= Puppet Tweaks =

== selinux httpd module ==

Using the puppet server with Passenger will require some SELinux hacks, since puppet will effectively be running as apache. Here is what we have so far...

{{{
policy_module(httpd-puppet,1.0.0)

require {
    type httpd_t;
    type puppet_var_lib_t;
    type puppet_var_run_t;
    type puppet_log_t;
    type puppet_port_t;
    type lib_t;
    type httpd_tmp_t;
    type port_t;
}

allow httpd_t puppet_var_lib_t:dir rw_dir_perms;
allow httpd_t puppet_var_lib_t:file manage_file_perms;
allow httpd_t puppet_var_run_t:dir {search getattr};
allow httpd_t puppet_log_t:dir rw_dir_perms;
allow httpd_t puppet_log_t:file rw_file_perms;
allow httpd_t puppet_log_t:file create_file_perms;
allow httpd_t puppet_log_t:file setattr;
allow httpd_t puppet_port_t:tcp_socket name_bind;
allow httpd_t lib_t:file execute_no_trans;
allow httpd_t httpd_tmp_t:sock_file rw_sock_file_perms;
allow httpd_t httpd_tmp_t:sock_file {create unlink setattr};
allow httpd_t self:capability { fowner fsetid sys_ptrace };
allow httpd_t port_t:udp_socket name_bind;
}}}

Install the selinux-policy package to get the /usr/share/selinux/devel directory, create a file in that directory called httpd-puppet.te containing the policy above, and then build the module:

{{{
[root@server devel]# make httpd-puppet.pp
Compiling targeted httpd-puppet module
/usr/bin/checkmodule: loading policy configuration from tmp/httpd-puppet.tmp
/usr/bin/checkmodule: policy configuration loaded
/usr/bin/checkmodule: writing binary representation (version 10) to tmp/httpd-puppet.mod
Creating targeted httpd-puppet.pp policy package
rm tmp/httpd-puppet.mod tmp/httpd-puppet.mod.fc
[root@server devel]#
}}}
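As an added example (not code from this page), the POSIX shell script below checks a .te module for types used in allow rules but missing from its require block, which is the usual reason the make step above fails inside checkmodule, lists the rules that deserve a second look before the package is loaded (capability grants and execute_no_trans), and builds the package with the same devel Makefile the page uses. The policy text inside it is a constructed subset of the module above under a different module name; the function names and the puppet_etc_t type are assumptions for illustration only.

```shell
#!/bin/sh
# Added example, not code from the wiki page: lint, review and build an
# SELinux .te module. The policy text is a constructed sample modelled on the
# page's httpd-puppet module (a subset of its rules, different module name).

CONSISTENT_TE='policy_module(httpd-puppet-sample,1.0.0)
require {
    type httpd_t;
    type puppet_var_lib_t;
    type puppet_port_t;
    type lib_t;
}
allow httpd_t puppet_var_lib_t:dir rw_dir_perms;
allow httpd_t puppet_port_t:tcp_socket name_bind;
allow httpd_t lib_t:file execute_no_trans;
allow httpd_t self:capability { fowner fsetid sys_ptrace };'

# Same sample plus one rule that uses a type the require block never declares
# (puppet_etc_t here is a constructed stand-in for that mistake).
BROKEN_TE="$CONSISTENT_TE
allow httpd_t puppet_etc_t:file read_file_perms;"

# lint_te TEXT: print every type used as the source or target of an allow
# rule that the require block does not declare. Exit 0 when the module is
# consistent, 1 otherwise. "self" is a keyword, not a type, so it is skipped.
lint_te() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*require[ \t]*[{]/ { inreq = 1; next }
        inreq && /^[ \t]*[}]/     { inreq = 0; next }
        inreq && $1 == "type"     { sub(/;$/, "", $2); declared[$2] = 1; next }
        $1 == "allow" {
            split($3, tgt, ":")
            if (!($2 in declared)) missing[$2] = 1
            if (tgt[1] != "self" && !(tgt[1] in declared)) missing[tgt[1]] = 1
        }
        END {
            n = 0
            for (t in missing) { print "undeclared type: " t; n++ }
            exit (n > 0)
        }'
}

# review_te TEXT: print the allow rules worth a human look before loading:
# capability grants (sys_ptrace and friends) and execute_no_trans, which lets
# httpd_t execute the file without switching to another domain.
review_te() {
    printf '%s\n' "$1" | awk '$1 == "allow" && ($3 ~ /:capability$/ || $0 ~ /execute_no_trans/)'
}

# build_te NAME TEXT: write NAME.te into a scratch directory and build NAME.pp
# with the devel Makefile (invoked with -f, so the build need not happen inside
# /usr/share/selinux/devel as on the page). Returns 2 when the SELinux
# development tooling is absent, 1 on a lint or build error, and prints the
# path of the resulting .pp on success. Loading it (semodule -i) is left to
# the operator.
build_te() {
    name=$1; te_text=$2
    [ -f /usr/share/selinux/devel/Makefile ] || return 2
    lint_te "$te_text" >&2 || return 1
    workdir=$(mktemp -d) || return 1
    printf '%s\n' "$te_text" > "$workdir/$name.te"
    ( cd "$workdir" && make -f /usr/share/selinux/devel/Makefile "$name.pp" ) >&2 || return 1
    printf '%s\n' "$workdir/$name.pp"
}

# Stand-alone run: lint both samples and show the rules flagged for review.
echo "== lint: consistent sample =="
lint_te "$CONSISTENT_TE" && echo "ok"
echo "== lint: broken sample =="
lint_te "$BROKEN_TE" || echo "lint failed as expected"
echo "== rules to review =="
review_te "$CONSISTENT_TE"
```

The lint runs before the build because checkmodule's own error for an undeclared type is easy to misread as a syntax problem. The rules review_te prints (the self:capability line with sys_ptrace, and execute_no_trans on lib_t) grant httpd_t considerably more than read/write access to Puppet's directories, so they are the ones to justify, and to re-check with the audit log, before the package is installed.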