From 4d38011fb1950f0fb0931b0b3b4600c914a82e99 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Franti=C5=A1ek=20Dvo=C5=99=C3=A1k?=
Date: Thu, 5 Jun 2014 16:41:43 +0200
Subject: [PATCH] SELinux module.

---
 puppet_passenger.te | 37 +++++++++++++++++++++++++++++++++++++
 1 file changed, 37 insertions(+)
 create mode 100644 puppet_passenger.te

diff --git a/puppet_passenger.te b/puppet_passenger.te
new file mode 100644
index 0000000..7676bd5
--- /dev/null
+++ b/puppet_passenger.te
@@ -0,0 +1,37 @@
+# https://bugzilla.redhat.com/show_bug.cgi?id=1051461
+module puppet_passenger 1.0;
+
+require {
+ type user_tmp_t;
+ type locale_t;
+ type passenger_t;
+ type ifconfig_exec_t;
+ type passenger_tmp_t;
+ type sysfs_t;
+ type postfix_pickup_t;
+ type puppet_var_lib_t;
+ type sysctl_net_t;
+ type httpd_t;
+ type proc_net_t;
+ class sock_file write;
+ class tcp_socket listen;
+ class dir { search create rmdir };
+ class file { relabelfrom getattr read relabelto open execute execute_no_trans };
+}
+
+#============= httpd_t ==============
+allow httpd_t passenger_tmp_t:sock_file write;
+
+#============= passenger_t ==============
+allow passenger_t ifconfig_exec_t:file { read getattr open execute execute_no_trans };
+allow passenger_t locale_t:file getattr;
+allow passenger_t proc_net_t:file { read getattr open };
+allow passenger_t puppet_var_lib_t:dir { create rmdir };
+allow passenger_t puppet_var_lib_t:file { relabelfrom relabelto };
+
+#!!!! This avc can be allowed using the boolean 'allow_ypbind'
+allow passenger_t self:tcp_socket listen;
+allow passenger_t sysctl_net_t:dir search;
+allow passenger_t sysfs_t:dir search;
+allow passenger_t sysfs_t:file { read open };
+allow passenger_t user_tmp_t:file { read getattr open };
-- 
1.8.2.3
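Review bot: The `ifconfig_exec_t` rule grants `execute_no_trans`, so ifconfig runs inside the `passenger_t` domain itself rather than transitioning to the confined ifconfig domain, which widens what a compromised Passenger worker can do with that binary; if the build uses the reference-policy headers, a domain transition interface (`sysnet_domtrans_ifconfig(passenger_t)`) is the least-privilege form, otherwise the rule deserves a comment stating why an in-domain execute is required. The `require` block also lists `type postfix_pickup_t;`, which no `allow` rule uses — it looks like a leftover from the audit2allow run and should be dropped. The `#!!!! This avc can be allowed using the boolean 'allow_ypbind'` line is the audit2allow hint for the `self:tcp_socket listen` rule that follows it; either set that boolean instead of hard-granting the permission in the module, or replace the stale hint with a comment explaining the choice, e.g. `# tcp_socket listen is granted here rather than via allow_ypbind so the module is self-contained`. Since this module is generated from observed denials, the `puppet_var_lib_t:dir { create rmdir }` and `file { relabelfrom relabelto }` rules may still be incomplete for the actual operation (creating or removing entries normally also needs permissions on the parent directory), so a header comment naming the Puppet operations each section is meant to permit would help the next person who sees a fresh denial.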