Added selinux policy to allow cf-hub to initiate scheduled reports
cfengine/nova@8b8726e
changed cf-hub behavior for ENT-9825

This change fixes an issue with hubs that have SELinux set to enforce.
Hubs which do not have SELinux set to enforce are unaffected by this issue.

Ticket: ENT-10696
Changelog: title
(cherry picked from commit 48ed76f)
craigcomstock committed Sep 28, 2023
1 parent df829de commit 16c5c66
Showing 1 changed file with 2 additions and 0 deletions.
2 changes: 2 additions & 0 deletions misc/selinux/cfengine-enterprise.te
Expand Up @@ -356,6 +356,8 @@ type cfengine_hub_t;
typeattribute cfengine_hub_t domain;
role system_r types cfengine_hub_t;

# cf-hub uses setuid/setgid to initiate scheduled reports as cfapache:cfpostgres
allow cfengine_hub_t self:capability { setgid setuid };
# /var/cfengine/bin/cf-hub has the 'cfengine_hub_exec_t' context which is an
# entrypoint for the 'cfengine_hub_t' domain
type cfengine_hub_exec_t;
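
Review bot: The new `allow cfengine_hub_t self:capability { setgid setuid };` rule is followed immediately by the existing comment for `cfengine_hub_exec_t`, with no blank line, so the `/var/cfengine/bin/cf-hub` comment now reads as a continuation of the capability comment. Add a blank line after the rule, or place the rule after the `type cfengine_hub_exec_t;` declaration so the domain and entrypoint declarations stay together. On the grant itself, the `setuid` and `setgid` capabilities are not scoped to particular IDs by this rule, so the policy does not confine cf-hub to cfapache:cfpostgres; the comment should say that the choice of target user and group is left to cf-hub, and naming the ticket (ENT-10696) there would let a later reader trace why the domain holds these capabilities.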