[people/stevee/selinux-policy.git] / policy / modules / services / puppet.te

policy_module(puppet, 1.0.0)

########################################
#
# Declarations
#

## <desc>
##	<p>
##	Allow Puppet client to manage all file
##	types.
##	</p>
## </desc>
gen_tunable(puppet_manage_all_files, false)

## <desc>
## <p>
## Allow Puppet master to use connect to MySQL and PostgreSQL database
## </p>
## </desc>
gen_tunable(puppetmaster_use_db, false)

type puppet_t;
type puppet_exec_t;
init_daemon_domain(puppet_t, puppet_exec_t)

type puppet_etc_t;
files_config_file(puppet_etc_t)

type puppet_initrc_exec_t;
init_script_file(puppet_initrc_exec_t)

type puppet_log_t;
logging_log_file(puppet_log_t)

type puppet_tmp_t;
files_tmp_file(puppet_tmp_t)

type puppet_var_lib_t;
files_type(puppet_var_lib_t)

type puppet_var_run_t;
files_pid_file(puppet_var_run_t)

type puppetca_t;
type puppetca_exec_t;
application_domain(puppetca_t, puppetca_exec_t)
role system_r types puppetca_t;

type puppetmaster_t;
type puppetmaster_exec_t;
init_daemon_domain(puppetmaster_t, puppetmaster_exec_t)

type puppetmaster_initrc_exec_t;
init_script_file(puppetmaster_initrc_exec_t)

type puppetmaster_tmp_t;
files_tmp_file(puppetmaster_tmp_t)

########################################
#
# Puppet personal policy
#

allow puppet_t self:capability { fowner fsetid setuid setgid dac_override sys_nice sys_tty_config };
allow puppet_t self:process { signal signull getsched setsched };
allow puppet_t self:fifo_file rw_fifo_file_perms;
allow puppet_t self:netlink_route_socket create_netlink_socket_perms;
allow puppet_t self:tcp_socket create_stream_socket_perms;
allow puppet_t self:udp_socket create_socket_perms;

read_files_pattern(puppet_t, puppet_etc_t, puppet_etc_t)

manage_dirs_pattern(puppet_t, puppet_var_lib_t, puppet_var_lib_t)
manage_files_pattern(puppet_t, puppet_var_lib_t, puppet_var_lib_t)
files_search_var_lib(puppet_t)

manage_dirs_pattern(puppet_t, puppet_var_run_t, puppet_var_run_t)
manage_files_pattern(puppet_t, puppet_var_run_t, puppet_var_run_t)
files_pid_filetrans(puppet_t, puppet_var_run_t, { file dir })

create_dirs_pattern(puppet_t, var_log_t, puppet_log_t)
create_files_pattern(puppet_t, puppet_log_t, puppet_log_t)
append_files_pattern(puppet_t, puppet_log_t, puppet_log_t)
logging_log_filetrans(puppet_t, puppet_log_t, { file dir })

manage_dirs_pattern(puppet_t, puppet_tmp_t, puppet_tmp_t)
manage_files_pattern(puppet_t, puppet_tmp_t, puppet_tmp_t)
files_tmp_filetrans(puppet_t, puppet_tmp_t, { file dir })

kernel_dontaudit_search_sysctl(puppet_t)
kernel_dontaudit_search_kernel_sysctl(puppet_t)
kernel_read_system_state(puppet_t)
kernel_read_crypto_sysctls(puppet_t)
kernel_read_kernel_sysctls(puppet_t)

corecmd_read_all_executables(puppet_t)
corecmd_dontaudit_access_all_executables(puppet_t)
corecmd_exec_bin(puppet_t)
corecmd_exec_shell(puppet_t)

corenet_all_recvfrom_netlabel(puppet_t)
corenet_all_recvfrom_unlabeled(puppet_t)
corenet_tcp_sendrecv_generic_if(puppet_t)
corenet_tcp_sendrecv_generic_node(puppet_t)
corenet_tcp_bind_generic_node(puppet_t)
corenet_tcp_connect_puppet_port(puppet_t)
corenet_sendrecv_puppet_client_packets(puppet_t)

dev_read_rand(puppet_t)
dev_read_sysfs(puppet_t)
dev_read_urand(puppet_t)

domain_read_all_domains_state(puppet_t)
domain_interactive_fd(puppet_t)

