| 1 |
commit: 545b803c06726d7b5f28a244b7ae4f9a92a353ef |
| 2 |
Author: Jason Zaman <perfinion <AT> gentoo <DOT> org> |
| 3 |
AuthorDate: Mon Jan 31 19:25:33 2022 +0000 |
| 4 |
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> |
| 5 |
CommitDate: Mon Jan 31 19:25:33 2022 +0000 |
| 6 |
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=545b803c |
| 7 |
|
| 8 |
puppet: Update gentoo-specific tunable to fix selint error |
| 9 |
|
| 10 |
Can use files_relabel_all_non_security_file_types instead of the |
| 11 |
gen_require hack |
| 12 |
|
| 13 |
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org> |
| 14 |
|
| 15 |
policy/modules/admin/puppet.te | 24 ++---------------------- |
| 16 |
1 file changed, 2 insertions(+), 22 deletions(-) |
| 17 |
|
| 18 |
diff --git a/policy/modules/admin/puppet.te b/policy/modules/admin/puppet.te |
| 19 |
index 8e7c20c3..3d5a832b 100644 |
| 20 |
--- a/policy/modules/admin/puppet.te |
| 21 |
+++ b/policy/modules/admin/puppet.te |
| 22 |
@@ -370,28 +370,8 @@ ifdef(`distro_gentoo',` |
| 23 |
usermanage_domtrans_passwd(puppet_t) |
| 24 |
|
| 25 |
tunable_policy(`puppet_manage_all_files',` |
| 26 |
- # We should use files_relabel_all_files here, but it calls |
| 27 |
- # seutil_relabelto_bin_policy which sets a "typeattribute type attr", |
| 28 |
- # which is not allowed within a tunable_policy. |
| 29 |
- # So, we duplicate the content of files_relabel_all_files except for |
| 30 |
- # the policy configuration stuff and hope users do that through Portage |
| 31 |
- |
| 32 |
- gen_require(` #selint-disable:S-001 |
| 33 |
- attribute file_type; |
| 34 |
- attribute security_file_type; |
| 35 |
- type policy_config_t; |
| 36 |
- ') |
| 37 |
- |
| 38 |
- allow puppet_t { file_type -policy_config_t -security_file_type }:dir list_dir_perms; |
| 39 |
- relabel_dirs_pattern(puppet_t, { file_type -policy_config_t -security_file_type }, { file_type -policy_config_t -security_file_type }) |
| 40 |
- relabel_files_pattern(puppet_t, { file_type -policy_config_t -security_file_type }, { file_type -policy_config_t -security_file_type }) |
| 41 |
- relabel_lnk_files_pattern(puppet_t, { file_type -policy_config_t -security_file_type }, { file_type -policy_config_t -security_file_type }) |
| 42 |
- relabel_fifo_files_pattern(puppet_t, { file_type -policy_config_t -security_file_type }, { file_type -policy_config_t -security_file_type }) |
| 43 |
- relabel_sock_files_pattern(puppet_t, { file_type -policy_config_t -security_file_type }, { file_type -policy_config_t -security_file_type }) |
| 44 |
- # this is only relabelfrom since there should be no |
| 45 |
- # device nodes with file types. |
| 46 |
- relabelfrom_blk_files_pattern(puppet_t, { file_type -policy_config_t -security_file_type }, { file_type -policy_config_t -security_file_type }) |
| 47 |
- relabelfrom_chr_files_pattern(puppet_t, { file_type -policy_config_t -security_file_type }, { file_type -policy_config_t -security_file_type }) |
| 48 |
+ # Also allows relabelfrom blk and chr_files which are not in files_manage_non_auth_files |
| 49 |
+ files_relabel_all_non_security_file_types(puppet_t) |
| 50 |
') |
| 51 |
|
| 52 |
optional_policy(` |
Archives