Bug #9791

closed

Get rid of apache_content_template macro

Added by Lukas Zapletal over 9 years ago. Updated almost 6 years ago.

Status: Closed
Priority: Normal
Category: General Foreman

Description

It looks like, due to a bug in the RHEL 7.1 base policy, there is an issue with this macro. But looking at our codebase, I think this template is now only used for helper scripts:

TE:
apache_content_template(foreman)
manage_dirs_pattern(httpd_foreman_script_t, foreman_lib_t , foreman_lib_t)
manage_dirs_pattern(httpd_foreman_script_t, foreman_lib_t , foreman_lib_t)
manage_files_pattern(httpd_foreman_script_t, foreman_log_t , foreman_log_t)
manage_files_pattern(httpd_foreman_script_t, foreman_var_run_t , foreman_var_run_t)
files_read_etc_files(httpd_foreman_script_t)
logging_send_syslog_msg(httpd_foreman_script_t)
miscfiles_read_localization(httpd_foreman_script_t)

FC:
/usr/share/foreman/script(/.*)?         gen_context(system_u:object_r:httpd_foreman_script_exec_t,s0)

# ls /usr/share/foreman/script -Z
-rwxr-xr-x. root root system_u:object_r:httpd_foreman_script_exec_t:s0 foreman-config
-rwxr-xr-x. root root system_u:object_r:httpd_foreman_script_exec_t:s0 foreman-debug
drwxr-xr-x. root root system_u:object_r:httpd_foreman_script_exec_t:s0 foreman-debug.d
-rwxr-xr-x. root root system_u:object_r:httpd_foreman_script_exec_t:s0 foreman-rake
-rwxr-xr-x. root root system_u:object_r:httpd_foreman_script_exec_t:s0 foreman-tail
drwxr-xr-x. root root system_u:object_r:httpd_foreman_script_exec_t:s0 foreman-tail.d
drwxr-xr-x. root root system_u:object_r:httpd_foreman_script_exec_t:s0 performance
-rwxr-xr-x. root root system_u:object_r:httpd_foreman_script_exec_t:s0 rails
-rwxr-xr-x. root root system_u:object_r:httpd_foreman_script_exec_t:s0 routes
-rwxr-xr-x. root root system_u:object_r:httpd_foreman_script_exec_t:s0 show-missing-rails-locales.sh
-rwxr-xr-x. root root system_u:object_r:httpd_foreman_script_exec_t:s0 update-rails-locales.sh

I think we can get rid of this and use either passenger_t for our helper scripts or define an alias.

Opinion, Dominic?
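
As an added example (not part of the original issue or of the foreman-selinux code base): a small shell check that reads `ls -Z` output and lists the entries still labelled with a given SELinux type, such as the `httpd_foreman_script_exec_t` type in the listing above. The function names and the sample input are constructed for illustration; the last sample line is a hypothetical relabelled file in the shorter "context name" layout that newer `ls -Z` prints.

```shell
#!/bin/sh
# Added example: report entries in `ls -Z` output that carry a given SELinux type.
# Handles the RHEL 7 layout from the issue (mode user group context name)
# and the shorter layout of newer coreutils (context name).

# Constructed sample: three lines taken from the issue's listing, plus one
# hypothetical line for a file already relabelled to usr_t.
sample_listing() {
cat <<'EOF'
-rwxr-xr-x. root root system_u:object_r:httpd_foreman_script_exec_t:s0 foreman-rake
drwxr-xr-x. root root system_u:object_r:httpd_foreman_script_exec_t:s0 foreman-debug.d
-rwxr-xr-x. root root system_u:object_r:httpd_foreman_script_exec_t:s0 rails
system_u:object_r:usr_t:s0 foreman-tail
EOF
}

# files_with_type TYPE: read `ls -Z` output on stdin, print names labelled TYPE.
files_with_type() {
    awk -v want="$1" '
    {
        # The context is the first field shaped like user:role:type[:level].
        for (i = 1; i <= NF; i++) {
            n = split($i, ctx, ":")
            if (n >= 3 && ctx[2] ~ /_r$/) {
                if (ctx[3] == want && i < NF) {
                    # Everything after the context field is the file name
                    # (runs of whitespace inside a name collapse to one space).
                    name = $(i + 1)
                    for (j = i + 2; j <= NF; j++) name = name " " $j
                    print name
                }
                break
            }
        }
    }'
}

# Entries in the sample that still use the type created by apache_content_template(foreman).
sample_listing | files_with_type httpd_foreman_script_exec_t
```

On a real host, pipe `ls -Z /usr/share/foreman/script` into `files_with_type` instead of the sample; empty output means nothing in the directory still carries that type.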

Actions #1

Updated by Dominic Cleal over 9 years ago

usr_t would probably suffice, like the rest of Foreman? We don't really confine processes run from the shell.

Actions #2

Updated by Lukas Zapletal over 9 years ago

Yeah, I really don't know why we ever introduced the apache template interface. I don't remember us using CGI prior to passenger or anything like that. Isn't it possible this was because of Puppet Master or something?

I am fine with usr_t or something, I just want to double-check. I will likely fix this ASAP as we have a blocker downstream on RHEL 7.1.

Actions #3

Updated by The Foreman Bot over 9 years ago

  • Status changed from New to Ready For Testing
  • Pull request https://github.com/theforeman/foreman-selinux/pull/48 added
  • Pull request deleted ()

Actions #4

Updated by Dominic Cleal about 9 years ago

  • Category set to General Foreman
  • Assignee set to Lukas Zapletal
  • Translation missing: en.field_release set to 35

Actions #5

Updated by Anonymous about 9 years ago

  • Status changed from Ready For Testing to Closed
  • % Done changed from 0 to 100