Diffstat (limited to 'policy/modules/contrib/puppet.te')
-rw-r--r--policy/modules/contrib/puppet.te409
1 files changed, 0 insertions, 409 deletions
diff --git a/policy/modules/contrib/puppet.te b/policy/modules/contrib/puppet.te
deleted file mode 100644
index 9f89323d..00000000
--- a/policy/modules/contrib/puppet.te
+++ /dev/null
@@ -1,409 +0,0 @@
-policy_module(puppet, 1.3.7)
-
-########################################
-#
-# Declarations
-#
-
-## <desc>
-## <p>
-## Determine whether puppet can
-## manage all non-security files.
-## </p>
-## </desc>
-gen_tunable(puppet_manage_all_files, false)
-
-attribute_role puppetca_roles;
-roleattribute system_r puppetca_roles;
-
-type puppet_t;
-type puppet_exec_t;
-init_daemon_domain(puppet_t, puppet_exec_t)
-
-type puppet_etc_t;
-files_config_file(puppet_etc_t)
-
-type puppet_initrc_exec_t;
-init_script_file(puppet_initrc_exec_t)
-
-type puppet_log_t;
-logging_log_file(puppet_log_t)
-
-type puppet_tmp_t;
-files_tmp_file(puppet_tmp_t)
-
-type puppet_var_lib_t;
-files_type(puppet_var_lib_t)
-
-type puppet_var_run_t;
-files_pid_file(puppet_var_run_t)
-init_daemon_run_dir(puppet_var_run_t, "puppet")
-
-type puppetca_t;
-type puppetca_exec_t;
-application_domain(puppetca_t, puppetca_exec_t)
-role puppetca_roles types puppetca_t;
-
-type puppetmaster_t;
-type puppetmaster_exec_t;
-init_daemon_domain(puppetmaster_t, puppetmaster_exec_t)
-
-type puppetmaster_initrc_exec_t;
-init_script_file(puppetmaster_initrc_exec_t)
-
-type puppetmaster_tmp_t;
-files_tmp_file(puppetmaster_tmp_t)
-
-########################################
-#
-# Local policy
-#
-
-allow puppet_t self:capability { chown fowner fsetid setuid setgid dac_override sys_admin sys_nice sys_tty_config };
-allow puppet_t self:process { signal signull getsched setsched };
-allow puppet_t self:fifo_file rw_fifo_file_perms;
-allow puppet_t self:netlink_route_socket create_netlink_socket_perms;
-allow puppet_t self:tcp_socket { accept listen };
-allow puppet_t self:udp_socket create_socket_perms;
-
-allow puppet_t puppet_etc_t:dir list_dir_perms;
-allow puppet_t puppet_etc_t:file read_file_perms;
-allow puppet_t puppet_etc_t:lnk_file read_lnk_file_perms;
-
-manage_dirs_pattern(puppet_t, puppet_var_lib_t, puppet_var_lib_t)
-manage_files_pattern(puppet_t, puppet_var_lib_t, puppet_var_lib_t)
-can_exec(puppet_t, puppet_var_lib_t)
-
-setattr_dirs_pattern(puppet_t, puppet_var_run_t, puppet_var_run_t)
-manage_files_pattern(puppet_t, puppet_var_run_t, puppet_var_run_t)
-files_pid_filetrans(puppet_t, puppet_var_run_t, { file dir })
-
-allow puppet_t puppet_log_t:dir { create_dir_perms setattr_dir_perms };
-append_files_pattern(puppet_t, puppet_log_t, puppet_log_t)
-create_files_pattern(puppet_t, puppet_log_t, puppet_log_t)
-read_files_pattern(puppet_t, puppet_log_t, puppet_log_t)
-setattr_files_pattern(puppet_t, puppet_log_t, puppet_log_t)
-logging_log_filetrans(puppet_t, puppet_log_t, { file dir })
-
-manage_dirs_pattern(puppet_t, puppet_tmp_t, puppet_tmp_t)
-manage_files_pattern(puppet_t, puppet_tmp_t, puppet_tmp_t)
-files_tmp_filetrans(puppet_t, puppet_tmp_t, { file dir })
-
-kernel_dontaudit_search_sysctl(puppet_t)
-kernel_dontaudit_search_kernel_sysctl(puppet_t)
