From: sven.vermeulen@siphos.be (Sven Vermeulen)
Date: Mon, 9 Jan 2012 22:17:41 +0100
Subject: [refpolicy] Contribute cfengine policy from Fedora to refpolicy
In-Reply-To: <4F0B4F06.40208@redhat.com>
References: <4F072DF9.2050806@redhat.com> <20120109202650.GC3416@siphos.be>
	<4F0B4F06.40208@redhat.com>
Message-ID: <20120109211740.GI3416@siphos.be>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Mon, Jan 09, 2012 at 03:33:10PM -0500, Daniel J Walsh wrote:
> > Are you certain this one works? As far as I know, cfengine has a
> > similar functionality to puppet, and the puppet policy has many
> > more privileges. I also don't see any interfaces that can be used
> > by administrators to interact with the cfengine components.
> > 
> > The cfengine reference manual also contains quite a few components
> > that I don't see mentioned. Although some of them probably run
> > pretty well in the caller domain (and as long as they're labeled
> > bin_t that's okay) but I'm not sure that they don't need particular
> > privileges in /var/cfengine(/.*)?
> > 
> > I'll see if I can stage a small VM to play with this a bit - just
> > looks a bit strange to me.
>  
> No I am not sure that this one works.  I know it is in our policy and
> looks pretty comprehensive, not sure who wrote it.  I would figure
> most of this needs to be unconfined like the puppet policy.   But It
> seems like a good start to the policy.

There's no "unconfined_domain" call in there, which you might want to add
then.

For me, I don't mind putting in modules that might not be fully finished yet
as long as they already have shown proper thought about domain naming (so
that future reshuffles aren't necessary) and the interfaces, as far as they
are already defined, are in good shape.

The rest is imo local to the policy and as such can be changed in future
revisions anyhow.

Style-wise, the module looks okay, so for me it's okay.

Wkr,
	Sven Vermeulen