From: "Sven Vermeulen" <sven.vermeulen@siphos.be>
To: gentoo-commits@lists.gentoo.org
Subject: [gentoo-commits] proj/hardened-dev:master commit in: sec-policy/selinux-puppet/files/, sec-policy/selinux-puppet/
Date: Sun, 17 Jul 2011 18:10:05 +0000 (UTC)
Message-ID: <1b6dde6ed3396cc4e1b2df752a9a2a2816d9412d.SwifT@gentoo>
commit: 1b6dde6ed3396cc4e1b2df752a9a2a2816d9412d
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sun Jul 17 18:09:21 2011 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Sun Jul 17 18:09:21 2011 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-dev.git;a=commit;h=1b6dde6e
Enhance puppet rights
---
sec-policy/selinux-puppet/ChangeLog | 17 ++++
.../files/fix-services-puppet-r1.patch | 89 ++++++++++++++++++++
sec-policy/selinux-puppet/metadata.xml | 6 ++
.../selinux-puppet-2.20101213-r1.ebuild | 18 ++++
4 files changed, 130 insertions(+), 0 deletions(-)
diff --git a/sec-policy/selinux-puppet/ChangeLog b/sec-policy/selinux-puppet/ChangeLog
new file mode 100644
index 0000000..d56ea3d
--- /dev/null
+++ b/sec-policy/selinux-puppet/ChangeLog
@@ -0,0 +1,17 @@
+# ChangeLog for sec-policy/selinux-puppet
+# Copyright 1999-2011 Gentoo Foundation; Distributed under the GPL v2
+# $Header: /var/cvsroot/gentoo-x86/sec-policy/selinux-puppet/ChangeLog,v 1.2 2011/06/02 12:49:09 blueness Exp $
+
+*selinux-puppet-2.20101213-r1 (11 Jul 2011)
+
+ 11 Jul 2011; <swift@gentoo.org> +files/fix-services-puppet-r1.patch,
+ +selinux-puppet-2.20101213-r1.ebuild, +metadata.xml:
+ Extend puppet rights
+
+ 02 Jun 2011; Anthony G. Basile <blueness@gentoo.org>
+ selinux-puppet-2.20101213.ebuild:
+ Stable amd64 x86
+
+ 05 Feb 2011; Anthony G. Basile <blueness@gentoo.org> ChangeLog:
+ Initial commit to portage.
+
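Review bot: the new 11 Jul 2011 entry has no author name in front of `<swift@gentoo.org>`, unlike the two `Anthony G. Basile <blueness@gentoo.org>` entries below it; Gentoo ChangeLog entries are written as `Name <email>`. The entry text ("Extend puppet rights") also differs from the commit message ("Enhance puppet rights"), and neither says what was granted; list the added interfaces (mount, passwd, portage, mta, kernel sysctl and network state reads) so the privilege increase can be reviewed from the ChangeLog alone. The entry is dated 11 Jul while the commit is dated 17 Jul.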
diff --git a/sec-policy/selinux-puppet/files/fix-services-puppet-r1.patch b/sec-policy/selinux-puppet/files/fix-services-puppet-r1.patch
new file mode 100644
index 0000000..63056db
--- /dev/null
+++ b/sec-policy/selinux-puppet/files/fix-services-puppet-r1.patch
@@ -0,0 +1,89 @@
+--- services/puppet.te 2010-08-03 15:11:07.000000000 +0200
++++ services/puppet.te 2011-07-11 22:40:28.700001278 +0200
+@@ -17,6 +17,9 @@
+ type puppet_exec_t;
+ init_daemon_domain(puppet_t, puppet_exec_t)
+
++type puppet_initrc_notrans_t;
++role system_r types puppet_initrc_notrans_t;
++
+ type puppet_etc_t;
+ files_config_file(puppet_etc_t)
+
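Review bot: `puppet_initrc_notrans_t` is declared with only a `role system_r types` rule and no `domain_type()` or attribute assignment; the only thing that turns it into a domain is `gentoo_init_initrc_notrans()` near the end of the file, inside an `optional_policy` block, so on a base policy that lacks that interface the type exists but nothing can run in it and the `role` rule is dead. Either complete the declaration here the way the other domains in this file are declared, or add a comment next to it saying what the domain is for and that it is finished by the gentoo optional block.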
+@@ -77,7 +80,9 @@
+ files_tmp_filetrans(puppet_t, puppet_tmp_t, { file dir })
+
+ kernel_dontaudit_search_sysctl(puppet_t)
+-kernel_dontaudit_search_kernel_sysctl(puppet_t)
++#kernel_dontaudit_search_kernel_sysctl(puppet_t)
++kernel_read_kernel_sysctls(puppet_t)
++kernel_read_network_state(puppet_t)
+ kernel_read_system_state(puppet_t)
+ kernel_read_crypto_sysctls(puppet_t)
+
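Review bot: `kernel_dontaudit_search_kernel_sysctl(puppet_t)` is commented out rather than deleted; `kernel_read_kernel_sysctls(puppet_t)` on the next line already grants the search the dontaudit was hiding, so drop the dead `#kernel_dontaudit_search_kernel_sysctl(puppet_t)` line instead of leaving it in the .te. The commit message ("Enhance puppet rights") does not say which denial motivated `kernel_read_network_state(puppet_t)` (read access to the network state under /proc); record the AVC that prompted it in the ChangeLog so the grant can be re-evaluated later.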
+@@ -115,6 +120,9 @@
+ term_dontaudit_getattr_unallocated_ttys(puppet_t)
+ term_dontaudit_getattr_all_ttys(puppet_t)
+
++
++## system modules
++
+ init_all_labeled_script_domtrans(puppet_t)
+ init_domtrans_script(puppet_t)
+ init_read_utmp(puppet_t)
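Review bot: this hunk adds an extra blank line ahead of the `## system modules` comment, leaving a double blank line between `term_dontaudit_getattr_all_ttys(puppet_t)` and `init_all_labeled_script_domtrans(puppet_t)`; reference policy .te files separate interface groups with a single blank line and do not carry per-module headers between them, so either drop the comment or at least the extra blank.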
+@@ -125,12 +133,26 @@
+ miscfiles_read_hwdata(puppet_t)
+ miscfiles_read_localization(puppet_t)
+
++mount_domtrans(puppet_t)
++
+ seutil_domtrans_setfiles(puppet_t)
+ seutil_domtrans_semanage(puppet_t)
+
+ sysnet_dns_name_resolve(puppet_t)
+ sysnet_run_ifconfig(puppet_t, system_r)
+
++## Other modules
++
++
++usermanage_domtrans_passwd(puppet_t)
++
++tunable_policy(`gentoo_try_dontaudit',`
++ dontaudit puppet_t self:capability dac_read_search;
++ kernel_dontaudit_read_system_state(puppet_initrc_notrans_t)
++ userdom_dontaudit_use_user_terminals(puppet_t)
++')
++
++
+ tunable_policy(`puppet_manage_all_files',`
+ auth_manage_all_files_except_shadow(puppet_t)
+ ')
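Review bot: `mount_domtrans(puppet_t)` and `usermanage_domtrans_passwd(puppet_t)` use the bare domtrans interfaces while the existing `sysnet_run_ifconfig(puppet_t, system_r)` in the same hunk uses the `_run_` form that also adds the role; confirm that `mount_t` and `passwd_t` are already permitted for `system_r`, otherwise the execve is refused as a role violation and the `_run_` variants are needed. Inside the `gentoo_try_dontaudit` block, `dontaudit puppet_t self:capability dac_read_search;` silences a capability check on a domain whose job is managing files (see `puppet_manage_all_files` right below): if puppet legitimately needs to traverse directories it does not own, allow the capability where that boolean is on; if it does not, keeping the denial visible is what tells an administrator that a manifest is touching something it should not. Also trim the double blank lines after `## Other modules` and after the tunable block.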
+@@ -144,6 +166,16 @@
+ ')
+
+ optional_policy(`
++ mta_send_mail(puppet_t)
++')
++
++optional_policy(`
++ gentoo_init_initrc_notrans(puppet_initrc_notrans_t, puppet_t)
++ portage_domtrans(puppet_t)
++ puppet_rw_tmp(puppet_initrc_notrans_t)
++')
++
++optional_policy(`
+ files_rw_var_files(puppet_t)
+
+ rpm_domtrans(puppet_t)
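Review bot: the new `optional_policy` block mixes interfaces from different modules (`gentoo_init_initrc_notrans()`, `portage_domtrans()`, `puppet_rw_tmp()`); the convention is one module per `optional_policy` block, so that a system without, say, the portage module still gets the initrc rules instead of losing the whole block. `puppet_rw_tmp(puppet_initrc_notrans_t)` also calls this module's own interface from its own .te; since `puppet_tmp_t` is local, write the rule directly (e.g. `rw_files_pattern(puppet_initrc_notrans_t, puppet_tmp_t, puppet_tmp_t)`) outside the optional block, otherwise the notrans domain loses access to puppet's tmp files whenever the block is dropped.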
+--- services/puppet.fc 2010-08-03 15:11:07.000000000 +0200
++++ services/puppet.fc 2011-07-11 14:06:20.907000356 +0200
+@@ -3,7 +3,9 @@
+ /etc/rc\.d/init\.d/puppet -- gen_context(system_u:object_r:puppet_initrc_exec_t,s0)
+ /etc/rc\.d/init\.d/puppetmaster -- gen_context(system_u:object_r:puppetmaster_initrc_exec_t,s0)
+
++/usr/bin/puppetd -- gen_context(system_u:object_r:puppet_exec_t,s0)
+ /usr/sbin/puppetd -- gen_context(system_u:object_r:puppet_exec_t,s0)
++/usr/bin/puppetmasterd -- gen_context(system_u:object_r:puppetmaster_exec_t,s0)
+ /usr/sbin/puppetmasterd -- gen_context(system_u:object_r:puppetmaster_exec_t,s0)
+
+ /var/lib/puppet(/.*)? gen_context(system_u:object_r:puppet_var_lib_t,s0)
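Review bot: the new `/usr/bin/puppetd` and `/usr/bin/puppetmasterd` entries mirror the existing `/usr/sbin` ones, which is fine, but the commit message does not say why Gentoo installs the daemons under /usr/bin; note it in the ChangeLog. After the module is rebuilt, check that the label is really applied and that the daemon ends up in its domain: `matchpathcon /usr/bin/puppetd` should report `puppet_exec_t`, `restorecon -v /usr/bin/puppetd` should relabel the file, and `ps -eZ | grep puppet` after a restart should show `puppet_t` rather than `initrc_t`.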
diff --git a/sec-policy/selinux-puppet/metadata.xml b/sec-policy/selinux-puppet/metadata.xml
new file mode 100644
index 0000000..9c13f0a
--- /dev/null
+++ b/sec-policy/selinux-puppet/metadata.xml
@@ -0,0 +1,6 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+ <herd>selinux</herd>
+ <longdescription>Gentoo SELinux policy for puppet</longdescription>
+</pkgmetadata>
diff --git a/sec-policy/selinux-puppet/selinux-puppet-2.20101213-r1.ebuild b/sec-policy/selinux-puppet/selinux-puppet-2.20101213-r1.ebuild
new file mode 100644
index 0000000..ac80dc4
--- /dev/null
+++ b/sec-policy/selinux-puppet/selinux-puppet-2.20101213-r1.ebuild
@@ -0,0 +1,18 @@
+# Copyright 1999-2011 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/sec-policy/selinux-puppet/selinux-puppet-2.20101213.ebuild,v 1.2 2011/06/02 12:49:09 blueness Exp $
+
+IUSE=""
+
+MODS="puppet"
+
+inherit selinux-policy-2
+
+DESCRIPTION="SELinux policy for general applications"
+
+DEPEND=">=sec-policy/selinux-base-policy-2.20101213-r19"
+RDEPEND="${DEPEND}"
+
+KEYWORDS="~amd64 ~x86"
+
+POLICY_PATCH="${FILESDIR}/fix-services-puppet-r1.patch"
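Review bot: `DESCRIPTION="SELinux policy for general applications"` is a copy-paste leftover and contradicts the metadata.xml longdescription ("Gentoo SELinux policy for puppet"); describe the puppet policy. The `$Header` line still points at `selinux-puppet-2.20101213.ebuild,v 1.2`, the old revision's CVS path, rather than this -r1 ebuild. And `>=sec-policy/selinux-base-policy-2.20101213-r19` must be the first base-policy revision that provides `gentoo_init_initrc_notrans()` and the `gentoo_try_dontaudit` tunable the patch relies on, since the module will not build against an older base; say so in the ChangeLog.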