[refpolicy] puppet.patch

Christopher J. PeBenito cpebenito at tresys.com
Thu Aug 27 09:03:19 CDT 2009


On Thu, 2009-08-27 at 09:16 -0400, Daniel J Walsh wrote:
> On 08/26/2009 07:45 PM, Grube, Craig wrote:
> > 
> > The attached patch contains policy for Puppet, a configuration
> > management tool.  It contains two new services, for the client and
> > server components of Puppet, and adds a new network port type for
> > Puppet's use.
> > 
> > If any changes are desired please let me know and I will provide
> > updated patches as my schedule permits.
> 
> What are your security goals for puppet?  Are you going to allow it to
> write to anywhere on the system?  Seems that a configuration system
> like puppet needs to have full access unless a user can specify his
> security goals.

I don't agree with full access being needed.  It's a configuration
management system, so it seems that a reasonable starting policy would
be able to manage files in /etc, in addition to doing things like run
useradd, semanage, mount, ifconfig, etc.

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
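The scoping Chris describes above (manage /etc, reach useradd, semanage, mount and ifconfig through domain transitions, and nothing broader) can be sketched as a refpolicy module. The fragment below is an added illustration, not the patch under discussion nor any code from the thread or from the refpolicy project. It assumes the standard refpolicy interface names of that era (files_manage_etc_files, usermanage_domtrans_useradd, seutil_domtrans_semanage, mount_domtrans, sysnet_domtrans_ifconfig, and so on), and it assumes a puppet port type has been declared in corenetwork.te.in as the original patch does, so that corenet_tcp_connect_puppet_port exists; the type names puppet_t, puppet_exec_t, puppet_etc_t, puppet_log_t and puppet_var_lib_t are assumptions for the example.

```m4
policy_module(puppet, 1.0.0)

########################################
#
# Declarations (type names are assumptions for this example)
#

type puppet_t;
type puppet_exec_t;
init_daemon_domain(puppet_t, puppet_exec_t)

type puppet_etc_t;
files_config_file(puppet_etc_t)

type puppet_log_t;
logging_log_file(puppet_log_t)

type puppet_var_lib_t;
files_type(puppet_var_lib_t)

########################################
#
# Client local policy
#
# The point of this sketch: puppet_t gets the minimum needed for its
# job. It is NOT given unconfined_domain(puppet_t) or any
# "full access" style rule; everything privileged goes through a
# transition into the helper's own domain, so the audit log still
# shows useradd, semanage, mount and ifconfig acting as themselves.
#

allow puppet_t self:process signal;
allow puppet_t self:fifo_file rw_fifo_file_perms;
allow puppet_t self:tcp_socket create_stream_socket_perms;

# The tree a configuration manager exists to manage
files_manage_etc_files(puppet_t)

# Its own configuration (read only), log and state directories
read_files_pattern(puppet_t, puppet_etc_t, puppet_etc_t)

manage_files_pattern(puppet_t, puppet_log_t, puppet_log_t)
logging_log_filetrans(puppet_t, puppet_log_t, file)

manage_dirs_pattern(puppet_t, puppet_var_lib_t, puppet_var_lib_t)
manage_files_pattern(puppet_t, puppet_var_lib_t, puppet_var_lib_t)

# Privileged helpers run in their own domains via domain transition
usermanage_domtrans_useradd(puppet_t)
usermanage_domtrans_groupadd(puppet_t)
seutil_domtrans_semanage(puppet_t)
mount_domtrans(puppet_t)
sysnet_domtrans_ifconfig(puppet_t)

# Generic executables and shells for manifest "exec" resources
corecmd_exec_bin(puppet_t)
corecmd_exec_shell(puppet_t)

# Network: the client only needs to reach the master on the puppet port
# (puppet_port_t is assumed to be declared in corenetwork.te.in)
corenet_all_recvfrom_unlabeled(puppet_t)
corenet_tcp_sendrecv_generic_if(puppet_t)
corenet_tcp_sendrecv_generic_node(puppet_t)
corenet_tcp_connect_puppet_port(puppet_t)
sysnet_dns_name_resolve(puppet_t)

logging_send_syslog_msg(puppet_t)
miscfiles_read_localization(puppet_t)
```

Anything a deployment needs beyond this (for instance managing files outside /etc) would surface as a denial in audit.log and can then be added deliberately, which is the trade-off this kind of starting policy makes against handing the daemon blanket access.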
