[refpolicy] new service_puppet.patch
Craig.Grube at cobham.com
Fri Oct 30 09:40:55 CDT 2009
On Oct 30, 2009, at 8:31 AM, Craig Grube wrote:
> On Oct 27, 2009, at 9:18 AM, Christopher J. PeBenito wrote:
>> On Tue, 2009-10-27 at 08:45 -0400, Craig Grube wrote:
>>> + rpm_domtrans(puppetmaster_t)
>>> + rpm_read_db(puppetmaster_t)
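Review bot: rpm_domtrans(puppetmaster_t) gives puppetmaster a domain transition into rpm_t, which is far more than it needs if it only runs rpm to list installed packages; if the only AVCs are from executing rpm and reading its database, rpm_exec(puppetmaster_t) together with rpm_read_db(puppetmaster_t) keeps puppetmaster in its own domain and drops the transition. Consider also whether the block needs to stay inside optional_policy so the policy still builds without the rpm module.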
>> What is the puppetmaster doing with rpm?
> This doesn't appear to be necessary for newer versions of puppet. The version
> I was using when I first started working on the policy used rpm to list installed
This was a little premature. After letting puppetmaster run a bit longer I was able to get rpm-related AVCs to pop up. I don't know why it didn't appear sooner, as I removed the optional_policy block from my policy a couple of days ago. I think using rpm_exec and rpm_read_db should give puppetmaster what it wants without letting it into the rpm domain.
craig.grube at cobham.com