|
|
1ec3d1a |
## <summary>Puppet client daemon</summary>
|
|
|
1ec3d1a |
## <desc>
|
|
|
1ec3d1a |
##
|
|
|
1ec3d1a |
## Puppet is a configuration management system written in Ruby.
|
|
|
1ec3d1a |
## The client daemon is responsible for periodically requesting the
|
|
|
1ec3d1a |
## desired system state from the server and ensuring the state of
|
|
|
1ec3d1a |
## the client system matches.
|
|
|
1ec3d1a |
##
|
|
|
1ec3d1a |
## </desc>
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
########################################
|
|
|
1ec3d1a |
## <summary>
|
|
|
1ec3d1a |
## Execute puppetca in the puppetca
|
|
|
1ec3d1a |
## domain.
|
|
|
1ec3d1a |
## </summary>
|
|
|
1ec3d1a |
## <param name="domain">
|
|
|
1ec3d1a |
## <summary>
|
|
|
1ec3d1a |
## Domain allowed to transition.
|
|
|
1ec3d1a |
## </summary>
|
|
|
1ec3d1a |
## </param>
|
|
|
1ec3d1a |
#
|
|
|
1ec3d1a |
interface(`puppet_domtrans_puppetca',`
|
|
|
1ec3d1a |
gen_require(`
|
|
|
1ec3d1a |
type puppetca_t, puppetca_exec_t;
|
|
|
1ec3d1a |
')
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
corecmd_search_bin($1)
|
|
|
1ec3d1a |
domtrans_pattern($1, puppetca_exec_t, puppetca_t)
|
|
|
1ec3d1a |
')
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
#####################################
|
|
|
1ec3d1a |
## <summary>
|
|
|
1ec3d1a |
## Execute puppetca in the puppetca
|
|
|
1ec3d1a |
## domain and allow the specified
|
|
|
1ec3d1a |
## role the puppetca domain.
|
|
|
1ec3d1a |
## </summary>
|
|
|
1ec3d1a |
## <param name="domain">
|
|
|
1ec3d1a |
## <summary>
|
|
|
1ec3d1a |
## Domain allowed to transition.
|
|
|
1ec3d1a |
## </summary>
|
|
|
1ec3d1a |
## </param>
|
|
|
1ec3d1a |
## <param name="role">
|
|
|
1ec3d1a |
## <summary>
|
|
|
1ec3d1a |
## Role allowed access.
|
|
|
1ec3d1a |
## </summary>
|
|
|
1ec3d1a |
## </param>
|
|
|
1ec3d1a |
## <rolecap/>
|
|
|
1ec3d1a |
#
|
|
|
1ec3d1a |
interface(`puppet_run_puppetca',`
|
|
|
1ec3d1a |
gen_require(`
|
|
|
1ec3d1a |
type puppetca_t, puppetca_exec_t;
|
|
|
1ec3d1a |
')
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
puppet_domtrans_puppetca($1)
|
|
|
1ec3d1a |
role $2 types puppetca_t;
|
|
|
1ec3d1a |
')
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
################################################
|
|
|
1ec3d1a |
## <summary>
|
|
|
1ec3d1a |
## Read / Write to Puppet temp files. Puppet uses
|
|
|
1ec3d1a |
## some system binaries (groupadd, etc) that run in
|
|
|
1ec3d1a |
## a non-puppet domain and redirects output into temp
|
|
|
1ec3d1a |
## files.
|
|
|
1ec3d1a |
## </summary>
|
|
|
1ec3d1a |
## <param name="domain">
|
|
|
1ec3d1a |
## <summary>
|
|
|
1ec3d1a |
## Domain allowed access.
|
|
|
1ec3d1a |
## </summary>
|
|
|
1ec3d1a |
## </param>
|
|
|
1ec3d1a |
#
|
|
Chris PeBenito |
9401ae1 |
interface(`puppet_rw_tmp', `
|
|
|
1ec3d1a |
gen_require(`
|
|
|
1ec3d1a |
type puppet_tmp_t;
|
|
|
1ec3d1a |
')
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
allow $1 puppet_tmp_t:file rw_inherited_file_perms;
|
|
|
1ec3d1a |
files_search_tmp($1)
|
|
|
1ec3d1a |
')