files_manage_config_files(puppet_t)
files_manage_config_dirs(puppet_t)
files_manage_etc_dirs(puppet_t)
files_manage_etc_files(puppet_t)
files_read_usr_files(puppet_t)
files_read_usr_symlinks(puppet_t)
files_relabel_config_dirs(puppet_t)
files_relabel_config_files(puppet_t)

selinux_search_fs(puppet_t)
selinux_set_all_booleans(puppet_t)
selinux_set_generic_booleans(puppet_t)
selinux_validate_context(puppet_t)

term_dontaudit_getattr_unallocated_ttys(puppet_t)
term_dontaudit_getattr_all_ttys(puppet_t)

auth_use_nsswitch(puppet_t)
auth_read_passwd(puppet_t)

init_all_labeled_script_domtrans(puppet_t)
init_domtrans_script(puppet_t)
init_read_utmp(puppet_t)
init_signull_script(puppet_t)

logging_send_syslog_msg(puppet_t)

miscfiles_read_hwdata(puppet_t)
miscfiles_read_localization(puppet_t)

seutil_domtrans_setfiles(puppet_t)
seutil_domtrans_semanage(puppet_t)
seutil_read_file_contexts(puppet_t)

sysnet_dns_name_resolve(puppet_t)
sysnet_run_ifconfig(puppet_t, system_r)

tunable_policy(`puppet_manage_all_files',`
	files_manage_non_security_files(puppet_t)
')

optional_policy(`
	cfengine_read_lib_files(puppet_t)
')

optional_policy(`
	consoletype_exec(puppet_t)
')

optional_policy(`
	hostname_exec(puppet_t)
')

optional_policy(`
	mount_domtrans(puppet_t)
')

optional_policy(`
	mta_send_mail(puppet_t)
')

optional_policy(`
	files_rw_var_files(puppet_t)

	rpm_domtrans(puppet_t)
	rpm_manage_db(puppet_t)
	rpm_manage_log(puppet_t)
')

optional_policy(`
	unconfined_domain(puppet_t)
')

optional_policy(`
    usermanage_access_check_groupadd(puppet_t)
    usermanage_access_check_passwd(puppet_t)
    usermanage_access_check_useradd(puppet_t)
')

optional_policy(`
	auth_filetrans_named_content(puppet_t)
')

optional_policy(`
	alsa_filetrans_named_content(puppet_t)
')

optional_policy(`
	bootloader_filetrans_config(puppet_t)
')

optional_policy(`
	devicekit_filetrans_named_content(puppet_t)
')

optional_policy(`
	dnsmasq_filetrans_named_content(puppet_t)
')

optional_policy(`
	kerberos_filetrans_named_content(puppet_t)
')

optional_policy(`
	libs_filetrans_named_content(puppet_t)
')

optional_policy(`
	miscfiles_filetrans_named_content(puppet_t)
')

optional_policy(`
	mta_filetrans_named_content(puppet_t)
')

optional_policy(`
	modules_filetrans_named_content(puppet_t)
')

optional_policy(`
	networkmanager_filetrans_named_content(puppet_t)
')

optional_policy(`
	nx_filetrans_named_content(puppet_t)
')

optional_policy(`
	postfix_filetrans_named_content(puppet_t)
')

optional_policy(`
	quota_filetrans_named_content(puppet_t)
')

optional_policy(`
	sysnet_filetrans_named_content(puppet_t)
')

optional_policy(`
	virt_filetrans_home_content(puppet_t)
')

optional_policy(`
	ssh_filetrans_admin_home_content(puppet_t)
')

########################################
#
# PuppetCA personal policy
#

allow puppetca_t self:capability { dac_override setgid setuid };
allow puppetca_t self:fifo_file rw_fifo_file_perms;

read_files_pattern(puppetca_t, puppet_etc_t, puppet_etc_t)

allow puppetca_t puppet_var_lib_t:dir list_dir_perms;
manage_files_pattern(puppetca_t, puppet_var_lib_t, puppet_var_lib_t)
manage_dirs_pattern(puppetca_t, puppet_var_lib_t, puppet_var_lib_t)

allow puppetca_t puppet_log_t:dir search_dir_perms;

allow puppetca_t puppet_var_run_t:dir search_dir_perms;

kernel_read_system_state(puppetca_t)
# Maybe dontaudit this like we did with other puppet domains?
kernel_read_kernel_sysctls(puppetca_t)

