Bug #6598

closed

User story #6589: Improve Rudder security in 3.1: Inventory signature and security, SELinux compliance

User story #2882: Rudder should be SELinux compliant

rudder selinux module is not working

Added by Vincent MEMBRÉ over 9 years ago. Updated over 9 years ago.

Status: Released
Priority: 1 (highest)
Category: Packaging

Description

When rudder-webapp.pp is installed as an SELinux module, we get an error (at least on RedHat 6):

semodule -i /opt/rudder/share/selinux/rudder-webapp.pp
libsepol.module_package_read_offsets: wrong magic number for module package:  expected 0xf97cff8f, got 0x75646f6d
libsemanage.parse_module_headers: Could not parse module data.
checkmodule -b  /opt/rudder/share/selinux/rudder-webapp.pp 
checkmodule:  loading policy configuration from /opt/rudder/share/selinux/rudder-webapp.pp
libsepol.policydb_read: policydb magic number 0x75646f6d does not match expected magic number 0xf97cff8c or 0xf97cff8d
checkmodule:  error(s) encountered while parsing configuration

I can create a valid pp file for SELinux by creating a .te file and transforming it via an SELinux makefile.

My rudder-webapp.te file:

policy_module(rudder-webapp, 1.0)

gen_require(`
  type httpd_t;
  type var_t;
  type http_cache_port_t;
  class tcp_socket name_connect;
  class file getattr;
')

allow httpd_t http_cache_port_t:tcp_socket name_connect;

and running the following command:

make -f /usr/share/selinux/devel/Makefile rudder-webapp.pp

This generates a rudder-webapp.pp file that I can install with semodule.

Benoit, Matthieu, Alexis, do you have any hindsight on this?
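Added example, not part of the original report and not Rudder's packaging code: a pre-install check that reads the first four bytes of a .pp file the way libsepol does (little-endian 32-bit) and compares them with the magic values quoted in the errors above. The reported value 0x75646f6d is the ASCII bytes "modu" read little-endian, so the file begins with printable text rather than a binary header; the function names and sample files are constructed for illustration.

```shell
#!/bin/sh
# Magic value quoted in the libsepol error in this report.
MODULE_PKG_MAGIC=f97cff8f   # module package, expected by semodule -i

# Print the first 4 bytes of file $1 as the little-endian 32-bit hex value
# libsepol reports, or "short" if the file has fewer than 4 bytes.
le32_magic() {
    hex=$(od -An -tx1 -N4 "$1" | tr -d '[:space:]')
    if [ "${#hex}" -ne 8 ]; then echo short; return 0; fi
    echo "$hex" | sed 's/^\(..\)\(..\)\(..\)\(..\)$/\4\3\2\1/'
}

# Classify file $1 as: module-package, policydb, too-short,
# text:<first 4 chars>, or unknown:0x<magic>.
classify_pp() {
    magic=$(le32_magic "$1")
    case "$magic" in
        "$MODULE_PKG_MAGIC") echo module-package ;;
        f97cff8c|f97cff8d)   echo policydb ;;   # accepted by checkmodule -b
        short)               echo too-short ;;
        *)
            # Four printable ASCII bytes mean a text file was shipped as .pp.
            if head -c 4 "$1" | LC_ALL=C grep -q '^[[:print:]]\{4\}$'; then
                echo "text:$(head -c 4 "$1")"
            else
                echo "unknown:0x$magic"
            fi ;;
    esac
}

# Constructed samples: a text file starting with "module" (reproduces the
# 0x75646f6d value from the report) and a file with the module package magic.
demo_dir=$(mktemp -d)
printf 'module rudder-webapp 1.0;\n' > "$demo_dir/text-as-pp.pp"
printf '\217\377\174\371rest' > "$demo_dir/binary.pp"
for f in "$demo_dir"/*.pp; do
    echo "$(basename "$f"): 0x$(le32_magic "$f") -> $(classify_pp "$f")"
done
rm -rf "$demo_dir"
```

Running `classify_pp` on the packaged file in a build or post-install step and failing on anything other than `module-package` catches this class of error before `semodule -i` does.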
