ENT-12466: SELinux fixes for kernel policy version 33 on rhel-9 hubs #5640

Draft
wants to merge 3 commits into
base: master

craigcomstock
Contributor

  • wip
  • Added getattr capability for cert_t:dir as needed to CFEngine components in cfengine-enterprise SELinux policy
  • Added create capability on cfengine_var_lib_t:dir to cf-hub

…nts in cfengine-enterprise SELinux policy

Found to be needed in kernel policy version 33 on rhel-9 hub.

Ticket: ENT-12466
Changelog: title
Found to be needed for kernel policy version 33 on rhel-9 hub.

Ticket: ENT-12466
Changelog: title
@craigcomstock craigcomstock marked this pull request as draft November 27, 2024 22:19
@@ -199,6 +199,9 @@ allow cfengine_agent_t cfengine_agent_exec_t:file { ioctl read getattr lock map
# cf-agent needs to be able to transition into the domain of RPM scriplets
allow cfengine_agent_t rpm_script_t:process transition;

# cf-agent calls yum which in turns needs audit_write TODO WHY?
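Review bot: The comment added at the end of this hunk, "# cf-agent calls yum which in turns needs audit_write TODO WHY?", leaves the reason for the new permission as an open question. audit_write lets the source domain write records to the kernel audit log, so the comment or commit message should cite the AVC denial that prompted it (source context, target class and the yum operation that triggered it) before this leaves draft. Because the context line above already lets cfengine_agent_t transition into rpm_script_t, it is also worth confirming which source domain the denial actually names, so the permission is not granted more widely than needed. Minor: "in turns" should read "in turn".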
Contributor Author

can't reproduce this one on master just yet, will have to go find it again.

@@ -306,6 +309,10 @@ allow cfengine_monitord_t proc_security_t:file { getattr open read };
# TODO: this should not be needed
allow cfengine_monitord_t proc_xen_t:dir search;

# cf-monitord needs to stop cf-execd? TODO: WHY? WHERE? HOW?
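Review bot: The comment added at the end of this hunk is itself a question ("needs to stop cf-execd? TODO: WHY? WHERE? HOW?"), so whatever permission follows it has no stated justification. Letting the monitoring daemon act on another daemon's process crosses domains, and the context just above already carries a "TODO: this should not be needed" allow for cfengine_monitord_t, so unexplained rules are starting to accumulate for this domain. Suggest attaching the denial from the audit log and the code path that triggers it, or holding this rule back until the denial can be reproduced.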
Contributor Author

can't reproduce this one on master just yet, will have to go find it again.
