From: thomas@chaschperli.ch (Thomas Mueller)
Date: Mon, 13 Jun 2016 22:50:44 +0200
Subject: [refpolicy] [PATCH 1/1] Allow puppet_t transtition to shorewall_t
Message-ID: <1465851044-23172-1-git-send-email-thomas@chaschperli.ch>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

If puppet executes /sbin/shorewall it won't transition to
shorewall_t and create log files with puppet_log_t context
instead of shorewall_log_t. If service is then managed by
init (sysv/systemd) it will fail to start.

If puppet_t is allowed to transtition to shorewall_t the
logfile will get the correct shorewall_log_t type.

Also posted on github: 
https://github.com/TresysTechnology/refpolicy-contrib/pull/22

---
 puppet.te | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/puppet.te b/puppet.te
index 585f4ed..77171f6 100644
--- a/puppet.te
+++ b/puppet.te
@@ -200,6 +200,10 @@ optional_policy(`
 	usermanage_domtrans_useradd(puppet_t)
 ')
 
+optional_policy(`
+        shorewall_domtrans(puppet_t)
+')
+
 ########################################
 #
 # Ca local policy
-- 
2.5.5