commit: 545b803c06726d7b5f28a244b7ae4f9a92a353ef |
Author: Jason Zaman <perfinion <AT> gentoo <DOT> org> |
AuthorDate: Mon Jan 31 19:25:33 2022 +0000 |
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> |
CommitDate: Mon Jan 31 19:25:33 2022 +0000 |
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=545b803c |
|
puppet: Update gentoo-specific tunable to fix selint error |
|
Can use files_relabel_all_non_security_file_types instead of the |
gen_require hack |
|
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org> |
|
policy/modules/admin/puppet.te | 24 ++---------------------- |
1 file changed, 2 insertions(+), 22 deletions(-) |
|
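--- a/policy/modules/admin/puppet.te
+++ b/policy/modules/admin/puppet.te
@@ -370,28 +370,8 @@ ifdef(`distro_gentoo',`
 usermanage_domtrans_passwd(puppet_t)
 
 tunable_policy(`puppet_manage_all_files',`
- # We should use files_relabel_all_files here, but it calls
- # seutil_relabelto_bin_policy which sets a "typeattribute type attr",
- # which is not allowed within a tunable_policy.
- # So, we duplicate the content of files_relabel_all_files except for
- # the policy configuration stuff and hope users do that through Portage
-
- gen_require(` #selint-disable:S-001
- attribute file_type;
- attribute security_file_type;
- type policy_config_t;
- ')
-
- allow puppet_t { file_type -policy_config_t -security_file_type }:dir list_dir_perms;
- relabel_dirs_pattern(puppet_t, { file_type -policy_config_t -security_file_type }, { file_type -policy_config_t -security_file_type })
- relabel_files_pattern(puppet_t, { file_type -policy_config_t -security_file_type }, { file_type -policy_config_t -security_file_type })
- relabel_lnk_files_pattern(puppet_t, { file_type -policy_config_t -security_file_type }, { file_type -policy_config_t -security_file_type })
- relabel_fifo_files_pattern(puppet_t, { file_type -policy_config_t -security_file_type }, { file_type -policy_config_t -security_file_type })
- relabel_sock_files_pattern(puppet_t, { file_type -policy_config_t -security_file_type }, { file_type -policy_config_t -security_file_type })
- # this is only relabelfrom since there should be no
- # device nodes with file types.
- relabelfrom_blk_files_pattern(puppet_t, { file_type -policy_config_t -security_file_type }, { file_type -policy_config_t -security_file_type })
- relabelfrom_chr_files_pattern(puppet_t, { file_type -policy_config_t -security_file_type }, { file_type -policy_config_t -security_file_type })
+ # Also allows relabelfrom blk and chr_files which are not in files_manage_non_auth_files
+ files_relabel_all_non_security_file_types(puppet_t)
 ')
 
 optional_policy(`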
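Review bot: The removed `allow puppet_t { file_type -policy_config_t -security_file_type }:dir list_dir_perms;` has no counterpart in the two added lines, and `files_relabel_all_non_security_file_types()` as named grants relabel permissions rather than directory listing; unless `files_manage_non_auth_files(puppet_t)`, which the new comment refers to but which sits outside this hunk, already covers every non-security file type, puppet_t loses the ability to list those directories when `puppet_manage_all_files` is enabled. Whether `policy_config_t` stays excluded now depends on it being tagged with `security_file_type` elsewhere in the policy, which this hunk cannot show; the old comment deliberately kept policy configuration out of scope, so confirm on the built policy with `sesearch -A -s puppet_t -t policy_config_t -c file -p relabelto` before treating the change as equivalent. I would make both assumptions explicit in the added comment, e.g. `# Relies on policy_config_t being a security_file_type; dir listing comes from files_manage_non_auth_files above`. The enclosing ifdef(`distro_gentoo') block starts before this hunk.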