Moved standard library paths bundle from common to agent type to simplify SELinux policy #3003
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
craigcomstock
force-pushed
the
ENT-12954/master
branch
from
4842cfe to
7a219d6
Compare
|
@cf-bottom jenkins please, thanks! |
craigcomstock
force-pushed
the
ENT-12954/master
branch
from
7a219d6 to
d6a120d
Compare
|
Alright, I triggered a build: Jenkins: https://ci.cfengine.com/job/pr-pipeline/12094/ Packages: http://buildcache.cfengine.com/packages/testing-pr/jenkins-pr-pipeline-12094/ |
|
ubu24 hub had trouble installing, some problem with postgres starting. Looks like a flake. |
…n SELinux policy This should simplify selinux policy where we want the agent to have broad access but other components like serverd, execd, hub to have more limited access. The paths bundle checks for the existence of many commands and this operation can cause SELinux AVCs. The inventory bundle uses the curl command to see if the host is an AWS instance and if so collects some inventory from a well known API/IP. The cfe_internal_hub_vars needs to determine if php-fpm executable is present. As far as I can tell there isn't a need for the vars/classes defined in paths and inventory in components other than agent so this change should be OK. Ticket: ENT-12954 Changelog: title more common to agent fixes
craigcomstock
force-pushed
the
ENT-12954/master
branch
from
d6a120d to
1cff95d
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This should simplify selinux policy where we want the agent to have broad access but other components like serverd, execd, hub to have more limited access.
The paths bundle checks for the existence of many commands and this operation can cause SELinux AVCs.
Ticket: ENT-12954
Changelog: title