Bug #9791
closed
Get rid of apache_content_template macro
Description
It looks like, due to a bug in the RHEL 7.1 base policy, there is an issue with this macro. But looking at our codebase, I think this template is now only used for helper scripts:

TE:

    apache_content_template(foreman)
    manage_dirs_pattern(httpd_foreman_script_t, foreman_lib_t , foreman_lib_t)
    manage_dirs_pattern(httpd_foreman_script_t, foreman_lib_t , foreman_lib_t)
    manage_files_pattern(httpd_foreman_script_t, foreman_log_t , foreman_log_t)
    manage_files_pattern(httpd_foreman_script_t, foreman_var_run_t , foreman_var_run_t)
    files_read_etc_files(httpd_foreman_script_t)
    logging_send_syslog_msg(httpd_foreman_script_t)
    miscfiles_read_localization(httpd_foreman_script_t)

FC:

    /usr/share/foreman/script(/.*)? gen_context(system_u:object_r:httpd_foreman_script_exec_t,s0)

    # ls /usr/share/foreman/script -Z
    -rwxr-xr-x. root root system_u:object_r:httpd_foreman_script_exec_t:s0 foreman-config
    -rwxr-xr-x. root root system_u:object_r:httpd_foreman_script_exec_t:s0 foreman-debug
    drwxr-xr-x. root root system_u:object_r:httpd_foreman_script_exec_t:s0 foreman-debug.d
    -rwxr-xr-x. root root system_u:object_r:httpd_foreman_script_exec_t:s0 foreman-rake
    -rwxr-xr-x. root root system_u:object_r:httpd_foreman_script_exec_t:s0 foreman-tail
    drwxr-xr-x. root root system_u:object_r:httpd_foreman_script_exec_t:s0 foreman-tail.d
    drwxr-xr-x. root root system_u:object_r:httpd_foreman_script_exec_t:s0 performance
    -rwxr-xr-x. root root system_u:object_r:httpd_foreman_script_exec_t:s0 rails
    -rwxr-xr-x. root root system_u:object_r:httpd_foreman_script_exec_t:s0 routes
    -rwxr-xr-x. root root system_u:object_r:httpd_foreman_script_exec_t:s0 show-missing-rails-locales.sh
    -rwxr-xr-x. root root system_u:object_r:httpd_foreman_script_exec_t:s0 update-rails-locales.sh
I think we can get rid of this and use either passenger_t for our helper scripts or define an alias.
Opinion, Dominic?
Updated by Dominic Cleal almost 10 years ago
usr_t would probably suffice, like the rest of Foreman? We don't really confine processes run from the shell.
Updated by Lukas Zapletal almost 10 years ago
Yeah, I really don't know why we ever introduced the apache template interface. I don't remember us using CGI prior to Passenger or anything like that. Isn't it possible this was because of Puppet Master or something?
I am fine with usr_t or something, I just want to double-check. I will likely fix this ASAP as we have a blocker downstream on RHEL 7.1.
Updated by The Foreman Bot almost 10 years ago
- Status changed from New to Ready For Testing
- Pull request https://github.com/theforeman/foreman-selinux/pull/48 added
- Pull request deleted ()
Updated by Dominic Cleal almost 10 years ago
- Category set to General Foreman
- Assignee set to Lukas Zapletal
- Translation missing: en.field_release set to 35
Updated by Anonymous almost 10 years ago
- Status changed from Ready For Testing to Closed
- % Done changed from 0 to 100
Applied in changeset 121d1aa73e556056d33dc6feaf2bc2fb85fb44f2.