Christopher J. PeBenito
cpebenito at tresys.com
Thu Aug 27 09:03:19 CDT 2009
On Thu, 2009-08-27 at 09:16 -0400, Daniel J Walsh wrote:
> On 08/26/2009 07:45 PM, Grube, Craig wrote:
> > The attached patch contains policy for Puppet, a configuration
> > management tool. It contains two new services, for the client and
> > server components of Puppet, and adds a new network port type for
> > Puppet's use.
> > If any changes are desired please let me know and I will provide
> > updated patches as my schedule permits.
> What is your security goals for puppet? Are you going to allow it to
> write to anywhere on the system? Seems that a configuration system
> like puppet needs to have full access unless a user can specify his
> security goals.
I don't agree with full access being needed. Its a configuration
management system, so it seems that a reasonable starting policy would
be able to manage files in /etc, in addition to doing things like run
useradd, semanage, mount, ifconfig, etc.
Tresys Technology, LLC
(410) 290-1411 x150
More information about the refpolicy