## <summary>Puppet client daemon</summary>
## <desc>
##	<p>
##	Puppet is a configuration management system written in Ruby.
##	The client daemon is responsible for periodically requesting the
##	desired system state from the server and ensuring that the state of
##	the client system matches it.
##	</p>
## </desc>
10
########################################
## <summary>
##	Execute puppetca in the puppetca domain.
## </summary>
## <desc>
##	<p>
##	Grants the caller an automatic domain transition to puppetca_t
##	when it executes a file labelled puppetca_exec_t, together with
##	the search access on bin directories needed to reach that
##	executable.  domtrans_pattern also bundles the usual parent/child
##	rules (inherited fd use, fifo read/write, sigchld).  No role is
##	authorized here; interactive users need puppet_run_puppetca().
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`puppet_domtrans_puppetca',`
	gen_require(`
		type puppetca_t, puppetca_exec_t;
	')

	# The two rule sets are independent; order is irrelevant to the policy.
	domtrans_pattern($1, puppetca_exec_t, puppetca_t)
	corecmd_search_bin($1)
')
30
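########################################
## <summary>
##	Execute puppetca in the puppetca domain and
##	allow the specified role the puppetca domain.
## </summary>
## <desc>
##	<p>
##	Wraps puppet_domtrans_puppetca() and additionally authorizes the
##	given role for puppetca_t, which is what an interactive user
##	session needs for the transition to actually be reachable.
##	Only puppetca_t is required here: puppetca_exec_t is used solely
##	by the nested domtrans interface, which carries its own
##	gen_require, so it is not re-declared in this interface.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`puppet_run_puppetca',`
	gen_require(`
		type puppetca_t;
	')

	puppet_domtrans_puppetca($1)
	# The role must be authorized for the target domain or the
	# transition set up above is unreachable from a user session.
	role $2 types puppetca_t;
')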
57
########################################
## <summary>
##	Read and write inherited Puppet temp files.
## </summary>
## <desc>
##	<p>
##	Puppet runs some system binaries (groupadd, etc.) that execute in
##	a non-puppet domain and redirects their output into temp files.
##	This interface lets such a domain read from and write to those
##	files through descriptors inherited from puppet.  The permission
##	set is rw_inherited_file_perms, which does not include open, so
##	the domain gains no ability to open puppet_tmp_t files on its own;
##	it can only use the descriptors it was handed.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`puppet_rw_tmp',`
	gen_require(`
		type puppet_tmp_t;
	')

	files_search_tmp($1)
	# Inherited-descriptor permissions only: no open on puppet_tmp_t.
	allow $1 puppet_tmp_t:file rw_inherited_file_perms;
')
79
########################################
## <summary>
##	Read Puppet lib files.
## </summary>
## <desc>
##	<p>
##	Grants read access to files labelled puppet_var_lib_t and the
##	directory search access needed to reach them, both within the
##	puppet_var_lib_t tree (via read_files_pattern) and through the
##	/var/lib parent (via files_search_var_lib).  Symbolic links and
##	other non-regular objects under puppet_var_lib_t are not covered.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`puppet_read_lib',`
	gen_require(`
		type puppet_var_lib_t;
	')

	# Reach /var/lib first, then the puppet tree under it.
	files_search_var_lib($1)
	read_files_pattern($1, puppet_var_lib_t, puppet_var_lib_t)
')
98
########################################
## <summary>
##	Manage Puppet lib files.
## </summary>
## <desc>
##	<p>
##	Grants create/read/write/delete access to files labelled
##	puppet_var_lib_t, plus the directory access manage_files_pattern
##	needs on the puppet_var_lib_t tree and search access on /var/lib.
##	Only files are managed: this interface does not call
##	manage_dirs_pattern, so the domain cannot create or remove
##	puppet_var_lib_t directories.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`puppet_manage_lib',`
	gen_require(`
		type puppet_var_lib_t;
	')

	# Reach /var/lib first, then the puppet tree under it.
	files_search_var_lib($1)
	manage_files_pattern($1, puppet_var_lib_t, puppet_var_lib_t)
')
117
########################################
## <summary>
##	Allow the specified domain to search puppet's log files.
## </summary>
## <desc>
##	<p>
##	Grants search (not read) on puppet_log_t directories, together
##	with the search access on the general log directory tree needed
##	to reach them.  Reading the log files themselves is not granted.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`puppet_search_log',`
	gen_require(`
		type puppet_log_t;
	')

	# Directory traversal only; no file-level access is granted here.
	allow $1 puppet_log_t:dir search_dir_perms;
	logging_search_logs($1)
')
136
########################################
## <summary>
##	Allow the specified domain to search puppet's pid files.
## </summary>
## <desc>
##	<p>
##	Grants search (not read) on puppet_var_run_t directories, together
##	with the search access on the pid directory tree needed to reach
##	them.  Reading the pid files themselves is not granted.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`puppet_search_pid',`
	gen_require(`
		type puppet_var_run_t;
	')

	# Directory traversal only; no file-level access is granted here.
	allow $1 puppet_var_run_t:dir search_dir_perms;
	files_search_pids($1)
')