Received: by 2002:a05:6a10:7420:0:0:0:0 with SMTP id hk32csp661334pxb;
        Thu, 17 Feb 2022 11:53:43 -0800 (PST)
X-Google-Smtp-Source: ABdhPJyKl6P/xwMf7qMvKZZxtaaUvJ4rDu5CJxLX1x6D1ozorMC8qHVn4d+E/0W9omKay5tcSU0Q
X-Received: by 2002:a17:90a:e2cf:b0:1b8:e229:e6c3 with SMTP id fr15-20020a17090ae2cf00b001b8e229e6c3mr4590056pjb.167.1645127623130;
        Thu, 17 Feb 2022 11:53:43 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1645127623; cv=none;
        d=google.com; s=arc-20160816;
        b=Nn9qAG4mOROws+gW6Z+8aSa+HKo4gZMf4qUMKsHN65Uesw42Xt1QSR10MUTdX+GdPs
         0uGFG9ugp1MM7/m6Dj0mgDkBknBmLmpk5vdZ9HcEMGbYx98KLG5mm8tSqsZKgjYL0hwU
         HV2uYAppvIO44vzx4Q6Qe/agWlDVHPE+95mMBqVbDnl0uP1bC3HgccSX8qZWkz8Af3Nw
         Fk+L78i5zqY16z/zcdhTeO8jlKzheWc2Bft8+3DuhTFaFdq6F/qmKNmeHcwaSo8L1Lto
         HS18bbkQIZqmyduMMJLD4vSNqFrg+Q4N73azFAAjNcszzXxOaVWYy/lreagWKLDPp8bk
         2/yQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-disposition:mime-version:message-id
         :subject:to:from:date:dkim-signature;
        bh=nWggKTZE9Z4HpEQQcWfXffw0sy5aNX/1WC184FB1tMY=;
        b=OhQvIRW2J6/FgfnQqQJf5LNSGGeWJ22gBC3G6cXVJzA8MGGWDIvnWgMQ7Y+vWccn8o
         SmyF9KDcrpx8BCeljDzl/5x0OdkfqqVhOgYlpKphZG04nFqGo2R/a1MykHwObm/8d6yg
         va/MPsrnVbVaGb0VecVsGYVSQLPJqtpzacgU1k0v5aQbwD9e5e1Ez3Ak46RHVq25WjZB
         v6YX+KnsibsQvBsQRqpQeyKV+Bj2BzLSwxsPSzU2p9ZSnHeYG5Amzo4f5H07O00LoI/0
         hsKlBcpfzjxWggLB7YcVtZgC8483BnKtbFMZgqlhYdc8785/m7KlSeu1duydu6MX+WMK
         rjFg==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@coker.com.au header.s=2008 header.b=XgeNIotd;
       spf=pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=coker.com.au
Return-Path: <selinux-refpolicy-owner@vger.kernel.org>
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
        by mx.google.com with ESMTP id c11si10365132pls.456.2022.02.17.11.53.37;
        Thu, 17 Feb 2022 11:53:43 -0800 (PST)
Received-SPF: pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@coker.com.au header.s=2008 header.b=XgeNIotd;
       spf=pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=coker.com.au
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S236184AbiBQOqC (ORCPT <rfc822;linux.lists.archive@gmail.com>
        + 22 others); Thu, 17 Feb 2022 09:46:02 -0500
Received: from mxb-00190b01.gslb.pphosted.com ([23.128.96.19]:53862 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S239810AbiBQOqB (ORCPT
        <rfc822;selinux-refpolicy@vger.kernel.org>);
        Thu, 17 Feb 2022 09:46:01 -0500
Received: from smtp.sws.net.au (smtp.sws.net.au [IPv6:2a01:4f8:201:1e6::dada:cafe])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id EE7542B1ABD
        for <selinux-refpolicy@vger.kernel.org>; Thu, 17 Feb 2022 06:45:45 -0800 (PST)
Received: from xev.coker.com.au (localhost [127.0.0.1])
        by smtp.sws.net.au (Postfix) with ESMTP id BB0C9F004
        for <selinux-refpolicy@vger.kernel.org>; Fri, 18 Feb 2022 01:45:42 +1100 (AEDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=coker.com.au;
        s=2008; t=1645109143;
        bh=nWggKTZE9Z4HpEQQcWfXffw0sy5aNX/1WC184FB1tMY=; l=2432;
        h=Date:From:To:Subject:From;
        b=XgeNIotdaBRl7NNd1xx2bExZoq0e67XFaTRCk4QWftUHYslM3PvOUQbbaXrlzSwNF
         xM7JmpLDkJbUuWVe1sj5MJjyOMGHPPZMD7X/aQizuwGBtXb5MsGX1ynUF6cRG6sWUI
         Xf/yNROov5I//1Oh7TeJUWC9Q3MsiNPSeIMEQmLU=
Received: by xev.coker.com.au (Postfix, from userid 1001)
        id 486B41734EFC; Fri, 18 Feb 2022 01:45:38 +1100 (AEDT)
Date:   Fri, 18 Feb 2022 01:45:38 +1100
From:   Russell Coker <russell@coker.com.au>
To:     selinux-refpolicy@vger.kernel.org
Subject: [PATCH] puppet V3
Message-ID: <Yg5fkjvMmT/aQA4K@xev.coker.com.au>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED,
        DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,SPF_HELO_NONE,SPF_PASS,
        T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <selinux-refpolicy.vger.kernel.org>
X-Mailing-List: selinux-refpolicy@vger.kernel.org

