From: dwalsh@redhat.com (Daniel J Walsh)
Date: Mon, 09 Jan 2012 15:33:10 -0500
Subject: [refpolicy] Contribute cfengine policy from Fedora to refpolicy
In-Reply-To: <20120109202650.GC3416@siphos.be>
References: <4F072DF9.2050806@redhat.com> <20120109202650.GC3416@siphos.be>
Message-ID: <4F0B4F06.40208@redhat.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 01/09/2012 03:26 PM, Sven Vermeulen wrote:
> On Fri, Jan 06, 2012 at 12:23:05PM -0500, Daniel J Walsh wrote:
>> Please Review, and ack.
> [...]
>
> Are you certain this one works? As far as I know, cfengine has a
> similar functionality to puppet, and the puppet policy has many
> more privileges. I also don't see any interfaces that can be used
> by administrators to interact with the cfengine components.
>
> The cfengine reference manual also contains quite a few components
> that I don't see mentioned. Although some of them probably run
> pretty well in the caller domain (and as long as they're labeled
> bin_t that's okay) but I'm not sure that they don't need particular
> privileges in /var/cfengine(/.*)?
>
> I'll see if I can stage a small VM to play with this a bit - just
> looks a bit strange to me.
>
> Wkr, Sven Vermeulen

No, I am not sure that this one works. I know it is in our policy and
looks pretty comprehensive, not sure who wrote it.

I would figure most of this needs to be unconfined like the puppet
policy. But it seems like a good start to the policy.