Bug #9791

Get rid of apache_content_template macro

Added by Lukas Zapletal about 8 years ago. Updated over 4 years ago.

Status: Closed
Priority: Normal
Category: General Foreman

Description

It looks like, due to a bug in the RHEL 7.1 base policy, there is an issue with this macro. But looking at our codebase, I think this template is now only used for helper scripts:

TE:
apache_content_template(foreman)
manage_dirs_pattern(httpd_foreman_script_t, foreman_lib_t , foreman_lib_t)
manage_dirs_pattern(httpd_foreman_script_t, foreman_lib_t , foreman_lib_t)
manage_files_pattern(httpd_foreman_script_t, foreman_log_t , foreman_log_t)
manage_files_pattern(httpd_foreman_script_t, foreman_var_run_t , foreman_var_run_t)
files_read_etc_files(httpd_foreman_script_t)
logging_send_syslog_msg(httpd_foreman_script_t)
miscfiles_read_localization(httpd_foreman_script_t)

FC:
/usr/share/foreman/script(/.*)?         gen_context(system_u:object_r:httpd_foreman_script_exec_t,s0)

# ls /usr/share/foreman/script -Z
-rwxr-xr-x. root root system_u:object_r:httpd_foreman_script_exec_t:s0 foreman-config
-rwxr-xr-x. root root system_u:object_r:httpd_foreman_script_exec_t:s0 foreman-debug
drwxr-xr-x. root root system_u:object_r:httpd_foreman_script_exec_t:s0 foreman-debug.d
-rwxr-xr-x. root root system_u:object_r:httpd_foreman_script_exec_t:s0 foreman-rake
-rwxr-xr-x. root root system_u:object_r:httpd_foreman_script_exec_t:s0 foreman-tail
drwxr-xr-x. root root system_u:object_r:httpd_foreman_script_exec_t:s0 foreman-tail.d
drwxr-xr-x. root root system_u:object_r:httpd_foreman_script_exec_t:s0 performance
-rwxr-xr-x. root root system_u:object_r:httpd_foreman_script_exec_t:s0 rails
-rwxr-xr-x. root root system_u:object_r:httpd_foreman_script_exec_t:s0 routes
-rwxr-xr-x. root root system_u:object_r:httpd_foreman_script_exec_t:s0 show-missing-rails-locales.sh
-rwxr-xr-x. root root system_u:object_r:httpd_foreman_script_exec_t:s0 update-rails-locales.sh

I think we can get rid of this and use either passenger_t for our helper scripts or define an alias.

Opinion, Dominic?
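
A check that goes with the proposal above, as an added example that is not part of the ticket or of foreman-selinux: it reads `ls -Z` output in the layout shown in the listing (context field immediately followed by the name) and reports entries that still carry a retired type. The function names and the `usr_t` sample line are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the ticket). Reads `ls -Z` output on stdin and
# prints the names of entries whose SELinux type equals $1.
entries_with_type() {
    awk -v want="$1" '
    {
        for (i = 1; i < NF; i++) {
            # A context is user:role:type:level; the level may itself
            # contain colons (s0:c0.c1023), so require at least four parts.
            n = split($i, part, ":")
            if (n >= 4 && part[2] ~ /_r$/) {
                if (part[3] == want) {
                    # The name is everything after the context field.
                    name = $(i + 1)
                    for (j = i + 2; j <= NF; j++) name = name " " $j
                    print name
                }
                break
            }
        }
    }'
}

# Constructed sample: two lines copied from the listing above plus one
# hypothetical line showing an entry already relabeled to usr_t.
sample_listing() {
    cat <<'EOF'
-rwxr-xr-x. root root system_u:object_r:httpd_foreman_script_exec_t:s0 foreman-rake
drwxr-xr-x. root root system_u:object_r:httpd_foreman_script_exec_t:s0 foreman-debug.d
-rwxr-xr-x. root root system_u:object_r:usr_t:s0 foreman-tail
EOF
}

# Returns 1 (and lists the entries on stderr) when any entry still carries
# the retired type, 0 when none do.
check_no_stale() {
    stale=$(entries_with_type "$1")
    [ -z "$stale" ] && return 0
    printf 'still labeled %s:\n%s\n' "$1" "$stale" >&2
    return 1
}
```

On a host, the same check can be fed from `ls /usr/share/foreman/script -Z | check_no_stale httpd_foreman_script_exec_t` after the policy module has been updated and the files relabeled.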

Associated revisions

Revision 121d1aa7 (diff)
Added by Lukas Zapletal almost 8 years ago

Fixes #9791 - removed unused apache_template macro and types

History

#1 Updated by Dominic Cleal about 8 years ago

usr_t would probably suffice, like the rest of Foreman? We don't really confine processes run from the shell.

#2 Updated by Lukas Zapletal about 8 years ago

Yeah, I really don't know why we ever introduced the apache template interface. I don't remember us using CGI prior to passenger or anything like that. Isn't it possible this was because of Puppet Master or something?

I am fine with usr_t or something, I just want to double-check. I will likely fix this ASAP as we have a blocker downstream on RHEL 7.1.

#3 Updated by The Foreman Bot about 8 years ago

  • Status changed from New to Ready For Testing
  • Pull request https://github.com/theforeman/foreman-selinux/pull/48 added
  • Pull request deleted ()

#4 Updated by Dominic Cleal almost 8 years ago

  • Category set to General Foreman
  • Assignee set to Lukas Zapletal
  • Legacy Backlogs Release (now unused) set to 35

#5 Updated by Anonymous almost 8 years ago

  • Status changed from Ready For Testing to Closed
  • % Done changed from 0 to 100
