> > Just out of curiosity, are you going to double wrap this in a Java > Security Policy for those systems that don't have SELinux? >
IFAIK JSP and SELinux are two different technologies with different goals. JSP can't protect you from security bugs in JVM and the granulality is much lower than syscall-based SELinux. My ultimate goal is to do minimum work required in Puppet upstream to be able to build SELinux policies around it. The main reason why we discuss this here is because puppet has one command (binary file) to do variulous things - one subcommand spawns Puppet Master server (subject of SELinux confinement) and also spawns agent or helper sub-commands which are not subject of this. If there are subbinaries like in with (git -> git-commit or git-push) there is no need of patching Puppet binary at all. -- S pozdravem / Best regards Lukas Zapletal -- You received this message because you are subscribed to the Google Groups "Puppet Developers" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-dev/CAE6MHmy3W-3dnwayVqaOLxcycf5tdgASiYnA854j3jwvudYt4Q%40mail.gmail.com. For more options, visit https://groups.google.com/d/optout.
