Refactor #5877
closed
Introduce foreman_t domain
Description
Since Passenger 4.0, which allows us to change the context of running apps, is now both upstream and downstream, we should refactor our policy:
- introduce passenger wrapper scripts for foreman (and katello?)
- move foreman rules from passenger_t to the foreman_t
- review httpd_t domain and rules (do we need it?)
- tighten things up and do cleanup
Updated by Lukas Zapletal over 10 years ago
Also, there is one block, "passenger_run_puppetmaster", which we can refactor or get rid of only after we migrate foreman into a separate domain and are able to determine which of these rules are required by foreman and which of them can go away.
It would be good to work with the SELinux team to create rules in the base puppet policy (optional, by default turned off because it does not use passenger by default). But that would be a better place to carry those.
Updated by Ewoud Kohl van Wijngaarden about 2 years ago
This is very old and we have a foreman_rails_t domain now. Is this still needed or can it be closed?
Updated by Lukas Zapletal about 2 years ago
- Status changed from New to Closed
Yeah, feel free to close; there will probably be more of these "ideas" that got implemented along the way.