t, { file dir })

manage_dirs_pattern(puppet_t, puppet_tmp_t, puppet_tmp_t)
manage_files_pattern(puppet_t, puppet_tmp_t, puppet_tmp_t)
files_tmp_filetrans(puppet_t, puppet_tmp_t, { file dir })

kernel_dontaudit_search_sysctl(puppet_t)
kernel_dontaudit_search_kernel_sysctl(puppet_t)
kernel_read_system_state(puppet_t)
kernel_read_crypto_sysctls(puppet_t)
kernel_read_kernel_sysctls(puppet_t)

# Catalog exec resources can run any command: shell plus every binary.
# Executables are read and executed, never written, from this domain.
corecmd_read_all_executables(puppet_t)
corecmd_dontaudit_access_all_executables(puppet_t)
corecmd_exec_bin(puppet_t)
corecmd_exec_shell(puppet_t)

# Client side of the master connection only: connect to the puppet
# port, no bind on it.
corenet_all_recvfrom_netlabel(puppet_t)
corenet_all_recvfrom_unlabeled(puppet_t)
corenet_tcp_sendrecv_generic_if(puppet_t)
corenet_tcp_sendrecv_generic_node(puppet_t)
corenet_tcp_bind_generic_node(puppet_t)
corenet_tcp_connect_puppet_port(puppet_t)
corenet_sendrecv_puppet_client_packets(puppet_t)

dev_read_rand(puppet_t)
dev_read_sysfs(puppet_t)
dev_read_urand(puppet_t)

domain_read_all_domains_state(puppet_t)
domain_interactive_fd(puppet_t)

# Full management and relabelling of configuration files system-wide.
# files_manage_config_* cover every type declared with
# files_config_file, which should include puppet_etc_t itself, on top
# of generic etc content.
files_manage_config_files(puppet_t)
files_manage_config_dirs(puppet_t)
files_manage_etc_dirs(puppet_t)
files_manage_etc_files(puppet_t)
files_read_usr_files(puppet_t)
files_read_usr_symlinks(puppet_t)
files_relabel_config_dirs(puppet_t)
files_relabel_config_files(puppet_t)

# Policy management: the agent can flip any boolean and, via the
# seutil transitions further down, run semanage and setfiles. It can
# therefore alter the policy that confines it; tolerable only because
# Puppet is the configuration authority on the host.
selinux_search_fs(puppet_t)
selinux_set_all_booleans(puppet_t)
selinux_set_generic_booleans(puppet_t)
selinux_validate_context(puppet_t)

term_dontaudit_getattr_unallocated_ttys(puppet_t)
term_dontaudit_getattr_all_ttys(puppet_t)

auth_use_nsswitch(puppet_t)
auth_read_passwd(puppet_t)

# Service resources: the agent may transition into any labelled init
# script, i.e. start and stop every service on the host.
init_all_labeled_script_domtrans(puppet_t)
init_domtrans_script(puppet_t)
init_read_utmp(puppet_t)
init_signull_script(puppet_t)

logging_send_syslog_msg(puppet_t)

miscfiles_read_hwdata(puppet_t)
miscfiles_read_localization(puppet_t)

seutil_domtrans_setfiles(puppet_t)
seutil_domtrans_semanage(puppet_t)
seutil_read_file_contexts(puppet_t)

sysnet_dns_name_resolve(puppet_t)
sysnet_run_ifconfig(puppet_t, system_r)

# Off by default. Extends the agent from config and etc types to every
# non-security file type on the system.
tunable_policy(`puppet_manage_all_files',`
	files_manage_non_security_files(puppet_t)
')

optional_policy(`
	cfengine_read_lib_files(puppet_t)
')

optional_policy(`
	consoletype_exec(puppet_t)
')

optional_policy(`
	hostname_exec(puppet_t)
')

optional_policy(`
	mount_domtrans(puppet_t)
')

optional_policy(`
	mta_send_mail(puppet_t)
')

# Package resources. files_rw_var_files is a kernel-layer grant that
# does not depend on rpm, yet it is gated on the rpm module here;
# presumably it is only wanted alongside package management.
optional_policy(`
	files_rw_var_files(puppet_t)

	rpm_domtrans(puppet_t)
	rpm_manage_db(puppet_t)
	rpm_manage_log(puppet_t)
')

# NOTE: on builds that ship the unconfined module this one call makes
# puppet_t unconfined and every rule in this section is moot. The
# confinement expressed here is only effective without that module.
optional_policy(`
	unconfined_domain(puppet_t)
')

optional_policy(`
	usermanage_access_check_groupadd(puppet_t)
	usermanage_access_check_passwd(puppet_t)
	usermanage_access_check_useradd(puppet_t)
')

# Named file transitions: files the agent creates inside directories
# owned by other modules get that module label instead of inheriting
# the parent directory label. One optional block per module, in
# alphabetical order.
optional_policy(`
	alsa_filetrans_named_content(puppet_t)
')

optional_policy(`
	auth_filetrans_named_content(puppet_t)
')

optional_policy(`
	bootloader_filetrans_config(puppet_t)
')

optional_policy(`
	devicekit_filetrans_named_content(puppet_t)
')

optional_policy(`
	dnsmasq_filetrans_named_content(puppet_t)
')

optional_policy(`
	kerberos_filetrans_named_content(puppet_t)
')

optional_policy(`
	libs_filetrans_named_content(puppet_t)
')

optional_policy(`
	miscfiles_filetrans_named_content(puppet_t)
')

optional_policy(`
	modules_filetrans_named_content(puppet_t)
')

optional_policy(`
	mta_filetrans_named_content(puppet_t)
')

optional_policy(`
	networkmanager_filetrans_named_content(puppet_t)
')

optional_policy(`
	nx_filetrans_named_content(puppet_t)
')

optional_policy(`
	postfix_filetrans_named_content(puppet_t)
')

optional_policy(`
	quota_filetrans_named_content(puppet_t)
')

optional_policy(`
	ssh_filetrans_admin_home_content(puppet_t)
')

optional_policy(`
	sysnet_filetrans_named_content(puppet_t)
')

optional_policy(`
	virt_filetrans_home_content(puppet_t)
')

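########################################
#
# PuppetCA local policy
#

allow puppetca_t self:capability { dac_override setgid setuid };
allow puppetca_t self:fifo_file rw_fifo_file_perms;

read_files_pattern(puppetca_t, puppet_etc_t, puppet_etc_t)

# Full control over the shared agent state directory. manage_dirs_pattern
# already includes directory listing, so the separate list_dir_perms
# rule the original carried was redundant and has been dropped.
manage_dirs_pattern(puppetca_t, puppet_var_lib_t, puppet_var_lib_t)
manage_files_pattern(puppetca_t, puppet_var_lib_t, puppet_var_lib_t)

allow puppetca_t puppet_log_t:dir search_dir_perms;

allow puppetca_t puppet_var_run_t:dir search_dir_perms;

kernel_read_system_state(puppetca_t)
# puppet_t and puppetmaster_t also allow this read; what they dontaudit
# is only the search of the sysctl directories.
kernel_read_kernel_sysctls(puppetca_t)

corecmd_exec_bin(puppetca_t)
corecmd_exec_shell(puppetca_t)

dev_read_urand(puppetca_t)
dev_search_sysfs(puppetca_t)

files_read_etc_files(puppetca_t)
files_search_var_lib(puppetca_t)

selinux_validate_context(puppetca_t)

logging_search_logs(puppetca_t)

miscfiles_read_localization(puppetca_t)
miscfiles_read_generic_certs(puppetca_t)

seutil_read_file_contexts(puppetca_t)

optional_policy(`
	hostname_exec(puppetca_t)
')

optional_policy(`
	mta_sendmail_access_check(puppetca_t)
')

# Fixed: this block previously named puppet_t, which already receives
# the same three grants in its own section, so the CA domain got
# nothing from it. The PuppetCA domain is the intended subject.
optional_policy(`
	usermanage_access_check_groupadd(puppetca_t)
	usermanage_access_check_passwd(puppetca_t)
	usermanage_access_check_useradd(puppetca_t)
')
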
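########################################
#
# Puppet master local policy
#

# Root-equivalent capability set: the master reads and bypasses DAC,
# changes owners and mode bits and switches uid/gid. As with the
# agent, confinement comes from the file-type rules, not from here.
allow puppetmaster_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid sys_tty_config };
allow puppetmaster_t self:process { signal_perms getsched setsched };
allow puppetmaster_t self:fifo_file rw_fifo_file_perms;
allow puppetmaster_t self:netlink_route_socket create_netlink_socket_perms;
allow puppetmaster_t self:socket create;
allow puppetmaster_t self:tcp_socket create_stream_socket_perms;

list_dirs_pattern(puppetmaster_t, puppet_etc_t, puppet_etc_t)
read_files_pattern(puppetmaster_t, puppet_etc_t, puppet_etc_t)

# Shares puppet_log_t with the agent. Written as raw allow rules rather
# than the *_pattern macros, so the permission sets are explicit; note
# the master gets read/write and relabel on log files where the agent
# only gets create/append.
allow puppetmaster_t puppet_log_t:dir { rw_dir_perms setattr_dir_perms };
allow puppetmaster_t puppet_log_t:file { rw_file_perms create_file_perms setattr_file_perms };
logging_log_filetrans(puppetmaster_t, puppet_log_t, { file dir })
allow puppetmaster_t puppet_log_t:file relabel_file_perms;

manage_dirs_pattern(puppetmaster_t, puppet_var_lib_t, puppet_var_lib_t)
manage_files_pattern(puppetmaster_t, puppet_var_lib_t, puppet_var_lib_t)
allow puppetmaster_t puppet_var_lib_t:dir relabel_dir_perms;
allow puppetmaster_t puppet_var_lib_t:file relabel_file_perms;

setattr_dirs_pattern(puppetmaster_t, puppet_var_run_t, puppet_var_run_t)
create_dirs_pattern(puppetmaster_t, puppet_var_run_t, puppet_var_run_t)
manage_files_pattern(puppetmaster_t, puppet_var_run_t, puppet_var_run_t)
files_pid_filetrans(puppetmaster_t, puppet_var_run_t, { file dir })
allow puppetmaster_t puppet_var_run_t:dir relabel_dir_perms;

manage_dirs_pattern(puppetmaster_t, puppetmaster_tmp_t, puppetmaster_tmp_t)
manage_files_pattern(puppetmaster_t, puppetmaster_tmp_t, puppetmaster_tmp_t)
files_tmp_filetrans(puppetmaster_t, puppetmaster_tmp_t, { file dir })
# NOTE: this relabels the agent tmp type, puppet_tmp_t, not
# puppetmaster_tmp_t. Presumably for a co-located agent; confirm it is
# not a slip for puppetmaster_tmp_t.
allow puppetmaster_t puppet_tmp_t:dir relabel_dir_perms;

kernel_dontaudit_search_kernel_sysctl(puppetmaster_t)
kernel_read_network_state(puppetmaster_t)
kernel_read_system_state(puppetmaster_t)
kernel_read_crypto_sysctls(puppetmaster_t)
kernel_read_kernel_sysctls(puppetmaster_t)

corecmd_exec_bin(puppetmaster_t)
corecmd_exec_shell(puppetmaster_t)

# Server side: binds the puppet port and exchanges server packets.
corenet_all_recvfrom_netlabel(puppetmaster_t)
corenet_all_recvfrom_unlabeled(puppetmaster_t)
corenet_tcp_sendrecv_generic_if(puppetmaster_t)
corenet_tcp_sendrecv_generic_node(puppetmaster_t)
corenet_tcp_bind_generic_node(puppetmaster_t)
corenet_tcp_bind_puppet_port(puppetmaster_t)
corenet_sendrecv_puppet_server_packets(puppetmaster_t)

# This needs investigation: puppetmasterd is confirmed to bind UDP
# sockets to random high ports, so it is granted the generic UDP port
# type rather than a named port. Any listener it opens there is outside
# the puppet port labelling.
corenet_udp_bind_generic_node(puppetmaster_t)
corenet_udp_bind_generic_port(puppetmaster_t)

dev_read_rand(puppetmaster_t)
dev_read_urand(puppetmaster_t)
dev_search_sysfs(puppetmaster_t)

domain_read_all_domains_state(puppetmaster_t)
# NOTE: exempts the master from the object identity change constraint.
# Not granted to puppet_t; confirm it is still required.
domain_obj_id_change_exemption(puppetmaster_t)

files_read_usr_files(puppetmaster_t)

selinux_validate_context(puppetmaster_t)

auth_use_nsswitch(puppetmaster_t)

logging_send_syslog_msg(puppetmaster_t)

miscfiles_read_localization(puppetmaster_t)
miscfiles_read_generic_certs(puppetmaster_t)

seutil_read_file_contexts(puppetmaster_t)

sysnet_run_ifconfig(puppetmaster_t, system_r)

# Database back ends are off by default and only reachable over local
# stream sockets.
optional_policy(`
	tunable_policy(`puppetmaster_use_db',`
		mysql_stream_connect(puppetmaster_t)
	')
')

optional_policy(`
	tunable_policy(`puppetmaster_use_db',`
		postgresql_stream_connect(puppetmaster_t)
	')
')

optional_policy(`
	hostname_exec(puppetmaster_t)
')

# Now wrapped in optional_policy to match the puppet_t and puppetca_t
# sections, so the module still builds when mta is absent. The grant
# itself is unchanged.
optional_policy(`
	mta_send_mail(puppetmaster_t)
')

optional_policy(`
	# NOTE: files_read_usr_symlinks does not depend on rpm and is
	# probably meant to sit outside this block; left as is to avoid
	# widening access on builds without rpm.
	files_read_usr_symlinks(puppetmaster_t)

	rpm_exec(puppetmaster_t)
	rpm_read_db(puppetmaster_t)
')

optional_policy(`
	usermanage_access_check_groupadd(puppetmaster_t)
	usermanage_access_check_passwd(puppetmaster_t)
	usermanage_access_check_useradd(puppetmaster_t)
')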
f9bbd9cf | 426 | ') |