From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Thu, 27 Aug 2009 10:03:19 -0400
Subject: [refpolicy] puppet.patch
In-Reply-To: <4A968713.7020104@redhat.com>
References: <5ABE30CE099A524CBF95C715D37BCACC020A0190@nemo.columbia.ads.sparta.com>
	<4A968713.7020104@redhat.com>
Message-ID: <1251381799.8357.52.camel@gorn.columbia.tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Thu, 2009-08-27 at 09:16 -0400, Daniel J Walsh wrote:
> On 08/26/2009 07:45 PM, Grube, Craig wrote:
> > 
> > The attached patch contains policy for Puppet, a configuration
> > management tool.  It contains two new services, for the client and
> > server components of Puppet, and adds a new network port type for
> > Puppet's use.
> > 
> > If any changes are desired please let me know and I will provide
> > updated patches as my schedule permits.
> 
> What is your security goals for puppet?  Are you going to allow it to
> write to anywhere on the system?  Seems that a configuration system
> like puppet needs to have full access unless a user can specify his
> security goals.

I don't agree with full access being needed.  Its a configuration
management system, so it seems that a reasonable starting policy would
be able to manage files in /etc, in addition to doing things like run
useradd, semanage, mount, ifconfig, etc.

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150