Re: [PATCH] puppet


On 2/13/2022 5:17 AM, Russell Coker wrote:
This patch goes most of the way towards making puppet usable.  It got puppet
working for me to the stage where I decided I don't want to use puppet.

I think it's worthy of inclusion.

Signed-off-by: Russell Coker <russell@xxxxxxxxxxxx>

Index: refpolicy-2.20210203/policy/modules/admin/puppet.fc
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/admin/puppet.fc
+++ refpolicy-2.20210203/policy/modules/admin/puppet.fc
@@ -11,6 +11,7 @@
  /usr/sbin/puppetd	--	gen_context(system_u:object_r:puppet_exec_t,s0)
  /usr/sbin/puppetmasterd	--	gen_context(system_u:object_r:puppetmaster_exec_t,s0)
+/var/cache/puppet(/.*)? gen_context(system_u:object_r:puppet_cache_t,s0)
  /var/lib/puppet(/.*)?	gen_context(system_u:object_r:puppet_var_lib_t,s0)
/var/log/puppet(/.*)? gen_context(system_u:object_r:puppet_log_t,s0)
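Review bot: the new /var/cache/puppet(/.*)? context is the only place puppet_cache_t is used apart from its declaration in puppet.te; with no allow rules granting puppet_t or puppetmaster_t access to puppet_cache_t, relabelling the directory away from its current label only removes access the domains have today. Either add the access rules in the same patch or hold this fc entry until they exist, so a restorecon after install does not break cache use.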
Index: refpolicy-2.20210203/policy/modules/admin/puppet.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/admin/puppet.te
+++ refpolicy-2.20210203/policy/modules/admin/puppet.te
@@ -36,6 +36,9 @@ init_daemon_runtime_file(puppet_runtime_
  type puppet_tmp_t;
  files_tmp_file(puppet_tmp_t)
+type puppet_cache_t;
+files_type(puppet_cache_t)
+

It looks to me like there are no rules added here. If I understand everything right, under the current puppet policy, /var/cache/puppet/* was labeled var_t, and I see that the current policy has files_rw_var_files(puppet_t) in an optional block on line 185. That makes me suspect that this line could be changed to rw puppet_cache_t. That would likely keep this patch from reducing puppet functionality in scenarios where it needs the cache, and also avoid the (presumably excessive) var_t access it has now.

I'm no puppet expert, so maybe this is all off base, but it feels weird to add this type but add no rules for it, and it seems like puppet should probably be able to use its cache files.

-Daniel

  type puppet_var_lib_t;
  files_type(puppet_var_lib_t)
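Review bot: beyond the missing access rules Daniel points out, the type declaration for puppet_cache_t comes with no file transition. If /var/cache/puppet is created by puppet at runtime rather than by the package, the directory will inherit the label of its parent under /var/cache until someone runs restorecon, so a file transition for puppet_t on that parent should accompany the manage rule for puppet_cache_t.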
@@ -96,6 +99,7 @@ kernel_read_kernel_sysctls(puppet_t)
  kernel_read_net_sysctls(puppet_t)
  kernel_read_network_state(puppet_t)
+corecmd_bin_entry_type(puppet_t)
  corecmd_exec_bin(puppet_t)
  corecmd_exec_shell(puppet_t)
  corecmd_read_all_executables(puppet_t)
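Review bot: corecmd_bin_entry_type(puppet_t) makes every bin_t executable a valid entry point into puppet_t, which widens domain entry well beyond the dedicated puppet_exec_t labelled in puppet.fc, and the commit message does not say which binary required it. If the need is that puppet is launched through an interpreter living in bin_t, state that in the commit message and consider whether a narrower entry type is possible; with a broad entry type the domain transition says little about what code is actually running as puppet_t.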
@@ -267,6 +271,7 @@ allow puppetmaster_t puppet_etc_t:lnk_fi
  allow puppetmaster_t puppet_log_t:dir setattr_dir_perms;
  append_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t)
  create_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t)
+read_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t)
  setattr_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t)
  logging_log_filetrans(puppetmaster_t, puppet_log_t, { file dir })
@@ -287,6 +292,7 @@ kernel_read_system_state(puppetmaster_t)
  kernel_read_crypto_sysctls(puppetmaster_t)
  kernel_read_kernel_sysctls(puppetmaster_t)
+corecmd_bin_entry_type(puppetmaster_t)
  corecmd_exec_bin(puppetmaster_t)
  corecmd_exec_shell(puppetmaster_t)
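Review bot: the same concern applies to corecmd_bin_entry_type(puppetmaster_t): it lets any bin_t executable enter puppetmaster_t even though puppetmaster_exec_t already exists in puppet.fc for that purpose. The justification, and ideally a narrower entry type, should be given in the commit message rather than leaving the broad entry unexplained.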



