pulp · werwty · Jan 30, 2018 · Jan 29, 2018
diff --git a/server/selinux/server/pulp-celery.te b/server/selinux/server/pulp-celery.te
@@ -30,7 +30,7 @@ require {
         type sysfs_t;
         class sock_file { create link unlink write };
         class unix_stream_socket connectto;
-        class dir { getattr search read write remove_name create add_name rmdir relabelto relabelfrom };
+        class dir { add_name create getattr open read relabelfrom relabelto remove_name rename reparent rmdir search setattr write };
         class file { lock rename write setattr getattr read create link unlink open relabelto relabelfrom map };
         class filesystem getattr;
         class process { setsched signal signull execmem };
@@ -202,9 +202,12 @@ optional_policy(`
     tunable_policy(`pulp_manage_puppet', `
         # Puppet modules can contain symlinks, though it seems they often do not. This line allows
         # Pulp to install the symlinks if they are present.
+        allow celery_t puppet_etc_t:dir { add_name create getattr open read remove_name rename reparent rmdir search setattr write};
+        allow celery_t puppet_etc_t:file { create getattr open setattr write };
         allow celery_t puppet_etc_t:lnk_file { create read getattr unlink };
         manage_dirs_pattern(celery_t, puppet_etc_t, puppet_etc_t)
         manage_files_pattern(celery_t, puppet_etc_t, puppet_etc_t)
+        puppet_read_config(celery_t)
     ')
 ')
 

diff --git a/server/selinux/server/pulp-server.te b/server/selinux/server/pulp-server.te
@@ -4,7 +4,10 @@ policy_module(pulp-server, 0.0.0)
 type pulp_cert_t;
 
 require {
+    type puppet_etc_t;
     type httpd_t;
+    class dir { read remove_name rmdir write };
+    class file { getattr unlink };
 }
 
 ##### Certificates #####
@@ -22,3 +25,17 @@ read_lnk_files_pattern(httpd_t, pulp_cert_t, pulp_cert_t)
 ## Allow httpd_t to make connections to amqp and mongod ports
 corenet_tcp_connect_amqp_port(httpd_t)
 corenet_tcp_connect_mongod_port(httpd_t)
+
+
+######################################
+#
+# Add some policies under the pulp_manage_puppet selinux boolean to allow httpd access
+# to manage files, directory, and symlinks under the puppet_etc_t label
+#
+
+optional_policy(`
+    tunable_policy(`pulp_manage_puppet', `
+        allow httpd_t puppet_etc_t:dir { read remove_name rmdir write };
+        allow httpd_t puppet_etc_t:file { getattr unlink };
+    ')
+')