= Puppet Tweaks =

== selinux httpd module ==

Using puppet server with passenger will require some selinux hacks since puppet will effectively be running as apache. Here is what we have so far...

{{{
# Local policy module that extends the Apache domain (httpd_t) with the access
# a Passenger-hosted puppet server needs.
# NOTE(review): every rule below is granted to httpd_t as a whole, so any other
# site or application served by the same Apache instance receives the same
# access. Consider a dedicated Apache instance or host for the puppet server.
# Comments deliberately avoid quote characters, which can confuse m4.
policy_module(httpd-puppet,1.0.0)

# Types defined by other modules that the rules below refer to.
require {
	type httpd_t;
	type puppet_var_lib_t;
	type puppet_var_run_t;
	type puppet_log_t;
	type puppet_port_t;
	type lib_t;
	type httpd_tmp_t;
	type port_t;
}

# Puppet state labelled puppet_var_lib_t: read/write the directories and
# fully manage (create, write, delete) the files in them.
allow httpd_t puppet_var_lib_t:dir rw_dir_perms;
allow httpd_t puppet_var_lib_t:file manage_file_perms;

# Run directory: traversal and stat only, no write access.
allow httpd_t puppet_var_run_t:dir {search getattr};

# Puppet logs: write into the log directory, then create, read/write and
# change attributes of log files. The three file rules are cumulative.
allow httpd_t puppet_log_t:dir rw_dir_perms;
allow httpd_t puppet_log_t:file rw_file_perms;
allow httpd_t puppet_log_t:file create_file_perms;
allow httpd_t puppet_log_t:file setattr;

# Let Apache listen on the TCP port labelled puppet_port_t.
# Presumably tcp/8140 - confirm with: semanage port -l
allow httpd_t puppet_port_t:tcp_socket name_bind;

# Execute files labelled lib_t without a domain transition, so the executed
# code keeps running as httpd_t with all httpd_t permissions.
# NOTE(review): presumably needed for Passenger helper binaries installed
# under a library directory - confirm which files trigger the denial and
# consider giving them a narrower label than lib_t.
allow httpd_t lib_t:file execute_no_trans;

# Unix socket files in the Apache temp area: use, create, remove and set
# attributes. Presumably the Passenger request sockets - TODO confirm.
allow httpd_t httpd_tmp_t:sock_file rw_sock_file_perms;
allow httpd_t httpd_tmp_t:sock_file {create unlink setattr};

# Capabilities for the domain itself:
#   fowner     - bypass ownership checks on file operations
#   fsetid     - keep setuid/setgid bits when modifying files
#   sys_ptrace - trace or inspect other processes
# NOTE(review): sys_ptrace is a powerful capability for a network-facing
# daemon. Verify that functionality really breaks without it. If the denial
# comes only from process inspection, a dontaudit rule may be enough.
allow httpd_t self:capability { fowner fsetid sys_ptrace };

# Bind UDP sockets on ports labelled port_t. port_t is the generic label for
# ports with no more specific type, so this is not limited to a single port.
# NOTE(review): if the required port is known, label it with a specific type
# and allow name_bind on that type instead.
allow httpd_t port_t:udp_socket name_bind;
}}}