First, puppet and puppetmaster are both in /usr/bin now, not /usr/sbin.
And here is what I needed to add to the policy.
# Local SELinux policy module that widens the puppet_t domain (the agent's
# confined domain) so that the manifests run on this host stop being denied.
# The "#============= puppet_t ==============" header below is the form
# audit2allow emits, so these rules look like they were generated from AVC
# denials rather than written by hand; each one should be kept only as long
# as the manifest that triggered it still needs it.
module puppetlocal 1.0;

# Types and object classes/permissions this module references from the
# base policy. Nothing is defined here; everything must already exist.
require {
	type sendmail_exec_t;
	type puppet_t;
	type proc_net_t;
	type mount_exec_t;
	type portage_exec_t;
	type passwd_exec_t;
	type initrc_notrans_exec_t;
	class capability dac_read_search;
	class dir search;
	class file { execute read open getattr execute_no_trans };
}

#============= puppet_t ==============
# Plain `execute` on an *_exec_t type lets puppet_t exec the binary; whether
# the new process transitions into another domain or stays in puppet_t is
# decided by transition rules in the base policy, not by this module.
allow puppet_t initrc_notrans_exec_t:file execute;
# `execute_no_trans` is the broader grant: mount can run inside puppet_t itself
# instead of in its own domain, so puppet_t's permissions are what confine
# those mount invocations.
allow puppet_t mount_exec_t:file { execute execute_no_trans };
allow puppet_t passwd_exec_t:file execute;
allow puppet_t portage_exec_t:file execute;
# Read access to files labelled proc_net_t (presumably /proc/net under this
# host's labelling; confirm with `ls -Z`), e.g. for network fact collection.
allow puppet_t proc_net_t:dir search;
allow puppet_t proc_net_t:file { read getattr open };
# CAP_DAC_READ_SEARCH lets puppet_t bypass discretionary read/search checks on
# the whole filesystem. This is the widest rule in the module; if the denial
# came from a single manifest resource, a narrower file rule is preferable.
allow puppet_t self:capability dac_read_search;
allow puppet_t sendmail_exec_t:file execute;
-- Matthew Thode