Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

A round of SELinux policy updates and fixes #5358

Merged
merged 6 commits into from
Nov 8, 2023
Merged

A round of SELinux policy updates and fixes #5358

merged 6 commits into from
Nov 8, 2023

Conversation

vpodzime
Copy link
Contributor

@vpodzime vpodzime commented Nov 1, 2023

No description provided.

nickanderson
nickanderson previously approved these changes Nov 1, 2023
View reviewed changes
@vpodzime vpodzime force-pushed the master-selinux_fixes_10_2023 branch 4 times, most recently from 2173081 to 8430062 Compare November 3, 2023 10:12
olehermanse
olehermanse approved these changes Nov 7, 2023
View reviewed changes
Copy link
Member

@olehermanse olehermanse left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks reasonable to me, added some opinions on the changelog entries, but they are "low severity" :)

misc/selinux/cfengine-enterprise.te Show resolved Hide resolved
misc/selinux/cfengine-enterprise.te Show resolved Hide resolved
@vpodzime
Allow CFEngine daemons to access to proc_security_t files
1ab8859 
These are security parameters of the system found under
/proc/sys/kernel. Allow **read** access is fine although our
daemons normally shoudln't require this information (`cf-agent`
is allowed this access already).

Ticket: ENT-9684
Changelog: SELinux no longer blocks CFEngine deamons in reading security parameters from /proc/sys/kernel
@vpodzime
Allow cf-hub to request loading of the TLS kernel module
982fb68 
Ticket: ENT-9727
Changelog: cf-hub is now allowed to use the TLS kernel module on
           SELinux-enabled systems
@vpodzime
Add missing SELinux rules for httpd querying users
91bd050 
On RHEL 9 there so-called dynamic users handled by systemd. httpd
needs to be able access the related directory and socket to
query user information.

Ticket: ENT-9727
Changelog: None
@vpodzime
Various small SELinux fixes
3439279 
Allowing systemd to properly start and check our services,
PostgreSQL to create and open the `/tmp/.s.PGSQL.5432.lock` file,
ifconfig spawned by cf-hub to actually run as ifconfig_t, etc.

Ticket: ENT-9727
Changelog: None
@vpodzime
Enable building platform-specific SELinux policies
3bf6540 
We need a different SELinux policy on RHEL 9 and RHEL 8 because
the latter doesn't support all the types required by the policy
for the former.

Ticket: ENT-9727
Changelog: None
@vpodzime
Introduce RHEL 9 specific SELinux policy
ba92b7b 
The type `systemd_userdbd_runtime_t` is only available on RHEL 9
and so RHEL 8 policy cannot contain it.

Ticket: ENT-9727
Changelog: None
@vpodzime vpodzime force-pushed the master-selinux_fixes_10_2023 branch from 8430062 to ba92b7b Compare November 8, 2023 09:05
@vpodzime vpodzime merged commit a2e99c3 into cfengine:master Nov 8, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@olehermanse olehermanse olehermanse approved these changes

@nickanderson nickanderson Awaiting requested review from nickanderson

@craigcomstock craigcomstock Awaiting requested review from craigcomstock

Assignees
No one assigned
Labels
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@vpodzime @nickanderson @olehermanse