From: sven.vermeulen@siphos.be (Sven Vermeulen)
Date: Tue, 1 Jan 2013 11:50:20 +0100
Subject: [refpolicy] [PATCH 06/12] Grant sys_admin capability to puppet
In-Reply-To: <1357037236.2088.15.camel@localhost>
References: <1356994351-29191-1-git-send-email-sven.vermeulen@siphos.be> <1356994351-29191-7-git-send-email-sven.vermeulen@siphos.be> <1357037236.2088.15.camel@localhost>
Message-ID:
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Tue, Jan 1, 2013 at 11:47 AM, grift wrote:

> On Mon, 2012-12-31 at 23:52 +0100, Sven Vermeulen wrote:
> > While gathering information, puppet invokes lspci, which requires the sys_admin
> > capability.
> >
>
> I gather that puppet loses functionality if this permission is dontaudited?
>
> sys_admin is a very broad capability

Yes; it is needed to gather the facts (configuration settings puppet receives from a system and uses to build its decisions on) of the system. Puppet is a system administration tool so it makes sense that it needs this privilege.

It prob