From: sven.vermeulen@siphos.be (Sven Vermeulen)
Date: Wed, 17 Aug 2011 03:39:53 +0000
Subject: [refpolicy] Calling typeattribute within a tunable_policy() is not allowed?
In-Reply-To: <4E4AC45D.1070300@tresys.com>
References: <20110813210636.GA2679@siphos.be> <4E4AC45D.1070300@tresys.com>
Message-ID:
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Tue, Aug 16, 2011 at 7:26 PM, Christopher J. PeBenito wrote:
[... Allow puppet to relabel all files, which includes binary policy files ...]
> Why would puppet need this access anyway? The binary policy should be managed by semanage.

True. As a matter of fact, I currently enclosed files_relabel_all_files' contents without the seutil_ thingie.

We have a user that uses puppet extensively and he noticed that puppet (which is SELinux-aware) is able to relabel files properly when they are created or manipulated on the system. The current policy supports that only for configuration file types, but for his installation that isn't sufficient.

It now has relabel privileges for "file_type -policy_config_t -security_file_type".
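Editor's added illustration of the construction Sven describes, written in refpolicy's interface and tunable syntax; it is not code from this thread or from the refpolicy tree. It shows why the subject-line problem (no typeattribute inside tunable_policy()) does not block this: the exclusion "file_type -policy_config_t -security_file_type" is a type set resolved at compile time, so it can be used directly in the rules, and the rules can be called from a conditional block. The interface name files_relabel_non_security_files, the boolean puppet_manage_all_files and the domain puppet_t are assumptions; the relabel_*_pattern macros, list_dir_perms, gen_tunable and tunable_policy are the standard refpolicy support macros.

```selinux
## Added example (editor's illustration, not from this thread or from
## refpolicy): relabel rights on every file type except the policy and
## security file types, exposed through a tunable so it is off by default.
## Assumed names: files_relabel_non_security_files, puppet_manage_all_files,
## puppet_t.

########################################
## <summary>
##	Relabel all file types except policy_config_t and the
##	security_file_type attribute (assumed interface, modelled
##	on files_relabel_all_files without the seutil_ pieces).
## </summary>
## <param name="domain">
##	<summary>Domain allowed access.</summary>
## </param>
#
interface(`files_relabel_non_security_files',`
	gen_require(`
		attribute file_type, security_file_type;
		type policy_config_t;
	')

	# The subtraction is a compile-time type set: no typeattribute
	# statement is involved, so these rules are legal in a conditional.
	allow $1 { file_type -policy_config_t -security_file_type }:dir list_dir_perms;
	relabel_dirs_pattern($1, { file_type -policy_config_t -security_file_type }, { file_type -policy_config_t -security_file_type })
	relabel_files_pattern($1, { file_type -policy_config_t -security_file_type }, { file_type -policy_config_t -security_file_type })
	relabel_lnk_files_pattern($1, { file_type -policy_config_t -security_file_type }, { file_type -policy_config_t -security_file_type })
')

# In the puppet module (assumed boolean): disabled by default, so the wider
# relabel rights only apply on hosts where the administrator turns it on.
gen_tunable(puppet_manage_all_files, false)

tunable_policy(`puppet_manage_all_files',`
	files_relabel_non_security_files(puppet_t)
')
```

Because the pattern macros grant both relabelfrom and relabelto on the same excluded set, the domain can neither strip a security label from a policy file nor assign one, which keeps the binary policy and related files under the seutil_ interfaces and semanage, as PeBenito asks. Verify after loading with `sesearch -A -s puppet_t -p relabelto` (assuming setools is installed) and confirm policy_config_t does not appear in the target list.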