
Added http_port and getattr selinux permissions as needed for selinux policy on rhel-8 and rhel-9 (3.21) #5797

Merged
merged 1 commit into from
May 8, 2025
6 changes: 6 additions & 0 deletions misc/selinux/cfengine-enterprise.te.all
Expand Up @@ -91,6 +91,8 @@ require {
type ssh_exec_t;
type ssh_home_t;
type rpm_script_t;
type fsadm_exec_t;
type lvm_exec_t;
class lockdown { confidentiality integrity };
class tcp_socket { create ioctl read getattr lock write setattr append bind connect getopt setopt shutdown name_connect accept listen name_bind node_bind };
class mctp_socket { ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto recv_msg send_msg name_bind };
Expand Down Expand Up @@ -403,6 +405,10 @@ allow init_t cfengine_hub_t:process siginh;
allow cfengine_hub_t cfengine_hub_exec_t:file entrypoint;
allow cfengine_hub_t cfengine_hub_exec_t:file { ioctl read getattr lock map execute open };

# the following file permissions for cf-hub are not needed if masterfiles includes fixes from ENT-12954 making inventory and paths standard library bundles agent instead of common.
allow cfengine_hub_t fsadm_exec_t:file getattr;
allow cfengine_hub_t lvm_exec_t:file getattr;

# allow cf-hub to use/execute libpromises.so
allow cfengine_hub_t cfengine_var_lib_t:file map;
allow cfengine_hub_t cfengine_var_lib_t:file execute;
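Review bot: The two `getattr` rules on fsadm_exec_t and lvm_exec_t are unconditional policy, yet the comment above them says they become unnecessary once masterfiles picks up ENT-12954, so nothing in the module will prompt their removal. Tag them for cleanup in the comment, e.g. `# TODO(ENT-12954): drop once masterfiles makes the inventory/paths bundles agent-scoped and cf-hub no longer evaluates them` — presumably cf-hub then stops stat'ing these binaries, but that should be confirmed against the masterfiles change. The grant itself is narrow (stat of the executables only, no read or execute), so it is reasonable as an interim rule. The first hunk sits inside a `require { ... }` block whose opening and closing braces lie outside the hunk.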
6 changes: 6 additions & 0 deletions misc/selinux/cfengine-enterprise.te.el9
@@ -1,8 +1,14 @@
require {
type systemd_userdbd_runtime_t;
type http_port_t;
}

# PAM module for dynamic users
allow cfengine_httpd_t systemd_userdbd_runtime_t:dir { getattr open read search };
allow cfengine_httpd_t systemd_userdbd_runtime_t:sock_file write;
allow cfengine_httpd_t kernel_t:unix_stream_socket connectto;

# selinux-policy 38.1.45 requires the following http_port permissions whereas 3.14.3 does not.
# these permissions are not be needed if changes from ENT-12954 to masterfiles policy move inventory from common to an agent bundle are in place.
allow cfengine_serverd_t http_port_t:tcp_socket name_connect;
allow cfengine_execd_t http_port_t:tcp_socket name_connect;
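Review bot: `name_connect` to http_port_t on the last two lines lets cf-serverd and cf-execd initiate outbound TCP connections to every port labelled http_port_t (80 and 443 plus whatever else the base policy labels that way), a standing network privilege for two long-running daemons to satisfy what the comment describes as a temporary inventory requirement. Declare a boolean so an administrator can switch the grant off without rebuilding the module once ENT-12954 is in their masterfiles, and fix the comment wording (`are not be needed` → `are not needed`) while naming which inventory promise actually connects, which the hunk does not say. If that probe can tolerate a failed connect and the goal is only a clean audit log, `dontaudit` would be the tighter option — that depends on cf-agent behaviour not visible here.

```selinux
# selinux-policy 38.1.45 requires the following http_port permissions whereas 3.14.3 does not.
# Not needed once ENT-12954 (inventory moved from common to an agent bundle) is in masterfiles;
# exposed as a boolean so it can be disabled without rebuilding the module.
bool cfengine_inventory_http_connect true;
if (cfengine_inventory_http_connect) {
    allow cfengine_serverd_t http_port_t:tcp_socket name_connect;
    allow cfengine_execd_t http_port_t:tcp_socket name_connect;
}
```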