commit: 65a238f2432caf176b7a27b332622aa810bfaf9f
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sun Aug 10 18:03:34 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri Aug 15 10:40:16 2014 +0000
URL:
http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=65a238f2
Salt policy
---
policy/modules/contrib/salt.fc | 29 +++++
policy/modules/contrib/salt.if | 88 +++++++++++++
policy/modules/contrib/salt.te | 289 +++++++++++++++++++++++++++++++++++++++++
3 files changed, 406 insertions(+)
diff --git a/policy/modules/contrib/salt.fc b/policy/modules/contrib/salt.fc
new file mode 100644
index 0000000..399f5ad
--- /dev/null
+++ b/policy/modules/contrib/salt.fc
@@ -0,0 +1,29 @@
+/etc/salt(/.*)? gen_context(system_u:object_r:salt_etc_t,s0)
+/etc/salt/pki(/.*)? gen_context(system_u:object_r:salt_pki_t,s0)
+/etc/salt/pki/master(/.*)?
gen_context(system_u:object_r:salt_master_pki_t,s0)
+/etc/salt/pki/minion(/.*)?
gen_context(system_u:object_r:salt_minion_pki_t,s0)
+
+/etc/rc\.d/init\.d/salt-master --
gen_context(system_u:object_r:salt_master_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/salt-minion --
gen_context(system_u:object_r:salt_minion_initrc_exec_t,s0)
+
+/usr/lib/python-exec/python[0-9]?\.[0-9]?/salt-master --
gen_context(system_u:object_r:salt_master_exec_t,s0)
+/usr/lib/python-exec/python[0-9]?\.[0-9]?/salt-minion --
gen_context(system_u:object_r:salt_minion_exec_t,s0)
+
+/usr/bin/salt-master --
gen_context(system_u:object_r:salt_master_exec_t,s0)
+/usr/bin/salt-minion --
gen_context(system_u:object_r:salt_minion_exec_t,s0)
+
+/var/log/salt -d gen_context(system_u:object_r:salt_log_t,s0)
+/var/log/salt/master --
gen_context(system_u:object_r:salt_master_log_t,s0)
+/var/log/salt/minion --
gen_context(system_u:object_r:salt_minion_log_t,s0)
+
+/var/run/salt -d gen_context(system_u:object_r:salt_var_run_t,s0)
+/var/run/salt/master(/.*)?
gen_context(system_u:object_r:salt_master_var_run_t,s0)
+/var/run/salt/minion(/.*)?
gen_context(system_u:object_r:salt_minion_var_run_t,s0)
+/var/run/salt-master\.pid --
gen_context(system_u:object_r:salt_master_var_run_t,s0)
+/var/run/salt-minion\.pid --
gen_context(system_u:object_r:salt_minion_var_run_t,s0)
+
+/var/cache/salt -d gen_context(system_u:object_r:salt_cache_t,s0)
+/var/cache/salt/master(/.*)?
gen_context(system_u:object_r:salt_master_cache_t,s0)
+/var/cache/salt/minion(/.*)?
gen_context(system_u:object_r:salt_minion_cache_t,s0)
+
+/srv/salt(/.*)? gen_context(system_u:object_r:salt_sls_t,s0)
diff --git a/policy/modules/contrib/salt.if b/policy/modules/contrib/salt.if
new file mode 100644
index 0000000..7ab9e6b
--- /dev/null
+++ b/policy/modules/contrib/salt.if
@@ -0,0 +1,88 @@
+## <summary>Infrastructure management toolset</summary>
+
+#########################################
+## <summary>
+## All the rules required to administer a salt master environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access
+## </summary>
+## </param>
+#
+interface(`salt_admin_master',`
+ gen_require(`
+ type salt_master_t;
+ type salt_master_initrc_exec_t;
+ type salt_master_exec_t;
+ type salt_etc_t;
+ type salt_var_run_t;
+ type salt_master_var_run_t;
+ attribute_role salt_master_roles;
+ ')
+
+ allow $1 salt_master_t:process { ptrace signal_perms };
+ ps_process_pattern($1, salt_master_t)
+
+ init_labeled_script_domtrans($1, salt_master_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 salt_master_initrc_exec_t system_r;
+
+ # for debugging?