corecmd_exec_bin(puppetca_t)
corecmd_exec_shell(puppetca_t)

dev_read_urand(puppetca_t)
dev_search_sysfs(puppetca_t)

files_read_etc_files(puppetca_t)
files_search_var_lib(puppetca_t)

selinux_validate_context(puppetca_t)

logging_search_logs(puppetca_t)

miscfiles_read_localization(puppetca_t)
miscfiles_read_generic_certs(puppetca_t)

seutil_read_file_contexts(puppetca_t)

optional_policy(`
	hostname_exec(puppetca_t)
')

optional_policy(`
	mta_sendmail_access_check(puppetca_t)
')

optional_policy(`
    usermanage_access_check_groupadd(puppet_t)
    usermanage_access_check_passwd(puppet_t)
    usermanage_access_check_useradd(puppet_t)
')

########################################
#
# Puppet master personal policy
#

allow puppetmaster_t self:capability { dac_read_search dac_override setuid setgid fowner chown fsetid sys_tty_config };
allow puppetmaster_t self:process { signal_perms getsched setsched };
allow puppetmaster_t self:fifo_file rw_fifo_file_perms;
allow puppetmaster_t self:netlink_route_socket create_netlink_socket_perms;
allow puppetmaster_t self:socket create;
allow puppetmaster_t self:tcp_socket create_stream_socket_perms;

list_dirs_pattern(puppetmaster_t, puppet_etc_t, puppet_etc_t)
read_files_pattern(puppetmaster_t, puppet_etc_t, puppet_etc_t)

allow puppetmaster_t puppet_log_t:dir { rw_dir_perms setattr_dir_perms };
allow puppetmaster_t puppet_log_t:file { rw_file_perms create_file_perms setattr_file_perms };
logging_log_filetrans(puppetmaster_t, puppet_log_t, { file dir })
allow puppetmaster_t puppet_log_t:file relabel_file_perms;

manage_dirs_pattern(puppetmaster_t, puppet_var_lib_t, puppet_var_lib_t)
manage_files_pattern(puppetmaster_t, puppet_var_lib_t, puppet_var_lib_t)
allow puppetmaster_t puppet_var_lib_t:dir relabel_dir_perms;
allow puppetmaster_t puppet_var_lib_t:file relabel_file_perms;

setattr_dirs_pattern(puppetmaster_t, puppet_var_run_t, puppet_var_run_t)
create_dirs_pattern(puppetmaster_t, puppet_var_run_t, puppet_var_run_t)
manage_files_pattern(puppetmaster_t, puppet_var_run_t, puppet_var_run_t)
files_pid_filetrans(puppetmaster_t, puppet_var_run_t, { file dir })
allow puppetmaster_t puppet_var_run_t:dir relabel_dir_perms;

manage_dirs_pattern(puppetmaster_t, puppetmaster_tmp_t, puppetmaster_tmp_t)
manage_files_pattern(puppetmaster_t, puppetmaster_tmp_t, puppetmaster_tmp_t)
files_tmp_filetrans(puppetmaster_t, puppetmaster_tmp_t, { file dir })
allow puppetmaster_t puppet_tmp_t:dir relabel_dir_perms;

kernel_dontaudit_search_kernel_sysctl(puppetmaster_t)
kernel_read_network_state(puppetmaster_t)
kernel_read_system_state(puppetmaster_t)
kernel_read_crypto_sysctls(puppetmaster_t)
kernel_read_kernel_sysctls(puppetmaster_t)

corecmd_exec_bin(puppetmaster_t)
corecmd_exec_shell(puppetmaster_t)

corenet_all_recvfrom_netlabel(puppetmaster_t)
corenet_all_recvfrom_unlabeled(puppetmaster_t)
corenet_tcp_sendrecv_generic_if(puppetmaster_t)
corenet_tcp_sendrecv_generic_node(puppetmaster_t)
corenet_tcp_bind_generic_node(puppetmaster_t)
corenet_tcp_bind_puppet_port(puppetmaster_t)
corenet_sendrecv_puppet_server_packets(puppetmaster_t)

