Actions
Bug #19764
closedArchitecture #19746: Move SELinux policy application into postinst script
Bug #19760: Don't reset permission on root.pem
Incorrect permissions on relay certificates
Pull Request:
Severity:
UX impact:
User visibility:
Effort required:
Priority:
0
Name check:
To do
Fix check:
To do
Regression:
Description
RHEL8:
drwxr-x---. 2 root rudder system_u:object_r:var_t:s0 140 Aug 12 09:08 . drwxr-xr-x. 4 root root system_u:object_r:var_t:s0 30 Aug 12 08:57 .. -rw-r--r--. 1 root root system_u:object_r:var_t:s0 0 Aug 12 08:35 .placeholder -rw-rw----. 1 root rudder system_u:object_r:rudder_relayd_var_lib_t:s0 2.0K Aug 12 09:08 allnodescerts.pem -rw-r-----. 1 root root unconfined_u:object_r:rudder_relayd_var_lib_t:s0 2.0K Aug 12 08:57 nodescerts.pem lrwxrwxrwx. 1 root root unconfined_u:object_r:var_t:s0 8 Aug 12 09:03 policy_server.pem -> root.pem -rw-------. 1 root root unconfined_u:object_r:var_t:s0 53 Aug 12 09:01 policy_server_hash -rw-------. 1 root root unconfined_u:object_r:var_t:s0 2.0K Aug 12 09:03 root.pem
Debian 10:
drwxr-x--- 2 root rudder 4.0K Aug 12 10:00 . drwxr-xr-x 4 root root 4.0K Aug 12 09:51 .. -rw-r--r-- 1 root root 0 Nov 22 2017 .placeholder -rw-rw---- 1 root rudder 2.0K Aug 12 09:55 allnodescerts.pem -rw-r----- 1 root root 2.0K Aug 12 09:55 nodescerts.pem lrwxrwxrwx 1 root root 8 Aug 12 09:55 policy_server.pem -> root.pem -rw------- 1 root root 53 Aug 12 09:54 policy_server_hash -rw------- 1 root root 2.0K Aug 12 10:00 root.pem
Contexts in the policy are:
/var/rudder/lib/ssl/allnodescerts.pem -- gen_context(system_u:object_r:rudder_relayd_var_lib_t,s0) /var/rudder/lib/ssl/nodescerts.pem -- gen_context(system_u:object_r:rudder_relayd_var_lib_t,s0) /var/rudder/lib/ssl/root.pem -- gen_context(system_u:object_r:rudder_relayd_var_lib_t,s0) /var/rudder/lib/ssl/policy_server.pem -- gen_context(system_u:object_r:rudder_relayd_var_lib_t,s0)
allnodescerts.pem
is written directly by the webapp, it needs to be readable byrudder-relayd
.nodescerts.pem
is copied and perms are setpermissions("${nodes_certs}", "640", "root", "0")
. It needs to be readable byhttpd
and (since 7.0)rudder-relayd
root.pem
andpolicy_server.pem
(introduced in 7.0) are copied by the agent and perms are setpermissions_dirs("${g.rudder_var}/lib/ssl/", "640", "root", "rudder")
. They need to be readable byrudder-relayd
.
Actions