+ role_transition $2 salt_master_exec_t system_r;
+ domtrans_pattern($1, salt_master_exec_t, salt_master_t)
+
+ roleattribute $2 salt_master_roles;
+
+ files_list_etc($1)
+ admin_pattern($1, salt_etc_t, salt_etc_t)
+
+ allow $1 salt_var_run_t:dir search_dir_perms;
+ stream_connect_pattern($1, salt_master_var_run_t,
salt_master_var_run_t, salt_master_t)
+')
+
+#########################################
+## <summary>
+## All the rules required to administer a salt minion environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access
+## </summary>
+## </param>
+#
+interface(`salt_admin_minion',`
+ gen_require(`
+ type salt_minion_t;
+ type salt_minion_initrc_exec_t;
+ type salt_minion_exec_t;
+ type salt_etc_t;
+ attribute_role salt_minion_roles;
+ ')
+
+ allow $1 salt_minion_t:process { ptrace signal_perms };
+ ps_process_pattern($1, salt_minion_t)
+
+ init_labeled_script_domtrans($1, salt_minion_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 salt_minion_initrc_exec_t system_r;
+
+ # for debugging
+ role_transition $2 salt_minion_exec_t system_r;
+ domtrans_pattern($1, salt_minion_exec_t, salt_minion_t)
+
+ roleattribute $2 salt_minion_roles;
+
+ files_list_etc($1)
+ admin_pattern($1, salt_etc_t, salt_etc_t)
+')
diff --git a/policy/modules/contrib/salt.te b/policy/modules/contrib/salt.te
new file mode 100644
index 0000000..35dc162
--- /dev/null
+++ b/policy/modules/contrib/salt.te
@@ -0,0 +1,289 @@
+policy_module(salt, 1.0)
+
+#########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Determine wether the salt minion can manage nfs files
+## </p>
+## </desc>
+gen_tunable(salt_minion_use_nfs, false)
+
+attribute_role salt_master_roles;
+roleattribute system_r salt_master_roles;
+
+attribute_role salt_minion_roles;
+roleattribute system_r salt_minion_roles;
+
+type salt_master_t;
+type salt_master_exec_t;
+init_daemon_domain(salt_master_t, salt_master_exec_t)
+role salt_master_roles types salt_master_t;
+
+type salt_master_cache_t;
+files_type(salt_master_cache_t)
+
+type salt_master_initrc_exec_t;
+init_script_file(salt_master_initrc_exec_t)
+
+type salt_master_log_t;
+logging_log_file(salt_master_log_t)
+
+type salt_master_pki_t;
+files_type(salt_master_pki_t)
+
+type salt_master_tmp_t;
+files_tmp_file(salt_master_tmp_t)
+
+type salt_master_var_run_t;
+init_daemon_pid_file(salt_master_var_run_t, file, "salt-master.pid")
+files_pid_file(salt_master_var_run_t)
+
+type salt_minion_t;
+type salt_minion_exec_t;
+init_daemon_domain(salt_minion_t, salt_minion_exec_t)
+role salt_minion_roles types salt_minion_t;
+
+type salt_minion_cache_t;
+files_type(salt_minion_cache_t)
+
+type salt_minion_initrc_exec_t;
+init_script_file(salt_minion_initrc_exec_t)
+
+type salt_minion_log_t;
+logging_log_file(salt_minion_log_t)
+
+type salt_minion_pki_t;
+files_type(salt_minion_pki_t)
+
+type salt_minion_tmp_t;
+files_tmp_file(salt_minion_tmp_t)
+
+type salt_minion_var_run_t;
+init_daemon_pid_file(salt_minion_var_run_t, file, "salt-minion.pid")
+files_pid_file(salt_minion_var_run_t)
+
+type salt_cache_t;
+files_type(salt_cache_t)
+
+type salt_etc_t;
+files_config_file(salt_etc_t)
+
+type salt_log_t;
+logging_log_file(salt_log_t)
+
+type salt_sls_t;
+files_type(salt_sls_t)
+
+type salt_pki_t;
+files_type(salt_pki_t)
+
+type salt_var_run_t;
+files_pid_file(salt_var_run_t)
+
+#########################################
+#
+# salt_master_t policy
+#
+
+allow salt_master_t self:capability { net_admin sys_admin sys_tty_config };
+allow salt_master_t self:capability2 block_suspend;
+allow salt_master_t self:process signal;
+allow salt_master_t self:tcp_socket create_stream_socket_perms;
