Skip to content

ENT-13666: Added RHEL 10 specific SELinux policy #6035

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
aleksandrychev wants to merge 1 commit into
base: master
Choose a base branch
from
Open

ENT-13666: Added RHEL 10 specific SELinux policy #6035

aleksandrychev wants to merge 1 commit into from
+72 −0

Conversation

@aleksandrychev
Copy link
Contributor

@aleksandrychev aleksandrychev commented Feb 10, 2026

Ticket: ENT-13666

@aleksandrychev aleksandrychev force-pushed the ENT-13666 branch 2 times, most recently from 79bf50f to 8d52ad9 Compare February 10, 2026 09:49
@aleksandrychev
Copy link
Contributor Author

aleksandrychev commented Feb 10, 2026
edited
Loading

with this fix:

sudo ausearch -m avc -ts recent
<no matches>

vpodzime
vpodzime reviewed Feb 10, 2026
View reviewed changes
misc/selinux/cfengine-enterprise.te.el10
allow cfengine_apachectl_t user_devpts_t:chr_file getattr;

#============= cfengine_execd_t ==============
allow cfengine_execd_t http_port_t:tcp_socket name_connect;
Copy link
Contributor

@vpodzime vpodzime Feb 10, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Any clue why cf-execd (and cf-serverd below) want to be able to connect to HTTP? Something new in pre-eval?

Copy link
Contributor

@craigcomstock craigcomstock Feb 10, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yeah, would be good to reference masterfiles. Maybe it is us trying to query the aws api in inventory!?

Copy link
Contributor Author

@aleksandrychev aleksandrychev Feb 11, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yes inventory, added comment https://github.com/cfengine/masterfiles/blob/master/inventory/any.cf#L656-L680

Copy link
Contributor

@vpodzime vpodzime Feb 11, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Oh, we actually have it commented in the EL9 policy. Please do the same here.

Copy link
Contributor

@vpodzime vpodzime Feb 11, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Btw, @craigcomstock it's "your" ticket and marked as DONE so we may need to adjust something somewhere 😁

Copy link
Contributor

@craigcomstock craigcomstock Feb 11, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

that has been fixed: ent-13666 is in review and assigned to Igor. 👍

craigcomstock
craigcomstock reviewed Feb 10, 2026
View reviewed changes
misc/selinux/cfengine-enterprise.te.el10
@@ -0,0 +1,69 @@
require {
type cfengine_reactor_t;
Copy link
Contributor

@craigcomstock craigcomstock Feb 10, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I am suspicious about all the requires. I remember this biting us in the past. Look at other policies for hints on using macros for many includes instead.

misc/selinux/cfengine-enterprise.te.el10
}

#============= cfengine_apachectl_t ==============
allow cfengine_apachectl_t devpts_t:dir { getattr search };
Copy link
Contributor

@craigcomstock craigcomstock Feb 10, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Would be interesting to compare this to a standard apache httpd policy.

misc/selinux/cfengine-enterprise.te.el10
allow cfengine_apachectl_t user_devpts_t:chr_file getattr;

#============= cfengine_execd_t ==============
allow cfengine_execd_t http_port_t:tcp_socket name_connect;
Copy link
Contributor

@craigcomstock craigcomstock Feb 10, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yeah, would be good to reference masterfiles. Maybe it is us trying to query the aws api in inventory!?

@aleksandrychev
Added RHEL 10 specific SELinux policy
345d080 
Ticket: ENT-13666
Signed-off-by: Ihor Aleksandrychiev <ihor.aleksandrychiev@northern.tech>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@vpodzime vpodzime vpodzime left review comments

@craigcomstock craigcomstock craigcomstock left review comments

Assignees

No one assigned

Labels

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@aleksandrychev @vpodzime @craigcomstock