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
################################################
|
|
|
1ec3d1a |
## <summary>
|
|
|
1ec3d1a |
## Read Puppet lib files.
|
|
|
1ec3d1a |
## </summary>
|
|
|
1ec3d1a |
## <param name="domain">
|
|
|
1ec3d1a |
## <summary>
|
|
|
1ec3d1a |
## Domain allowed access.
|
|
|
1ec3d1a |
## </summary>
|
|
|
1ec3d1a |
## </param>
|
|
|
1ec3d1a |
#
|
|
|
1ec3d1a |
interface(`puppet_read_lib',`
|
|
|
1ec3d1a |
gen_require(`
|
|
|
1ec3d1a |
type puppet_var_lib_t;
|
|
|
1ec3d1a |
')
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
read_files_pattern($1, puppet_var_lib_t, puppet_var_lib_t)
|
|
|
1ec3d1a |
files_search_var_lib($1)
|
|
|
1ec3d1a |
')
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
###############################################
|
|
|
1ec3d1a |
## <summary>
|
|
|
1ec3d1a |
## Manage Puppet lib files.
|
|
|
1ec3d1a |
## </summary>
|
|
|
1ec3d1a |
## <param name="domain">
|
|
|
1ec3d1a |
## <summary>
|
|
|
1ec3d1a |
## Domain allowed access.
|
|
|
1ec3d1a |
## </summary>
|
|
|
1ec3d1a |
## </param>
|
|
|
1ec3d1a |
#
|
|
|
1ec3d1a |
interface(`puppet_manage_lib',`
|
|
|
1ec3d1a |
gen_require(`
|
|
|
1ec3d1a |
type puppet_var_lib_t;
|
|
|
1ec3d1a |
')
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
manage_files_pattern($1, puppet_var_lib_t, puppet_var_lib_t)
|
|
|
1ec3d1a |
files_search_var_lib($1)
|
|
|
1ec3d1a |
')
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
######################################
|
|
|
1ec3d1a |
## <summary>
|
|
|
1ec3d1a |
## Allow the specified domain to search puppet's log files.
|
|
|
1ec3d1a |
## </summary>
|
|
|
1ec3d1a |
## <param name="domain">
|
|
|
1ec3d1a |
## <summary>
|
|
|
1ec3d1a |
## Domain allowed access.
|
|
|
1ec3d1a |
## </summary>
|
|
|
1ec3d1a |
## </param>
|
|
|
1ec3d1a |
#
|
|
|
1ec3d1a |
interface(`puppet_search_log',`
|
|
|
1ec3d1a |
gen_require(`
|
|
|
1ec3d1a |
type puppet_log_t;
|
|
|
1ec3d1a |
')
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
logging_search_logs($1)
|
|
|
1ec3d1a |
allow $1 puppet_log_t:dir search_dir_perms;
|
|
|
1ec3d1a |
')
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
#####################################
|
|
|
1ec3d1a |
## <summary>
|
|
|
e9032b5 |
## Allow the specified domain to read puppet's log files.
|
|
|
e9032b5 |
## </summary>
|
|
|
e9032b5 |
## <param name="domain">
|
|
|
e9032b5 |
## <summary>
|
|
|
e9032b5 |
## Domain allowed access.
|
|
|
e9032b5 |
## </summary>
|
|
|
e9032b5 |
## </param>
|
|
|
e9032b5 |
#
|
|
|
e9032b5 |
interface(`puppet_read_log',`
|
|
|
e9032b5 |
gen_require(`
|
|
|
e9032b5 |
type puppet_log_t;
|
|
|
e9032b5 |
')
|
|
|
e9032b5 |
|
|
|
e9032b5 |
logging_search_logs($1)
|
|
|
e9032b5 |
read_files_pattern($1, puppet_log_t, puppet_log_t)
|
|
|
e9032b5 |
')
