7 changes: 6 additions & 1 deletion misc/selinux/cfengine-enterprise.te.all
Expand Up @@ -15,6 +15,7 @@ require {
attribute exec_type;
attribute non_security_file_type;
attribute non_auth_file_type;
type autofs_t;
type bin_t;
type cert_t;
type devlog_t;
Expand Down Expand Up @@ -393,6 +394,9 @@ allow cfengine_hub_t sssd_var_lib_t:sock_file write;
allow cfengine_hub_t sysctl_net_t:dir search;
allow cfengine_hub_t sysfs_t:dir read;
allow cfengine_hub_t sysfs_t:file { getattr open read };
allow cfengine_hub_t sysfs_t:lnk_file read;
allow cfengine_hub_t autofs_t:dir getattr;
allow cfengine_hub_t cfengine_httpd_exec_t:file getattr;
allow cfengine_hub_t syslogd_var_run_t:dir search;
allow cfengine_hub_t systemd_systemctl_exec_t:file getattr;
allow cfengine_hub_t tmp_t:sock_file write;
Expand Down Expand Up @@ -575,7 +579,7 @@ allow cfengine_httpd_t smtp_port_t:tcp_socket name_connect;
allow cfengine_httpd_t ldap_port_t:tcp_socket name_connect;

# allow PHP-FPM to use hugepages for opcache
allow cfengine_httpd_t hugetlbfs_t:file map;
allow cfengine_httpd_t hugetlbfs_t:file { map read write };

# allow PHP-FPM to lock opcache files in tmpfs
allow cfengine_httpd_t tmpfs_t:file lock;
Expand Down Expand Up @@ -744,6 +748,7 @@ allow cfengine_reactor_t postfix_spool_t:dir { add_name remove_name search write
allow cfengine_reactor_t postfix_spool_t:file { create getattr open read rename setattr write };
allow cfengine_reactor_t sendmail_exec_t:file map;
allow cfengine_reactor_t sendmail_exec_t:file { execute execute_no_trans open read };
allow cfengine_reactor_t smtp_port_t:tcp_socket name_connect;


#============= cfengine_action_script_t ==============
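Review bot: The new `allow cfengine_reactor_t smtp_port_t:tcp_socket name_connect;` rule in the last hunk has no explanatory comment, unlike the neighbouring PHP-FPM rules in this file (`# allow PHP-FPM to use hugepages for opcache`, `# allow PHP-FPM to lock opcache files in tmpfs`), so a later reader cannot tell whether the reactor is expected to reach a remote SMTP relay directly or only via the sendmail binary it is already permitted to execute. I would add `# allow the reactor to connect to a remote SMTP relay when delivering mail` above the rule, adjusted to the actual use case. Because this is the only new outbound network permission in the change, a one-line reason also makes a later audit of which domains may open connections from the hub much easier. The widened `hugetlbfs_t:file { map read write }` rule in the third hunk appears to be the el10-only rule folded into the common file, which the deletions in cfengine-enterprise.te.el10 support; if read/write is only needed on some kernels, that is worth stating in the existing hugepages comment.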
5 changes: 0 additions & 5 deletions misc/selinux/cfengine-enterprise.te.el10
Expand Up @@ -19,17 +19,12 @@ allow cfengine_apachectl_t user_devpts_t:chr_file getattr;
allow cfengine_execd_t http_port_t:tcp_socket name_connect;

#============= cfengine_httpd_t ==============
allow cfengine_httpd_t hugetlbfs_t:file { read write };
allow cfengine_httpd_t systemd_userdbd_runtime_t:dir { open read getattr search };
allow cfengine_httpd_t systemd_userdbd_runtime_t:lnk_file read;
allow cfengine_httpd_t systemd_userdbd_runtime_t:sock_file write;
allow cfengine_httpd_t systemd_userdbd_t:unix_stream_socket connectto;
allow cfengine_httpd_t kernel_t:unix_stream_socket connectto;

#============= cfengine_hub_t ==============
allow cfengine_hub_t cfengine_httpd_exec_t:file getattr;
allow cfengine_hub_t sysfs_t:lnk_file read;

#============= cfengine_postgres_t ==============
allow cfengine_postgres_t systemd_userdbd_runtime_t:dir { open read getattr search };
allow cfengine_postgres_t systemd_userdbd_runtime_t:lnk_file read;