Removed the entrypoint stuff that was controversial, the rest should be fine.

I think it's ready to merge.

Signed-off-by: Russell Coker <russell@coker.com.au>

Index: refpolicy-2.20220106/policy/modules/admin/puppet.fc
===================================================================
--- refpolicy-2.20220106.orig/policy/modules/admin/puppet.fc
+++ refpolicy-2.20220106/policy/modules/admin/puppet.fc
@@ -11,6 +11,7 @@
 /usr/sbin/puppetd	--	gen_context(system_u:object_r:puppet_exec_t,s0)
 /usr/sbin/puppetmasterd	--	gen_context(system_u:object_r:puppetmaster_exec_t,s0)
 
+/var/cache/puppet(/.*)?	gen_context(system_u:object_r:puppet_cache_t,s0)
 /var/lib/puppet(/.*)?	gen_context(system_u:object_r:puppet_var_lib_t,s0)
 
 /var/log/puppet(/.*)?	gen_context(system_u:object_r:puppet_log_t,s0)
Index: refpolicy-2.20220106/policy/modules/admin/puppet.te
===================================================================
--- refpolicy-2.20220106.orig/policy/modules/admin/puppet.te
+++ refpolicy-2.20220106/policy/modules/admin/puppet.te
@@ -36,6 +36,9 @@ init_daemon_runtime_file(puppet_runtime_
 type puppet_tmp_t;
 files_tmp_file(puppet_tmp_t)
 
+type puppet_cache_t;
+files_type(puppet_cache_t)
+
 type puppet_var_lib_t;
 files_type(puppet_var_lib_t)
 
@@ -74,6 +77,9 @@ manage_dirs_pattern(puppet_t, puppet_var
 manage_files_pattern(puppet_t, puppet_var_lib_t, puppet_var_lib_t)
 can_exec(puppet_t, puppet_var_lib_t)
 
+manage_dirs_pattern(puppet_t, puppet_cache_t, puppet_cache_t)
+manage_files_pattern(puppet_t, puppet_cache_t, puppet_cache_t)
+
 setattr_dirs_pattern(puppet_t, puppet_runtime_t, puppet_runtime_t)
 manage_files_pattern(puppet_t, puppet_runtime_t, puppet_runtime_t)
 files_runtime_filetrans(puppet_t, puppet_runtime_t, { file dir })
@@ -182,8 +189,6 @@ optional_policy(`
 ')
 
 optional_policy(`
-	files_rw_var_files(puppet_t)
-
 	rpm_domtrans(puppet_t)
 	rpm_manage_db(puppet_t)
 	rpm_manage_log(puppet_t)
@@ -267,6 +272,7 @@ allow puppetmaster_t puppet_etc_t:lnk_fi
 allow puppetmaster_t puppet_log_t:dir setattr_dir_perms;
 append_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t)
 create_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t)
+read_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t)
 setattr_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t)
 logging_log_filetrans(puppetmaster_t, puppet_log_t, { file dir })