# This needs investigation. Puppermasterd is confirmed to bind udp sockets to random high ports.
corenet_udp_bind_generic_node(puppetmaster_t)
corenet_udp_bind_generic_port(puppetmaster_t)

dev_read_rand(puppetmaster_t)
dev_read_urand(puppetmaster_t)
dev_search_sysfs(puppetmaster_t)

domain_read_all_domains_state(puppetmaster_t)
domain_obj_id_change_exemption(puppetmaster_t)

files_read_usr_files(puppetmaster_t)

selinux_validate_context(puppetmaster_t)

auth_use_nsswitch(puppetmaster_t)

logging_send_syslog_msg(puppetmaster_t)

miscfiles_read_localization(puppetmaster_t)
miscfiles_read_generic_certs(puppetmaster_t)

seutil_read_file_contexts(puppetmaster_t)

sysnet_run_ifconfig(puppetmaster_t, system_r)

mta_send_mail(puppetmaster_t)

optional_policy(`
	tunable_policy(`puppetmaster_use_db',`
		mysql_stream_connect(puppetmaster_t)
	')
')

optional_policy(`
	tunable_policy(`puppetmaster_use_db',`
		postgresql_stream_connect(puppetmaster_t)
	')
')

optional_policy(`
	hostname_exec(puppetmaster_t)
')

optional_policy(`
	files_read_usr_symlinks(puppetmaster_t)

	rpm_exec(puppetmaster_t)
	rpm_read_db(puppetmaster_t)
')

