## <summary>Puppet client daemon</summary>

## <desc>

##	

##	Puppet is a configuration management system written in Ruby.

##	The client daemon is responsible for periodically requesting the

##	desired system state from the server and ensuring the state of

##	the client system matches.

##	

## </desc>

########################################

## <summary>

##	Execute puppetca in the puppetca

##	domain.

## </summary>

## <param name="domain">

## <summary>

##	Domain allowed to transition.

## </summary>

## </param>

#

interface(`puppet_domtrans_puppetca',`

	gen_require(`

		type puppetca_t, puppetca_exec_t;

	')

	corecmd_search_bin($1)

	domtrans_pattern($1, puppetca_exec_t, puppetca_t)

')

#####################################

## <summary>

##	Execute puppetca in the puppetca

##	domain and allow the specified

##	role the puppetca domain.

## </summary>

## <param name="domain">

##	<summary>

##	Domain allowed to transition.

##	</summary>

## </param>

## <param name="role">

##	<summary>

##	Role allowed access.

##	</summary>

## </param>

## <rolecap/>

#

interface(`puppet_run_puppetca',`

	gen_require(`

		type puppetca_t, puppetca_exec_t;

	')

	puppet_domtrans_puppetca($1)

	role $2 types puppetca_t;

')

################################################

## <summary>

##	Read / Write to Puppet temp files.  Puppet uses

##	some system binaries (groupadd, etc) that run in

##	a non-puppet domain and redirects output into temp

##	files.

## </summary>

## <param name="domain">

##	<summary>

##	Domain allowed access.

##	</summary>

## </param>

#

interface(`puppet_rw_tmp', `

	gen_require(`

		type puppet_tmp_t;

	')

	allow $1 puppet_tmp_t:file rw_inherited_file_perms;

	files_search_tmp($1)

')

################################################

## <summary>

##	Read Puppet lib files.

## </summary>

## <param name="domain">

##	<summary>

##	Domain allowed access.

##	</summary>

## </param>

#

interface(`puppet_read_lib',`

	gen_require(`

		type puppet_var_lib_t;

	')

	read_files_pattern($1, puppet_var_lib_t, puppet_var_lib_t)

	files_search_var_lib($1)

')

###############################################

## <summary>

##  Manage Puppet lib files.

## </summary>

## <param name="domain">

##  <summary>

##  Domain allowed access.

##  </summary>

## </param>

#

interface(`puppet_manage_lib',`

    gen_require(`

        type puppet_var_lib_t;

    ')

    manage_files_pattern($1, puppet_var_lib_t, puppet_var_lib_t)

    files_search_var_lib($1)

')

######################################

## <summary>

##  Allow the specified domain to search puppet's log files.

## </summary>

## <param name="domain">

##  <summary>

##  Domain allowed access.

##  </summary>

## </param>

#

interface(`puppet_search_log',`

    gen_require(`

        type puppet_log_t;

    ')

    logging_search_logs($1)

    allow $1 puppet_log_t:dir search_dir_perms;

')

#####################################

## <summary>

##  Allow the specified domain to read puppet's log files.

## </summary>

## <param name="domain">

##  <summary>

##  Domain allowed access.

##  </summary>

## </param>

#

interface(`puppet_read_log',`

    gen_require(`

        type puppet_log_t;

    ')

    logging_search_logs($1)

	read_files_pattern($1, puppet_log_t, puppet_log_t)

')

####################################

## <summary>

##  Allow the specified domain to read puppet's config files.

## </summary>

## <param name="domain">

##  <summary>

##  Domain allowed access.

##  </summary>

## </param>

#

interface(`puppet_read_config',`

    gen_require(`

        type puppet_etc_t;

    ')

    logging_search_logs($1)

	list_dirs_pattern($1, puppet_etc_t, puppet_etc_t)

    read_files_pattern($1, puppet_etc_t, puppet_etc_t)

')

#####################################

## <summary>

##  Allow the specified domain to search puppet's pid files.

## </summary>

## <param name="domain">

##  <summary>

##  Domain allowed access.

##  </summary>

## </param>

#

interface(`puppet_search_pid',`

    gen_require(`

        type puppet_var_run_t;

    ')

	files_search_pids($1)

    allow $1 puppet_var_run_t:dir search_dir_perms;

')