## <summary>Puppet client daemon</summary>
## <desc>
##	<p>
##	Puppet is a configuration management system written in Ruby.
##	The client daemon is responsible for periodically requesting the
##	desired system state from the server and ensuring the state of
##	the client system matches.
##	</p>
## </desc>
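########################################
## <summary>
##	Execute puppetca in the puppetca
##	domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`puppet_domtrans_puppetca',`
	# Types owned by the puppet module must be declared as requirements
	# before an interface may reference them.
	gen_require(`
		type puppetca_t, puppetca_exec_t;
	')

	# The calling domain has to reach the entrypoint through the bin directories.
	corecmd_search_bin($1)
	# Executing a puppetca_exec_t file moves the caller into puppetca_t,
	# so the tool runs under the puppetca policy and not the policy of the caller.
	domtrans_pattern($1, puppetca_exec_t, puppetca_t)
')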
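#####################################
## <summary>
##	Execute puppetca in the puppetca
##	domain and allow the specified
##	role the puppetca domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
#
interface(`puppet_run_puppetca',`
	gen_require(`
		type puppetca_t, puppetca_exec_t;
	')

	# Reuse the transition interface so both entry points stay in step.
	puppet_domtrans_puppetca($1)
	# Role authorization for puppetca_t. The transition alone is not enough:
	# the role in the second argument must also be allowed this type.
	# NOTE(review): puppetca administers certificates, so grant this only to
	# roles meant to do that - confirm against the callers of this interface.
	role $2 types puppetca_t;
')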
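################################################
## <summary>
##	Read / Write to Puppet temp files. Puppet uses
##	some system binaries (groupadd, etc) that run in
##	a non-puppet domain and redirects output into temp
##	files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`puppet_rw_tmp',`
	# puppet_tmp_t is used by the rule below, so it has to be required here.
	gen_require(`
		type puppet_tmp_t;
	')

	# The inherited permission set leaves out open: the caller may use a
	# descriptor handed to it by puppet (redirected output) but cannot open
	# puppet temp files by path. Keep it that way when extending this interface.
	allow $1 puppet_tmp_t:file rw_inherited_file_perms;
')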
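################################################
## <summary>
##	Read Puppet lib files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`puppet_read_lib',`
	gen_require(`
		type puppet_var_lib_t;
	')

	# Read access to puppet_var_lib_t files inside puppet_var_lib_t directories.
	# NOTE(review): check the file contexts for what is labeled puppet_var_lib_t
	# before granting this widely - the state directory may hold sensitive data.
	read_files_pattern($1, puppet_var_lib_t, puppet_var_lib_t)
	# Needed to traverse the parent var lib directory.
	files_search_var_lib($1)
')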
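###############################################
## <summary>
##	Manage Puppet lib files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`puppet_manage_lib',`
	gen_require(`
		type puppet_var_lib_t;
	')

	# Manage covers creating, modifying and deleting puppet_var_lib_t files,
	# so the caller can alter the state puppet keeps there. Prefer
	# puppet_read_lib for domains that only need to read.
	manage_files_pattern($1, puppet_var_lib_t, puppet_var_lib_t)
	# Needed to traverse the parent var lib directory.
	files_search_var_lib($1)
')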
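######################################
## <summary>
##	Allow the specified domain to search puppet's log files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`puppet_search_log',`
	# puppet_log_t is used by the rule below, so it has to be required here.
	gen_require(`
		type puppet_log_t;
	')

	# Traverse the generic log directory first, then the puppet log directory.
	logging_search_logs($1)
	# Directory search only: this rule grants no access to the log files themselves.
	allow $1 puppet_log_t:dir search_dir_perms;
')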
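#####################################
## <summary>
##	Allow the specified domain to search puppet's pid files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`puppet_search_pid',`
	gen_require(`
		type puppet_var_run_t;
	')

	# Traverse the generic pid directory first, then the puppet pid directory.
	files_search_pids($1)
	# Directory search only: this rule grants no access to the pid files themselves.
	allow $1 puppet_var_run_t:dir search_dir_perms;
')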