-kernel_read_crypto_sysctls(puppet_t)
-kernel_read_kernel_sysctls(puppet_t)
-kernel_read_net_sysctls(puppet_t)
-kernel_read_network_state(puppet_t)
-
-corecmd_exec_bin(puppet_t)
-corecmd_exec_shell(puppet_t)
-corecmd_read_all_executables(puppet_t)
-
-corenet_all_recvfrom_netlabel(puppet_t)
-corenet_all_recvfrom_unlabeled(puppet_t)
-corenet_tcp_sendrecv_generic_if(puppet_t)
-corenet_tcp_sendrecv_generic_node(puppet_t)
-
-corenet_sendrecv_puppet_client_packets(puppet_t)
-corenet_tcp_connect_puppet_port(puppet_t)
-corenet_tcp_sendrecv_puppet_port(puppet_t)
-
-dev_read_rand(puppet_t)
-dev_read_sysfs(puppet_t)
-dev_read_urand(puppet_t)
-
-domain_interactive_fd(puppet_t)
-domain_read_all_domains_state(puppet_t)
-
-files_manage_config_files(puppet_t)
-files_manage_config_dirs(puppet_t)
-files_manage_etc_dirs(puppet_t)
-files_manage_etc_files(puppet_t)
-files_read_usr_files(puppet_t)
-files_read_usr_symlinks(puppet_t)
-files_relabel_config_dirs(puppet_t)
-files_relabel_config_files(puppet_t)
-files_search_var_lib(puppet_t)
-
-selinux_get_fs_mount(puppet_t)
-selinux_search_fs(puppet_t)
-selinux_set_all_booleans(puppet_t)
-selinux_set_generic_booleans(puppet_t)
-selinux_validate_context(puppet_t)
-
-term_dontaudit_getattr_unallocated_ttys(puppet_t)
-term_dontaudit_getattr_all_ttys(puppet_t)
-
-init_all_labeled_script_domtrans(puppet_t)
-init_domtrans_script(puppet_t)
-init_read_utmp(puppet_t)
-init_signull_script(puppet_t)
-
-logging_send_syslog_msg(puppet_t)
-
-miscfiles_read_hwdata(puppet_t)
-miscfiles_read_localization(puppet_t)
-
-mount_domtrans(puppet_t)
-
-seutil_domtrans_setfiles(puppet_t)
-seutil_domtrans_semanage(puppet_t)
-
-sysnet_run_ifconfig(puppet_t, system_r)
-sysnet_use_ldap(puppet_t)
-
-tunable_policy(`puppet_manage_all_files',`
- files_manage_non_auth_files(puppet_t)
-')
-
-optional_policy(`
- cfengine_read_lib_files(puppet_t)
-')
-
-optional_policy(`
- consoletype_exec(puppet_t)
-')
-
-optional_policy(`
- hostname_exec(puppet_t)
-')
-
-optional_policy(`
- mount_domtrans(puppet_t)
-')
-
-optional_policy(`
- mta_send_mail(puppet_t)
-')
-
-optional_policy(`
- portage_domtrans(puppet_t)
- portage_domtrans_fetch(puppet_t)
- portage_domtrans_gcc_config(puppet_t)
-')
-
-optional_policy(`
- files_rw_var_files(puppet_t)
-
- rpm_domtrans(puppet_t)
- rpm_manage_db(puppet_t)
- rpm_manage_log(puppet_t)
-')
-
-optional_policy(`
- unconfined_domain(puppet_t)
-')
-
-optional_policy(`
- usermanage_domtrans_groupadd(puppet_t)
- usermanage_domtrans_useradd(puppet_t)
-')
-
-########################################
-#
-# Ca local policy
-#
-
-allow puppetca_t self:capability { dac_override setgid setuid };
-allow puppetca_t self:fifo_file rw_fifo_file_perms;
-
-allow puppetca_t puppet_etc_t:dir list_dir_perms;
-allow puppetca_t puppet_etc_t:file read_file_perms;
-allow puppetca_t puppet_etc_t:lnk_file read_lnk_file_perms;
-
-allow puppetca_t puppet_var_lib_t:dir list_dir_perms;
-manage_files_pattern(puppetca_t, puppet_var_lib_t, puppet_var_lib_t)
-manage_dirs_pattern(puppetca_t, puppet_var_lib_t, puppet_var_lib_t)
-
-allow puppetca_t puppet_log_t:dir search_dir_perms;
-
-allow puppetca_t puppet_var_run_t:dir search_dir_perms;
