[refpolicy] Contribute cfengine policy from Fedora to refpolicy
Daniel J Walsh
dwalsh at redhat.com
Mon Jan 9 14:33:10 CST 2012
On 01/09/2012 03:26 PM, Sven Vermeulen wrote:
> On Fri, Jan 06, 2012 at 12:23:05PM -0500, Daniel J Walsh wrote:
>> Please Review, and ack.
> [...]
>
> Are you certain this one works? As far as I know, cfengine has a
> similar functionality to puppet, and the puppet policy has many
> more privileges. I also don't see any interfaces that can be used
> by administrators to interact with the cfengine components.
>
> The cfengine reference manual also contains quite a few components
> that I don't see mentioned. Although some of them probably run
> pretty well in the caller domain (and as long as they're labeled
> bin_t that's okay) but I'm not sure that they don't need particular
> privileges in /var/cfengine(/.*)?
>
> I'll see if I can stage a small VM to play with this a bit - just
> looks a bit strange to me.
>
> Wkr, Sven Vermeulen
No, I am not sure that this one works. I know it is in our policy and
looks pretty comprehensive, not sure who wrote it. I would figure
most of this needs to be unconfined like the puppet policy. But it
seems like a good start to the policy.