ENT-12466: Various CFEngine SELinux policy fixes (3.21) #5647

Merged
merged 7 commits into from
Dec 3, 2024

@craigcomstock craigcomstock commented Dec 3, 2024

No description provided.

…ne-enterprise SELinux policy

It was found in some situations that cf-monitord was attempting access to files and dirs with the user_home_dir_t type and being blocked.
cf-monitord needs full access to all filesystems and files.

Ticket: ENT-12446
Changelog: title
(cherry picked from commit f4bf792)
…getattr everywhere and read symlinks

Seen on rhel-8 and rhel-9 with kernels 4.18.0 and 5.14.0 and policy version 33.

Applies to cf-monitord, cf-execd and cf-serverd.

Ticket: ENT-12466
Changelog: title
(cherry picked from commit f6f6af5)
…nterprise policy

Ticket: ENT-12466
Changelog: title
(cherry picked from commit b2e7a85)
…x policy

Ticket: ENT-12466
Changelog: title
(cherry picked from commit a2a0404)
…nts in cfengine-enterprise SELinux policy

Found to be needed in kernel policy version 33 on rhel-9 hub.

Ticket: ENT-12466
Changelog: title
(cherry picked from commit 3e6417d)
Found to be needed for kernel policy version 33 on rhel-9 hub.

Ticket: ENT-12466
Changelog: title
(cherry picked from commit e285fb6)

 Conflicts:
	misc/selinux/cfengine-enterprise.te.all

cf-reactor does not yet process scheduled reports in 3.21.x so conflict here is due to removal in master/3.24.x: cfengine#5525
@craigcomstock

Build Status

@craigcomstock craigcomstock marked this pull request as draft December 3, 2024 17:15
@craigcomstock

waiting on #5648 and 3.24.x testing which might surface more AVCs...

… in SELinux policy

Were found to be needed in 3.21.6a and 3.24.1a testing on rhel-9 hubs.
Policy works on rhel-8 as well.

Ticket: ENT-12466
Changelog: title
(cherry picked from commit 3741e3d)
@craigcomstock craigcomstock marked this pull request as ready for review December 3, 2024 18:16
@craigcomstock craigcomstock merged commit 0be3a13 into cfengine:3.21.x Dec 3, 2024
5 checks passed
@craigcomstock craigcomstock deleted the ENT-12466/3.21 branch December 3, 2024 18:17
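
The commit messages above mention denials hit by cf-monitord, cf-execd and cf-serverd (getattr, symlink reads, `user_home_dir_t` targets). As an added example, not code from this pull request or from CFEngine, the following sketch groups AVC denials for those daemons by source type, target type and class so they can be compared against the policy; the log lines, the `example_*_t` source types and all function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Daemons named in the commit messages above.
CF_DAEMONS = {"cf-monitord", "cf-execd", "cf-serverd"}

# Constructed audit.log lines: pids, paths, timestamps and the example_*_t
# source types are placeholders, not values taken from this pull request.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1733240000.101:501): avc:  denied  { getattr } for  pid=1201 comm="cf-monitord" path="/home/alice" dev="dm-0" ino=131 scontext=system_u:system_r:example_monitord_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1733240000.207:502): avc:  denied  { search } for  pid=1201 comm="cf-monitord" name="alice" dev="dm-0" ino=131 scontext=system_u:system_r:example_monitord_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1733240001.310:503): avc:  denied  { read } for  pid=1310 comm="cf-execd" name="link" dev="dm-0" ino=212 scontext=system_u:system_r:example_execd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=lnk_file permissive=0
type=SYSCALL msg=audit(1733240001.310:503): arch=c000003e syscall=89 success=no exit=-13 comm="cf-execd"
type=AVC msg=audit(1733240002.412:504): avc:  denied  { getattr } for  pid=1422 comm="cf-serverd" path="/etc/example" dev="dm-0" ino=377 scontext=system_u:system_r:example_serverd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
type=AVC msg=audit(1733240003.518:505): avc:  denied  { read } for  pid=900 comm="sshd" name="x" dev="dm-0" ino=55 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=0
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?\bcomm="(?P<comm>[^"]+)"'
    r'.*?\bscontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)'
)

def selinux_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(":")[2]

def summarize_denials(log_text, daemons=CF_DAEMONS):
    """Group denied permissions by (comm, source type, target type, class)."""
    grouped = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m or m.group("comm") not in daemons:
            continue  # skip non-AVC records and unrelated processes
        key = (m.group("comm"), selinux_type(m.group("scon")),
               selinux_type(m.group("tcon")), m.group("tclass"))
        grouped[key].update(m.group("perms").split())
    return {k: sorted(v) for k, v in grouped.items()}

def review_lines(summary):
    """Render each group in allow-rule syntax for human review, not for loading."""
    return [f"{comm}: allow {s} {t}:{c} {{ {' '.join(p)} }};"
            for (comm, s, t, c), p in sorted(summary.items())]

if __name__ == "__main__":
    print("\n".join(review_lines(summarize_denials(SAMPLE_AUDIT_LOG))))
```

On a real host the input would be the audit log rather than the embedded sample, and each rendered line is a prompt to check whether the access is expected before any policy change is made.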