From: Craig.Grube@cobham.com (Craig Grube)
Date: Fri, 30 Oct 2009 10:40:55 -0400
Subject: [refpolicy] new service_puppet.patch
In-Reply-To:
References: <776FA2A8-8A8B-4F20-8C1C-BD59111C31E7@cobham.com> <1256649536.6392.34.camel@gorn.columbia.tresys.com>
Message-ID: <6975EBA2-1493-4AD2-9EBB-AB8833ED03D5@cobham.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Oct 30, 2009, at 8:31 AM, Craig Grube wrote:

> On Oct 27, 2009, at 9:18 AM, Christopher J. PeBenito wrote:
>> On Tue, 2009-10-27 at 08:45 -0400, Craig Grube wrote:
>>> +optional_policy(`
>>> + rpm_domtrans(puppetmaster_t)
>>> + rpm_read_db(puppetmaster_t)
>>> +')
>>
>> What is the puppetmaster doing with rpm?
>
> This doesn't appear to be necessary for newer versions of puppet.
> The version I was using when I first started working on the policy
> used rpm to list installed packages.

This was a little premature. After letting puppetmaster run a bit longer I was able to get rpm-related AVCs to pop up. I don't know why it didn't appear sooner, as I removed the optional_policy block from my policy a couple of days ago. I think using rpm_exec and rpm_read_db should give puppetmaster what it wants without letting it transition into the rpm domain.

-- 
Craig Grube
craig.grube at cobham.com
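Review bot: the quoted hunk adds rpm_domtrans(puppetmaster_t) with no justification in the patch for why the puppet master needs rpm at all, which is exactly the question the reviewer raises; the commit message or a comment above the optional_policy block should state the use (listing installed packages). Since that use is read-only, rpm_domtrans is broader than needed: it lets puppetmaster transition into the rpm domain, whereas `rpm_exec(puppetmaster_t)` plus `rpm_read_db(puppetmaster_t)`, as proposed later in the thread, keeps rpm running in puppetmaster_t with only package database read access. Also note the duplication in the hunk: if rpm_domtrans is kept for the rpm run itself, rpm_read_db(puppetmaster_t) only matters for reads puppetmaster does directly in its own domain, so the pair should be chosen deliberately rather than stacked.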
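The two policy shapes the thread compares, written out side by side as an added example (this is not the patch's own text or anything from the refpolicy tree). It uses refpolicy's optional_policy() and the three rpm interfaces named in the message; the statement that package listing needs only execute-in-domain plus database read access is an assumption about that puppet version, not something the thread confirms.

```m4
# Added example: two ways of letting puppetmaster_t use rpm, as a
# refpolicy .te fragment. Interface names come from the thread; the
# claim that listing packages needs only the second form is assumed.

# Broader form (the original hunk). rpm_domtrans makes puppetmaster's
# exec of rpm transition into the rpm domain, so everything rpm does
# runs with the rpm domain's permissions rather than puppetmaster_t's.
# The rpm_read_db line only matters for reads puppetmaster_t performs
# itself, since the rpm child is no longer in puppetmaster_t.
optional_policy(`
	rpm_domtrans(puppetmaster_t)
	rpm_read_db(puppetmaster_t)
')

# Tighter form (the thread's proposal). rpm_exec runs the rpm binary in
# the caller's own domain, puppetmaster_t, and rpm_read_db grants read
# access to the package database. A read-only query such as listing
# installed packages is covered; any attempt by rpm to write the database
# from puppetmaster_t is denied and surfaces as an AVC, which is the
# signal that this form is too narrow for the puppet version in use.
optional_policy(`
	rpm_exec(puppetmaster_t)
	rpm_read_db(puppetmaster_t)
')
```

Only one of the two blocks belongs in the final puppet.te; the point of putting them side by side is that the second keeps the rpm process confined by puppetmaster_t's own rules instead of inheriting the rpm domain's wider write privileges.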