[refpolicy] new service_puppet.patch

Craig Grube Craig.Grube at cobham.com
Fri Oct 30 09:40:55 CDT 2009

On Oct 30, 2009, at 8:31 AM, Craig Grube wrote:
> On Oct 27, 2009, at 9:18 AM, Christopher J. PeBenito wrote:
>> On Tue, 2009-10-27 at 08:45 -0400, Craig Grube wrote:
>>> +optional_policy(`
>>> +       rpm_domtrans(puppetmaster_t)
>>> +       rpm_read_db(puppetmaster_t)
>>> +')
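Review bot: rpm_domtrans(puppetmaster_t) in this block lets the puppetmaster transition into the rpm domain, which is far broader than a read-only query of the installed-package list needs, and nothing in the hunk documents why. If the only use of rpm is listing installed packages, replace the domain transition with rpm_exec(puppetmaster_t) alongside the existing rpm_read_db(puppetmaster_t) so that rpm runs in puppetmaster_t's own domain with read access to the package database, and add a comment stating which puppet versions exercise this path.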
>> What is the puppetmaster doing with rpm?
> This doesn't appear to be necessary for newer versions of puppet.  The version
> I was using when I first started working on the policy used rpm to list installed
> packages.

This was a little premature.  After letting puppetmaster run a bit longer I was able
to get rpm-related AVCs to pop up.  I don't know why it didn't appear sooner as I removed
the optional_policy block from my policy a couple of days ago.  I think using rpm_exec
and rpm_read_db should give puppetmaster what it wants without letting it into the rpm domain.

Craig Grube
craig.grube at cobham.com
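The narrower grant proposed above, written out as a refpolicy `.te` fragment with the block from the original patch beside it for comparison.  This is an added example, not part of the original mail or of the submitted service_puppet.patch; `puppetmaster_t` is the domain named in the patch, and the comments describing what each interface grants reflect the definitions of `rpm_domtrans`, `rpm_exec` and `rpm_read_db` in refpolicy's rpm.if as the editor understands them, not anything stated in the thread.

```m4
## Added example (not from the original patch): rpm access for
## puppetmaster_t, showing the overly broad block beside the narrower one.

# Block as submitted in the patch.  rpm_domtrans() sets up a domain
# transition puppetmaster_t -> rpm_t on execution of rpm_exec_t, so every
# rpm invocation from the puppetmaster runs with the full privileges of the
# rpm domain, which is very broad because it has to install files anywhere
# on the system and rewrite the package database.
#
# optional_policy(`
#	rpm_domtrans(puppetmaster_t)
#	rpm_read_db(puppetmaster_t)
# ')

# Narrower replacement.  rpm_exec() only allows puppetmaster_t to execute
# the rpm binary (rpm_exec_t) in its own domain, with no transition, and
# rpm_read_db() only grants list/read access to the package database under
# /var/lib/rpm (rpm_var_lib_t).  Read-only queries such as listing installed
# packages succeed; an attempt to modify the database is still denied and
# shows up as an AVC against puppetmaster_t rather than silently succeeding.
optional_policy(`
	rpm_exec(puppetmaster_t)
	rpm_read_db(puppetmaster_t)
')
```

After rebuilding and loading the module, exercise the puppetmaster's package-listing path and check the audit log (for example with `ausearch -m avc`): any remaining denials against `puppetmaster_t` on rpm types indicate the query path does more than read the database, and each one should be justified individually rather than answered by reinstating `rpm_domtrans`.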
