
include missing rpm pkg managers #1057

Closed
wants to merge 2 commits into from

Conversation

carlosrodfern

@carlosrodfern carlosrodfern commented Aug 7, 2024

This commit includes missing rpm pkg managers paths in the policies.

Also, in fedora, centos stream and redhat, dnf is actually a link to dnf-3, so the existing /usr/bin/dnf block doesn't work.

$ podman run -it quay.io/fedora/fedora:latest ls -l /usr/bin/dnf
lrwxrwxrwx. 1 root root 5 Nov 14  2023 /usr/bin/dnf -> dnf-3

$ podman run -it docker.io/redhat/ubi8:latest ls -l /usr/bin/dnf
lrwxrwxrwx. 1 root root 5 Oct 16  2023 /usr/bin/dnf -> dnf-3

$ podman run -it docker.io/redhat/ubi9:latest ls -l /usr/bin/dnf
lrwxrwxrwx. 1 root root 5 Jun 29  2023 /usr/bin/dnf -> dnf-3

$ podman run -it quay.io/centos/centos:stream9 ls -l /usr/bin/dnf
lrwxrwxrwx. 1 root root 5 Jun 29  2023 /usr/bin/dnf -> dnf-3

$ podman run -it docker.io/redhat/ubi9-minimal:latest ls -l /usr/bin/microdnf
-rwxr-xr-x. 1 root root 104904 Jan  6  2023 /usr/bin/microdnf

$ podman run -it docker.io/redhat/ubi8-minimal:latest ls -l /usr/bin/microdnf
-rwxr-xr-x. 1 root root 102352 May 21  2021 /usr/bin/microdnf

/usr/bin/dnf5 is not part of the fedora container yet, but it is in regular fedora, so it will eventually find its way to it.

I also added a commit to include /usr/sbin when /sbin is referenced, since in redhat and fedora systems, /sbin is a link to /usr/sbin. They were merged long ago. There is also an effort going on in Fedora right now to merge /usr/sbin with /usr/bin, which will be reflected in enterprise linux OS eventually.

Signed-off-by: Carlos Rodriguez-Fernandez <[email protected]>

In redhat and fedora systems, /sbin/ is a symlink to
/usr/sbin, preventing the process match from catching
the execs.

Signed-off-by: Carlos Rodriguez-Fernandez <[email protected]>
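The two symlink cases in the PR description (dnf -> dnf-3, /sbin -> /usr/sbin) both have the same root cause: a rule keyed on the literal executable path never fires if the kernel executes a different canonical path. The script below is an added example, not code from this PR or from the project; it builds a throwaway directory tree that mirrors the layouts shown above (constructed, not read from a real system), resolves each candidate path the way the kernel would, and prints the de-duplicated set of paths a path-based policy has to list. The function names and the demo tree are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not part of the PR): demonstrate why a path-based process rule
# for /usr/bin/dnf or /sbin/<tool> misses execs on Fedora/RHEL, where those paths
# are symlinks, and derive the list of paths a policy must include.
set -eu

# Build a throwaway root that mirrors the symlink layout from the PR description
# (constructed for the demo) and print its canonical path.
build_demo_root() {
    root=$(readlink -f "$(mktemp -d)")
    mkdir -p "$root/usr/bin" "$root/usr/sbin"
    : > "$root/usr/bin/dnf-3"; chmod +x "$root/usr/bin/dnf-3"     # the real binary
    ln -s dnf-3 "$root/usr/bin/dnf"                                # dnf -> dnf-3 (relative link)
    : > "$root/usr/sbin/useradd"; chmod +x "$root/usr/sbin/useradd"
    ln -s usr/sbin "$root/sbin"                                    # /sbin -> /usr/sbin
    printf '%s\n' "$root"
}

# Print the path that is actually executed for a given path (all symlinks resolved).
# A rule keyed on the literal path only fires when this equals the path itself.
resolve_exec_path() {
    readlink -f "$1"
}

# Report, for each candidate rule path under root $1, whether it matches directly
# or is a symlink whose target the policy must list as well.
audit_rule_paths() {
    root=$1; shift
    for p in "$@"; do
        target=$(resolve_exec_path "$root$p")
        if [ "$target" = "$root$p" ]; then
            printf '%s matches directly\n' "$p"
        else
            printf '%s is a symlink; policy must also list %s\n' "$p" "${target#"$root"}"
        fi
    done
}

# Emit the de-duplicated set of paths a policy should list: each literal path
# plus its resolved target (root prefix stripped), sorted.
policy_paths() {
    root=$1; shift
    for p in "$@"; do
        printf '%s\n' "$p"
        resolve_exec_path "$root$p" | sed "s|^$root||"
    done | sort -u
}

demo_root=$(build_demo_root)
audit_rule_paths "$demo_root" /usr/bin/dnf /sbin/useradd /usr/bin/dnf-3
policy_paths "$demo_root" /usr/bin/dnf /sbin/useradd
rm -rf "$demo_root"
```

Run against a real host, `policy_paths / /usr/bin/dnf /sbin/useradd` (with root set to `/`) gives the same answer for that system, which is a quick way to check a template before shipping it: any path that resolves to something else needs both entries until the policy engine matches on something other than the literal path.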
@daemon1024
Member

I think we are going to start moving towards using execname, which would solve this problem altogether.
#1054

@daemon1024
Member

We will need to understand what would be the best case to handle the dnf-3 problem.

@carlosrodfern
Author

carlosrodfern commented Aug 8, 2024

@daemon1024, regarding the dnf-3, it was done in preparation for dnf5: dnf will eventually be a link to dnf5 instead.

Regarding execname for /usr/sbin/ and /sbin, there are those rules targeting "system" tools in general, so maintaining the full list will be difficult across distros. That being said, everything will be merged under /usr/bin eventually, so that classification of "system commands" vs regular commands will no longer hold. It will take a while before that comes to fruition, though. Lots of obstacles.

@carlosrodfern
Author

I created a separate PR for the release branch which is the one containing the execname approach: #1059