optional_policy(`
	usermanage_access_check_groupadd(puppetmaster_t)
	usermanage_access_check_passwd(puppetmaster_t)
	usermanage_access_check_useradd(puppetmaster_t)
')
Commit	Line	Data
e6d8fd1e	1	policy_module(puppet, 1.0.0)
e8779130 CG	2
	3	########################################
	4	#
	5	# Declarations
	6	#
	7
	8	## <desc>
18f2a72d DG	9	## <p>
	10	## Allow Puppet client to manage all file
	11	## types.
	12	## </p>
e8779130 CG	13	## </desc>
	14	gen_tunable(puppet_manage_all_files, false)
	15
0cc202b2 MG	16	## <desc>
0cc202b2 MG	17	## <p>
a961536a	18	## Allow Puppet master to use connect to MySQL and PostgreSQL database
0cc202b2 MG	19	## </p>
	20	## </desc>
	21	gen_tunable(puppetmaster_use_db, false)
	22
e8779130 CG	23	type puppet_t;
	24	type puppet_exec_t;
	25	init_daemon_domain(puppet_t, puppet_exec_t)
	26
e6d8fd1e CP	27	type puppet_etc_t;
	28	files_config_file(puppet_etc_t)
	29
e8779130	30	type puppet_initrc_exec_t;
e6d8fd1e	31	init_script_file(puppet_initrc_exec_t)
e8779130 CG	32
	33	type puppet_log_t;
	34	logging_log_file(puppet_log_t)
	35
e6d8fd1e CP	36	type puppet_tmp_t;
	37	files_tmp_file(puppet_tmp_t)
	38
e8779130 CG	39	type puppet_var_lib_t;
	40	files_type(puppet_var_lib_t)
	41
	42	type puppet_var_run_t;
	43	files_pid_file(puppet_var_run_t)
	44
51b8b4c0 DW	45	type puppetca_t;
	46	type puppetca_exec_t;
	47	application_domain(puppetca_t, puppetca_exec_t)
	48	role system_r types puppetca_t;
	49
e8779130 CG	50	type puppetmaster_t;
	51	type puppetmaster_exec_t;
	52	init_daemon_domain(puppetmaster_t, puppetmaster_exec_t)
	53
e6d8fd1e CP	54	type puppetmaster_initrc_exec_t;
e6d8fd1e CP	55	init_script_file(puppetmaster_initrc_exec_t)
e8779130 CG	56
	57	type puppetmaster_tmp_t;
	58	files_tmp_file(puppetmaster_tmp_t)
	59
	60	########################################
	61	#
	62	# Puppet personal policy
	63	#
	64
995bdbb1	65	allow puppet_t self:capability { fowner fsetid setuid setgid dac_override sys_nice sys_tty_config };
e6d8fd1e	66	allow puppet_t self:process { signal signull getsched setsched };
e8779130 CG	67	allow puppet_t self:fifo_file rw_fifo_file_perms;
e8779130 CG	68	allow puppet_t self:netlink_route_socket create_netlink_socket_perms;
e8779130 CG	69	allow puppet_t self:tcp_socket create_stream_socket_perms;
	70	allow puppet_t self:udp_socket create_socket_perms;
	71
e8779130 CG	72	read_files_pattern(puppet_t, puppet_etc_t, puppet_etc_t)
e8779130 CG	73
e6d8fd1e	74	manage_dirs_pattern(puppet_t, puppet_var_lib_t, puppet_var_lib_t)
e8779130	75	manage_files_pattern(puppet_t, puppet_var_lib_t, puppet_var_lib_t)
e6d8fd1e	76	files_search_var_lib(puppet_t)
e8779130	77
3eaa9939	78	manage_dirs_pattern(puppet_t, puppet_var_run_t, puppet_var_run_t)
e8779130 CG	79	manage_files_pattern(puppet_t, puppet_var_run_t, puppet_var_run_t)
	80	files_pid_filetrans(puppet_t, puppet_var_run_t, { file dir })
	81
	82	create_dirs_pattern(puppet_t, var_log_t, puppet_log_t)
	83	create_files_pattern(puppet_t, puppet_log_t, puppet_log_t)
	84	append_files_pattern(puppet_t, puppet_log_t, puppet_log_t)
	85	logging_log_filetrans(puppet_t, puppet_log_t, { file dir })
	86
	87	manage_dirs_pattern(puppet_t, puppet_tmp_t, puppet_tmp_t)
	88	manage_files_pattern(puppet_t, puppet_tmp_t, puppet_tmp_t)
	89	files_tmp_filetrans(puppet_t, puppet_tmp_t, { file dir })
	90
e6d8fd1e CP	91	kernel_dontaudit_search_sysctl(puppet_t)
	92	kernel_dontaudit_search_kernel_sysctl(puppet_t)
	93	kernel_read_system_state(puppet_t)
	94	kernel_read_crypto_sysctls(puppet_t)
911d3ea7	95	kernel_read_kernel_sysctls(puppet_t)
e6d8fd1e	96
911d3ea7 DW	97	corecmd_read_all_executables(puppet_t)
911d3ea7 DW	98	corecmd_dontaudit_access_all_executables(puppet_t)