-
-kernel_read_system_state(puppetca_t)
-kernel_read_kernel_sysctls(puppetca_t)
-
-corecmd_exec_bin(puppetca_t)
-corecmd_exec_shell(puppetca_t)
-
-dev_read_urand(puppetca_t)
-dev_search_sysfs(puppetca_t)
-
-files_read_etc_files(puppetca_t)
-files_search_pids(puppetca_t)
-files_search_var_lib(puppetca_t)
-
-selinux_validate_context(puppetca_t)
-
-logging_search_logs(puppetca_t)
-
-miscfiles_read_localization(puppetca_t)
-miscfiles_read_generic_certs(puppetca_t)
-
-seutil_read_file_contexts(puppetca_t)
-
-optional_policy(`
- hostname_exec(puppetca_t)
-')
-
-########################################
-#
-# Master local policy
-#
-
-allow puppetmaster_t self:capability { dac_read_search dac_override setuid setgid fowner chown fsetid sys_tty_config };
-allow puppetmaster_t self:process { signal_perms getsched setsched };
-allow puppetmaster_t self:fifo_file rw_fifo_file_perms;
-allow puppetmaster_t self:netlink_route_socket nlmsg_write;
-allow puppetmaster_t self:socket create;
-allow puppetmaster_t self:tcp_socket { accept listen };
-
-allow puppetmaster_t puppet_etc_t:dir list_dir_perms;
-allow puppetmaster_t puppet_etc_t:file read_file_perms;
-allow puppetmaster_t puppet_etc_t:lnk_file read_lnk_file_perms;
-
-allow puppetmaster_t puppet_log_t:dir setattr_dir_perms;
-append_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t)
-create_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t)
-setattr_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t)
-logging_log_filetrans(puppetmaster_t, puppet_log_t, { file dir })
-
-allow puppetmaster_t puppet_var_lib_t:dir { manage_dir_perms relabel_dir_perms };
-allow puppetmaster_t puppet_var_lib_t:file { manage_file_perms relabel_file_perms };
-
-allow puppetmaster_t puppet_var_run_t:dir { create_dir_perms setattr_dir_perms relabel_dir_perms };
-allow puppetmaster_t puppet_var_run_t:file manage_file_perms;
-files_pid_filetrans(puppetmaster_t, puppet_var_run_t, { file dir })
-
-allow puppetmaster_t puppetmaster_tmp_t:dir { manage_dir_perms relabel_dir_perms };
-allow puppetmaster_t puppetmaster_tmp_t:file manage_file_perms;
-files_tmp_filetrans(puppetmaster_t, puppetmaster_tmp_t, { file dir })
-
-kernel_dontaudit_search_kernel_sysctl(puppetmaster_t)
-kernel_read_network_state(puppetmaster_t)
-kernel_read_system_state(puppetmaster_t)
-kernel_read_crypto_sysctls(puppetmaster_t)
-kernel_read_kernel_sysctls(puppetmaster_t)
-
-corecmd_exec_bin(puppetmaster_t)
-corecmd_exec_shell(puppetmaster_t)
-
-corenet_all_recvfrom_netlabel(puppetmaster_t)
-corenet_all_recvfrom_unlabeled(puppetmaster_t)
-corenet_tcp_sendrecv_generic_if(puppetmaster_t)
-corenet_tcp_sendrecv_generic_node(puppetmaster_t)
-corenet_tcp_bind_generic_node(puppetmaster_t)
-
-corenet_sendrecv_puppet_server_packets(puppetmaster_t)
-corenet_tcp_bind_puppet_port(puppetmaster_t)
-corenet_tcp_sendrecv_puppet_port(puppetmaster_t)
-
-dev_read_rand(puppetmaster_t)
-dev_read_urand(puppetmaster_t)
-dev_search_sysfs(puppetmaster_t)
-
-domain_obj_id_change_exemption(puppetmaster_t)
-domain_read_all_domains_state(puppetmaster_t)
-
-files_read_usr_files(puppetmaster_t)
-
-selinux_validate_context(puppetmaster_t)
-
-auth_use_nsswitch(puppetmaster_t)
