selinux-refpolicy.vger.kernel.org archive mirror
* [PATCH] puppet
@ 2022-02-13 10:17 Russell Coker
From: Russell Coker @ 2022-02-13 10:17 UTC (permalink / raw)
  To: selinux-refpolicy

This patch goes most of the way towards making puppet usable.  It got puppet
working for me to the stage where I decided I don't want to use puppet.

I think it's worthy of inclusion.

Signed-off-by: Russell Coker <russell@coker.com.au>

Index: refpolicy-2.20210203/policy/modules/admin/puppet.fc
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/admin/puppet.fc
+++ refpolicy-2.20210203/policy/modules/admin/puppet.fc
@@ -11,6 +11,7 @@
 /usr/sbin/puppetd	--	gen_context(system_u:object_r:puppet_exec_t,s0)
 /usr/sbin/puppetmasterd	--	gen_context(system_u:object_r:puppetmaster_exec_t,s0)
 
+/var/cache/puppet(/.*)?	gen_context(system_u:object_r:puppet_cache_t,s0)
 /var/lib/puppet(/.*)?	gen_context(system_u:object_r:puppet_var_lib_t,s0)
 
 /var/log/puppet(/.*)?	gen_context(system_u:object_r:puppet_log_t,s0)
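Review bot: this entry relabels an existing directory tree, so the patch should say that deployed systems need a relabel (for example `restorecon -R /var/cache/puppet`) before the new type takes effect; until that runs the files keep whatever label they have today. The entry itself follows the sibling /var/lib/puppet line (no type column, so the directory and everything beneath it is matched), which is the right form for a tree.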
Index: refpolicy-2.20210203/policy/modules/admin/puppet.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/admin/puppet.te
+++ refpolicy-2.20210203/policy/modules/admin/puppet.te
@@ -36,6 +36,9 @@ init_daemon_runtime_file(puppet_runtime_
 type puppet_tmp_t;
 files_tmp_file(puppet_tmp_t)
 
+type puppet_cache_t;
+files_type(puppet_cache_t)
+
 type puppet_var_lib_t;
 files_type(puppet_var_lib_t)
 
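Review bot: puppet_cache_t is declared here but no rule anywhere in this patch grants any domain access to it, so once the puppet.fc change relabels /var/cache/puppet, puppet_t loses the var_t access it currently gets through files_rw_var_files(puppet_t) and gains nothing in return. Pair the declaration with the access puppet_t needs, for example
manage_dirs_pattern(puppet_t, puppet_cache_t, puppet_cache_t)
manage_files_pattern(puppet_t, puppet_cache_t, puppet_cache_t)
files_var_filetrans(puppet_t, puppet_cache_t, dir, "puppet")
(the filetrans is optional if the package always creates the directory), and then consider dropping files_rw_var_files(puppet_t) if the cache was its only reason for existing.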
@@ -96,6 +99,7 @@ kernel_read_kernel_sysctls(puppet_t)
 kernel_read_net_sysctls(puppet_t)
 kernel_read_network_state(puppet_t)
 
+corecmd_bin_entry_type(puppet_t)
 corecmd_exec_bin(puppet_t)
 corecmd_exec_shell(puppet_t)
 corecmd_read_all_executables(puppet_t)
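Review bot: corecmd_bin_entry_type(puppet_t) makes every bin_t executable a valid entrypoint for puppet_t, which is far broader than the single puppet_exec_t entrypoint (/usr/sbin/puppetd in puppet.fc) the module has today, and neither the hunk nor the commit message says which binary needed it. If the agent is now started through a different executable, the narrower fix is an extra puppet.fc entry labelling that executable puppet_exec_t; if a bin_t entrypoint really is unavoidable, state why in the commit message so the widening is a deliberate choice rather than a side effect of a denial.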
@@ -267,6 +271,7 @@ allow puppetmaster_t puppet_etc_t:lnk_fi
 allow puppetmaster_t puppet_log_t:dir setattr_dir_perms;
 append_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t)
 create_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t)
+read_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t)
 setattr_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t)
 logging_log_filetrans(puppetmaster_t, puppet_log_t, { file dir })
 
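Review bot: read access on puppet_log_t for puppetmaster_t is a small widening and the new line keeps the existing alphabetical order of the pattern calls, but the commit message gives no denial or use case behind it; a one-line justification (which operation on the log files needs read, as opposed to the append, create and setattr already granted) would make the change reviewable.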
@@ -287,6 +292,7 @@ kernel_read_system_state(puppetmaster_t)
 kernel_read_crypto_sysctls(puppetmaster_t)
 kernel_read_kernel_sysctls(puppetmaster_t)
 
+corecmd_bin_entry_type(puppetmaster_t)
 corecmd_exec_bin(puppetmaster_t)
 corecmd_exec_shell(puppetmaster_t)
 
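Review bot: corecmd_bin_entry_type(puppetmaster_t) lets any bin_t executable enter puppetmaster_t instead of only puppetmaster_exec_t (/usr/sbin/puppetmasterd in puppet.fc), and nothing on the page says which executable triggered it. Prefer labelling the actual server executable puppetmaster_exec_t in puppet.fc, or document in the commit message why a bin_t entrypoint is required for the master domain.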


* Re: [PATCH] puppet
@ 2022-02-14 15:53 ` Daniel Burgener
From: Daniel Burgener @ 2022-02-14 15:53 UTC (permalink / raw)
  To: Russell Coker, selinux-refpolicy

On 2/13/2022 5:17 AM, Russell Coker wrote:
> This patch goes most of the way towards making puppet usable.  It got puppet
> working for me to the stage where I decided I don't want to use puppet.
> 
> I think it's worthy of inclusion.
> 
> Signed-off-by: Russell Coker <russell@coker.com.au>
> 
> Index: refpolicy-2.20210203/policy/modules/admin/puppet.fc
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/admin/puppet.fc
> +++ refpolicy-2.20210203/policy/modules/admin/puppet.fc
> @@ -11,6 +11,7 @@
>   /usr/sbin/puppetd	--	gen_context(system_u:object_r:puppet_exec_t,s0)
>   /usr/sbin/puppetmasterd	--	gen_context(system_u:object_r:puppetmaster_exec_t,s0)
>   
> +/var/cache/puppet(/.*)?	gen_context(system_u:object_r:puppet_cache_t,s0)
>   /var/lib/puppet(/.*)?	gen_context(system_u:object_r:puppet_var_lib_t,s0)
>   
>   /var/log/puppet(/.*)?	gen_context(system_u:object_r:puppet_log_t,s0)
> Index: refpolicy-2.20210203/policy/modules/admin/puppet.te
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/admin/puppet.te
> +++ refpolicy-2.20210203/policy/modules/admin/puppet.te
> @@ -36,6 +36,9 @@ init_daemon_runtime_file(puppet_runtime_
>   type puppet_tmp_t;
>   files_tmp_file(puppet_tmp_t)
>   
> +type puppet_cache_t;
> +files_type(puppet_cache_t)
> +

It looks to me like there are no rules added here.  If I understand 
everything right, under the current puppet policy, /var/cache/puppet/* 
was labeled var_t, and I see that the current policy has 
files_rw_var_files(puppet_t) in an optional block on line 185.  That 
makes me suspect that this line could be changed to rw puppet_cache_t. 
That would likely keep this patch from reducing puppet functionality in 
scenarios where it needs the cache, and also avoid the (presumably 
excessive) var_t access it has now.

I'm no puppet expert, so maybe this is all off base, but it feels weird 
to add this type but add no rules for it, and it seems like puppet 
should probably be able to use its cache files.

-Daniel

>   type puppet_var_lib_t;
>   files_type(puppet_var_lib_t)
>   
> @@ -96,6 +99,7 @@ kernel_read_kernel_sysctls(puppet_t)
>   kernel_read_net_sysctls(puppet_t)
>   kernel_read_network_state(puppet_t)
>   
> +corecmd_bin_entry_type(puppet_t)
>   corecmd_exec_bin(puppet_t)
>   corecmd_exec_shell(puppet_t)
>   corecmd_read_all_executables(puppet_t)
> @@ -267,6 +271,7 @@ allow puppetmaster_t puppet_etc_t:lnk_fi
>   allow puppetmaster_t puppet_log_t:dir setattr_dir_perms;
>   append_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t)
>   create_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t)
> +read_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t)
>   setattr_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t)
>   logging_log_filetrans(puppetmaster_t, puppet_log_t, { file dir })
>   
> @@ -287,6 +292,7 @@ kernel_read_system_state(puppetmaster_t)
>   kernel_read_crypto_sysctls(puppetmaster_t)
>   kernel_read_kernel_sysctls(puppetmaster_t)
>   
> +corecmd_bin_entry_type(puppetmaster_t)
>   corecmd_exec_bin(puppetmaster_t)
>   corecmd_exec_shell(puppetmaster_t)
>   

