From ba92b7b036710461f6965ff8e78e39208e61ef94 Mon Sep 17 00:00:00 2001
From: Vratislav Podzimek
Date: Wed, 1 Nov 2023 16:11:53 +0100
Subject: [PATCH] Introduce RHEL 9 specific SELinux policy

The type `systemd_userdbd_runtime_t` is only available on RHEL 9 and so RHEL 8 policy cannot contain it.

Ticket: ENT-9727
Changelog: None
---
 misc/selinux/Makefile.am | 1 +
 misc/selinux/cfengine-enterprise.te.all | 6 ------
 misc/selinux/cfengine-enterprise.te.el9 | 8 ++++++++
 3 files changed, 9 insertions(+), 6 deletions(-)
 create mode 100644 misc/selinux/cfengine-enterprise.te.el9

diff --git a/misc/selinux/Makefile.am b/misc/selinux/Makefile.am
index 788c5402ea..870b866b30 100644
--- a/misc/selinux/Makefile.am
+++ b/misc/selinux/Makefile.am
@@ -17,5 +17,6 @@ endif
 # explicit DISTFILES are required for these files to be part of a 'make dist'
 # tarball even without running './configure --with-selinux-policy'
 DISTFILES = Makefile.in Makefile.am cfengine-enterprise.fc cfengine-enterprise.te.all
+DISTFILES += cfengine-enterprise.te.el9
 CLEANFILES = cfengine-enterprise.pp cfengine-enterprise.if cfengine-enterprise.te
diff --git a/misc/selinux/cfengine-enterprise.te.all b/misc/selinux/cfengine-enterprise.te.all
index 3188e40c98..d8d58639c8 100644
--- a/misc/selinux/cfengine-enterprise.te.all
+++ b/misc/selinux/cfengine-enterprise.te.all
@@ -75,7 +75,6 @@ require {
 type syslogd_var_run_t;
 type system_dbusd_t;
 type system_dbusd_var_run_t;
- type systemd_userdbd_runtime_t;
 type tmp_t;
 type tmpfs_t;
 role system_r;
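Review bot: Nothing in the visible part of misc/selinux/Makefile.am selects cfengine-enterprise.te.el9 into the generated cfengine-enterprise.te (listed in CLEANFILES) on RHEL 9; the hunk only appends it to DISTFILES, so if the per-release concatenation rule is not in the conditional above `endif` that this hunk does not show, the rules moved out of `.te.all` would never be compiled and the httpd-side access would regress on RHEL 9. A comment next to the new line such as `# appended to cfengine-enterprise.te only on RHEL 9, see the selection rule above` (pointing at wherever that selection actually happens) would make the relationship between the two policy sources explicit.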
@@ -643,11 +642,6 @@ allow cfengine_httpd_t tmp_t:file { create setattr unlink write rename };
 allow cfengine_httpd_t tmp_t:dir { add_name remove_name write read };
 allow cfengine_httpd_t var_t:dir read;
-# PAM module for dynamic users
-allow cfengine_httpd_t systemd_userdbd_runtime_t:dir { getattr open read search };
-allow cfengine_httpd_t systemd_userdbd_runtime_t:sock_file write;
-allow cfengine_httpd_t kernel_t:unix_stream_socket connectto;
-
 # apparently, httpd creates some temporary bits in /tmp that it needs to mmap()
 allow cfengine_httpd_t tmp_t:file map;
diff --git a/misc/selinux/cfengine-enterprise.te.el9 b/misc/selinux/cfengine-enterprise.te.el9
new file mode 100644
index 0000000000..25b31a0c95
--- /dev/null
+++ b/misc/selinux/cfengine-enterprise.te.el9
@@ -0,0 +1,8 @@
+require {
+ type systemd_userdbd_runtime_t;
+}
+
+# PAM module for dynamic users
+allow cfengine_httpd_t systemd_userdbd_runtime_t:dir { getattr open read search };
+allow cfengine_httpd_t systemd_userdbd_runtime_t:sock_file write;
+allow cfengine_httpd_t kernel_t:unix_stream_socket connectto;
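Review bot: The `# PAM module for dynamic users` comment in the new cfengine-enterprise.te.el9 does not say why the third rule targets `kernel_t` rather than a userdbd-specific type, so `allow cfengine_httpd_t kernel_t:unix_stream_socket connectto;` reads as unrelated to the two `systemd_userdbd_runtime_t` rules and is the grant a reviewer would most want to audit or tighten later; a comment such as `# connectto is for the userdb socket peer, which is presumably labelled kernel_t on RHEL 9 — confirm against the AVC that motivated it` would record the reason. The `require` block declares only `systemd_userdbd_runtime_t`, so this file evidently relies on being concatenated after cfengine-enterprise.te.all, where `cfengine_httpd_t` and `kernel_t` are already in scope; that dependency is worth stating in a header comment. If the build goes through the module compiler, wrapping these rules in a single `optional { ... }` block inside the one policy source is an alternative to a per-release file, since the block is skipped when its required type is absent.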