From: sven.vermeulen@siphos.be (Sven Vermeulen) Date: Mon, 31 Dec 2012 23:52:26 +0100 Subject: [refpolicy] [PATCH 07/12] Puppet module helper scripts are puppet_var_lib_t In-Reply-To: <1356994351-29191-1-git-send-email-sven.vermeulen@siphos.be> References: <1356994351-29191-1-git-send-email-sven.vermeulen@siphos.be> Message-ID: <1356994351-29191-8-git-send-email-sven.vermeulen@siphos.be> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com As the module helper scripts are puppet_var_lib_t, we allow puppet_t to execute these files. Another method would be to have the scripts marked bin_t, but as these paths are depending on module names this does not seem feasible. Signed-off-by: Sven Vermeulen --- puppet.te | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) diff --git a/puppet.te b/puppet.te index 5a256e3..f627825 100644 --- a/puppet.te +++ b/puppet.te @@ -71,6 +71,7 @@ allow puppet_t puppet_etc_t:lnk_file read_lnk_file_perms; manage_dirs_pattern(puppet_t, puppet_var_lib_t, puppet_var_lib_t) manage_files_pattern(puppet_t, puppet_var_lib_t, puppet_var_lib_t) +can_exec(puppet_t, puppet_var_lib_t) setattr_dirs_pattern(puppet_t, puppet_var_run_t, puppet_var_run_t) manage_files_pattern(puppet_t, puppet_var_run_t, puppet_var_run_t) -- 1.7.8.6
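Review bot: The new can_exec(puppet_t, puppet_var_lib_t) in the @@ -71,6 +71,7 @@ hunk of puppet.te lands directly below manage_files_pattern(puppet_t, puppet_var_lib_t, puppet_var_lib_t), so puppet_t can now both write and execute files of one type, and can_exec runs them in puppet_t itself with no domain transition. That makes every file the agent can create under this type executable content for the agent's own domain, which is broader than "module helper scripts". The reason for accepting this (script paths depend on module names, so labelling them bin_t is not practical) exists only in the commit message; please add a comment above the can_exec line stating it, so the rule is not read later as an oversight. It would also help to say in the message whether a separate type for the helper scripts, distinct from the rest of the puppet_var_lib_t data, was considered, since that would keep the writable data non-executable.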