ENT-13666: Added RHEL 10 specific SELinux policy #6035
aleksandrychev wants to merge 1 commit into cfengine:master from
79bf50f to 8d52ad9
|
with this fix: |
| allow cfengine_apachectl_t user_devpts_t:chr_file getattr; | ||
|
|
||
| #============= cfengine_execd_t ============== | ||
| allow cfengine_execd_t http_port_t:tcp_socket name_connect; |
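Review bot: the cfengine_execd_t rule `allow cfengine_execd_t http_port_t:tcp_socket name_connect;` has no comment saying why the daemon needs outbound connections. http_port_t labels every port the system policy assigns to HTTP services, so the grant is wider than a single endpoint. Put a comment directly above the rule naming the policy code that makes the request, so a later reviewer can tell whether the rule is still needed.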
Any clue why cf-execd (and cf-serverd below) want to be able to connect to HTTP? Something new in pre-eval?
Yeah, would be good to reference masterfiles. Maybe it is us trying to query the AWS API in inventory!?
Yes, inventory; added comment: https://github.com/cfengine/masterfiles/blob/master/inventory/any.cf#L656-L680
Oh, we actually have it commented in the EL9 policy. Please do the same here.
Btw, @craigcomstock it's "your" ticket and marked as DONE so we may need to adjust something somewhere 😁
That has been fixed: ENT-13666 is in review and assigned to Igor. 👍
| @@ -0,0 +1,69 @@ | |||
| require { | |||
| type cfengine_reactor_t; | |||
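Review bot: every type listed in the `require {` block that opens the file, starting with `type cfengine_reactor_t;`, has to be declared by another loaded module before this one installs, otherwise the module load fails. Keep the list limited to types the allow rules below actually use, and add a comment saying which module declares the cfengine_* types.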
I am suspicious about all the requires. I remember this biting us in the past. Look at other policies for hints on using macros for many includes instead.
| } | ||
|
|
||
| #============= cfengine_apachectl_t ============== | ||
| allow cfengine_apachectl_t devpts_t:dir { getattr search }; |
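Review bot: in the cfengine_apachectl_t section, `allow cfengine_apachectl_t devpts_t:dir { getattr search };` grants access to the pseudo-terminal directory without saying what triggers it. If the denial only shows up when apachectl is started from an interactive terminal and the service works without the access, a dontaudit rule would silence the AVC without widening the domain; otherwise add a comment recording the operation that needs it.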
Would be interesting to compare this to a standard apache httpd policy.
| allow cfengine_apachectl_t user_devpts_t:chr_file getattr; | ||
|
|
||
| #============= cfengine_execd_t ============== | ||
| allow cfengine_execd_t http_port_t:tcp_socket name_connect; |
8d52ad9 to 8b1eaf9
Ticket: ENT-13666
Signed-off-by: Ihor Aleksandrychiev <ihor.aleksandrychiev@northern.tech>
8b1eaf9 to 345d080
Ticket: ENT-13666