From: sven.vermeulen@siphos.be (Sven Vermeulen)
Date: Mon, 9 Jan 2012 21:26:50 +0100
Subject: [refpolicy] Contribute cfengine policy from Fedora to refpolicy
In-Reply-To: <4F072DF9.2050806@redhat.com>
References: <4F072DF9.2050806@redhat.com>
Message-ID: <20120109202650.GC3416@siphos.be>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Fri, Jan 06, 2012 at 12:23:05PM -0500, Daniel J Walsh wrote:
> Please Review, and ack.
[...]

Are you certain this one works? As far as I know, cfengine has a similar
functionality to puppet, and the puppet policy has many more privileges. I
also don't see any interfaces that can be used by administrators to interact
with the cfengine components. 

The cfengine reference manual also contains quite a few components that I
don't see mentioned. Although some of them probably run pretty well in the
caller domain (and as long as they're labeled bin_t that's okay) but I'm not
sure that they don't need particular privileges in /var/cfengine(/.*)?

I'll see if I can stage a small VM to play with this a bit - just looks a
bit strange to me.

Wkr,
	Sven Vermeulen