e6d8fd1e CP	99	corecmd_exec_bin(puppet_t)
e6d8fd1e CP	100	corecmd_exec_shell(puppet_t)
e8779130 CG	101
	102	corenet_all_recvfrom_netlabel(puppet_t)
	103	corenet_all_recvfrom_unlabeled(puppet_t)
e8779130 CG	104	corenet_tcp_sendrecv_generic_if(puppet_t)
e8779130 CG	105	corenet_tcp_sendrecv_generic_node(puppet_t)
e8779130	106	corenet_tcp_bind_generic_node(puppet_t)
e6d8fd1e CP	107	corenet_tcp_connect_puppet_port(puppet_t)
e6d8fd1e CP	108	corenet_sendrecv_puppet_client_packets(puppet_t)
e8779130 CG	109
	110	dev_read_rand(puppet_t)
	111	dev_read_sysfs(puppet_t)
	112	dev_read_urand(puppet_t)
	113
	114	domain_read_all_domains_state(puppet_t)
	115	domain_interactive_fd(puppet_t)
	116
	117	files_manage_config_files(puppet_t)
	118	files_manage_config_dirs(puppet_t)
	119	files_manage_etc_dirs(puppet_t)
	120	files_manage_etc_files(puppet_t)
911d3ea7	121	files_read_usr_files(puppet_t)
e8779130 CG	122	files_read_usr_symlinks(puppet_t)
	123	files_relabel_config_dirs(puppet_t)
	124	files_relabel_config_files(puppet_t)
e6d8fd1e CP	125
	126	selinux_search_fs(puppet_t)
	127	selinux_set_all_booleans(puppet_t)
	128	selinux_set_generic_booleans(puppet_t)
	129	selinux_validate_context(puppet_t)
	130
	131	term_dontaudit_getattr_unallocated_ttys(puppet_t)
c3c753f7	132	term_dontaudit_getattr_all_ttys(puppet_t)
e8779130	133
911d3ea7 DW	134	auth_use_nsswitch(puppet_t)
	135	auth_read_passwd(puppet_t)
	136
e8779130 CG	137	init_all_labeled_script_domtrans(puppet_t)
	138	init_domtrans_script(puppet_t)
	139	init_read_utmp(puppet_t)
	140	init_signull_script(puppet_t)
	141
e8779130 CG	142	logging_send_syslog_msg(puppet_t)
	143
	144	miscfiles_read_hwdata(puppet_t)
	145	miscfiles_read_localization(puppet_t)
	146
e8779130 CG	147	seutil_domtrans_setfiles(puppet_t)
e8779130 CG	148	seutil_domtrans_semanage(puppet_t)
911d3ea7	149	seutil_read_file_contexts(puppet_t)
e8779130 CG	150
	151	sysnet_dns_name_resolve(puppet_t)
	152	sysnet_run_ifconfig(puppet_t, system_r)
	153
e8779130	154	tunable_policy(`puppet_manage_all_files',`
d500db40	155	files_manage_non_security_files(puppet_t)
e8779130 CG	156	')
e8779130 CG	157
911d3ea7 DW	158	optional_policy(`
	159	cfengine_read_lib_files(puppet_t)
	160	')
	161
e8779130	162	optional_policy(`
e200bcc0	163	consoletype_exec(puppet_t)
e8779130 CG	164	')
	165
	166	optional_policy(`
	167	hostname_exec(puppet_t)
	168	')
	169
72f28cc1 DW	170	optional_policy(`
	171	mount_domtrans(puppet_t)
	172	')
	173
911d3ea7 DW	174	optional_policy(`
	175	mta_send_mail(puppet_t)
	176	')
	177
e8779130 CG	178	optional_policy(`
e8779130 CG	179	files_rw_var_files(puppet_t)
e8779130 CG	180
	181	rpm_domtrans(puppet_t)
	182	rpm_manage_db(puppet_t)
	183	rpm_manage_log(puppet_t)
	184	')
	185
	186	optional_policy(`
	187	unconfined_domain(puppet_t)
	188	')
	189
	190	optional_policy(`
2fb1144a MG	191	usermanage_access_check_groupadd(puppet_t)
	192	usermanage_access_check_passwd(puppet_t)
	193	usermanage_access_check_useradd(puppet_t)
e8779130 CG	194	')
e8779130 CG	195
3b77eb09 DW	196	optional_policy(`
	197	auth_filetrans_named_content(puppet_t)
	198	')
	199
	200	optional_policy(`
	201	alsa_filetrans_named_content(puppet_t)
	202	')
	203
	204	optional_policy(`
	205	bootloader_filetrans_config(puppet_t)
	206	')
	207
	208	optional_policy(`
	209	devicekit_filetrans_named_content(puppet_t)
	210	')
	211
	212	optional_policy(`
	213	dnsmasq_filetrans_named_content(puppet_t)
	214	')
	215
	216	optional_policy(`
	217	kerberos_filetrans_named_content(puppet_t)
	218	')
	219
	220	optional_policy(`
	221	libs_filetrans_named_content(puppet_t)
	222	')
	223
	224	optional_policy(`
	225	miscfiles_filetrans_named_content(puppet_t)
	226	')
	227
	228	optional_policy(`
