Moved standard library paths bundle from common to agent type to simplify SELinux policy #3003
Conversation
4842cfe to 7a219d6
@cf-bottom jenkins please, thanks!
7a219d6 to d6a120d
Alright, I triggered a build: Jenkins: https://ci.cfengine.com/job/pr-pipeline/12094/ Packages: http://buildcache.cfengine.com/packages/testing-pr/jenkins-pr-pipeline-12094/

ubu24 hub had trouble installing, some problem with postgres starting. Looks like a flake.
…n SELinux policy

This should simplify SELinux policy where we want the agent to have broad access but other components like serverd, execd, hub to have more limited access. The paths bundle checks for the existence of many commands and this operation can cause SELinux AVCs. The inventory bundle uses the curl command to see if the host is an AWS instance and if so collects some inventory from a well known API/IP. The cfe_internal_hub_vars needs to determine if php-fpm executable is present. As far as I can tell there isn't a need for the vars/classes defined in paths and inventory in components other than agent so this change should be OK.

Ticket: ENT-12954
Changelog: title more common to agent fixes

d6a120d to 1cff95d
Not sure how I feel about this one. My initial reaction is no. But, I think it's true that most use of paths is from cf-agent.
I need to ponder on it. I guess we will if we have not yet confirmed that we aren't using any of the paths in MPF stock and probably scour build modules as well.
Plausibly could add something, sort of like the extend paths capability to get certain paths into common availability if needed. I wonder, will this change negatively affect the ability of the paths bundle to be extended without modification?
Let's make some tests then for at least the extend case. We can run this through CI as well to try and catch troubles there. @cf-bottom jenkins please, thanks.

Sure, I triggered a build: Jenkins: https://ci.cfengine.com/job/pr-pipeline/12892/ Packages: http://buildcache.cfengine.com/packages/testing-pr/jenkins-pr-pipeline-12892/

Looks like CI tells us one var is trouble; I will look into it.
This should simplify selinux policy where we want the agent to have broad access but other components like serverd, execd, hub to have more limited access.
The paths bundle checks for the existence of many commands and this operation can cause SELinux AVCs.
Ticket: ENT-12954
Changelog: title
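The PR's premise is that the existence checks in `paths` produce AVC denials when they run inside the non-agent daemons, and that confining those checks to `cf-agent` lets the other components keep a narrower policy. One way to verify that claim on a host is to triage the audit log by process name. The script below is an added example, not code from this PR or from CFEngine; it parses constructed `audit.log` lines (the `scontext` type names are placeholders, not real CFEngine policy types) and reports which non-agent daemons are still hitting denials, so you can confirm they disappear after the change.

```python
import re
from collections import defaultdict

# Constructed sample audit.log lines for this example (not real log data).
# The PLACEHOLDER_*_t domains stand in for whatever SELinux types the policy uses.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1700000000.101:201): avc:  denied  { getattr } for  pid=4101 comm="cf-serverd" path="/usr/bin/curl" dev="dm-0" ino=1001 scontext=system_u:system_r:PLACEHOLDER_serverd_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.102:202): avc:  denied  { getattr } for  pid=4102 comm="cf-execd" path="/usr/sbin/php-fpm" dev="dm-0" ino=1002 scontext=system_u:system_r:PLACEHOLDER_execd_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.103:203): avc:  denied  { getattr } for  pid=4101 comm="cf-serverd" path="/usr/bin/curl" dev="dm-0" ino=1001 scontext=system_u:system_r:PLACEHOLDER_serverd_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1700000000.103:203): arch=c000003e syscall=4 success=no exit=-13 comm="cf-serverd"
type=AVC msg=audit(1700000000.104:204): avc:  granted  { getattr } for  pid=4103 comm="cf-agent" path="/usr/bin/curl" dev="dm-0" ino=1001 scontext=system_u:system_r:PLACEHOLDER_agent_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=0
"""

# Matches the fields of an AVC record we care about; path= is optional because
# some object classes (e.g. sockets) report no path.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}'
    r'.*?comm="(?P<comm>[^"]*)"'
    r'(?:.*?path="(?P<path>[^"]*)")?'
    r'.*?tclass=(?P<tclass>\S+)'
)

# Daemons the PR wants to keep narrowly confined (names from the PR text).
NON_AGENT_DAEMONS = ("cf-serverd", "cf-execd", "cf-hub")


def parse_avc(line):
    """Return a dict for one AVC record, or None for non-AVC lines."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["perms"] = rec["perms"].split()  # e.g. "{ read getattr }" -> two entries
    return rec


def summarize_denials(log_text):
    """Count denied AVCs as {(comm, path, permission): count}; granted records are skipped."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["verdict"] != "denied":
            continue
        for perm in rec["perms"]:
            counts[(rec["comm"], rec["path"] or "?", perm)] += 1
    return dict(counts)


def non_agent_daemons_with_denials(log_text, daemons=NON_AGENT_DAEMONS):
    """Sorted list of confined daemons that still trigger denials; empty means the move worked."""
    return sorted({comm for (comm, _, _) in summarize_denials(log_text) if comm in daemons})


if __name__ == "__main__":
    for (comm, path, perm), n in sorted(summarize_denials(SAMPLE_AUDIT_LOG).items()):
        print(f"{comm:12} {perm:10} {path:25} x{n}")
    print("still denied:", non_agent_daemons_with_denials(SAMPLE_AUDIT_LOG))
```

Run it against `/var/log/audit/audit.log` (or `ausearch -m avc` output) before and after applying the change: denials attributed to `cf-serverd`, `cf-execd` or `cf-hub` for `getattr` on command paths are the ones the `paths` and `inventory` existence checks generate, and they should no longer appear once those bundles run only in `cf-agent`.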