Old 07-10-2011, 09:49 PM
Matthew Thode
 
selinux puppet update for 2.6.8

First, puppet and puppetmaster are both in /usr/bin not /usr/sbin anymore
And here is what I needed to add to the policy.
module puppetlocal 1.0;

require {
        type sendmail_exec_t;
        type puppet_t;
        type proc_net_t;
        type mount_exec_t;
        type portage_exec_t;
        type passwd_exec_t;
        type initrc_notrans_exec_t;
        class capability dac_read_search;
        class dir search;
        class file { execute read open getattr execute_no_trans };
}

#============= puppet_t ==============
allow puppet_t initrc_notrans_exec_t:file execute;
allow puppet_t mount_exec_t:file { execute execute_no_trans };
allow puppet_t passwd_exec_t:file execute;
allow puppet_t portage_exec_t:file execute;
allow puppet_t proc_net_t:dir search;
allow puppet_t proc_net_t:file { read getattr open };
allow puppet_t self:capability dac_read_search;
allow puppet_t sendmail_exec_t:file execute;

-- Matthew Thode
 
Old 07-11-2011, 12:17 PM
Sven Vermeulen
 
selinux puppet update for 2.6.8

On Sun, Jul 10, 2011 at 04:49:15PM -0500, Matthew Thode wrote:
> #============= puppet_t ==============
> allow puppet_t initrc_notrans_exec_t:file execute;
> allow puppet_t self:capability dac_read_search;

These two I find a bit strange. When do you encounter the need for
initrc_notrans_exec_t execute rights? I guess you're running rc-status or
rc-update at that point? I can have it work using a puppet_t ->
puppet_initrc_notrans_t -> puppet_t transition set (like we do for sysadm_t)
but this is not something you can do with audit2allow, so if the above was
sufficient to make things work...

Also, the dac_read_search capability is something that allows a root user to
read/search files, even if the owner of those files isn't root. In regular
DAC, this is "normal" (root can do everything) but not always necessary. If
you do not allow this, what happens then?

My overlay contains sec-policy/selinux-puppet-2.20101213-r1 [1] so if you
want to test things out, you can subscribe to the overlay or put the
necessary files in your own.

[1] https://github.com/sjvermeu/gentoo.overlay/tree/7e3e3e56a7eb822ed57cc3f3d6285189a1d9fa27/sec-policy/selinux-puppet

Wkr,
Sven Vermeulen
 
Old 07-11-2011, 01:25 PM
Matthew Thode
 
selinux puppet update for 2.6.8

You can use puppet to manage services (make sure they are running and in
the proper runlevel). What I emailed you worked for me.
exec_no_trans is required for rc-update

type=AVC msg=audit(1310333942.567:429): avc: denied { execute_no_trans }
for pid=31986 comm="puppetd" path="/sbin/rc-update" dev=vda3 ino=7033
scontext=system_u:system_r:puppet_t
tcontext=system_u:object_r:initrc_notrans_exec_t tclass=file

I don't see selinux-puppet-2.20101213-r1 in the overlay.

-- Matthew Thode
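
Sven's two objections (a flat execute on initrc_notrans_exec_t, and the dac_read_search capability) and Matthew's AVC line above can be turned into a small review step before anything from audit2allow is committed to a local module. The following is an added example, not code from either poster: it parses AVC denials, prints the allow rule audit2allow would emit for each, and flags those two rule shapes. The AVC lines are constructed in the shape of the one posted in the thread, and the puppet_initrc_notrans_t name the code derives follows Sven's suggested transition set rather than a type in the shipped policy.

```python
import re

# Constructed AVC lines in the shape of the denial posted in this thread
# (pids, inodes and timestamps are made up; the contexts are SELinux defaults).
SAMPLE_AVC = """\
type=AVC msg=audit(1310333942.567:429): avc: denied { execute_no_trans } for pid=31986 comm="puppetd" path="/sbin/rc-update" dev=vda3 ino=7033 scontext=system_u:system_r:puppet_t tcontext=system_u:object_r:initrc_notrans_exec_t tclass=file
type=AVC msg=audit(1310333950.101:430): avc: denied { dac_read_search } for pid=31986 comm="puppetd" capability=2 scontext=system_u:system_r:puppet_t tcontext=system_u:system_r:puppet_t tclass=capability
type=AVC msg=audit(1310333951.202:431): avc: denied { read open } for pid=31986 comm="puppetd" path="/proc/net/dev" dev=proc ino=4026 scontext=system_u:system_r:puppet_t tcontext=system_u:object_r:proc_net_t tclass=file
"""

AVC_RE = re.compile(r"avc: +denied +\{ (?P<perms>[^}]+)\} .*?scontext=(?P<s>\S+) +tcontext=(?P<t>\S+) +tclass=(?P<c>\S+)")

def type_of(ctx):
    """user:role:type[:level] -> type."""
    return ctx.split(":")[2]

def parse_avc(text):
    """Raw AVC lines -> list of (source type, target type, class, perms)."""
    return [(type_of(m["s"]), type_of(m["t"]), m["c"], frozenset(m["perms"].split()))
            for m in AVC_RE.finditer(text)]

def allow_rule(src, tgt, tclass, perms):
    """The flat allow rule audit2allow would emit for one denial."""
    target = "self" if tgt == src else tgt
    p = " ".join(sorted(perms))
    return f"allow {src} {target}:{tclass} {p if len(perms) == 1 else '{ ' + p + ' }'};"

def verdict(src, tgt, tclass, perms):
    """Flag the two rule shapes questioned in the thread; everything else passes."""
    if tclass == "capability" and "dac_read_search" in perms:
        return ("REVIEW", f"{src} would bypass DAC owner/group checks; find the "
                          "access that actually fails instead of granting the capability")
    if tgt == "initrc_notrans_exec_t" and perms & {"execute", "execute_no_trans"}:
        # Derived name follows the transition set suggested in the thread (assumption).
        return ("REVIEW", f"rc-* tools would run inside {src}; prefer a "
                          f"{src} -> {src[:-2]}_initrc_notrans_t -> {src} transition")
    return ("OK", "")

def review(text):
    """Each denial -> (rule, status, reason)."""
    return [(allow_rule(*d),) + verdict(*d) for d in parse_avc(text)]

if __name__ == "__main__":
    for rule, status, why in review(SAMPLE_AVC):
        print(f"{status:6} {rule}" + (f"  # {why}" if why else ""))
```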
