SELinux with passenger/puppet

I tried to set up Passenger to serve the puppetmaster application on my network.

The installation was easy, but running httpd under SELinux was pretty hard. I found a solution on this website: creating an SELinux policy module.

I completed it with an additional rule allowing `sock_file write`; the result is below (file `puppet_passenger.te`):

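# SELinux policy module letting Apache (httpd_t) run the puppetmaster under
# Phusion Passenger (passenger_t).  Built with the refpolicy devel Makefile.
#
# policy_module() is the refpolicy header for modules built that way: besides
# the `module` statement it requires every kernel class and permission, so the
# rules expanded from the interface/pattern macros below (manage_*_perms,
# read_*_perms, list_dir_perms, ...) do not depend on a hand-maintained
# class/permission list in the require block.  Only the types stay listed.
policy_module(puppet_passenger, 1.10)

require {
    type bin_t;
    type devpts_t;
    type httpd_t;
    type passenger_t;
    type passenger_tmp_t;
    type puppet_log_t;
    type puppet_var_lib_t;
    type port_t;
    type proc_net_t;
    type rpm_var_lib_t;
}

#============= httpd_t ==============
# Passenger's request socket lives in its tmp dir (the rule added on top of
# the module taken from the website).
allow httpd_t passenger_tmp_t:sock_file write;

# SECURITY (review): port_t is the generic label for ports without a dedicated
# type, so this lets httpd_t bind *any* such UDP port.  Check the AVC that
# triggered it; if it is a fixed port, label it (semanage port) and allow only
# that type, or use the corresponding corenet_udp_bind_* interface.
allow httpd_t port_t:udp_socket name_bind;

# /proc/net/* reads
allow httpd_t proc_net_t:file { read getattr open };

# rpm database lookups (search + open only; read is presumably already
# granted elsewhere -- audit2allow emits just the missing permission)
allow httpd_t rpm_var_lib_t:dir { search getattr };
allow httpd_t rpm_var_lib_t:file open;

# SECURITY (review): this makes every bin_t executable a valid entrypoint into
# httpd_t for the passenger_t -> httpd_t transition below.  A dedicated type on
# the interpreter Passenger actually execs would keep the entrypoint narrow.
allow httpd_t bin_t:file entrypoint;

# Workers spawned by Passenger report back to passenger_t: SIGCHLD and the
# shared unix stream socket.
allow httpd_t passenger_t:process sigchld;
allow httpd_t passenger_t:unix_stream_socket { getattr accept read write };

# Full manage rights on puppet_var_lib_t plus search of the log and pid dirs.
# NOTE(review): on a puppetmaster the var lib presumably also holds the ssldir
# (CA and host keys) -- confirm httpd_t is meant to manage all of it.
puppet_manage_lib(httpd_t)
puppet_search_log(httpd_t)
puppet_search_pid(httpd_t)
allow httpd_t puppet_log_t:dir setattr;
allow httpd_t puppet_log_t:file setattr;
# probably already covered by puppet_manage_lib (manage_dir_perms); harmless
# duplicate kept as it came from the audit log
allow httpd_t puppet_var_lib_t:dir { create rmdir };
# relabel from and to the same type only, so no way to change the label
allow httpd_t puppet_var_lib_t:file { relabelfrom relabelto };

#============= passenger_t ==============
allow passenger_t devpts_t:dir search;

# SECURITY (review): the passenger_t -> httpd_t domain transition keeps the
# parent's rlimits (rlimitinh) and signal state (siginh), and with noatsecure
# the new process is not marked AT_SECURE, so the dynamic loader still honours
# LD_PRELOAD / LD_LIBRARY_PATH and similar variables inherited from
# passenger_t.  These are exactly the three hardening steps a transition
# normally applies; keep only the ones the audit log shows are needed.
allow passenger_t httpd_t:process { siginh rlimitinh transition noatsecure };

# SECURITY (review): sys_ptrace (CAP_SYS_PTRACE) lifts the DAC restrictions on
# inspecting other users' processes (ptrace, /proc/<pid>/{mem,maps,environ});
# SELinux process:ptrace still applies per domain, but this is far more than
# watching its own workers needs.  If the only denials behind it are /proc
# reads that work without it, prefer:
#   dontaudit passenger_t self:capability sys_ptrace;
allow passenger_t self:capability { sys_resource sys_ptrace };

# There is no type_transition rule in this module, so the passenger_t ->
# httpd_t transition is presumably driven by Passenger calling setexeccon()
# before exec -- that is what setexec permits.
allow passenger_t self:process setexec;

# read the /proc/<pid> state of httpd_t workers (dir listing, file and symlink
# reads, process getattr)
ps_process_pattern(passenger_t, httpd_t)
# SECURITY (review): this reads the /proc state of *every* domain, not just
# httpd_t.  If the denials were only for its own workers, the
# ps_process_pattern line above already covers them and this can be dropped.
domain_read_all_domains_state(passenger_t)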

And to compile it (this produces `puppet_passenger.pp` in the current directory; the module is not active until it is loaded with `semodule -i puppet_passenger.pp`):

# builds puppet_passenger.pp from the puppet_passenger.te in the current
# directory; load it afterwards with: semodule -i puppet_passenger.pp
make -f /usr/share/selinux/devel/Makefile