| | 2 | |
| | 3 | == selinux httpd module == |
| | 4 | |
| | 5 | Using puppet server with passenger will require some selinux hacks since puppet will effectively be running as apache. |
| | 6 | |
| | 7 | Here is what we have so far... |
| | 8 | {{{ |
| | 9 | policy_module(httpd-puppet,1.0.0) |
| | 10 | |
| | 11 | require { |
| | 12 | type httpd_t; |
| | 13 | type puppet_var_lib_t; |
| | 14 | type puppet_var_run_t; |
| | 15 | type puppet_log_t; |
| | 16 | type puppet_port_t; |
| | 17 | type lib_t; |
| | 18 | type httpd_tmp_t; |
| | 19 | type port_t; |
| | 20 | } |
| | 21 | |
| | 22 | allow httpd_t puppet_var_lib_t:dir rw_dir_perms; |
| | 23 | allow httpd_t puppet_var_lib_t:file manage_file_perms; |
| | 24 | allow httpd_t puppet_var_run_t:dir {search getattr}; |
| | 25 | allow httpd_t puppet_log_t:dir rw_dir_perms; |
| | 26 | allow httpd_t puppet_log_t:file rw_file_perms; |
| | 27 | allow httpd_t puppet_log_t:file create_file_perms; |
| | 28 | allow httpd_t puppet_log_t:file setattr; |
| | 29 | allow httpd_t puppet_port_t:tcp_socket name_bind; |
| | 30 | allow httpd_t lib_t:file execute_no_trans; |
| | 31 | allow httpd_t httpd_tmp_t:sock_file rw_sock_file_perms; |
| | 32 | allow httpd_t httpd_tmp_t:sock_file {create unlink setattr}; |
| | 33 | allow httpd_t self:capability { fowner fsetid sys_ptrace }; |
| | 34 | allow httpd_t port_t:udp_socket name_bind; |
| | 35 | }}} |
