Bug #6598
closed
User story #6589: Improve Rudder security in 3.1: Inventory signature and security, SELinux compliance
User story #2882: Rudder should be SELinux compliant
rudder selinux module is not working
Status: Released
Priority: 1 (highest)
Category: Packaging
Description
When rudder-webapp.pp is installed as an SELinux module, we get an error (at least on Red Hat 6):
semodule -i /opt/rudder/share/selinux/rudder-webapp.pp
libsepol.module_package_read_offsets: wrong magic number for module package: expected 0xf97cff8f, got 0x75646f6d
libsemanage.parse_module_headers: Could not parse module data.

checkmodule -b /opt/rudder/share/selinux/rudder-webapp.pp
checkmodule: loading policy configuration from /opt/rudder/share/selinux/rudder-webapp.pp
libsepol.policydb_read: policydb magic number 0x75646f6d does not match expected magic number 0xf97cff8c or 0xf97cff8d
checkmodule: error(s) encountered while parsing configuration
I can create a valid pp file for SELinux by creating a .te file and transforming it via an SELinux makefile.
My rudder-webapp.te file:
policy_module(rudder-webapp, 1.0)

gen_require(`
    type httpd_t;
    type var_t;
    type http_cache_port_t;
    class tcp_socket name_connect;
    class file getattr;
')

allow httpd_t http_cache_port_t:tcp_socket name_connect;
and running the following command:
make -f /usr/share/selinux/devel/Makefile rudder-webapp.pp
This generates a rudder-webapp.pp file that I can install with semodule.
Benoit, Matthieu, Alexis, do you have any hindsight on this?
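
The following is an added example, not part of the ticket or of Rudder's packaging: a shell check that reads a file's first four bytes and compares them with the magic numbers quoted in the libsepol errors above, so a build can reject a .pp that is not a compiled module package before it ships. The value 0x75646f6d from the ticket is the ASCII bytes "modu" read as a little-endian 32-bit integer, which the check reports as text. The function names pp_kind and check_pp_files are hypothetical.

```shell
#!/bin/sh
# Added example (not Rudder code). Function names are hypothetical.
# Magic values are the ones quoted in the libsepol errors in this ticket.

# Print what the first 4 bytes of $1 look like; return 0 only for a file
# carrying the module-package magic that `semodule -i` expected.
pp_kind() {
    # -tx1 prints bytes in file order, so the result does not depend on
    # host endianness; the magic is then assembled as little-endian.
    bytes=$(od -An -tx1 -N4 "$1" 2>/dev/null) || { echo unreadable; return 1; }
    set -- $bytes
    [ $# -eq 4 ] || { echo too-short; return 1; }
    magic="0x$4$3$2$1"
    case "$magic" in
        0xf97cff8f) echo module-package; return 0 ;;
        0xf97cff8c|0xf97cff8d) echo policydb; return 1 ;;  # checkmodule -b input
    esac
    # Four printable ASCII bytes mean text, e.g. 6d 6f 64 75 = "modu".
    for b in "$@"; do
        case "$b" in
            [2-6][0-9a-f]|7[0-9a-e]) ;;
            *) echo "unknown:$magic"; return 1 ;;
        esac
    done
    echo "text:$magic"
    return 1
}

# Check every file given; return non-zero if any is not a module package.
check_pp_files() {
    rc=0
    for f in "$@"; do
        kind=$(pp_kind "$f") || rc=1
        printf '%s: %s\n' "$f" "$kind"
    done
    return "$rc"
}

# Run as: sh check_pp.sh /path/to/module.pp ...
[ $# -eq 0 ] || check_pp_files "$@"
```

Run against the packaged file in a build or post-install test, a non-zero exit status flags a .pp that semodule would refuse to load.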