URL: https://github.com/freeipa/freeipa/pull/5362 Author: abbra Title: #5362: [Backport][ipa-4-9] selinux: Fix/waive issues reported by SELint Action: opened
PR body: """ This PR was opened automatically because PR #5348 was pushed to master and backport to ipa-4-9 is required. """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/5362/head:pr5362 git checkout pr5362
From 758ab53e7ad28a2c959216d044c82a4f0cb8ad96 Mon Sep 17 00:00:00 2001 From: Vit Mojzis <vmoj...@redhat.com> Date: Mon, 19 Oct 2020 18:23:15 +0200 Subject: [PATCH 1/2] selinux: Fix/waive issues reported by SELint - order permissions alphabeticaly - do not use semicollon after interfaces - gen_require should only be used in interfaces -- to resolve this issue, corresponding changes have to be made in distribution policy instead of ipa module - disabling check --- selinux/ipa.te | 17 ++++++++--------- 1 file changed, 8 insertions(+), 9 deletions(-) diff --git a/selinux/ipa.te b/selinux/ipa.te index e658c175f33..57329dd4b64 100644 --- a/selinux/ipa.te +++ b/selinux/ipa.te @@ -138,9 +138,8 @@ optional_policy(` # ipa-helper local policy # - -allow ipa_helper_t self:capability { net_admin dac_read_search dac_override chown }; -seutil_read_config(ipa_helper_t); +allow ipa_helper_t self:capability { chown dac_override dac_read_search net_admin }; +seutil_read_config(ipa_helper_t) #kernel bug dontaudit ipa_helper_t self:capability2 block_suspend; @@ -414,7 +413,7 @@ optional_policy(` ') optional_policy(` - gen_require(` + gen_require(` #selint-disable:S-001 type httpd_t; ') ipa_custodia_stream_connect(httpd_t) @@ -438,7 +437,7 @@ optional_policy(` ') optional_policy(` - gen_require(` + gen_require(` #selint-disable:S-001 type tomcat_t; ') can_exec(tomcat_t, ipa_pki_retrieve_key_exec_t) @@ -446,7 +445,7 @@ optional_policy(` ') optional_policy(` - gen_require(` + gen_require(` #selint-disable:S-001 type devlog_t; ') @@ -459,7 +458,7 @@ optional_policy(` ') optional_policy(` - gen_require(` + gen_require(` #selint-disable:S-001 type tomcat_t; ') kerberos_read_config(tomcat_t) 
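Review bot: The `#selint-disable:S-001` markers placed after `gen_require(`` in the `@@ -414,7 +413,7 @@` hunk, and repeated in the `@@ -438`, `@@ -446`, `@@ -459` and `@@ -467` hunks, carry no in-file rationale; the reason given in the commit message (resolving S-001 would need changes in the distribution policy, not in the ipa module) is lost to anyone reading ipa.te later. A short comment above the first waived block would keep that context with the code, e.g. `# SELint S-001 (gen_require outside an interface) is waived below: fixing it requires changes in the distribution policy, not in this module`. The first hunk (`@@ -138,9 +138,8 @@`) only reorders the capability list and drops the trailing semicolon after `seutil_read_config(ipa_helper_t)`, which is consistent with the other interface calls shown; its enclosing `optional_policy(`` block starts before the hunk and continues past the `dontaudit` line.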
@@ -467,14 +466,14 @@ optional_policy(` ') optional_policy(` - gen_require(` + gen_require(` #selint-disable:S-001 type node_t; ') allow ipa_custodia_t node_t:tcp_socket node_bind; ') optional_policy(` - gen_require(` + gen_require(` #selint-disable:S-001 type pki_tomcat_cert_t; ') allow ipa_custodia_t pki_tomcat_cert_t:dir remove_name; From d6386836896086234c5d8f0e15a24eb802d0ce14 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fc...@redhat.com> Date: Wed, 16 Dec 2020 10:44:44 +0100 Subject: [PATCH 2/2] set SELinux to Enforcing in gating.xml MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: François Cami <fc...@redhat.com> --- ipatests/prci_definitions/gating.yaml | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) diff --git a/ipatests/prci_definitions/gating.yaml b/ipatests/prci_definitions/gating.yaml index 375d8968167..7488d32000b 100644 --- a/ipatests/prci_definitions/gating.yaml +++ b/ipatests/prci_definitions/gating.yaml @@ -41,6 +41,7 @@ jobs: job: class: RunPytest args: + selinux_enforcing: True build_url: '{fedora-latest/build_url}' test_suite: test_integration/test_installation.py::TestInstallMaster template: *ci-master-latest @@ -53,6 +54,7 @@ jobs: job: class: RunPytest args: + selinux_enforcing: True build_url: '{fedora-latest/build_url}' test_suite: test_integration/test_simple_replication.py template: *ci-master-latest @@ -65,6 +67,7 @@ jobs: job: class: RunPytest args: + selinux_enforcing: True build_url: '{fedora-latest/build_url}' test_suite: test_integration/test_caless.py::TestServerReplicaCALessToCAFull template: *ci-master-latest @@ -77,6 +80,7 @@ jobs: job: class: RunPytest args: + selinux_enforcing: True build_url: '{fedora-latest/build_url}' test_suite: test_integration/test_external_ca.py::TestExternalCA test_integration/test_external_ca.py::TestExternalCAConstraints template: *ci-master-latest 
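Review bot: `selinux_enforcing: True` is added as a repeated literal to the `args:` mapping of every RunPytest job in gating.yaml (this `@@ -41,6 +41,7 @@` hunk and each following hunk through `@@ -305`, 23 places in total), so turning enforcing mode on or off for gating now means editing every job. The file already shares configuration through YAML anchors (`template: *ci-master-latest`); if the PRCI loader accepts merge keys, a single anchored `args` fragment would keep the flag in one place, which is a style preference rather than a defect. The commit subject names `gating.xml`, while the file changed is `ipatests/prci_definitions/gating.yaml`.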
@@ -89,6 +93,7 @@ jobs:
 job:
 class: RunPytest
 args:
+ selinux_enforcing: True
 build_url: '{fedora-latest/build_url}'
 test_suite: test_integration/test_external_ca.py::TestSelfExternalSelf test_integration/test_external_ca.py::TestExternalCAInstall
 template: *ci-master-latest
@@ -101,6 +106,7 @@ jobs:
 job:
 class: RunPytest
 args:
+ selinux_enforcing: True
 build_url: '{fedora-latest/build_url}'
 test_suite: test_integration/test_external_ca.py::TestExternalCAProfileScenarios
 template: *ci-master-latest
@@ -113,6 +119,7 @@ jobs:
 job:
 class: RunPytest
 args:
+ selinux_enforcing: True
 build_url: '{fedora-latest/build_url}'
 test_suite: test_integration/test_topologies.py
 template: *ci-master-latest
@@ -125,6 +132,7 @@ jobs:
 job:
 class: RunPytest
 args:
+ selinux_enforcing: True
 build_url: '{fedora-latest/build_url}'
 test_suite: test_integration/test_sudo.py
 template: *ci-master-latest
@@ -137,6 +145,7 @@ jobs:
 job:
 class: RunPytest
 args:
+ selinux_enforcing: True
 build_url: '{fedora-latest/build_url}'
 test_suite: test_integration/test_commands.py
 template: *ci-master-latest
@@ -149,6 +158,7 @@ jobs:
 job:
 class: RunPytest
 args:
+ selinux_enforcing: True
 build_url: '{fedora-latest/build_url}'
 test_suite: test_integration/test_kerberos_flags.py
 template: *ci-master-latest
@@ -161,6 +171,7 @@ jobs:
 job:
 class: RunPytest
 args:
+ selinux_enforcing: True
 build_url: '{fedora-latest/build_url}'
 test_suite: test_integration/test_forced_client_reenrollment.py
 template: *ci-master-latest
@@ -173,6 +184,7 @@ jobs:
 job:
 class: RunPytest
 args:
+ selinux_enforcing: True
 build_url: '{fedora-latest/build_url}'
 test_suite: test_integration/test_advise.py
 template: *ci-master-latest
@@ -185,6 +197,7 @@ jobs:
 job:
 class: RunPytest
 args:
+ selinux_enforcing: True
 build_url: '{fedora-latest/build_url}'
 test_suite: test_integration/test_testconfig.py
 template: *ci-master-latest
@@ -197,6 +210,7 @@ jobs:
 job:
 class: RunPytest
 args:
+ selinux_enforcing: True
 build_url: '{fedora-latest/build_url}'
 test_suite: test_integration/test_service_permissions.py
 template: *ci-master-latest
@@ -209,6 +223,7 @@ jobs:
 job:
 class: RunPytest
 args:
+ selinux_enforcing: True
 build_url: '{fedora-latest/build_url}'
 test_suite: test_integration/test_netgroup.py
 template: *ci-master-latest
@@ -221,6 +236,7 @@ jobs:
 job:
 class: RunPytest
 args:
+ selinux_enforcing: True
 build_url: '{fedora-latest/build_url}'
 test_suite: test_integration/test_authselect.py
 template: *ci-master-latest
@@ -233,6 +249,7 @@ jobs:
 job:
 class: RunPytest
 args:
+ selinux_enforcing: True
 build_url: '{fedora-latest/build_url}'
 test_suite: test_integration/test_replica_promotion.py::TestSubCAkeyReplication
 template: *ci-master-latest
@@ -245,6 +262,7 @@ jobs:
 # job:
 # class: RunPytest
 # args:
+ selinux_enforcing: True
 # build_url: '{fedora-latest/build_url}'
 # test_suite: test_integration/test_dnssec.py::TestInstallDNSSECFirst
 # template: *ci-master-latest
@@ -257,6 +275,7 @@ jobs:
 job:
 class: RunPytest
 args:
+ selinux_enforcing: True
 build_url: '{fedora-latest/build_url}'
 test_suite: test_integration/test_membermanager.py
 template: *ci-master-latest
@@ -269,6 +288,7 @@ jobs:
 job:
 class: RunPytest
 args:
+ selinux_enforcing: True
 build_url: '{fedora-latest/build_url}'
 test_suite: test_integration/test_adtrust_install.py
 template: *ci-master-latest
@@ -281,6 +301,7 @@ jobs:
 job:
 class: RunPytest
 args:
+ selinux_enforcing: True
 build_url: '{fedora-latest/build_url}'
 test_suite: test_integration/test_cert.py
 template: *ci-master-latest
@@ -293,6 +314,7 @@ jobs:
 job:
 class: RunPytest
 args:
+ selinux_enforcing: True
 build_url: '{fedora-latest/build_url}'
 test_suite: test_integration/test_upgrade.py
 template: *ci-master-latest
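Review bot: In the `@@ -245,6 +262,7 @@` hunk the added `selinux_enforcing: True` line is live while every line around it (`# job:`, `# class: RunPytest`, `# args:`, `# build_url:`, `# test_suite: test_integration/test_dnssec.py::TestInstallDNSSECFirst`) is commented out, so the key is inserted into a job that is currently disabled. Depending on its indentation this presumably either makes gating.yaml fail to load or attaches `selinux_enforcing` to the preceding mapping; either way it should be commented out like its neighbours, `# selinux_enforcing: True` at the same indentation as the surrounding `#` lines, until the TestInstallDNSSECFirst job is re-enabled. The other hunks on this line add the key to live `args:` mappings and look consistent with the rest of the file.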
@@ -305,6 +327,7 @@ jobs:
 job:
 class: RunPytest
 args:
+ selinux_enforcing: True
 build_url: '{fedora-latest/build_url}'
 test_suite: test_integration/test_acme.py
 template: *ci-master-latest