From 981eb022331d721de9a60efd700248d2c5acf526 Mon Sep 17 00:00:00 2001 From: Craig Comstock Date: Tue, 3 Dec 2024 11:00:36 -0600 Subject: [PATCH] Added read and open access for cert_t:dir to httpd, postgres and cf-hub Was found to be needed in 3.21.6a testing on rhel-9 hub. Ticket: ENT-12466 Changelog: title libre --- misc/selinux/cfengine-enterprise.te.all | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/misc/selinux/cfengine-enterprise.te.all b/misc/selinux/cfengine-enterprise.te.all index 7e075aabfd..5042ecc01b 100644 --- a/misc/selinux/cfengine-enterprise.te.all +++ b/misc/selinux/cfengine-enterprise.te.all @@ -424,7 +424,7 @@ allow cfengine_hub_t cfengine_var_lib_t:sock_file { create unlink }; allow cfengine_hub_t bin_t:file map; allow cfengine_hub_t bin_t:file { execute execute_no_trans }; -allow cfengine_hub_t cert_t:dir { search getattr }; +allow cfengine_hub_t cert_t:dir { getattr open read search }; allow cfengine_hub_t cert_t:file { getattr open read }; allow cfengine_hub_t crontab_exec_t:file getattr; allow cfengine_hub_t devlog_t:lnk_file read; @@ -513,7 +513,7 @@ allow cfengine_postgres_t cfengine_var_lib_t:dir { add_name getattr open create allow cfengine_postgres_t postgresql_port_t:tcp_socket name_bind; -allow cfengine_postgres_t cert_t:dir { search getattr }; +allow cfengine_postgres_t cert_t:dir { getattr open read search }; allow cfengine_postgres_t cert_t:file { getattr open read }; allow cfengine_postgres_t hugetlbfs_t:file map; allow cfengine_postgres_t hugetlbfs_t:file { read write }; @@ -575,7 +575,7 @@ allow init_t cfengine_httpd_t:process siginh; allow cfengine_httpd_t cfengine_httpd_exec_t:file entrypoint; allow cfengine_httpd_t cfengine_httpd_exec_t:file { ioctl read getattr lock map execute open }; -allow cfengine_httpd_t cert_t:dir { search getattr }; +allow cfengine_httpd_t cert_t:dir { getattr open read search }; allow cfengine_httpd_t cert_t:file { getattr open read }; allow cfengine_httpd_t cert_t:lnk_file read; allow cfengine_httpd_t cfengine_httpd_exec_t:file execute_no_trans;