SELinux module.

diff --git a/puppet_passenger.te b/puppet_passenger.te
new file mode 100644 (file)
index 0000000..7676bd5
--- /dev/null
+++ b/puppet_passenger.te
@@ -0,0 +1,37 @@
+# https://bugzilla.redhat.com/show_bug.cgi?id=1051461
+module puppet_passenger 1.0;
+
+require {
+        type user_tmp_t;
+        type locale_t;
+        type passenger_t;
+        type ifconfig_exec_t;
+        type passenger_tmp_t;
+        type sysfs_t;
+        type postfix_pickup_t;
+        type puppet_var_lib_t;
+        type sysctl_net_t;
+        type httpd_t;
+        type proc_net_t;
+        class sock_file write;
+        class tcp_socket listen;
+        class dir { search create rmdir };
+        class file { relabelfrom getattr read relabelto open execute execute_no_trans };
+}
+
+#============= httpd_t ==============
+allow httpd_t passenger_tmp_t:sock_file write;
+
+#============= passenger_t ==============
+allow passenger_t ifconfig_exec_t:file { read getattr open execute execute_no_trans };
+allow passenger_t locale_t:file getattr;
+allow passenger_t proc_net_t:file { read getattr open };
+allow passenger_t puppet_var_lib_t:dir { create rmdir };
+allow passenger_t puppet_var_lib_t:file { relabelfrom relabelto };
+
+#!!!! This avc can be allowed using the boolean 'allow_ypbind'
+allow passenger_t self:tcp_socket listen;
+allow passenger_t sysctl_net_t:dir search;
+allow passenger_t sysfs_t:dir search;
+allow passenger_t sysfs_t:file { read open };
+allow passenger_t user_tmp_t:file { read getattr open };