[3.18.x] A round of SELinux policy updates and fixes #5365

Merged
merged 6 commits into from
Nov 8, 2023


@vpodzime (Contributor) commented Nov 8, 2023

No description provided.

These are security parameters of the system found under
/proc/sys/kernel. Allowing **read** access is fine although our
daemons normally shouldn't require this information (`cf-agent`
is allowed this access already).

Ticket: ENT-9684
Changelog: SELinux no longer blocks CFEngine daemons in reading security parameters from /proc/sys/kernel
(cherry picked from commit 1ab8859)

Ticket: ENT-9727
Changelog: cf-hub is now allowed to use the TLS kernel module on
           SELinux-enabled systems
(cherry picked from commit 982fb68)

On RHEL 9 there are so-called dynamic users handled by systemd. httpd
needs to be able to access the related directory and socket to
query user information.

Ticket: ENT-9727
Changelog: None
(cherry picked from commit 91bd050)

Allowing systemd to properly start and check our services,
PostgreSQL to create and open the `/tmp/.s.PGSQL.5432.lock` file,
ifconfig spawned by cf-hub to actually run as ifconfig_t, etc.

Ticket: ENT-9727
Changelog: None
(cherry picked from commit 3439279)

We need a different SELinux policy on RHEL 9 and RHEL 8 because
the latter doesn't support all the types required by the policy
for the former.

Ticket: ENT-9727
Changelog: None
(cherry picked from commit 3bf6540)

The type `systemd_userdbd_runtime_t` is only available on RHEL 9
and so RHEL 8 policy cannot contain it.

Ticket: ENT-9727
Changelog: None
(cherry picked from commit ba92b7b)
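
The RHEL 8 / RHEL 9 split described in the last two commit messages comes down to a module requiring a type that the target's base policy does not define. As an added example (not part of this pull request or of CFEngine's policy), the following checks a module's `require` block against a list of available types; the sample policy text, its `allow` rule and both type lists are constructed assumptions.

```python
import re

# Constructed policy fragment for illustration; not CFEngine's actual policy.
SAMPLE_TE = """\
module example_hub 1.0;

require {
    type httpd_t;
    type ifconfig_t, systemd_userdbd_runtime_t;  # RHEL 9 only, per the commit message
    class dir { search read };
    class sock_file write;
}

allow httpd_t systemd_userdbd_runtime_t:dir { search read };
"""

# Constructed stand-ins for the type list of each platform's base policy
# (on a real host this would come from a tool such as `seinfo -t`).
RHEL8_TYPES = {"httpd_t", "ifconfig_t"}
RHEL9_TYPES = RHEL8_TYPES | {"systemd_userdbd_runtime_t"}


def required_types(te_text):
    """Return the set of types named in all `require { ... }` blocks."""
    text = re.sub(r"#.*", "", te_text)          # drop comments
    found = set()
    for m in re.finditer(r"\brequire\s*\{", text):
        depth, i = 1, m.end()
        while i < len(text) and depth:          # walk to the matching brace
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        body = text[m.end():i - 1]
        for decl in re.findall(r"\btype\s+([^;]+);", body):
            found.update(name.strip() for name in decl.split(","))
    return found


def missing_types(te_text, available):
    """Types the module requires that the target policy does not define."""
    return sorted(required_types(te_text) - set(available))


if __name__ == "__main__":
    for name, types in (("RHEL 8", RHEL8_TYPES), ("RHEL 9", RHEL9_TYPES)):
        print(name, "missing:", missing_types(SAMPLE_TE, types) or "none")
```

A non-empty result for a platform means the module would fail to load there, which is the condition that forces a separate policy per release.
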
@vpodzime changed the title from "3.18.x selinux fixes 10 2023" to "[3.18.x] A round of SELinux policy updates and fixes" on Nov 8, 2023
@vpodzime merged commit 0cc7d1a into cfengine:3.18.x on Nov 8, 2023
7 checks passed