Refactor #5877
closed
Introduce foreman_t domain
Added by Lukas Zapletal over 10 years ago.
Updated about 2 years ago.
Description
Since Passenger 4.0, which allows us to change the context of running apps, is now both upstream and downstream, we should refactor our policy:
- introduce passenger wrapper scripts for foreman (and katello?)
- move foreman rules from passenger_t to the foreman_t
- review httpd_t domain and rules (do we need it?)
- tighten things up and do cleanup
Also, there is one block, "passenger_run_puppetmaster", which we can refactor or get rid of only after we migrate foreman into a separate domain, when we will be able to determine which of these rules are required by foreman and which can go away.
It would be good to work with the SELinux team to create rules in the base puppet policy (optional, turned off by default because it does not use passenger by default). That would be a better place to carry those.
This is very old and we have a foreman_rails_t domain now. Is this still needed or can it be closed?
- Status changed from New to Closed
Yeah, feel free to close; there will probably be more of these "ideas" that got implemented along the way.