ENT-13666: Added RHEL 10 specific SELinux policy #6035
aleksandrychev wants to merge 1 commit into cfengine:master from
Conversation
79bf50f to 8d52ad9
with this fix:
| @@ -0,0 +1,69 @@ | |||
| require { | |||
| type cfengine_reactor_t; | |||
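Review bot: the `require { type cfengine_reactor_t; ... }` block imports types by name, so the whole module refuses to load on any system where one of those types is missing or renamed; for types the CFEngine policy does not define itself, either wrap the dependent rules in `optional_policy()` or reach them through the base-policy interface macros that the comments below ask for, which resolve the types for you.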
I am suspicious about all the requires. I remember this biting us in the past. Look at other policies for hints on using macros for many includes instead.
This comment still holds for the classes specified below. This commit, 721bbe2, vastly reduced the content in our .te.all file and made the policy more resilient to changes in SELinux. So maybe check where the classes you DO include here are also included and use those high-level macros instead.
Right, kept only the types missing from .te.all.
| } | ||
|
|
||
| #============= cfengine_apachectl_t ============== | ||
| allow cfengine_apachectl_t devpts_t:dir { getattr search }; |
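Review bot: the raw `allow cfengine_apachectl_t devpts_t:dir { getattr search };` targets a base-policy type directly; the reference policy provides exactly this permission set as the `term_search_ptys(cfengine_apachectl_t)` interface, which is the macro approach the review comments ask for and keeps the module loading if the labelling of devpts_t is reorganised. The permission set itself is minimal (directory getattr and search only, no access to the pty character devices), so nothing broader is needed for the ps call.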
Would be interesting to compare this to a standard apache httpd policy.
devpts_t:dir { getattr search } — needed for ps to access terminal info; apachectl runs ps to check whether httpd processes are running.
Is there a way to inherit all the "standard" apachectl bits?
The standard SELinux apache policy has no apachectl type or domain at all: https://github.com/fedora-selinux/selinux-policy/blob/rawhide/policy/modules/contrib/apache.te
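A small lint for the point raised in both review threads above (an added example, not part of this PR or of CFEngine's policy): it reads a .te file, finds the types the module only imports through a require block, and reports every raw allow rule on such a type as a candidate for a base-policy interface, plus any required type no rule references. The policy text is constructed here to mirror the shape of the hunk; it is not the real module.

```python
import re
from typing import Dict, List, Set

# Constructed sample that mirrors the hunk under review (not CFEngine's real policy).
SAMPLE_TE = """
policy_module(cfengine_rhel10, 1.0)

require {
    type cfengine_reactor_t;
    type devpts_t;
    class dir { getattr search };
}

type cfengine_apachectl_t;

#============= cfengine_apachectl_t ==============
allow cfengine_apachectl_t devpts_t:dir { getattr search };
allow cfengine_apachectl_t cfengine_apachectl_t:process signal;
"""

# require { ... } may contain one level of nested braces (permission sets).
REQUIRE_BLOCK = re.compile(r"require\s*\{((?:[^{}]|\{[^{}]*\})*)\}", re.S)
TYPE_IN_REQUIRE = re.compile(r"^\s*type\s+([\w,\s]+);", re.M)
TYPE_DECL = re.compile(r"^\s*type\s+(\w+)\s*(?:,[^;]*)?;", re.M)
ALLOW_RULE = re.compile(r"^\s*allow\s+(\w+)\s+(\w+)\s*:\s*(\w+)\s+(\{[^}]*\}|\w+)\s*;", re.M)

def required_types(te: str) -> Set[str]:
    """Types the module imports via require {} instead of defining."""
    found: Set[str] = set()
    for block in REQUIRE_BLOCK.findall(te):
        for m in TYPE_IN_REQUIRE.finditer(block):
            found.update(t.strip() for t in m.group(1).split(",") if t.strip())
    return found

def declared_types(te: str) -> Set[str]:
    """Types the module declares itself (require blocks stripped first)."""
    return set(TYPE_DECL.findall(REQUIRE_BLOCK.sub("", te)))

def foreign_type_rules(te: str) -> List[Dict[str, object]]:
    """Raw allow rules whose target is an imported type: each one is a
    candidate for a base-policy interface, so the module keeps loading
    when the base policy reshuffles that type."""
    imported = required_types(te) - declared_types(te)
    return [{"source": s, "target": t, "class": c, "perms": p.strip("{} ").split()}
            for s, t, c, p in ALLOW_RULE.findall(te) if t in imported]

def unused_requires(te: str) -> Set[str]:
    """Required types no allow rule touches: a load-time dependency for nothing."""
    rules = ALLOW_RULE.findall(te)
    referenced = {s for s, _, _, _ in rules} | {t for _, t, _, _ in rules}
    return required_types(te) - referenced

if __name__ == "__main__":
    for r in foreign_type_rules(SAMPLE_TE):
        print(f"{r['source']} -> {r['target']}:{r['class']} {r['perms']}  (use an interface)")
    print("required but unreferenced:", sorted(unused_requires(SAMPLE_TE)))
```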
8b1eaf9 to 345d080
Ticket: ENT-13666
Signed-off-by: Ihor Aleksandrychiev <ihor.aleksandrychiev@northern.tech>
345d080 to bb48d08