[3.21.x] A round of SELinux policy updates and fixes #5364

Merged
merged 6 commits into from
Nov 8, 2023

Commits on Nov 8, 2023

  1. Allow CFEngine daemons to access proc_security_t files

    These are security parameters of the system found under
    /proc/sys/kernel. Allowing **read** access is fine although our
    daemons normally shouldn't require this information (`cf-agent`
    is allowed this access already).
    
    Ticket: ENT-9684
    Changelog: SELinux no longer blocks CFEngine daemons from reading security parameters from /proc/sys/kernel
    (cherry picked from commit 1ab8859)
    vpodzime committed Nov 8, 2023 (commit 34bd927)
  2. Allow cf-hub to request loading of the TLS kernel module

    Ticket: ENT-9727
    Changelog: cf-hub is now allowed to use the TLS kernel module on
               SELinux-enabled systems
    (cherry picked from commit 982fb68)
    vpodzime committed Nov 8, 2023 (commit 592d04c)
  3. Add missing SELinux rules for httpd querying users

    On RHEL 9 there are so-called dynamic users handled by systemd. httpd
    needs to be able to access the related directory and socket to
    query user information.
    
    Ticket: ENT-9727
    Changelog: None
    (cherry picked from commit 91bd050)
    vpodzime committed Nov 8, 2023 (commit 79021cb)
  4. Various small SELinux fixes

    Allowing systemd to properly start and check our services,
    PostgreSQL to create and open the `/tmp/.s.PGSQL.5432.lock` file,
    ifconfig spawned by cf-hub to actually run as ifconfig_t, etc.
    
    Ticket: ENT-9727
    Changelog: None
    (cherry picked from commit 3439279)
    vpodzime committed Nov 8, 2023 (commit 7ab715c)
  5. Enable building platform-specific SELinux policies

    We need a different SELinux policy on RHEL 9 and RHEL 8 because
    the latter doesn't support all the types required by the policy
    for the former.
    
    Ticket: ENT-9727
    Changelog: None
    (cherry picked from commit 3bf6540)
    vpodzime committed Nov 8, 2023 (commit cbc8692)
  6. Introduce RHEL 9 specific SELinux policy

    The type `systemd_userdbd_runtime_t` is only available on RHEL 9
    and so RHEL 8 policy cannot contain it.
    
    Ticket: ENT-9727
    Changelog: None
    (cherry picked from commit ba92b7b)
    vpodzime committed Nov 8, 2023 (commit caa60b6)
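As an added illustration of why commits 5 and 6 split the policy per platform (this is not code from the CFEngine repository; the module name and the exact permissions are assumptions), a RHEL 9-only type-enforcement fragment that references the type named in commit 6 looks like this. The `gen_require` block makes the policy compiler fail on a system whose base policy does not define `systemd_userdbd_runtime_t`, which is exactly why such rules cannot live in the RHEL 8 build:

```m4
policy_module(cfengine_enterprise_rhel9, 1.0.0)

# Types this module relies on. Compilation stops here on RHEL 8,
# where systemd_userdbd_runtime_t is not part of the base policy.
gen_require(`
    type httpd_t;
    type systemd_userdbd_runtime_t;
')

# Let httpd look up systemd dynamic users through the userdb
# runtime directory and its socket. The permission sets below are
# assumptions chosen for illustration; derive the real ones from
# audit denials (ausearch/audit2allow) on the target system.
allow httpd_t systemd_userdbd_runtime_t:dir { getattr search };
allow httpd_t systemd_userdbd_runtime_t:sock_file write;
```

Keeping a fragment like this in a separate module that is only built on RHEL 9 lets the RHEL 8 policy stay free of the undefined type while both platforms share the common rules.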