From: dominick.grift@gmail.com (grift) Date: Tue, 01 Jan 2013 11:47:56 +0100 Subject: [refpolicy] [PATCH 07/12] Puppet module helper scripts are puppet_var_lib_t In-Reply-To: <1356994351-29191-8-git-send-email-sven.vermeulen@siphos.be> References: <1356994351-29191-1-git-send-email-sven.vermeulen@siphos.be> <1356994351-29191-8-git-send-email-sven.vermeulen@siphos.be> Message-ID: <1357037276.2088.16.camel@localhost> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On Mon, 2012-12-31 at 23:52 +0100, Sven Vermeulen wrote: > As the module helper scripts are puppet_var_lib_t, we allow puppet_t to execute > these files. Another method would be to have the scripts marked bin_t, but as > these paths are depending on module names this does not seem feasible. > This was merged, thanks > Signed-off-by: Sven Vermeulen > --- > puppet.te | 1 + > 1 files changed, 1 insertions(+), 0 deletions(-) > > diff --git a/puppet.te b/puppet.te > index 5a256e3..f627825 100644 > --- a/puppet.te > +++ b/puppet.te > @@ -71,6 +71,7 @@ allow puppet_t puppet_etc_t:lnk_file read_lnk_file_perms; > > manage_dirs_pattern(puppet_t, puppet_var_lib_t, puppet_var_lib_t) > manage_files_pattern(puppet_t, puppet_var_lib_t, puppet_var_lib_t) > +can_exec(puppet_t, puppet_var_lib_t) > > setattr_dirs_pattern(puppet_t, puppet_var_run_t, puppet_var_run_t) > manage_files_pattern(puppet_t, puppet_var_run_t, puppet_var_run_t)
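Review bot: The added `can_exec(puppet_t, puppet_var_lib_t)` in the `@@ -71,6 +71,7 @@` hunk of puppet.te lands directly under `manage_files_pattern(puppet_t, puppet_var_lib_t, puppet_var_lib_t)`, so puppet_t can now both write and execute files of the same type, and nothing in the policy file records why. Since can_exec runs the file without a domain transition, anything puppet_t writes under that type then executes with puppet_t's own permissions. I would add a short comment above the new line carrying the reason from the commit message (module helper scripts live there, and their paths depend on module names, so bin_t labelling is not practical). It is also worth stating in the thread whether a separate type for the helper scripts was considered, so that the writable data type would not need execute permission.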