authorAnthony G. Basile <blueness@gentoo.org>2011-07-25 23:14:24 +0000
committerAnthony G. Basile <blueness@gentoo.org>2011-07-25 23:14:24 +0000
commitb6583f39e247602f65a1680a0373c12d415a6810 (patch)
treecc2635f1ac38cb1b073ef9f5062dad967c1135e5 /sec-policy/selinux-puppet
parentFix src_install to use emake DESTDIR="${ED}" for prefix compatibility. (diff)
Extend puppet rights and clean ups
Package-Manager: portage-2.1.10.3/cvs/Linux x86_64
Diffstat (limited to 'sec-policy/selinux-puppet')
-rw-r--r--sec-policy/selinux-puppet/ChangeLog15
-rw-r--r--sec-policy/selinux-puppet/Manifest14
-rw-r--r--sec-policy/selinux-puppet/files/fix-services-puppet-r1.patch89
-rw-r--r--sec-policy/selinux-puppet/files/fix-services-puppet-r2.patch97
-rw-r--r--sec-policy/selinux-puppet/files/fix-services-puppet-r3.patch97
-rw-r--r--sec-policy/selinux-puppet/selinux-puppet-2.20101213-r1.ebuild18
-rw-r--r--sec-policy/selinux-puppet/selinux-puppet-2.20101213-r2.ebuild18
-rw-r--r--sec-policy/selinux-puppet/selinux-puppet-2.20101213-r3.ebuild18
8 files changed, 361 insertions, 5 deletions
diff --git a/sec-policy/selinux-puppet/ChangeLog b/sec-policy/selinux-puppet/ChangeLog
index 120b7a023f6b..f20f80fae00b 100644
--- a/sec-policy/selinux-puppet/ChangeLog
+++ b/sec-policy/selinux-puppet/ChangeLog
@@ -1,6 +1,19 @@
# ChangeLog for sec-policy/selinux-puppet
# Copyright 1999-2011 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/sec-policy/selinux-puppet/ChangeLog,v 1.2 2011/06/02 12:49:09 blueness Exp $
+# $Header: /var/cvsroot/gentoo-x86/sec-policy/selinux-puppet/ChangeLog,v 1.3 2011/07/25 23:14:24 blueness Exp $
+
+*selinux-puppet-2.20101213-r3 (25 Jul 2011)
+*selinux-puppet-2.20101213-r2 (25 Jul 2011)
+*selinux-puppet-2.20101213-r1 (25 Jul 2011)
+
+ 25 Jul 2011; Anthony G. Basile <blueness@gentoo.org>
+ +files/fix-services-puppet-r1.patch, +files/fix-services-puppet-r2.patch,
+ +files/fix-services-puppet-r3.patch, +selinux-puppet-2.20101213-r1.ebuild,
+ +selinux-puppet-2.20101213-r2.ebuild, +selinux-puppet-2.20101213-r3.ebuild:
+ r3: Allow puppet to call portage domains and ensure that this is supported
+ through the system_r role
+ r2: Revert ugly initrc hack introduced in r1
+ r1: Extend puppet rights
02 Jun 2011; Anthony G. Basile <blueness@gentoo.org>
selinux-puppet-2.20101213.ebuild:
diff --git a/sec-policy/selinux-puppet/Manifest b/sec-policy/selinux-puppet/Manifest
index 7bc0de052b45..3781fc15e603 100644
--- a/sec-policy/selinux-puppet/Manifest
+++ b/sec-policy/selinux-puppet/Manifest
@@ -1,14 +1,20 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
+AUX fix-services-puppet-r1.patch 2614 RMD160 b90588dc3063a4d2fba7c4d9554105b3949e11cc SHA1 a6ec6310291aa3799aa4ed85d120931f11a2e589 SHA256 b41da615dea2d6ba36ee29c430d1c0efa4b8f7aa9b85520de3325960fc050b82
+AUX fix-services-puppet-r2.patch 3014 RMD160 346856c817b40bc384621db2ccbf54ce4c32f3fd SHA1 9bea217405fab18bdff3029c15570f8b723ebf6c SHA256 11c178ba668ca2d5ac71633e12fb7426836ab4ee6f497fac0606c77f8295a977
+AUX fix-services-puppet-r3.patch 3019 RMD160 22c96160762ea7281091ba785210bc26d81c2b2d SHA1 9b8b2b058a510989af9af9c287422b78956567a5 SHA256 9e97c30a5b5f3a1ad63895c4d2880605add723ebe6d3cd7df655e78f535387ab
DIST refpolicy-2.20101213.tar.bz2 559450 RMD160 4858f792f4db5b179de6fb8419a626c29d59bdd3 SHA1 0e881e99b8950a358eadc44633551ca10f12eaee SHA256 b691ee8f6066cc19bb0d4384fe3be277d97d22e9d4ac2db0c252065e8c3535de
+EBUILD selinux-puppet-2.20101213-r1.ebuild 509 RMD160 2168cee100abf3347e085d2db4f17010a1845639 SHA1 3889e47ff2a0daeae8db1f364473d36cc82b7ae1 SHA256 0075f09f461988e582b44efe206a3db18a0dd2d872110c3c7e2efde712f55dae
+EBUILD selinux-puppet-2.20101213-r2.ebuild 509 RMD160 6bb7538e4271e68ca6810ee1e09679b65133b873 SHA1 a2208e7a3c039b610d7fd6a84c4b34d35753b0db SHA256 46cf14f3d320b96a423fea48fd93040c82bb195015036e40c326efed01ce1e4e
+EBUILD selinux-puppet-2.20101213-r3.ebuild 509 RMD160 0a61cbb1b5074808d33d37b4a2f6cae28166d0ab SHA1 3f433078c82d642067b4d32a8faefd3fa061bb0b SHA256 0f5a8f1f39b4a45030f93f81dba82e5d09a21ca073a2c1da39f881c9c3191862
EBUILD selinux-puppet-2.20101213.ebuild 369 RMD160 bda2ab8116ad9ab2516b08160717ecc71c44d2a5 SHA1 28d3f18ebcab794c61093b3e9569501ed81c45f4 SHA256 d5a55366cea179ff1dbbe395e4c451411815ec47735dad00b9a55ac4daa1f02b
-MISC ChangeLog 432 RMD160 dfba4a0a6496231cf7fce10f97414d3540f45717 SHA1 7a307799078c0a987eb250d574d5c89c03b28887 SHA256 1776a23f6c09111c3c970d3094b965bd77c4e2f3a090b792de9592252ce472c5
+MISC ChangeLog 1031 RMD160 1f254caaaba07cf970f285a78aee80bad979e57d SHA1 14b62185792e01b16c5898d4f36459b9051e5485 SHA256 5e3f7dc5e99db8b8a3e73755e398d2851f76ad19aab38b1e933a468db733f45d
MISC metadata.xml 230 RMD160 5d5194ac8c13d1c054b3df43791bb3f5544aec02 SHA1 8653f0a6bb377d4a07ff59d75e1f2694b9867c4b SHA256 29b1c0521994399dc36bdc4fac4b4b7d1169b537602be0486896018c744d96cf
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (GNU/Linux)
-iEYEAREIAAYFAk3nhsoACgkQl5yvQNBFVTUN0ACfSmLLZt1IH315JahsauXkkimb
-QPwAniDgmfEGW5j3gFdyWZj+PaZy4Qe6
-=oUeT
+iEYEAREIAAYFAk4t+NkACgkQl5yvQNBFVTXPKACfd9GgX07KkPJnVLmoauoCNHqh
+Sc0An3CEIpv76XTIRCn689p4HLhCZnof
+=/oBW
-----END PGP SIGNATURE-----
diff --git a/sec-policy/selinux-puppet/files/fix-services-puppet-r1.patch b/sec-policy/selinux-puppet/files/fix-services-puppet-r1.patch
new file mode 100644
index 000000000000..63056dbe8ded
--- /dev/null
+++ b/sec-policy/selinux-puppet/files/fix-services-puppet-r1.patch
@@ -0,0 +1,89 @@
+--- services/puppet.te 2010-08-03 15:11:07.000000000 +0200
++++ services/puppet.te 2011-07-11 22:40:28.700001278 +0200
+@@ -17,6 +17,9 @@
+ type puppet_exec_t;
+ init_daemon_domain(puppet_t, puppet_exec_t)
+
++type puppet_initrc_notrans_t;
++role system_r types puppet_initrc_notrans_t;
++
+ type puppet_etc_t;
+ files_config_file(puppet_etc_t)
+
+@@ -77,7 +80,9 @@
+ files_tmp_filetrans(puppet_t, puppet_tmp_t, { file dir })
+
+ kernel_dontaudit_search_sysctl(puppet_t)
+-kernel_dontaudit_search_kernel_sysctl(puppet_t)
++#kernel_dontaudit_search_kernel_sysctl(puppet_t)
++kernel_read_kernel_sysctls(puppet_t)
++kernel_read_network_state(puppet_t)
+ kernel_read_system_state(puppet_t)
+ kernel_read_crypto_sysctls(puppet_t)
+
+@@ -115,6 +120,9 @@
+ term_dontaudit_getattr_unallocated_ttys(puppet_t)
+ term_dontaudit_getattr_all_ttys(puppet_t)
+
++
++## system modules
++
+ init_all_labeled_script_domtrans(puppet_t)
+ init_domtrans_script(puppet_t)
+ init_read_utmp(puppet_t)
+@@ -125,12 +133,26 @@
+ miscfiles_read_hwdata(puppet_t)
+ miscfiles_read_localization(puppet_t)
+
++mount_domtrans(puppet_t)
++
+ seutil_domtrans_setfiles(puppet_t)
+ seutil_domtrans_semanage(puppet_t)
+
+ sysnet_dns_name_resolve(puppet_t)
+ sysnet_run_ifconfig(puppet_t, system_r)
+
++## Other modules
++
++
++usermanage_domtrans_passwd(puppet_t)
++
++tunable_policy(`gentoo_try_dontaudit',`
++ dontaudit puppet_t self:capability dac_read_search;
++ kernel_dontaudit_read_system_state(puppet_initrc_notrans_t)
++ userdom_dontaudit_use_user_terminals(puppet_t)
++')
++
++
+ tunable_policy(`puppet_manage_all_files',`
+ auth_manage_all_files_except_shadow(puppet_t)
+ ')
+@@ -144,6 +166,16 @@
+ ')
+
+ optional_policy(`
++ mta_send_mail(puppet_t)
++')
++
++optional_policy(`
++ gentoo_init_initrc_notrans(puppet_initrc_notrans_t, puppet_t)
++ portage_domtrans(puppet_t)
++ puppet_rw_tmp(puppet_initrc_notrans_t)
++')
++
++optional_policy(`
+ files_rw_var_files(puppet_t)
+
+ rpm_domtrans(puppet_t)
+--- services/puppet.fc 2010-08-03 15:11:07.000000000 +0200
++++ services/puppet.fc 2011-07-11 14:06:20.907000356 +0200
+@@ -3,7 +3,9 @@
+ /etc/rc\.d/init\.d/puppet -- gen_context(system_u:object_r:puppet_initrc_exec_t,s0)
+ /etc/rc\.d/init\.d/puppetmaster -- gen_context(system_u:object_r:puppetmaster_initrc_exec_t,s0)
+
++/usr/bin/puppetd -- gen_context(system_u:object_r:puppet_exec_t,s0)
+ /usr/sbin/puppetd -- gen_context(system_u:object_r:puppet_exec_t,s0)
++/usr/bin/puppetmasterd -- gen_context(system_u:object_r:puppetmaster_exec_t,s0)
+ /usr/sbin/puppetmasterd -- gen_context(system_u:object_r:puppetmaster_exec_t,s0)
+
+ /var/lib/puppet(/.*)? gen_context(system_u:object_r:puppet_var_lib_t,s0)
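Review bot: `mount_domtrans(puppet_t)` and `usermanage_domtrans_passwd(puppet_t)` in the puppet.te part grant only the type transition and say nothing about the role of the target domains. The ChangeLog entry for r3 says the portage call had to be "supported through the system_r role", and `sysnet_run_ifconfig(puppet_t, system_r)` a few lines below already uses the role-carrying form. The same gap may therefore exist for mount and passwd, unless mount_t and passwd_t are already allowed in system_r elsewhere in the policy, which this patch does not show. If they are not, `mount_run(puppet_t, system_r)` and `usermanage_run_passwd(puppet_t, system_r)` would be the matching calls. fix-services-puppet-r2.patch and fix-services-puppet-r3.patch carry the same two lines.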
diff --git a/sec-policy/selinux-puppet/files/fix-services-puppet-r2.patch b/sec-policy/selinux-puppet/files/fix-services-puppet-r2.patch
new file mode 100644
index 000000000000..fb82d35d39b8
--- /dev/null
+++ b/sec-policy/selinux-puppet/files/fix-services-puppet-r2.patch
@@ -0,0 +1,97 @@
+--- services/puppet.te 2010-08-03 15:11:07.000000000 +0200
++++ services/puppet.te 2011-07-21 11:15:55.552000371 +0200
+@@ -17,6 +17,9 @@
+ type puppet_exec_t;
+ init_daemon_domain(puppet_t, puppet_exec_t)
+
++#type puppet_initrc_notrans_t;
++#role system_r types puppet_initrc_notrans_t;
++
+ type puppet_etc_t;
+ files_config_file(puppet_etc_t)
+
+@@ -50,7 +53,7 @@
+ # Puppet personal policy
+ #
+
+-allow puppet_t self:capability { fowner fsetid setuid setgid dac_override sys_nice sys_ptrace sys_tty_config };
++allow puppet_t self:capability { fowner fsetid setuid setgid dac_override sys_nice sys_ptrace sys_tty_config chown };
+ allow puppet_t self:process { signal signull getsched setsched };
+ allow puppet_t self:fifo_file rw_fifo_file_perms;
+ allow puppet_t self:netlink_route_socket create_netlink_socket_perms;
+@@ -77,7 +80,9 @@
+ files_tmp_filetrans(puppet_t, puppet_tmp_t, { file dir })
+
+ kernel_dontaudit_search_sysctl(puppet_t)
+-kernel_dontaudit_search_kernel_sysctl(puppet_t)
++#kernel_dontaudit_search_kernel_sysctl(puppet_t)
++kernel_read_kernel_sysctls(puppet_t)
++kernel_read_network_state(puppet_t)
+ kernel_read_system_state(puppet_t)
+ kernel_read_crypto_sysctls(puppet_t)
+
+@@ -115,6 +120,9 @@
+ term_dontaudit_getattr_unallocated_ttys(puppet_t)
+ term_dontaudit_getattr_all_ttys(puppet_t)
+
++
++## system modules
++
+ init_all_labeled_script_domtrans(puppet_t)
+ init_domtrans_script(puppet_t)
+ init_read_utmp(puppet_t)
+@@ -125,12 +133,26 @@
+ miscfiles_read_hwdata(puppet_t)
+ miscfiles_read_localization(puppet_t)
+
++mount_domtrans(puppet_t)
++
+ seutil_domtrans_setfiles(puppet_t)
+ seutil_domtrans_semanage(puppet_t)
+
+ sysnet_dns_name_resolve(puppet_t)
+ sysnet_run_ifconfig(puppet_t, system_r)
+
++## Other modules
++
++
++usermanage_domtrans_passwd(puppet_t)
++
++tunable_policy(`gentoo_try_dontaudit',`
++ dontaudit puppet_t self:capability dac_read_search;
++ #kernel_dontaudit_read_system_state(puppet_initrc_notrans_t)
++ userdom_dontaudit_use_user_terminals(puppet_t)
++')
++
++
+ tunable_policy(`puppet_manage_all_files',`
+ auth_manage_all_files_except_shadow(puppet_t)
+ ')
+@@ -144,6 +166,15 @@
+ ')
+
+ optional_policy(`
++ mta_send_mail(puppet_t)
++')
++
++optional_policy(`
++ gentoo_init_rc_exec(puppet_t)
++ portage_domtrans(puppet_t)
++')
++
++optional_policy(`
+ files_rw_var_files(puppet_t)
+
+ rpm_domtrans(puppet_t)
+--- services/puppet.fc 2010-08-03 15:11:07.000000000 +0200
++++ services/puppet.fc 2011-07-21 10:08:43.240000256 +0200
+@@ -3,7 +3,9 @@
+ /etc/rc\.d/init\.d/puppet -- gen_context(system_u:object_r:puppet_initrc_exec_t,s0)
+ /etc/rc\.d/init\.d/puppetmaster -- gen_context(system_u:object_r:puppetmaster_initrc_exec_t,s0)
+
++/usr/bin/puppetd -- gen_context(system_u:object_r:puppet_exec_t,s0)
+ /usr/sbin/puppetd -- gen_context(system_u:object_r:puppet_exec_t,s0)
++/usr/bin/puppetmasterd -- gen_context(system_u:object_r:puppetmaster_exec_t,s0)
+ /usr/sbin/puppetmasterd -- gen_context(system_u:object_r:puppetmaster_exec_t,s0)
+
+ /var/lib/puppet(/.*)? gen_context(system_u:object_r:puppet_var_lib_t,s0)
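Review bot: The rewritten `allow puppet_t self:capability { ... }` line adds `chown` with no comment saying which Puppet operation needs it. puppet_t already holds `dac_override`, `fowner`, `fsetid`, `setuid` and `setgid`, so once `chown` is added the type-enforcement rules are the only remaining limit on which files the agent can re-own. That is worth recording next to the rule, for example with `# chown: lets puppet set owner/group on the files it manages (confirm against the AVC denial that prompted this)` above the line. The same capability line is in fix-services-puppet-r3.patch.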
diff --git a/sec-policy/selinux-puppet/files/fix-services-puppet-r3.patch b/sec-policy/selinux-puppet/files/fix-services-puppet-r3.patch
new file mode 100644
index 000000000000..492cc2755910
--- /dev/null
+++ b/sec-policy/selinux-puppet/files/fix-services-puppet-r3.patch
@@ -0,0 +1,97 @@
+--- services/puppet.te 2010-08-03 15:11:07.000000000 +0200
++++ services/puppet.te 2011-07-24 10:34:00.622000087 +0200
+@@ -17,6 +17,9 @@
+ type puppet_exec_t;
+ init_daemon_domain(puppet_t, puppet_exec_t)
+
++#type puppet_initrc_notrans_t;
++#role system_r types puppet_initrc_notrans_t;
++
+ type puppet_etc_t;
+ files_config_file(puppet_etc_t)
+
+@@ -50,7 +53,7 @@
+ # Puppet personal policy
+ #
+
+-allow puppet_t self:capability { fowner fsetid setuid setgid dac_override sys_nice sys_ptrace sys_tty_config };
++allow puppet_t self:capability { fowner fsetid setuid setgid dac_override sys_nice sys_ptrace sys_tty_config chown };
+ allow puppet_t self:process { signal signull getsched setsched };
+ allow puppet_t self:fifo_file rw_fifo_file_perms;
+ allow puppet_t self:netlink_route_socket create_netlink_socket_perms;
+@@ -77,7 +80,9 @@
+ files_tmp_filetrans(puppet_t, puppet_tmp_t, { file dir })
+
+ kernel_dontaudit_search_sysctl(puppet_t)
+-kernel_dontaudit_search_kernel_sysctl(puppet_t)
++#kernel_dontaudit_search_kernel_sysctl(puppet_t)
++kernel_read_kernel_sysctls(puppet_t)
++kernel_read_network_state(puppet_t)
+ kernel_read_system_state(puppet_t)
+ kernel_read_crypto_sysctls(puppet_t)
+
+@@ -115,6 +120,9 @@
+ term_dontaudit_getattr_unallocated_ttys(puppet_t)
+ term_dontaudit_getattr_all_ttys(puppet_t)
+
++
++## system modules
++
+ init_all_labeled_script_domtrans(puppet_t)
+ init_domtrans_script(puppet_t)
+ init_read_utmp(puppet_t)
+@@ -125,12 +133,26 @@
+ miscfiles_read_hwdata(puppet_t)
+ miscfiles_read_localization(puppet_t)
+
++mount_domtrans(puppet_t)
++
+ seutil_domtrans_setfiles(puppet_t)
+ seutil_domtrans_semanage(puppet_t)
+
+ sysnet_dns_name_resolve(puppet_t)
+ sysnet_run_ifconfig(puppet_t, system_r)
+
++## Other modules
++
++
++usermanage_domtrans_passwd(puppet_t)
++
++tunable_policy(`gentoo_try_dontaudit',`
++ dontaudit puppet_t self:capability dac_read_search;
++ #kernel_dontaudit_read_system_state(puppet_initrc_notrans_t)
++ userdom_dontaudit_use_user_terminals(puppet_t)
++')
++
++
+ tunable_policy(`puppet_manage_all_files',`
+ auth_manage_all_files_except_shadow(puppet_t)
+ ')
+@@ -144,6 +166,15 @@
+ ')
+
+ optional_policy(`
++ mta_send_mail(puppet_t)
++')
++
++optional_policy(`
++ gentoo_init_rc_exec(puppet_t)
++ portage_run(puppet_t, system_r)
++')
++
++optional_policy(`
+ files_rw_var_files(puppet_t)
+
+ rpm_domtrans(puppet_t)
+--- services/puppet.fc 2010-08-03 15:11:07.000000000 +0200
++++ services/puppet.fc 2011-07-21 10:08:43.240000256 +0200
+@@ -3,7 +3,9 @@
+ /etc/rc\.d/init\.d/puppet -- gen_context(system_u:object_r:puppet_initrc_exec_t,s0)
+ /etc/rc\.d/init\.d/puppetmaster -- gen_context(system_u:object_r:puppetmaster_initrc_exec_t,s0)
+
++/usr/bin/puppetd -- gen_context(system_u:object_r:puppet_exec_t,s0)
+ /usr/sbin/puppetd -- gen_context(system_u:object_r:puppet_exec_t,s0)
++/usr/bin/puppetmasterd -- gen_context(system_u:object_r:puppetmaster_exec_t,s0)
+ /usr/sbin/puppetmasterd -- gen_context(system_u:object_r:puppetmaster_exec_t,s0)
+
+ /var/lib/puppet(/.*)? gen_context(system_u:object_r:puppet_var_lib_t,s0)
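Review bot: The new `optional_policy` block in the puppet.te part holds both `gentoo_init_rc_exec(puppet_t)` and `portage_run(puppet_t, system_r)`, and an optional block is disabled as a whole when any one of its requirements is missing. Judging by the prefixes the two calls come from different modules, so a build without the portage policy would also silently lose the init rule, and the reverse. The block just above shows the usual pattern of one dependency per block with `mta_send_mail(puppet_t)`. Closing the block after `gentoo_init_rc_exec(puppet_t)` and opening a second `optional_policy` for the portage call keeps the two independent. The r1 and r2 patches group their init and portage calls the same way.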
diff --git a/sec-policy/selinux-puppet/selinux-puppet-2.20101213-r1.ebuild b/sec-policy/selinux-puppet/selinux-puppet-2.20101213-r1.ebuild
new file mode 100644
index 000000000000..32d8fa6c9674
--- /dev/null
+++ b/sec-policy/selinux-puppet/selinux-puppet-2.20101213-r1.ebuild
@@ -0,0 +1,18 @@
+# Copyright 1999-2011 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/sec-policy/selinux-puppet/selinux-puppet-2.20101213-r1.ebuild,v 1.1 2011/07/25 23:14:24 blueness Exp $
+
+IUSE=""
+
+MODS="puppet"
+
+inherit selinux-policy-2
+
+DESCRIPTION="SELinux policy for general applications"
+
+DEPEND=">=sec-policy/selinux-base-policy-2.20101213-r19"
+RDEPEND="${DEPEND}"
+
+KEYWORDS="~amd64 ~x86"
+
+POLICY_PATCH="${FILESDIR}/fix-services-puppet-r1.patch"
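Review bot: `DESCRIPTION="SELinux policy for general applications"` does not say which policy module this package installs, although `MODS="puppet"` a few lines above does. Anyone reading search results or package listings cannot tell this package from any other one that carries the same generic text. `DESCRIPTION="SELinux policy for puppet"` would match the module. The -r2 and -r3 ebuilds added in this commit have the same line.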
diff --git a/sec-policy/selinux-puppet/selinux-puppet-2.20101213-r2.ebuild b/sec-policy/selinux-puppet/selinux-puppet-2.20101213-r2.ebuild
new file mode 100644
index 000000000000..f96a26b930d6
--- /dev/null
+++ b/sec-policy/selinux-puppet/selinux-puppet-2.20101213-r2.ebuild
@@ -0,0 +1,18 @@
+# Copyright 1999-2011 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/sec-policy/selinux-puppet/selinux-puppet-2.20101213-r2.ebuild,v 1.1 2011/07/25 23:14:24 blueness Exp $
+
+IUSE=""
+
+MODS="puppet"
+
+inherit selinux-policy-2
+
+DESCRIPTION="SELinux policy for general applications"
+
+DEPEND=">=sec-policy/selinux-base-policy-2.20101213-r20"
+RDEPEND="${DEPEND}"
+
+KEYWORDS="~amd64 ~x86"
+
+POLICY_PATCH="${FILESDIR}/fix-services-puppet-r2.patch"
diff --git a/sec-policy/selinux-puppet/selinux-puppet-2.20101213-r3.ebuild b/sec-policy/selinux-puppet/selinux-puppet-2.20101213-r3.ebuild
new file mode 100644
index 000000000000..670d5d0e3bd9
--- /dev/null
+++ b/sec-policy/selinux-puppet/selinux-puppet-2.20101213-r3.ebuild
@@ -0,0 +1,18 @@
+# Copyright 1999-2011 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/sec-policy/selinux-puppet/selinux-puppet-2.20101213-r3.ebuild,v 1.1 2011/07/25 23:14:24 blueness Exp $
+
+IUSE=""
+
+MODS="puppet"
+
+inherit selinux-policy-2
+
+DESCRIPTION="SELinux policy for general applications"
+
+DEPEND=">=sec-policy/selinux-base-policy-2.20101213-r20"
+RDEPEND="${DEPEND}"
+
+KEYWORDS="~amd64 ~x86"
+
+POLICY_PATCH="${FILESDIR}/fix-services-puppet-r3.patch"