+allow salt_master_t self:udp_socket create_socket_perms;
+allow salt_master_t self:fifo_file rw_fifo_file_perms;
+allow salt_master_t self:netlink_route_socket rw_netlink_socket_perms;
+allow salt_master_t self:unix_stream_socket connectto;
+
+# salt_cache_t
+allow salt_master_t salt_cache_t:dir create_dir_perms;
+files_var_filetrans(salt_master_t, salt_cache_t, dir, "salt")
+
+# salt_etc_t
+read_files_pattern(salt_master_t, salt_etc_t, salt_etc_t)
+list_dirs_pattern(salt_master_t, salt_etc_t, salt_etc_t)
+
+# salt_log_t
+allow salt_master_t salt_log_t:dir create_dir_perms;
+logging_log_filetrans(salt_master_t, salt_log_t, dir, "salt")
+
+# salt_master_cache_t
+manage_dirs_pattern(salt_master_t, salt_cache_t, salt_master_cache_t)
+allow salt_master_t salt_master_cache_t:file manage_file_perms;
+filetrans_pattern(salt_master_t, salt_cache_t, salt_master_cache_t, dir,
"master")
+
+# salt_master_log_t
+manage_files_pattern(salt_master_t, salt_log_t, salt_master_log_t)
+manage_dirs_pattern(salt_master_t, salt_log_t, salt_master_log_t)
+filetrans_pattern(salt_master_t, salt_log_t, salt_master_log_t, { file dir })
+
+# salt_master_pki_t
+manage_dirs_pattern(salt_master_t, salt_pki_t, salt_master_pki_t)
+allow salt_master_t salt_master_pki_t:file manage_file_perms;
+filetrans_pattern(salt_master_t, salt_pki_t, salt_master_pki_t, dir, "master")
+
+# salt_master_tmp_t
+manage_files_pattern(salt_master_t, salt_master_tmp_t, salt_master_tmp_t)
+manage_dirs_pattern(salt_master_t, salt_master_tmp_t, salt_master_tmp_t)
+files_tmp_filetrans(salt_master_t, salt_master_tmp_t, { file dir })
+# libffi, screw you
+can_exec(salt_master_t, salt_master_tmp_t)
+
+# salt_master_var_run_t
+allow salt_master_t salt_master_var_run_t:file manage_file_perms;
+allow salt_master_t salt_master_var_run_t:sock_file manage_sock_file_perms;
+manage_dirs_pattern(salt_master_t, salt_var_run_t, salt_master_var_run_t)
+filetrans_pattern(salt_master_t, salt_var_run_t, salt_master_var_run_t, dir)
+
+# salt_pki_t
+create_dirs_pattern(salt_master_t, salt_etc_t, salt_pki_t)
+filetrans_pattern(salt_master_t, salt_etc_t, salt_pki_t, dir, "pki")
+
+# salt_sls_t
+read_files_pattern(salt_master_t, salt_sls_t, salt_sls_t)
+allow salt_master_t salt_sls_t:dir list_dir_perms;
+
+# salt_var_run_t
+allow salt_master_t salt_var_run_t:dir create_dir_perms;
+files_pid_filetrans(salt_master_t, salt_var_run_t, dir)
+files_pid_filetrans(salt_master_t, salt_master_var_run_t, file,
"salt-master.pid")
+
+kernel_read_network_state(salt_master_t)
+kernel_read_system_state(salt_master_t)
+
+corecmd_exec_bin(salt_master_t)
+corecmd_exec_shell(salt_master_t)
+
+corenet_tcp_bind_generic_node(salt_master_t)
+# Actually only 4505 and 4506, need to create a salt_master tcp port for that
+corenet_tcp_bind_salt_port(salt_master_t)
+#corenet_tcp_bind_all_unreserved_ports(salt_master_t)
+
+dev_read_sysfs(salt_master_t)
+
+sysnet_exec_ifconfig(salt_master_t)
+sysnet_read_config(salt_master_t)
+
+domain_dontaudit_exec_all_entry_files(salt_master_t)
+
+files_read_etc_files(salt_master_t)
+files_read_usr_files(salt_master_t)
+
+getty_use_fds(salt_master_t)
+
+miscfiles_read_localization(salt_master_t)
+
+userdom_use_user_terminals(salt_master_t)
+userdom_dontaudit_list_user_home_dirs(salt_master_t)
+
+
+#########################################
+#
+# salt_minion_t policy
+#
+
+allow salt_minion_t self:capability { net_admin sys_admin sys_tty_config };
+allow salt_minion_t self:capability2 block_suspend;
+allow salt_minion_t self:process { signull };
+allow salt_minion_t self:tcp_socket create_stream_socket_perms;