-
-logging_send_syslog_msg(puppetmaster_t)
-
-miscfiles_read_generic_certs(puppetmaster_t)
-miscfiles_read_localization(puppetmaster_t)
-
-seutil_read_file_contexts(puppetmaster_t)
-
-sysnet_run_ifconfig(puppetmaster_t, system_r)
-
-optional_policy(`
- hostname_exec(puppetmaster_t)
-')
-
-optional_policy(`
- mta_send_mail(puppetmaster_t)
-')
-
-optional_policy(`
- mysql_stream_connect(puppetmaster_t)
-')
-
-optional_policy(`
- postgresql_stream_connect(puppetmaster_t)
-')
-
-optional_policy(`
- files_read_usr_symlinks(puppetmaster_t)
-
- rpm_exec(puppetmaster_t)
- rpm_read_db(puppetmaster_t)
-')
-
-ifdef(`distro_gentoo',`
- ##########################################
- #
- # Puppet master policy
- #
-
- rw_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t)
-
- manage_files_pattern(puppetmaster_t, puppet_var_run_t, puppet_var_run_t)
-
- optional_policy(`
- usermanage_check_exec_passwd(puppetmaster_t)
- usermanage_check_exec_useradd(puppetmaster_t)
- ')
-
- ###########################################
- #
- # Puppet client policy
- #
- corenet_tcp_bind_generic_node(puppet_t)
-
- corenet_sendrecv_puppetclient_server_packets(puppet_t)
- corenet_tcp_bind_puppetclient_port(puppet_t)
- corenet_tcp_sendrecv_puppetclient_port(puppet_t)
-
- usermanage_domtrans_passwd(puppet_t)
-
- tunable_policy(`puppet_manage_all_files',`
- # We should use files_relabel_all_files here, but it calls
- # seutil_relabelto_bin_policy which sets a "typeattribute type attr",
- # which is not allowed within a tunable_policy.
- # So, we duplicate the content of files_relabel_all_files except for
- # the policy configuration stuff and hope users do that through Portage
-
- gen_require(`
- attribute file_type;
- attribute security_file_type;
- type policy_config_t;
- ')
-
- allow puppet_t { file_type -policy_config_t -security_file_type }:dir list_dir_perms;
- relabel_dirs_pattern(puppet_t, { file_type -policy_config_t -security_file_type }, { file_type -policy_config_t -security_file_type })
- relabel_files_pattern(puppet_t, { file_type -policy_config_t -security_file_type }, { file_type -policy_config_t -security_file_type })
- relabel_lnk_files_pattern(puppet_t, { file_type -policy_config_t -security_file_type }, { file_type -policy_config_t -security_file_type })
- relabel_fifo_files_pattern(puppet_t, { file_type -policy_config_t -security_file_type }, { file_type -policy_config_t -security_file_type })
- relabel_sock_files_pattern(puppet_t, { file_type -policy_config_t -security_file_type }, { file_type -policy_config_t -security_file_type })
- # this is only relabelfrom since there should be no
- # device nodes with file types.
- relabelfrom_blk_files_pattern(puppet_t, { file_type -policy_config_t -security_file_type }, { file_type -policy_config_t -security_file_type })
- relabelfrom_chr_files_pattern(puppet_t, { file_type -policy_config_t -security_file_type }, { file_type -policy_config_t -security_file_type })
- ')
-
- optional_policy(`
- dmidecode_domtrans(puppet_t)
- ')
-
- optional_policy(`
- init_exec_rc(puppet_t)
- portage_read_cache(puppet_t)
- portage_read_config(puppet_t)
- portage_read_ebuild(puppet_t)
- portage_run(puppet_t, system_r)
- ')
-')