	229	mta_filetrans_named_content(puppet_t)
	230	')
	231
	232	optional_policy(`
	233	modules_filetrans_named_content(puppet_t)
	234	')
	235
	236	optional_policy(`
	237	networkmanager_filetrans_named_content(puppet_t)
	238	')
	239
	240	optional_policy(`
	241	nx_filetrans_named_content(puppet_t)
	242	')
	243
	244	optional_policy(`
	245	postfix_filetrans_named_content(puppet_t)
	246	')
	247
	248	optional_policy(`
	249	quota_filetrans_named_content(puppet_t)
	250	')
	251
	252	optional_policy(`
	253	sysnet_filetrans_named_content(puppet_t)
	254	')
	255
	256	optional_policy(`
	257	virt_filetrans_home_content(puppet_t)
	258	')
	259
260	optional_policy(`
261	ssh_filetrans_admin_home_content(puppet_t)
262	')
263
51b8b4c0 DW	264	########################################
	265	#
	266	# PuppetCA personal policy
	267	#
	268
	269	allow puppetca_t self:capability { dac_override setgid setuid };
	270	allow puppetca_t self:fifo_file rw_fifo_file_perms;
	271
	272	read_files_pattern(puppetca_t, puppet_etc_t, puppet_etc_t)
	273
	274	allow puppetca_t puppet_var_lib_t:dir list_dir_perms;
	275	manage_files_pattern(puppetca_t, puppet_var_lib_t, puppet_var_lib_t)
	276	manage_dirs_pattern(puppetca_t, puppet_var_lib_t, puppet_var_lib_t)
	277
	278	allow puppetca_t puppet_log_t:dir search_dir_perms;
	279
	280	allow puppetca_t puppet_var_run_t:dir search_dir_perms;
	281
	282	kernel_read_system_state(puppetca_t)
	283	# Maybe dontaudit this like we did with other puppet domains?
	284	kernel_read_kernel_sysctls(puppetca_t)
	285
	286	corecmd_exec_bin(puppetca_t)
	287	corecmd_exec_shell(puppetca_t)
	288
	289	dev_read_urand(puppetca_t)
	290	dev_search_sysfs(puppetca_t)
	291
	292	files_read_etc_files(puppetca_t)
	293	files_search_var_lib(puppetca_t)
	294
	295	selinux_validate_context(puppetca_t)
	296
	297	logging_search_logs(puppetca_t)
	298
	299	miscfiles_read_localization(puppetca_t)
	300	miscfiles_read_generic_certs(puppetca_t)
	301
	302	seutil_read_file_contexts(puppetca_t)
	303
	304	optional_policy(`
	305	hostname_exec(puppetca_t)
	306	')
	307
	308	optional_policy(`
	309	mta_sendmail_access_check(puppetca_t)
	310	')
	311
	312	optional_policy(`
6e4e4f69 MG	313	usermanage_access_check_groupadd(puppet_t)
	314	usermanage_access_check_passwd(puppet_t)
	315	usermanage_access_check_useradd(puppet_t)
51b8b4c0 DW	316	')
51b8b4c0 DW	317
e8779130 CG	318	########################################
e8779130 CG	319	#
7933b71c	320	# Puppet master personal policy
e8779130 CG	321	#
	322
	323	allow puppetmaster_t self:capability { dac_read_search dac_override setuid setgid fowner chown fsetid sys_tty_config };
e8779130	324	allow puppetmaster_t self:process { signal_perms getsched setsched };
e6d8fd1e CP	325	allow puppetmaster_t self:fifo_file rw_fifo_file_perms;
e6d8fd1e CP	326	allow puppetmaster_t self:netlink_route_socket create_netlink_socket_perms;
e8779130 CG	327	allow puppetmaster_t self:socket create;
e8779130 CG	328	allow puppetmaster_t self:tcp_socket create_stream_socket_perms;
e8779130 CG	329
	330	list_dirs_pattern(puppetmaster_t, puppet_etc_t, puppet_etc_t)
	331	read_files_pattern(puppetmaster_t, puppet_etc_t, puppet_etc_t)
	332
0f7c4002 DG	333	allow puppetmaster_t puppet_log_t:dir { rw_dir_perms setattr_dir_perms };
0f7c4002 DG	334	allow puppetmaster_t puppet_log_t:file { rw_file_perms create_file_perms setattr_file_perms };
e6d8fd1e	335	logging_log_filetrans(puppetmaster_t, puppet_log_t, { file dir })
83029ff3	336	allow puppetmaster_t puppet_log_t:file relabel_file_perms;
e6d8fd1e CP	337
e6d8fd1e CP	338	manage_dirs_pattern(puppetmaster_t, puppet_var_lib_t, puppet_var_lib_t)
e8779130	339	manage_files_pattern(puppetmaster_t, puppet_var_lib_t, puppet_var_lib_t)
