So, does anyone here have grsec running underneath a change-config setup like puppet or cfengine, with a daemon living on the local box that checks a central server for changes, all changes being negotiated through that daemon? Any ideas on how I could go about setting up an ACL for a situation like that, with a daemon/process running that should have proper rootly powers to change just about anything and everything (maybe even /etc/grsec/policy? thoughts?), but also have everything else locked down? Specifically, we're thinking of setting up puppet in our environment, and we want the puppetd client to be able to make changes where it needs to make changes, but we also want to not open ourselves up wide to the l33t-h4xx0rz of the world. Thoughts, anyone?
Many thanks in advance!
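One way to lay such a policy out, as an added example that is not part of the original post and not a policy shipped by grsecurity or Puppet: a fragment in the /etc/grsec/policy format where the root role stays tightly locked down and the configuration-management client gets its own subject with broad, but not unlimited, rights. The client path /usr/sbin/puppetd, the master address 10.0.0.1, the resolver 10.0.0.2 and the list of tools the client shells out to are all assumptions for illustration; on a real host the object lists would come from a full-learning run rather than being typed by hand.

```text
# Added example, not from the original post. Paths and addresses marked
# "assumed" are placeholders. Generate the real object lists with learning
# mode (gradm -F -L /etc/grsec/learning.logs, then
# gradm -F -L /etc/grsec/learning.logs -O /etc/grsec/policy) and trim.

role admin sA
subject / rvka
	/				rwcdmlxi

role default G
role_transitions admin
subject /
	/				r
	-CAP_ALL
	bind	disabled
	connect	disabled

# The root role itself stays tight: nothing running as root can write
# system files or use capabilities unless a more specific subject allows it.
role root uG
role_transitions admin
subject /
	/				r
	/etc/grsec			h
	/proc/sys/kernel/grsecurity	h
	/dev				h
	/dev/null			rw
	/tmp				rwcd
	/var/log			w
	-CAP_ALL
	bind	disabled
	connect	disabled

# The config-management client gets its own subject. The 'o' flag stops it
# inheriting the restrictive / subject above, so everything it may do is
# listed here explicitly. Path is assumed.
subject /usr/sbin/puppetd o
	/				rwxcdl
	# Raw hardware and kernel memory stay out of reach even for this daemon.
	/dev/mem			h
	/dev/kmem			h
	/dev/port			h
	/proc/kcore			h
	/boot				h
	/lib/modules			h
	# The RBAC policy and control files are hidden from the daemon: a
	# compromised master (or client) then cannot rewrite the ACL. Policy
	# changes go through the admin role by hand instead.
	/etc/grsec			h
	/proc/sys/kernel/grsecurity	h
	# Tools the client executes inherit this subject ('i') instead of
	# dropping back to the tight / subject. Which tools is site-specific;
	# these are assumed.
	/usr/bin/apt-get		xi
	/usr/bin/dpkg			xi
	/usr/sbin/useradd		xi
	/etc/init.d			xi
	+CAP_ALL
	-CAP_SYS_RAWIO
	-CAP_SYS_MODULE
	-CAP_SYS_BOOT
	-CAP_SYS_PTRACE
	-CAP_NET_RAW
	bind	disabled
	# Only the master and the resolver; addresses and the 8140 port are
	# assumed. Widen this if package tools that inherit the subject need
	# to reach mirrors.
	connect	10.0.0.1/32:8140 stream tcp
	connect	10.0.0.2/32:53 dgram udp
```

The point of hiding /etc/grsec from the puppetd subject is that the policy then cannot be changed by anything the daemon pushes: an operator authenticates with gradm -a admin, edits the file, and reloads with gradm -R, so the ACL is the one thing the configuration-management channel cannot alter, even if the master is compromised. The `i` entries matter in practice: without them, a package manager or init script run by the client is matched against the restrictive / subject of the root role and its writes are denied, which shows up as puzzling failures in the client's run rather than as an obvious policy problem.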