From: "Sven Vermeulen"
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Sven Vermeulen"
Message-ID: <1408103457.a9afa8e22feb6f7102d0c2c3b0199f5343d179b7.swift@gentoo>
Subject: [gentoo-commits] proj/hardened-refpolicy:salt commit in: policy/modules/contrib/
X-VCS-Repository: proj/hardened-refpolicy
X-VCS-Files: policy/modules/contrib/salt.fc policy/modules/contrib/salt.if policy/modules/contrib/salt.te
X-VCS-Directories: policy/modules/contrib/
X-VCS-Committer: swift
X-VCS-Committer-Name: Sven Vermeulen
X-VCS-Revision: a9afa8e22feb6f7102d0c2c3b0199f5343d179b7
X-VCS-Branch: salt
Date: Fri, 15 Aug 2014 11:51:13 +0000 (UTC)
Precedence: bulk
List-Id: Gentoo Linux mail
X-BeenThere: gentoo-commits@lists.gentoo.org
X-Archives-Salt: bfcd806d-5a4d-4b5a-90c4-40a2c3749639
X-Archives-Hash: b5b2f8df707632c44a6d342ed34a0bdb

commit:     a9afa8e22feb6f7102d0c2c3b0199f5343d179b7
Author:     Sven Vermeulen siphos be>
AuthorDate: Sun Aug 10 18:03:34 2014 +0000
Commit:     Sven Vermeulen gentoo org>
CommitDate: Fri Aug 15 11:50:57 2014 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=a9afa8e2

Salt policy

---
 policy/modules/contrib/salt.fc |  29 ++++
 policy/modules/contrib/salt.if |  88 ++++++++++++
 policy/modules/contrib/salt.te | 315 +++++++++++++++++++++++++++++++++++++++++
 3 files changed, 432 insertions(+)

diff --git a/policy/modules/contrib/salt.fc b/policy/modules/contrib/salt.fc
new file mode 100644
index 0000000..399f5ad
--- /dev/null
+++ b/policy/modules/contrib/salt.fc
@@ -0,0 +1,29 @@ +/etc/salt(/.*)? gen_context(system_u:object_r:salt_etc_t,s0) +/etc/salt/pki(/.*)? gen_context(system_u:object_r:salt_pki_t,s0) +/etc/salt/pki/master(/.*)? gen_context(system_u:object_r:salt_master_pki_t,s0) +/etc/salt/pki/minion(/.*)? gen_context(system_u:object_r:salt_minion_pki_t,s0) + +/etc/rc\.d/init\.d/salt-master -- gen_context(system_u:object_r:salt_master_initrc_exec_t,s0) +/etc/rc\.d/init\.d/salt-minion -- gen_context(system_u:object_r:salt_minion_initrc_exec_t,s0) + +/usr/lib/python-exec/python[0-9]?\.[0-9]?/salt-master -- gen_context(system_u:object_r:salt_master_exec_t,s0) +/usr/lib/python-exec/python[0-9]?\.[0-9]?/salt-minion -- gen_context(system_u:object_r:salt_minion_exec_t,s0) + +/usr/bin/salt-master -- gen_context(system_u:object_r:salt_master_exec_t,s0) +/usr/bin/salt-minion -- gen_context(system_u:object_r:salt_minion_exec_t,s0) + +/var/log/salt -d gen_context(system_u:object_r:salt_log_t,s0) +/var/log/salt/master -- gen_context(system_u:object_r:salt_master_log_t,s0) +/var/log/salt/minion -- gen_context(system_u:object_r:salt_minion_log_t,s0) + +/var/run/salt -d gen_context(system_u:object_r:salt_var_run_t,s0) +/var/run/salt/master(/.*)? gen_context(system_u:object_r:salt_master_var_run_t,s0) +/var/run/salt/minion(/.*)? gen_context(system_u:object_r:salt_minion_var_run_t,s0) +/var/run/salt-master\.pid -- gen_context(system_u:object_r:salt_master_var_run_t,s0) +/var/run/salt-minion\.pid -- gen_context(system_u:object_r:salt_minion_var_run_t,s0) + +/var/cache/salt -d gen_context(system_u:object_r:salt_cache_t,s0) +/var/cache/salt/master(/.*)? gen_context(system_u:object_r:salt_master_cache_t,s0) +/var/cache/salt/minion(/.*)? gen_context(system_u:object_r:salt_minion_cache_t,s0) + +/srv/salt(/.*)? gen_context(system_u:object_r:salt_sls_t,s0) diff --git a/policy/modules/contrib/salt.if b/policy/modules/contrib/salt.if new file mode 100644 index 0000000..7ab9e6b --- /dev/null +++ b/policy/modules/contrib/salt.if 
@@ -0,0 +1,88 @@ +## Infrastructure management toolset + +######################################### +## +## All the rules required to administer a salt master environment +## +## +## +## Domain allowed access +## +## +## +## +## Role allowed access +## +## +# +interface(`salt_admin_master',` + gen_require(` + type salt_master_t; + type salt_master_initrc_exec_t; + type salt_master_exec_t; + type salt_etc_t; + type salt_var_run_t; + type salt_master_var_run_t; + attribute_role salt_master_roles; + ') + + allow $1 salt_master_t:process { ptrace signal_perms }; + ps_process_pattern($1, salt_master_t) + + init_labeled_script_domtrans($1, salt_master_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 salt_master_initrc_exec_t system_r; + + # for debugging? + role_transition $2 salt_master_exec_t system_r; + domtrans_pattern($1, salt_master_exec_t, salt_master_t) + + roleattribute $2 salt_master_roles; + + files_list_etc($1) + admin_pattern($1, salt_etc_t, salt_etc_t) + + allow $1 salt_var_run_t:dir search_dir_perms; + stream_connect_pattern($1, salt_master_var_run_t, salt_master_var_run_t, salt_master_t) +') + +######################################### +## +## All the rules required to administer a salt minion environment +## +## +## +## Domain allowed access +## +## +## +## +## Role allowed access +## +## +# +interface(`salt_admin_minion',` + gen_require(` + type salt_minion_t; + type salt_minion_initrc_exec_t; + type salt_minion_exec_t; + type salt_etc_t; + attribute_role salt_minion_roles; + ') + + allow $1 salt_minion_t:process { ptrace signal_perms }; + ps_process_pattern($1, salt_minion_t) + + init_labeled_script_domtrans($1, salt_minion_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 salt_minion_initrc_exec_t system_r; + + # for debugging + role_transition $2 salt_minion_exec_t system_r; + domtrans_pattern($1, salt_minion_exec_t, salt_minion_t) + + roleattribute $2 salt_minion_roles; + + files_list_etc($1) + 
admin_pattern($1, salt_etc_t, salt_etc_t) +') diff --git a/policy/modules/contrib/salt.te b/policy/modules/contrib/salt.te new file mode 100644 index 0000000..ba10e45 --- /dev/null +++ b/policy/modules/contrib/salt.te @@ -0,0 +1,315 @@ +policy_module(salt, 1.0) + +######################################### +# +# Declarations +# + +## +##

+## Determine wether the salt master can read NFS files +##

+##
+gen_tunable(salt_master_read_nfs, false) + +## +##

+## Determine wether the salt minion can manage NFS files +##

+##
+gen_tunable(salt_minion_manage_nfs, false) + +attribute_role salt_master_roles; +roleattribute system_r salt_master_roles; + +attribute_role salt_minion_roles; +roleattribute system_r salt_minion_roles; + +type salt_master_t; +type salt_master_exec_t; +init_daemon_domain(salt_master_t, salt_master_exec_t) +role salt_master_roles types salt_master_t; + +type salt_master_cache_t; +files_type(salt_master_cache_t) + +type salt_master_initrc_exec_t; +init_script_file(salt_master_initrc_exec_t) + +type salt_master_log_t; +logging_log_file(salt_master_log_t) + +type salt_master_pki_t; +files_type(salt_master_pki_t) + +type salt_master_tmp_t; +files_tmp_file(salt_master_tmp_t) + +type salt_master_var_run_t; +init_daemon_pid_file(salt_master_var_run_t, file, "salt-master.pid") +files_pid_file(salt_master_var_run_t) + +type salt_minion_t; +type salt_minion_exec_t; +init_daemon_domain(salt_minion_t, salt_minion_exec_t) +role salt_minion_roles types salt_minion_t; + +type salt_minion_cache_t; +files_type(salt_minion_cache_t) + +type salt_minion_initrc_exec_t; +init_script_file(salt_minion_initrc_exec_t) + +type salt_minion_log_t; +logging_log_file(salt_minion_log_t) + +type salt_minion_pki_t; +files_type(salt_minion_pki_t) + +type salt_minion_tmp_t; +files_tmp_file(salt_minion_tmp_t) + +type salt_minion_var_run_t; +init_daemon_pid_file(salt_minion_var_run_t, file, "salt-minion.pid") +files_pid_file(salt_minion_var_run_t) + +type salt_cache_t; +files_type(salt_cache_t) + +type salt_etc_t; +files_config_file(salt_etc_t) + +type salt_log_t; +logging_log_file(salt_log_t) + +type salt_sls_t; +files_type(salt_sls_t) + +type salt_pki_t; +files_type(salt_pki_t) + +type salt_var_run_t; +files_pid_file(salt_var_run_t) + +######################################### +# +# salt_master_t policy +# + +allow salt_master_t self:capability { net_admin sys_admin sys_tty_config }; +allow salt_master_t self:capability2 block_suspend; +allow salt_master_t self:process signal; +allow salt_master_t 
self:tcp_socket create_stream_socket_perms; +allow salt_master_t self:udp_socket create_socket_perms; +allow salt_master_t self:fifo_file rw_fifo_file_perms; +allow salt_master_t self:netlink_route_socket rw_netlink_socket_perms; +allow salt_master_t self:unix_stream_socket connectto; +allow salt_master_t self:unix_dgram_socket create_socket_perms; + +# salt_cache_t +allow salt_master_t salt_cache_t:dir create_dir_perms; +files_var_filetrans(salt_master_t, salt_cache_t, dir, "salt") + +# salt_etc_t +read_files_pattern(salt_master_t, salt_etc_t, salt_etc_t) +list_dirs_pattern(salt_master_t, salt_etc_t, salt_etc_t) + +# salt_log_t +allow salt_master_t salt_log_t:dir create_dir_perms; +logging_log_filetrans(salt_master_t, salt_log_t, dir, "salt") + +# salt_master_cache_t +manage_dirs_pattern(salt_master_t, salt_cache_t, salt_master_cache_t) +allow salt_master_t salt_master_cache_t:file manage_file_perms; +filetrans_pattern(salt_master_t, salt_cache_t, salt_master_cache_t, dir, "master") + +# salt_master_log_t +manage_files_pattern(salt_master_t, salt_log_t, salt_master_log_t) +manage_dirs_pattern(salt_master_t, salt_log_t, salt_master_log_t) +filetrans_pattern(salt_master_t, salt_log_t, salt_master_log_t, { file dir }) + +# salt_master_pki_t +manage_dirs_pattern(salt_master_t, salt_pki_t, salt_master_pki_t) +allow salt_master_t salt_master_pki_t:file manage_file_perms; +filetrans_pattern(salt_master_t, salt_pki_t, salt_master_pki_t, dir, "master") + +# salt_master_tmp_t +manage_files_pattern(salt_master_t, salt_master_tmp_t, salt_master_tmp_t) +manage_dirs_pattern(salt_master_t, salt_master_tmp_t, salt_master_tmp_t) +files_tmp_filetrans(salt_master_t, salt_master_tmp_t, { file dir }) +# libffi, screw you +can_exec(salt_master_t, salt_master_tmp_t) + +# salt_master_var_run_t +allow salt_master_t salt_master_var_run_t:file manage_file_perms; +allow salt_master_t salt_master_var_run_t:sock_file manage_sock_file_perms; +manage_dirs_pattern(salt_master_t, salt_var_run_t, 
salt_master_var_run_t) +filetrans_pattern(salt_master_t, salt_var_run_t, salt_master_var_run_t, dir) + +# salt_pki_t +create_dirs_pattern(salt_master_t, salt_etc_t, salt_pki_t) +filetrans_pattern(salt_master_t, salt_etc_t, salt_pki_t, dir, "pki") + +# salt_sls_t +read_files_pattern(salt_master_t, salt_sls_t, salt_sls_t) +allow salt_master_t salt_sls_t:dir list_dir_perms; + +# salt_var_run_t +allow salt_master_t salt_var_run_t:dir create_dir_perms; +files_pid_filetrans(salt_master_t, salt_var_run_t, dir) +files_pid_filetrans(salt_master_t, salt_master_var_run_t, file, "salt-master.pid") + +kernel_read_network_state(salt_master_t) +kernel_read_system_state(salt_master_t) + +corecmd_exec_bin(salt_master_t) +corecmd_exec_shell(salt_master_t) + +corenet_tcp_bind_generic_node(salt_master_t) +# Actually only 4505 and 4506, need to create a salt_master tcp port for that +corenet_tcp_bind_salt_port(salt_master_t) +#corenet_tcp_bind_all_unreserved_ports(salt_master_t) + +dev_read_sysfs(salt_master_t) + +domain_use_interactive_fds(salt_master_t) +domain_dontaudit_search_all_domains_state(salt_master_t) + +sysnet_exec_ifconfig(salt_master_t) +sysnet_read_config(salt_master_t) + +domain_dontaudit_exec_all_entry_files(salt_master_t) + +files_dontaudit_search_all_dirs(salt_master_t) +files_read_etc_files(salt_master_t) +files_read_usr_files(salt_master_t) + +getty_use_fds(salt_master_t) + +miscfiles_read_localization(salt_master_t) + +userdom_use_user_terminals(salt_master_t) +userdom_dontaudit_list_user_home_dirs(salt_master_t) + +tunable_policy(`salt_master_read_nfs',` + fs_read_nfs_files(salt_master_t) +') + + +######################################### +# +# salt_minion_t policy +# + +allow salt_minion_t self:capability { net_admin sys_admin sys_tty_config }; +allow salt_minion_t self:capability2 block_suspend; +allow salt_minion_t self:process { signull }; +allow salt_minion_t self:tcp_socket create_stream_socket_perms; +allow salt_minion_t self:udp_socket 
create_socket_perms; +allow salt_minion_t self:unix_dgram_socket create_socket_perms; +allow salt_minion_t self:fifo_file rw_fifo_file_perms; +allow salt_minion_t self:netlink_route_socket rw_netlink_socket_perms; +allow salt_minion_t self:unix_stream_socket connectto; + +# salt_cache_t +allow salt_minion_t salt_cache_t:dir create_dir_perms; +files_var_filetrans(salt_minion_t, salt_cache_t, dir, "salt") + +# salt_etc_t +read_files_pattern(salt_minion_t, salt_etc_t, salt_etc_t) +list_dirs_pattern(salt_minion_t, salt_etc_t, salt_etc_t) + +# salt_log_t +allow salt_minion_t salt_log_t:dir create_dir_perms; +logging_log_filetrans(salt_minion_t, salt_log_t, dir, "salt") + +# salt_minion_cache_t +manage_dirs_pattern(salt_minion_t, salt_cache_t, salt_minion_cache_t) +allow salt_minion_t salt_minion_cache_t:file manage_file_perms; +filetrans_pattern(salt_minion_t, salt_cache_t, salt_minion_cache_t, dir, "minion") + +# salt_minion_log_t +manage_files_pattern(salt_minion_t, salt_log_t, salt_minion_log_t) +manage_dirs_pattern(salt_minion_t, salt_log_t, salt_minion_log_t) +filetrans_pattern(salt_minion_t, salt_log_t, salt_minion_log_t, { file dir }) + +# salt_minion_pki_t +manage_dirs_pattern(salt_minion_t, salt_pki_t, salt_minion_pki_t) +allow salt_minion_t salt_minion_pki_t:file manage_file_perms; +filetrans_pattern(salt_minion_t, salt_pki_t, salt_minion_pki_t, dir, "minion") + +# salt_minion_tmp_t +manage_files_pattern(salt_minion_t, salt_minion_tmp_t, salt_minion_tmp_t) +manage_dirs_pattern(salt_minion_t, salt_minion_tmp_t, salt_minion_tmp_t) +files_tmp_filetrans(salt_minion_t, salt_minion_tmp_t, { file dir }) +# libffi, screw you +can_exec(salt_minion_t, salt_minion_tmp_t) + +# salt_minion_var_run_t +allow salt_minion_t salt_minion_var_run_t:file manage_file_perms; +allow salt_minion_t salt_minion_var_run_t:sock_file manage_sock_file_perms; +manage_dirs_pattern(salt_minion_t, salt_var_run_t, salt_minion_var_run_t) +filetrans_pattern(salt_minion_t, salt_var_run_t, 
salt_minion_var_run_t, dir) + +# salt_pki_t +create_dirs_pattern(salt_minion_t, salt_etc_t, salt_pki_t) +filetrans_pattern(salt_minion_t, salt_etc_t, salt_pki_t, dir, "pki") + +# salt_var_run_t +allow salt_minion_t salt_var_run_t:dir create_dir_perms; +files_pid_filetrans(salt_minion_t, salt_var_run_t, dir) +files_pid_filetrans(salt_minion_t, salt_minion_var_run_t, file, "salt-minion.pid") + +kernel_read_network_state(salt_minion_t) +kernel_read_system_state(salt_minion_t) +kernel_rw_all_sysctls(salt_minion_t) + +corecmd_exec_bin(salt_minion_t) +corecmd_exec_shell(salt_minion_t) + +#corenet_tcp_bind_generic_node(salt_minion_t) +# Actually only 4505 and 4506, need to create a salt_minion tcp port for that +#corenet_tcp_bind_all_unreserved_ports(salt_minion_t) +corenet_tcp_connect_salt_port(salt_minion_t) +#corenet_tcp_connect_all_unreserved_ports(salt_minion_t) + +dev_read_sysfs(salt_minion_t) + +sysnet_exec_ifconfig(salt_minion_t) +sysnet_read_config(salt_minion_t) + +domain_dontaudit_search_all_domains_state(salt_minion_t) +domain_dontaudit_exec_all_entry_files(salt_minion_t) + +files_manage_all_non_security_file_types(salt_minion_t) +#files_getattr_all_files(salt_minion_t) +#files_read_etc_files(salt_minion_t) +#files_read_etc_runtime_files(salt_minion_t) +#files_read_usr_files(salt_minion_t) + +fs_getattr_all_fs(salt_minion_t) + +getty_use_fds(salt_minion_t) + +miscfiles_read_localization(salt_minion_t) + +userdom_use_user_terminals(salt_minion_t) +userdom_dontaudit_list_user_home_dirs(salt_minion_t) + +optional_policy(` + auth_read_shadow(salt_minion_t) +') + +optional_policy(` + usermanage_run_useradd(salt_minion_t, salt_minion_roles) + usermanage_run_groupadd(salt_minion_t, salt_minion_roles) + usermanage_run_passwd(salt_minion_t, salt_minion_roles) +') + +optional_policy(` + portage_run(salt_minion_t, salt_minion_roles) +') + +tunable_policy(`salt_minion_manage_nfs',` + fs_manage_nfs_files(salt_master_t) +')
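Review bot: style point on the python-exec entries in salt.fc: `/usr/lib/python-exec/python[0-9]?\.[0-9]?/salt-master` makes both digits optional, so the pattern also accepts directory names like `python.` or `python2.`; python-exec interpreter directories for CPython are always `python<major>.<minor>`, so `python[0-9]\.[0-9]` pins the regex to the paths actually meant (same for the `salt-minion` line). Nothing else in the tree would match the loose form, so this is about documenting intent rather than a labeling bug.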
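Review bot: `salt_admin_minion` in salt.if is missing the socket access that `salt_admin_master` grants: there is no `allow $1 salt_var_run_t:dir search_dir_perms;` and no `stream_connect_pattern($1, salt_minion_var_run_t, salt_minion_var_run_t, salt_minion_t)`, so an admin role can reach the master's sockets under /var/run/salt/master but not the minion's under /var/run/salt/minion, and `salt_var_run_t` is absent from the minion interface's `gen_require`. Both interfaces also stop at `admin_pattern($1, salt_etc_t, salt_etc_t)`: /etc/salt/pki and its subdirectories are labeled `salt_pki_t`, `salt_master_pki_t` and `salt_minion_pki_t` in salt.fc, and the log, cache and pid types are not required either, so an admin cannot manage accepted keys, rotate logs or clear the cache through these interfaces. The usual refpolicy shape is `logging_list_logs($1)` with `admin_pattern($1, salt_master_log_t, salt_master_log_t)`, `files_list_pids($1)` with `admin_pattern($1, salt_master_var_run_t, salt_master_var_run_t)`, and the same for the cache and pki types, mirrored for the minion. Finally, the `# for debugging?` comment above the `role_transition $2 salt_master_exec_t system_r;` / `domtrans_pattern` pair should say what the rule is for; the minion copy already drops the question mark.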
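Review bot: the final block of salt.te, `tunable_policy(`salt_minion_manage_nfs',` ... `fs_manage_nfs_files(salt_master_t)` `')`, applies the minion boolean to the wrong domain: as written, enabling `salt_minion_manage_nfs` grants the master write access to NFS files and leaves the minion without it; this should be `fs_manage_nfs_files(salt_minion_t)`, matching the tunable's own description. Next, the pid-directory transitions are unnamed while the cache and pki ones are named: `files_pid_filetrans(salt_master_t, salt_var_run_t, dir)` and `filetrans_pattern(salt_master_t, salt_var_run_t, salt_master_var_run_t, dir)` (and the minion counterparts) make any directory the domain creates under /var/run come out as `salt_var_run_t` / `salt_master_var_run_t`; adding `"salt"` and `"master"` / `"minion"` matches the `/var/run/salt -d` and `/var/run/salt/master(/.*)?` entries in salt.fc and the `"master"` names already used for `salt_master_cache_t` and `salt_master_pki_t`. A few more points in the same hunk: the comment `# Actually only 4505 and 4506, need to create a salt_master tcp port for that` sits above a call that already uses a salt port, `corenet_tcp_bind_salt_port(salt_master_t)`, so it reads as stale, and since this commit touches only the three salt files, `corenet_tcp_bind_salt_port` / `corenet_tcp_connect_salt_port` must already exist in corenetwork on this branch or the module will not build. `allow salt_master_t self:capability { net_admin sys_admin sys_tty_config };` (and the same line for the minion) carries no comment; if `net_admin` comes from setsockopt on the ZeroMQ sockets it is normally dontaudited rather than allowed, and `sys_admin` on the master in particular deserves a one-line justification. `allow salt_master_t self:unix_stream_socket connectto;` grants only connect while the domain also gets `manage_sock_file_perms` on its own run directory, so check whether `create_stream_socket_perms` is needed for the IPC sockets it creates (same for the minion). The `# libffi, screw you` comment above `can_exec(salt_master_t, salt_master_tmp_t)` (duplicated for the minion) should instead state the trade-off: this allows executing files the daemon itself wrote to its tmp type, a write-plus-exec allowance accepted because libffi falls back to a mapped temporary file when it cannot get anonymous executable memory. Smaller items: "wether" should be "whether" in both `gen_tunable` descriptions; `auth_read_shadow(salt_minion_t)` does not need the `optional_policy` wrapper, since authlogin is a base system module; and given `files_manage_all_non_security_file_types(salt_minion_t)` plus `kernel_rw_all_sysctls(salt_minion_t)` with no relabel rules, files the minion creates through states will take the parent directory's type, which is worth spelling out in the module summary so that nobody expects the minion to set file contexts.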