|
|
|
e9032b5 |
|
|
|
b0e418b |
#####################################
|
|
|
b0e418b |
## <summary>
|
|
|
b0e418b |
## Allow the specified domain to create puppet's log files.
|
|
|
b0e418b |
## </summary>
|
|
|
b0e418b |
## <param name="domain">
|
|
|
b0e418b |
## <summary>
|
|
|
b0e418b |
## Domain allowed access.
|
|
|
b0e418b |
## </summary>
|
|
|
b0e418b |
## </param>
|
|
|
b0e418b |
#
|
|
|
b0e418b |
interface(`puppet_create_log',`
|
|
|
b0e418b |
gen_require(`
|
|
|
b0e418b |
type puppet_log_t;
|
|
|
b0e418b |
')
|
|
|
b0e418b |
|
|
|
b0e418b |
logging_search_logs($1)
|
|
|
3143fa4 |
create_files_pattern($1, puppet_log_t, puppet_log_t)
|
|
|
b0e418b |
')
|
|
|
b0e418b |
|
|
|
b0e418b |
####################################
|
|
|
b0e418b |
## <summary>
|
|
|
b0e418b |
## Allow the specified domain to append puppet's log files.
|
|
|
b0e418b |
## </summary>
|
|
|
b0e418b |
## <param name="domain">
|
|
|
b0e418b |
## <summary>
|
|
|
b0e418b |
## Domain allowed access.
|
|
|
b0e418b |
## </summary>
|
|
|
b0e418b |
## </param>
|
|
|
b0e418b |
#
|
|
|
b0e418b |
interface(`puppet_append_log',`
|
|
|
b0e418b |
gen_require(`
|
|
|
b0e418b |
type puppet_log_t;
|
|
|
b0e418b |
')
|
|
|
b0e418b |
|
|
|
b0e418b |
logging_search_logs($1)
|
|
|
3143fa4 |
append_files_pattern($1, puppet_log_t, puppet_log_t)
|
|
|
b0e418b |
')
|
|
|
b0e418b |
|
|
|
e9032b5 |
####################################
|
|
|
e9032b5 |
## <summary>
|
|
|
31a7f66 |
## Allow the specified domain to manage puppet's log files.
|
|
|
31a7f66 |
## </summary>
|
|
|
31a7f66 |
## <param name="domain">
|
|
|
31a7f66 |
## <summary>
|
|
|
31a7f66 |
## Domain allowed access.
|
|
|
31a7f66 |
## </summary>
|
|
|
31a7f66 |
## </param>
|
|
|
31a7f66 |
#
|
|
|
31a7f66 |
interface(`puppet_manage_log',`
|
|
|
31a7f66 |
gen_require(`
|
|
|
31a7f66 |
type puppet_log_t;
|
|
|
31a7f66 |
')
|
|
|
31a7f66 |
|
|
|
31a7f66 |
logging_search_logs($1)
|
|
|
31a7f66 |
manage_files_pattern($1, puppet_log_t, puppet_log_t)
|
|
|
31a7f66 |
')
|
|
|
31a7f66 |
|
|
|
31a7f66 |
####################################
|
|
|
31a7f66 |
## <summary>
|
|
|
e9032b5 |
## Allow the specified domain to read puppet's config files.
|
|
|
e9032b5 |
## </summary>
|
|
|
e9032b5 |
## <param name="domain">
|
|
|
e9032b5 |
## <summary>
|
|
|
e9032b5 |
## Domain allowed access.
|
|
|
e9032b5 |
## </summary>
|
|
|
e9032b5 |
## </param>
|
|
|
e9032b5 |
#
|
|
|
e9032b5 |
interface(`puppet_read_config',`
|
|
|
e9032b5 |
gen_require(`
|
|
|
e9032b5 |
type puppet_etc_t;
|
|
|
e9032b5 |
')
|
|
|
e9032b5 |
|
|
|
e9032b5 |
logging_search_logs($1)
|
|
|
e9032b5 |
list_dirs_pattern($1, puppet_etc_t, puppet_etc_t)
|
|
|
e9032b5 |
read_files_pattern($1, puppet_etc_t, puppet_etc_t)
|
|
|
e9032b5 |
')
|
|
|
e9032b5 |
|
|
|
e9032b5 |
#####################################
|
|
|
e9032b5 |
## <summary>
|
|
|
1ec3d1a |
## Allow the specified domain to search puppet's pid files.
|
|
|
1ec3d1a |
## </summary>
|
|
|
1ec3d1a |
## <param name="domain">
|
|
|
1ec3d1a |
## <summary>
|
|
|
1ec3d1a |
## Domain allowed access.
|
|
|
1ec3d1a |
## </summary>
|
|
|
1ec3d1a |
## </param>
|
|
|
1ec3d1a |
#
|
|
|
1ec3d1a |
interface(`puppet_search_pid',`
|
|
|
1ec3d1a |
gen_require(`
|
|
|
1ec3d1a |
type puppet_var_run_t;
|
|
|
1ec3d1a |
')
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
files_search_pids($1)
|
|
|
1ec3d1a |
allow $1 puppet_var_run_t:dir search_dir_perms;
|
|
|
1ec3d1a |
')
|