# Local policy additions for puppet; the comments below refer to OpenRC
# tooling (checkpath, openrc).
policy_module(custom-puppet, 1.0)

# These types are declared by other policy modules; this module only adds
# rules that reference them.
gen_require(`
	type puppet_t;
	type puppet_log_t;
	type var_log_t;
	type tmpfiles_t;
')

# allow checkpath to create the puppet log directory
# (presumably checkpath runs in tmpfiles_t here; verify with ps -Z or the
# AVC denials that motivated this rule)
# NOTE(review): dac_override lets the domain bypass discretionary
# read/write/execute permission checks on files it can otherwise reach under
# policy. That is broad for a directory-creation helper; confirm from the
# audit log whether dac_read_search alone is sufficient before keeping both.
allow tmpfiles_t self:capability { dac_override dac_read_search };
# tmpfiles_t may manage (create, rename, remove) directories labelled
# puppet_log_t that live inside var_log_t directories.
manage_dirs_pattern(tmpfiles_t, var_log_t, puppet_log_t)

# puppet wants to bypass DAC checks for reading files and searching
# directories
allow puppet_t self:capability dac_read_search;

# and set its process group ID (the setpgid permission covers process groups,
# not the Unix gid)
allow puppet_t self:process setpgid;

# NOTE(review): the original comment read "allow openrc to transit to
# puppet_t". In the reference policy this interface grants the opposite
# direction: the argument domain (puppet_t) may execute run_init and
# transition into the run_init domain. Confirm against the installed
# selinuxutil interface file, and confirm puppet really needs it (for example
# to drive init scripts), because it widens what puppet_t is able to reach.
seutil_domtrans_runinit(puppet_t)