From: dwalsh@redhat.com (Daniel J Walsh)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] puppet.patch
Date: Thu, 27 Aug 2009 10:54:56 -0400 [thread overview]
Message-ID: <4A969E40.7050204@redhat.com> (raw)
In-Reply-To: <1251381799.8357.52.camel@gorn.columbia.tresys.com>
On 08/27/2009 10:03 AM, Christopher J. PeBenito wrote:
> On Thu, 2009-08-27 at 09:16 -0400, Daniel J Walsh wrote:
>> On 08/26/2009 07:45 PM, Grube, Craig wrote:
>>>
>>> The attached patch contains policy for Puppet, a configuration
>>> management tool. It contains two new services, for the client and
>>> server components of Puppet, and adds a new network port type for
>>> Puppet's use.
>>>
>>> If any changes are desired please let me know and I will provide
>>> updated patches as my schedule permits.
>>
>> What is your security goals for puppet? Are you going to allow it to
>> write to anywhere on the system? Seems that a configuration system
>> like puppet needs to have full access unless a user can specify his
>> security goals.
>
> I don't agree with full access being needed. Its a configuration
> management system, so it seems that a reasonable starting policy would
> be able to manage files in /etc, in addition to doing things like run
> useradd, semanage, mount, ifconfig, etc.
>
Also needs to be able to install rpm, but I have seen puppet used to move files all over the place, such as apache content.
I am not sure you are getting a great increase in security if I have all of these capabilities.
I guess we could write policy that defaults puppet to unconfined_t and then have people choose to run a tighter policy around what puppet is actually doing on their machine.
next prev parent reply other threads:[~2009-08-27 14:54 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2009-08-26 23:45 [refpolicy] puppet.patch Grube, Craig
2009-08-27 10:31 ` Dominick Grift
2009-08-27 13:24 ` Grube, Craig
2009-08-27 14:20 ` Dominick Grift
2009-08-27 13:16 ` Daniel J Walsh
2009-08-27 14:03 ` Christopher J. PeBenito
2009-08-27 14:54 ` Daniel J Walsh [this message]
2009-08-27 14:56 ` Grube, Craig
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4A969E40.7050204@redhat.com \
--to=dwalsh@redhat.com \
--cc=refpolicy@oss.tresys.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.