Primary Selinux policy for tendrl #261
Conversation
|
This will provide selinux-carbon and tendrl-server-selinux packages @r0h4n , @nthomas-redhat , @shtripat , Please review |
|
@lukas Vrabec [email protected] Please review |
selinux/tendrl.te
Outdated
| type tendrl_unit_file_t; | ||
| systemd_unit_file(tendrl_unit_file_t) | ||
|
|
||
| type collectd_conf_t; |
There was a problem hiding this comment.
This type definition should be in collectd SELinux module.
There was a problem hiding this comment.
We do not have a separate policy for collectd.
Do you want to keep collectd in a separate policy?
Please suggest
selinux/tendrl.te
Outdated
| allow collectd_t collectd_conf_t:dir manage_dir_perms; | ||
| allow collectd_t self:capability { setuid chown sys_resource audit_write }; | ||
| allow collectd_t self:unix_stream_socket { connectto }; | ||
| allow dmidecode_t collectd_t:fifo_file { getattr open read }; |
There was a problem hiding this comment.
This twho rules should be fixed in dmidecote SELinux security module
There was a problem hiding this comment.
Sure, i will remove it from here!
selinux/tendrl.te
Outdated
| ') | ||
|
|
||
| optional_policy(` | ||
| tendrl_stub_collectd() |
There was a problem hiding this comment.
We don't need to stub collectd module here, you cna use collectd intrafaces and in rules where collectd_t is source context, this should be in collectd SELinux module
tendrl-api.spec
Outdated
| %{buildroot}%{_datadir}/selinux/packages | ||
|
|
||
| %post -n tendrl-server-selinux | ||
| %_format MODULE %{_datadir}/selinux/packages/tendrl.pp.bz2 |
There was a problem hiding this comment.
We have SELinux policy macros for this changes in post install phase. For more info see: https://fedoraproject.org/wiki/SELinux/IndependentPolicy#The_.25post_Section
There was a problem hiding this comment.
Sure, Thank you, i will use those macros
selinux/carbon.fc
Outdated
| @@ -11,5 +11,3 @@ | |||
| /var/log/carbon(/.*)? gen_context(system_u:object_r:carbon_log_t,s0) | |||
|
|
|||
| /var/run/carbon-(aggregator|cache)\.pid gen_context(system_u:object_r:carbon_var_run_t,s0) | |||
|
|
|||
| /var/log/graphite-web(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) | |||
There was a problem hiding this comment.
griphite_web should have graphite_log_t SELinux context
|
SELinux review done. |
|
Please link with git issue so that we can merge this. @TimothyAsir |
Initial selinux policy for tendrl server to run in permissive domain This provides the following features: - Allows tendrl processes to run in permissive mode - Perform checks but will not enforce - Users don't have to switch to permissive mode globally - Allows to catch AVC messages Signed-off-by: Timothy Asir J <[email protected]>
Initial selinux policy for tendrl server to run in permissive domain This provides the following features: - Allows tendrl processes to run in permissive mode - Perform checks but will not enforce - Users don't have to switch to permissive mode globally - Allows to catch AVC messages Signed-off-by: Timothy Asir J <[email protected]>
Initial selinux policy for tendrl server to run in permissive domain This provides selinux permissive policies for tendrl-server, grafana and carbon with the following features: - Allows tendrl processes to run in permissive mode - Perform checks but will not enforce - Users don't have to switch to permissive mode globally - Allows to catch AVC messages Signed-off-by: Timothy Asir J <[email protected]>
Initial selinux policy for tendrl server to run in permissive domain This provides selinux permissive policies for tendrl-server, grafana and carbon with the following features: - Allows tendrl processes to run in permissive mode - Perform checks but will not enforce - Users don't have to switch to permissive mode globally - Allows to catch AVC messages Signed-off-by: Timothy Asir J <[email protected]>
Initial selinux policy for tendrl server to run in permissive domain This provides selinux permissive policies for tendrl-server, grafana and carbon with the following features: - Allows tendrl processes to run in permissive mode - Perform checks but will not enforce - Users don't have to switch to permissive mode globally - Allows to catch AVC messages Signed-off-by: Lukas Vrabec <[email protected]> Signed-off-by: Timothy Asir J <[email protected]>
Initial selinux policy for tendrl server to run in permissive domain This provides selinux permissive policies for tendrl-server, grafana and carbon with the following features: - Allows tendrl processes to run in permissive mode - Perform checks but will not enforce - Users don't have to switch to permissive mode globally - Allows to catch AVC messages Signed-off-by: Lukas Vrabec <[email protected]> Signed-off-by: Timothy Asir J <[email protected]>
TimothyAsirJeyasing
force-pushed
the
tendrl-selinux
branch
from
b0b8b56 to
77be921
Compare
Initial selinux policy for tendrl server to run in permissive domain
This provides the following features:
tendrl-bug-id: #279
Signed-off-by: Timothy Asir J [email protected]