Fixes for FR policy fixing up SELinux context of ~cftransport/.ssh #2816
Conversation
And add a comment describing the meaning of the logical expression. Ticket: ENT-11136 Changelog: None
Ticket: ENT-11136
Changelog: Federated reporting policy now properly fixes SELinux context of the ~cftransport/.ssh directory and its contents.
Ticket: ENT-11136 Changelog: None
We only run a single command, no need to use shell. Also, reformat the policy a bit for better readability. Ticket: ENT-11136 Changelog: None
Manually tested to verify that it fixes issues on a CentOS 7 hub enabled as a feeder. Really strange it hasn't been breaking FR tests.
It just requires two agent runs to properly do the full setup. #2817 adds a more complicated change making sure a single agent run is enough, but we may want to stick to this simpler change for backports.
| expression => not(returnszero("$(default:paths.semanage) fcontext -l | grep '$(home)/.ssh(/.*)?'", "useshell")), | ||
| if => fileexists("$(home)"); | ||
| enabled.selinux_enabled:: | ||
| # For all the files below it must be true that if they exist they need |
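Review bot: the grep in the `expression` line treats `'$(home)/.ssh(/.*)?'` as a regular expression even though the goal is to find that exact fcontext rule text in the `semanage fcontext -l` listing; the unescaped dots match any character, so `grep -F '$(home)/.ssh(/.*)?'` (or an escaped pattern) would make the check match only the literal rule and nothing else. Since the command is a pipeline, `"useshell"` is genuinely required here, so that part is fine.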
I appreciate your explanation here but have to say this block has become rather unreadable. I wonder if we could do better? The logic reads to me as correct after some time looking at it.
Well, I know how to make this a lot nicer in Python. Or any language with functions and loops, really. But no clue how to make it nicer in CFEngine policy. Maybe @nickanderson can help polish this later.
We could use a list of files and then create an array with those files as keys and the results of the SELinux labels as values and then search for a false value in getindices() on the array. But that's similarly ugly, AFAICT.
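The array-and-getindices() approach sketched in the comment above, written out as an added example (not the project's FR policy): the bundle name, the file list, and the use of `matchpathcon -V` as the per-file label check are assumptions, while the `semanage fcontext -l` check and the `$(default:paths.semanage)` reference follow the policy shown in the diff.

```cfengine3
bundle agent fix_ssh_selinux_context(home)
# Added example, not the project's policy. Assumes an RHEL/CentOS-style host with
# the CFEngine standard library ('paths') loaded and matchpathcon installed.
{
  vars:
    # Constructed list of the files whose SELinux label we care about.
    "files" slist => { "$(home)/.ssh",
                       "$(home)/.ssh/authorized_keys",
                       "$(home)/.ssh/id_rsa",
                       "$(home)/.ssh/id_rsa.pub" };

    # Build an array keyed by path, but only for files that exist and whose
    # on-disk label differs from the loaded file-context rules
    # ('matchpathcon -V' exits non-zero on a mismatch).
    "needs_fix[$(files)]" string => "$(files)",
      if => and(fileexists("$(files)"),
                not(returnszero("/usr/sbin/matchpathcon -V $(files)", "noshell")));

    # getindices() turns the array keys into the list of mislabelled paths
    # (empty when everything is fine).
    "bad_files" slist => getindices("needs_fix");

  classes:
    # The fcontext rule must exist before restorecon can apply it. grep -F
    # matches the rule text literally instead of treating it as a regex.
    "fcontext_missing" not => returnszero("$(default:paths.semanage) fcontext -l | grep -F '$(home)/.ssh(/.*)?'", "useshell"),
      if => fileexists("$(home)");

    # True if any file ended up in the mismatch list.
    "labels_wrong" expression => some(".*", "bad_files");

  commands:
    fcontext_missing::
      "$(default:paths.semanage)"
        args => "fcontext -a -t ssh_home_t '$(home)/.ssh(/.*)?'",
        classes => if_repaired("fcontext_added");

    # Relabel in the same agent run when the rule was just added or a label is wrong.
    labels_wrong|fcontext_added::
      "/usr/sbin/restorecon"
        args => "-R $(home)/.ssh";

  reports:
    labels_wrong::
      "SELinux label mismatch on $(bad_files), restoring context";
}
```

Because the rule is added and the relabel happens in the same pass, a single agent run converges, which is the property the comment about needing two runs was after.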
Multiple issues discovered and fixed. Plus one piece of polishing.