83029ff3	340	allow puppetmaster_t puppet_var_lib_t:dir relabel_dir_perms;
131bfd09	341	allow puppetmaster_t puppet_var_lib_t:file relabel_file_perms;
e8779130 CG	342
e8779130 CG	343	setattr_dirs_pattern(puppetmaster_t, puppet_var_run_t, puppet_var_run_t)
6727af96	344	create_dirs_pattern(puppetmaster_t, puppet_var_run_t, puppet_var_run_t)
e8779130 CG	345	manage_files_pattern(puppetmaster_t, puppet_var_run_t, puppet_var_run_t)
e8779130 CG	346	files_pid_filetrans(puppetmaster_t, puppet_var_run_t, { file dir })
83029ff3	347	allow puppetmaster_t puppet_var_run_t:dir relabel_dir_perms;
e8779130	348
e8779130 CG	349	manage_dirs_pattern(puppetmaster_t, puppetmaster_tmp_t, puppetmaster_tmp_t)
	350	manage_files_pattern(puppetmaster_t, puppetmaster_tmp_t, puppetmaster_tmp_t)
	351	files_tmp_filetrans(puppetmaster_t, puppetmaster_tmp_t, { file dir })
83029ff3	352	allow puppetmaster_t puppet_tmp_t:dir relabel_dir_perms;
e8779130	353
e6d8fd1e	354	kernel_dontaudit_search_kernel_sysctl(puppetmaster_t)
0ab814bf	355	kernel_read_network_state(puppetmaster_t)
e6d8fd1e CP	356	kernel_read_system_state(puppetmaster_t)
e6d8fd1e CP	357	kernel_read_crypto_sysctls(puppetmaster_t)
3eaa9939	358	kernel_read_kernel_sysctls(puppetmaster_t)
e6d8fd1e CP	359
	360	corecmd_exec_bin(puppetmaster_t)
	361	corecmd_exec_shell(puppetmaster_t)
e8779130 CG	362
	363	corenet_all_recvfrom_netlabel(puppetmaster_t)
	364	corenet_all_recvfrom_unlabeled(puppetmaster_t)
e8779130 CG	365	corenet_tcp_sendrecv_generic_if(puppetmaster_t)
e8779130 CG	366	corenet_tcp_sendrecv_generic_node(puppetmaster_t)
e8779130	367	corenet_tcp_bind_generic_node(puppetmaster_t)
e6d8fd1e CP	368	corenet_tcp_bind_puppet_port(puppetmaster_t)
e6d8fd1e CP	369	corenet_sendrecv_puppet_server_packets(puppetmaster_t)
e8779130	370
51b8b4c0 DW	371	# This needs investigation. Puppermasterd is confirmed to bind udp sockets to random high ports.
	372	corenet_udp_bind_generic_node(puppetmaster_t)
	373	corenet_udp_bind_generic_port(puppetmaster_t)
	374
e8779130 CG	375	dev_read_rand(puppetmaster_t)
e8779130 CG	376	dev_read_urand(puppetmaster_t)
fcafda3a	377	dev_search_sysfs(puppetmaster_t)
e8779130 CG	378
e8779130 CG	379	domain_read_all_domains_state(puppetmaster_t)
01f4082a	380	domain_obj_id_change_exemption(puppetmaster_t)
e8779130	381
cca142fc	382	files_read_usr_files(puppetmaster_t)
e8779130	383
3eaa9939 DW	384	selinux_validate_context(puppetmaster_t)
3eaa9939 DW	385
8bb61f57 DG	386	auth_use_nsswitch(puppetmaster_t)
8bb61f57 DG	387
e8779130 CG	388	logging_send_syslog_msg(puppetmaster_t)
	389
	390	miscfiles_read_localization(puppetmaster_t)
09244616	391	miscfiles_read_generic_certs(puppetmaster_t)
e8779130	392
3eaa9939 DW	393	seutil_read_file_contexts(puppetmaster_t)
3eaa9939 DW	394
e8779130 CG	395	sysnet_run_ifconfig(puppetmaster_t, system_r)
e8779130 CG	396
3eaa9939 DW	397	mta_send_mail(puppetmaster_t)
3eaa9939 DW	398
0cc202b2	399	optional_policy(`
51b8b4c0 DW	400	tunable_policy(`puppetmaster_use_db',`
	401	mysql_stream_connect(puppetmaster_t)
	402	')
0cc202b2 MG	403	')
	404
	405	optional_policy(`
51b8b4c0 DW	406	tunable_policy(`puppetmaster_use_db',`
	407	postgresql_stream_connect(puppetmaster_t)
	408	')
0cc202b2 MG	409	')
0cc202b2 MG	410
e8779130 CG	411	optional_policy(`
	412	hostname_exec(puppetmaster_t)
	413	')
	414
	415	optional_policy(`
	416	files_read_usr_symlinks(puppetmaster_t)
	417
	418	rpm_exec(puppetmaster_t)
	419	rpm_read_db(puppetmaster_t)
	420	')
f9bbd9cf DW	421
f9bbd9cf DW	422	optional_policy(`
884c081a DG	423	usermanage_access_check_groupadd(puppetmaster_t)
	424	usermanage_access_check_passwd(puppetmaster_t)
	425	usermanage_access_check_useradd(puppetmaster_t)
f9bbd9cf	426	')