On Sun, Jul 10, 2011 at 04:49:15PM -0500, Matthew Thode wrote:
> #============= puppet_t ==============
> allow puppet_t initrc_notrans_exec_t:file execute;
> allow puppet_t self:capability dac_read_search;

These two I find a bit strange. When do you encounter the need for initrc_notrans_exec_t execute rights? I guess you're running rc-status or rc-update at that point? I can have it work using a puppet_t -> puppet_initrc_notrans_t -> puppet_t transition set (like we do for sysadm_t) but this is not something you can do with audit2allow, so if the above was sufficient to make things work...

Also, the dac_read_search capability is something that allows a root user to read/search files, even if the owner of those files isn't root. In regular DAC, this is "normal" (root can do everything) but not always necessary. If you do not allow this, what happens then?

My overlay contains sec-policy/selinux-puppet-2.20101213-r1 [1] so if you want to test things out, you can subscribe to the overlay or put the necessary files in your own.

[1] https://github.com/sjvermeu/gentoo.overlay/tree/7e3e3e56a7eb822ed57cc3f3d6285189a1d9fa27/sec-policy/selinux-puppet

Wkr,
  Sven Vermeulen
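A small triage script for the AVC denials that sit behind rules like the two quoted in this thread, added here as an illustration and not part of the thread or of the selinux-puppet policy. It parses constructed audit lines (the pids, inode numbers, file names and the puppet_etc_t target are made up for the example), emits the allow rules audit2allow would generate from them, and separately flags the ones the reply above says deserve a second look before being granted: capability permissions such as dac_read_search, and execute on initrc_* types, where a domain transition may be the better fix than a direct allow.

```python
import re

# Constructed sample AVC lines for illustration; not taken from a real system.
SAMPLE_AVC = """\
type=AVC msg=audit(1310324955.123:101): avc:  denied  { execute } for  pid=4321 comm="puppetd" name="rc-status" dev=sda2 ino=1234 scontext=system_u:system_r:puppet_t tcontext=system_u:object_r:initrc_notrans_exec_t tclass=file
type=AVC msg=audit(1310324955.456:102): avc:  denied  { dac_read_search } for  pid=4321 comm="puppetd" capability=2 scontext=system_u:system_r:puppet_t tcontext=system_u:system_r:puppet_t tclass=capability
type=AVC msg=audit(1310324956.789:103): avc:  denied  { execute } for  pid=4322 comm="puppetd" name="rc-update" dev=sda2 ino=1235 scontext=system_u:system_r:puppet_t tcontext=system_u:object_r:initrc_notrans_exec_t tclass=file
type=AVC msg=audit(1310324957.000:104): avc:  denied  { read } for  pid=4323 comm="puppetd" name="puppet.conf" dev=sda2 ino=99 scontext=system_u:system_r:puppet_t tcontext=system_u:object_r:puppet_etc_t tclass=file
"""

# Permissions, source/target contexts and object class of one AVC denial.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}"
    r".*?scontext=(?P<scontext>\S+)"
    r"\s+tcontext=(?P<tcontext>\S+)"
    r"\s+tclass=(?P<tclass>\S+)"
)
COMM_RE = re.compile(r'comm="(?P<comm>[^"]*)"')


def context_type(ctx):
    """user:role:type[:level] -> type (index 2 is the type even with an MLS level)."""
    return ctx.split(":")[2]


def parse_avc(text):
    """Return one dict per AVC denial line; lines without a denial are skipped."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        c = COMM_RE.search(line)
        denials.append({
            "source": context_type(m.group("scontext")),
            "target": context_type(m.group("tcontext")),
            "tclass": m.group("tclass"),
            "perms": set(m.group("perms").split()),
            "comm": c.group("comm") if c else "?",
        })
    return denials


def summarize(denials):
    """Group denials by (source type, target type, class), merging permissions."""
    summary = {}
    for d in denials:
        key = (d["source"], d["target"], d["tclass"])
        entry = summary.setdefault(key, {"perms": set(), "count": 0, "comms": set()})
        entry["perms"] |= d["perms"]
        entry["count"] += 1
        entry["comms"].add(d["comm"])
    return summary


def allow_rules(denials):
    """The allow statements audit2allow would emit for these denials, sorted."""
    rules = []
    for (src, tgt, tclass), entry in sorted(summarize(denials).items()):
        target = "self" if src == tgt else tgt  # same-domain rules use 'self'
        perms = " ".join(sorted(entry["perms"]))
        rules.append(f"allow {src} {target}:{tclass} {{ {perms} }};")
    return rules


def review_flags(denials):
    """(rule, reason) pairs for generated rules that should not be granted blindly."""
    flags = []
    for (src, tgt, tclass), entry in sorted(summarize(denials).items()):
        target = "self" if src == tgt else tgt
        perms = " ".join(sorted(entry["perms"]))
        rule = f"allow {src} {target}:{tclass} {{ {perms} }};"
        if tclass == "capability":
            # Capabilities such as dac_read_search override DAC checks for the
            # whole domain; check what actually fails without them first.
            flags.append((rule, f"capability grant for {', '.join(sorted(entry['comms']))}"))
        elif tgt.startswith("initrc_") and "execute" in entry["perms"]:
            # Executing init-script helpers in-domain; a domain transition
            # keeps the init tooling's access out of the calling domain.
            flags.append((rule, f"consider a domain transition ({entry['count']} denials)"))
    return flags


if __name__ == "__main__":
    parsed = parse_avc(SAMPLE_AVC)
    for r in allow_rules(parsed):
        print(r)
    for rule, why in review_flags(parsed):
        print(f"REVIEW: {rule}  # {why}")
```

Feed it `ausearch -m avc` output instead of SAMPLE_AVC to triage a real log; the point of the review list is that an `allow` for a capability or for executing rc-status/rc-update directly is cheap to generate but worth confirming against what actually breaks without it.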