+allow salt_minion_t self:udp_socket create_socket_perms;
+allow salt_minion_t self:unix_dgram_socket create_socket_perms;
+allow salt_minion_t self:fifo_file rw_fifo_file_perms;
+allow salt_minion_t self:netlink_route_socket rw_netlink_socket_perms;
+#allow salt_minion_t self:unix_stream_socket connectto;
+
+# salt_cache_t
+allow salt_minion_t salt_cache_t:dir create_dir_perms;
+files_var_filetrans(salt_minion_t, salt_cache_t, dir, "salt")
+
+# salt_etc_t
+read_files_pattern(salt_minion_t, salt_etc_t, salt_etc_t)
+list_dirs_pattern(salt_minion_t, salt_etc_t, salt_etc_t)
+
+# salt_log_t
+allow salt_minion_t salt_log_t:dir create_dir_perms;
+logging_log_filetrans(salt_minion_t, salt_log_t, dir, "salt")
+
+# salt_minion_cache_t
+manage_dirs_pattern(salt_minion_t, salt_cache_t, salt_minion_cache_t)
+allow salt_minion_t salt_minion_cache_t:file manage_file_perms;
+filetrans_pattern(salt_minion_t, salt_cache_t, salt_minion_cache_t, dir,
"minion")
+
+# salt_minion_log_t
+manage_files_pattern(salt_minion_t, salt_log_t, salt_minion_log_t)
+manage_dirs_pattern(salt_minion_t, salt_log_t, salt_minion_log_t)
+filetrans_pattern(salt_minion_t, salt_log_t, salt_minion_log_t, { file dir })
+
+# salt_minion_pki_t
+manage_dirs_pattern(salt_minion_t, salt_pki_t, salt_minion_pki_t)
+allow salt_minion_t salt_minion_pki_t:file manage_file_perms;
+filetrans_pattern(salt_minion_t, salt_pki_t, salt_minion_pki_t, dir, "minion")
+
+# salt_minion_tmp_t
+manage_files_pattern(salt_minion_t, salt_minion_tmp_t, salt_minion_tmp_t)
+manage_dirs_pattern(salt_minion_t, salt_minion_tmp_t, salt_minion_tmp_t)
+files_tmp_filetrans(salt_minion_t, salt_minion_tmp_t, { file dir })
+# libffi, screw you
+can_exec(salt_minion_t, salt_minion_tmp_t)
+
+# salt_minion_var_run_t
+allow salt_minion_t salt_minion_var_run_t:file manage_file_perms;
+allow salt_minion_t salt_minion_var_run_t:sock_file manage_sock_file_perms;
+manage_dirs_pattern(salt_minion_t, salt_var_run_t, salt_minion_var_run_t)
+filetrans_pattern(salt_minion_t, salt_var_run_t, salt_minion_var_run_t, dir)
+
+# salt_pki_t
+create_dirs_pattern(salt_minion_t, salt_etc_t, salt_pki_t)
+filetrans_pattern(salt_minion_t, salt_etc_t, salt_pki_t, dir, "pki")
+
+# salt_var_run_t
+allow salt_minion_t salt_var_run_t:dir create_dir_perms;
+files_pid_filetrans(salt_minion_t, salt_var_run_t, dir)
+files_pid_filetrans(salt_minion_t, salt_minion_var_run_t, file,
"salt-minion.pid")
+
+kernel_read_network_state(salt_minion_t)
+kernel_read_system_state(salt_minion_t)
+kernel_rw_all_sysctls(salt_minion_t)
+
+corecmd_exec_bin(salt_minion_t)
+corecmd_exec_shell(salt_minion_t)
+
+#corenet_tcp_bind_generic_node(salt_minion_t)
+# Actually only 4505 and 4506, need to create a salt_minion tcp port for that
+#corenet_tcp_bind_all_unreserved_ports(salt_minion_t)
+corenet_tcp_connect_salt_port(salt_minion_t)
+#corenet_tcp_connect_all_unreserved_ports(salt_minion_t)
+
+dev_read_sysfs(salt_minion_t)
+
+sysnet_exec_ifconfig(salt_minion_t)
+sysnet_read_config(salt_minion_t)
+
+domain_dontaudit_exec_all_entry_files(salt_minion_t)
+
+files_manage_all_non_security_file_types(salt_minion_t)
+#files_getattr_all_files(salt_minion_t)
+#files_read_etc_files(salt_minion_t)
+#files_read_etc_runtime_files(salt_minion_t)
+#files_read_usr_files(salt_minion_t)
+
+fs_getattr_all_fs(salt_minion_t)
+
+getty_use_fds(salt_minion_t)
+
+miscfiles_read_localization(salt_minion_t)
+
+userdom_use_user_terminals(salt_minion_t)
+userdom_dontaudit_list_user_home_dirs(salt_minion_t)
+
+tunable_policy(`salt_minion_use_nfs',`
+ fs_manage_nfs_files(salt_minion_t)
+')
+
+optional_policy(`
+ portage_run(salt_minion_t, salt_minion_roles)
+')
+
