Gentoo Archives: gentoo-hardened

From: Matthew Thode <mthode@××××××.org>
To: "gentoo-hardened@l.g.o" <gentoo-hardened@l.g.o>
Subject: [gentoo-hardened] selinux puppet update for 2.6.8
Date: Sun, 10 Jul 2011 22:02:41
Message-Id: CA3F888B.290A%mthode@mthode.org
First, puppet and puppetmaster are both in /usr/bin, not /usr/sbin, anymore.

And here is what I needed to add to the policy.

module puppetlocal 1.0;

require {
        type sendmail_exec_t;
        type puppet_t;
        type proc_net_t;
        type mount_exec_t;
        type portage_exec_t;
        type passwd_exec_t;
        type initrc_notrans_exec_t;
        class capability dac_read_search;
        class dir search;
        class file { execute read open getattr execute_no_trans };
}

#============= puppet_t ==============
# execute init scripts labelled initrc_notrans_exec_t (the "notrans" type:
# scripts that are run without a domain transition)
allow puppet_t initrc_notrans_exec_t:file execute;
# execute_no_trans: mount runs inside puppet_t itself, with no domain
# transition to a mount domain
allow puppet_t mount_exec_t:file { execute execute_no_trans };
# execute passwd, the portage executables and sendmail
allow puppet_t passwd_exec_t:file execute;
allow puppet_t portage_exec_t:file execute;
allow puppet_t sendmail_exec_t:file execute;
# search and read files under /proc/net (proc_net_t)
allow puppet_t proc_net_t:dir search;
allow puppet_t proc_net_t:file { read getattr open };
# CAP_DAC_READ_SEARCH: bypass DAC read/search permission checks on files
# and directories
allow puppet_t self:capability dac_read_search;

--
Matthew Thode
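The module above is small enough to read by eye, but a local policy module that grows over a few puppet upgrades is not. The script below is an added example, not code from this post or from the Gentoo SELinux policy: it parses the `allow SRC TGT:CLASS PERMS;` statements of a .te module (the posted puppetlocal text is embedded inline as its input) and reports the two kinds of grant a hardening reviewer looks at first, `execute_no_trans` (the target binary runs inside the source domain, so no domain transition confines it) and `self:capability` grants such as dac_read_search. Function names, the regex and the finding texts are this example's own.

```python
"""Audit SELinux type-enforcement allow rules like the puppetlocal module above.

Added example (not code from the mailing-list post or from the Gentoo
SELinux policy): parses `allow SRC TGT:CLASS PERMS;` statements from a .te
module and reports the grants a hardening reviewer checks first:
execute_no_trans (the binary runs inside the source domain, with no
domain transition to confine it) and self:capability grants.
"""
import re
from dataclasses import dataclass

# The module text from the post, embedded inline so the script runs offline.
PUPPETLOCAL_TE = """\
module puppetlocal 1.0;

require {
    type sendmail_exec_t;
    type puppet_t;
    type proc_net_t;
    type mount_exec_t;
    type portage_exec_t;
    type passwd_exec_t;
    type initrc_notrans_exec_t;
    class capability dac_read_search;
    class dir search;
    class file { execute read open getattr execute_no_trans };
}

#============= puppet_t ==============
allow puppet_t initrc_notrans_exec_t:file execute;
allow puppet_t mount_exec_t:file { execute execute_no_trans };
allow puppet_t passwd_exec_t:file execute;
allow puppet_t portage_exec_t:file execute;
allow puppet_t proc_net_t:dir search;
allow puppet_t proc_net_t:file { read getattr open };
allow puppet_t self:capability dac_read_search;
allow puppet_t sendmail_exec_t:file execute;
"""

# One allow rule per line: `allow src tgt:class perm;` or `... { p1 p2 };`.
ALLOW_RE = re.compile(
    r"^allow\s+(?P<src>\S+)\s+(?P<tgt>[^\s:]+):(?P<cls>[^\s{]+)\s+"
    r"(?P<perms>\{[^}]*\}|[^\s;]+)\s*;"
)


@dataclass(frozen=True)
class AllowRule:
    source: str
    target: str
    tclass: str
    perms: frozenset


def parse_allow_rules(te_text):
    """Return an AllowRule for every single-line allow statement in te_text.

    `require` blocks, the `module` header and `#` comments are ignored; rules
    split across several lines are not handled (the posted module has none).
    """
    rules = []
    for raw in te_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = ALLOW_RE.match(line)
        if m is None:
            continue
        perms = m.group("perms").strip("{}").split()
        rules.append(AllowRule(m.group("src"), m.group("tgt"),
                               m.group("cls"), frozenset(perms)))
    return rules


def executable_types(rules, domain):
    """Sorted file types that `domain` is allowed to execute under these rules."""
    return sorted({r.target for r in rules
                   if r.source == domain and r.tclass == "file"
                   and "execute" in r.perms})


def review_rules(rules):
    """Findings a hardening reviewer raises on a local module, as (rule, reason).

    Two checks: execute_no_trans on a file type means the program runs in the
    source domain itself, so the policy written for the program's own domain
    does not apply; self:capability grants a kernel capability to the domain
    (dac_read_search bypasses DAC read/search checks on files and directories).
    """
    findings = []
    for r in rules:
        if r.tclass == "file" and "execute_no_trans" in r.perms:
            findings.append((r, f"{r.source} runs {r.target} binaries in its "
                                f"own domain (no domain transition)"))
        if r.tclass == "capability" and r.target == "self":
            for cap in sorted(r.perms):
                findings.append((r, f"{r.source} gains capability {cap}"))
    return findings


if __name__ == "__main__":
    rules = parse_allow_rules(PUPPETLOCAL_TE)
    print(f"{len(rules)} allow rules; puppet_t may execute:",
          ", ".join(executable_types(rules, "puppet_t")))
    for rule, reason in review_rules(rules):
        print(f"  {rule.source} {rule.target}:{rule.tclass} -> {reason}")
```

Run against the posted module it lists five executable types for puppet_t and two findings: the mount rule (execute_no_trans) and the dac_read_search capability. Neither finding is necessarily wrong for puppet, which legitimately needs to run mount and read files it does not own, but both are the lines to justify in the reply thread before loading the module with semodule.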

Replies

Subject Author
Re: [gentoo-hardened] selinux puppet update for 2.6.8 Sven Vermeulen <sven.vermeulen@××××××.be>