Daniel J Walsh
dwalsh at redhat.com
Thu Aug 27 09:54:56 CDT 2009
On 08/27/2009 10:03 AM, Christopher J. PeBenito wrote:
> On Thu, 2009-08-27 at 09:16 -0400, Daniel J Walsh wrote:
>> On 08/26/2009 07:45 PM, Grube, Craig wrote:
>>> The attached patch contains policy for Puppet, a configuration
>>> management tool. It contains two new services, for the client and
>>> server components of Puppet, and adds a new network port type for
>>> Puppet's use.
>>> If any changes are desired please let me know and I will provide
>>> updated patches as my schedule permits.
>> What is your security goals for puppet? Are you going to allow it to
>> write to anywhere on the system? Seems that a configuration system
>> like puppet needs to have full access unless a user can specify his
>> security goals.
> I don't agree with full access being needed. Its a configuration
> management system, so it seems that a reasonable starting policy would
> be able to manage files in /etc, in addition to doing things like run
> useradd, semanage, mount, ifconfig, etc.
Also needs to be able to install rpm, but I have seen puppet used to move files all over the place, such as apache content.
I am not sure you are getting a great increase in security if I have all of these capabilities.
I guess we could write policy that defaults puppet to unconfined_t and then have people choose to run a tighter policy around what puppet is actually doing on their machine.
More information about the refpolicy