From: dwalsh@redhat.com (Daniel J Walsh)
Date: Thu, 27 Aug 2009 09:16:03 -0400
Subject: [refpolicy] puppet.patch
In-Reply-To: <5ABE30CE099A524CBF95C715D37BCACC020A0190@nemo.columbia.ads.sparta.com>
References: <5ABE30CE099A524CBF95C715D37BCACC020A0190@nemo.columbia.ads.sparta.com>
Message-ID: <4A968713.7020104@redhat.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 08/26/2009 07:45 PM, Grube, Craig wrote:
> The attached patch contains policy for Puppet, a configuration management tool. It contains two new services, for the client and server components of Puppet, and adds a new network port type for Puppet's use.
>
> If any changes are desired please let me know and I will provide updated patches as my schedule permits.
>
> Craig

What are your security goals for puppet? Are you going to allow it to write to anywhere on the system? Seems that a configuration system like puppet needs to have full access unless a user can specify his security goals.