Feature #4113
open
Restrict Foreman not to be able to write to /usr/share/foreman
Added by Lukas Zapletal over 10 years ago.
Updated almost 10 years ago.
Description
Currently Foreman is allowed to write to foreman_lib_t:
read_files_pattern(httpd_t, foreman_lib_t, foreman_lib_t)
manage_files_pattern(passenger_t, foreman_lib_t, foreman_lib_t)
manage_dirs_pattern(passenger_t, foreman_lib_t, foreman_lib_t)
We should tighten this and also make sure that public/avatar directory is in different domain (writable).
Also, we are not explicitly setting file contexts for /usr/share/foreman in foreman.fc. We should do that, users are not able to fix file policies.
And this line is twice:
manage_dirs_pattern(httpd_foreman_script_t, foreman_lib_t , foreman_lib_t)
manage_dirs_pattern(httpd_foreman_script_t, foreman_lib_t , foreman_lib_t)
- Target version set to 1.9.0
- Target version changed from 1.9.0 to 1.8.4
- Status changed from New to Assigned
- Assignee set to Lukas Zapletal
- Target version changed from 1.8.4 to 1.8.3
I will implement this change POST 1.5 release, because this refactoring can bring some issues.
- Target version deleted (
1.8.3)
- translation missing: en.field_release set to 10
- Status changed from Assigned to New
- Priority changed from Normal to Low
- translation missing: en.field_release deleted (
10)
Also available in: Atom
PDF
Updated by 
Updated by Anonymous 
Updated by