Actions
Feature #4113
open
Restrict Foreman not to be able to write to /usr/share/foreman
Description
Currently Foreman is allowed to write to foreman_lib_t:
read_files_pattern(httpd_t, foreman_lib_t, foreman_lib_t)
manage_files_pattern(passenger_t, foreman_lib_t, foreman_lib_t)
manage_dirs_pattern(passenger_t, foreman_lib_t, foreman_lib_t)We should tighten this and also make sure that public/avatar directory is in different domain (writable).
Updated by Lukas Zapletal over 10 years ago
Also, we are not explicitly setting file contexts for /usr/share/foreman in foreman.fc. We should do that, users are not able to fix file policies.
And this line is twice:
manage_dirs_pattern(httpd_foreman_script_t, foreman_lib_t , foreman_lib_t) manage_dirs_pattern(httpd_foreman_script_t, foreman_lib_t , foreman_lib_t)
Updated by Anonymous about 10 years ago
- Target version changed from 1.9.0 to 1.8.4
Updated by Lukas Zapletal about 10 years ago
- Status changed from New to Assigned
- Assignee set to Lukas Zapletal
Updated by Anonymous about 10 years ago
- Target version changed from 1.8.4 to 1.8.3
Updated by Lukas Zapletal about 10 years ago
I will implement this change POST 1.5 release, because this refactoring can bring some issues.
Updated by Ohad Levy almost 10 years ago
- translation missing: en.field_release set to 10
Updated by Lukas Zapletal almost 10 years ago
- Status changed from Assigned to New
- Priority changed from Normal to Low
- translation missing: en.field_release deleted (
10)
Actions