Refs #30803: Allow Apache to connect to Unix socket

theforeman · Oct 13, 2020 · 7a8c5ab · 7a8c5ab
1 parent fd56e5c
commit 7a8c5ab
Show file tree

Hide file tree

Showing 3 changed files with 9 additions and 0 deletions.
diff --git a/foreman-selinux-relabel b/foreman-selinux-relabel
@@ -5,6 +5,7 @@
   /var/lib/foreman \
   /var/run/foreman \
   /run/foreman \
+  /run/foreman.sock \
   /var/log/foreman \
   /etc/foreman \
   /etc/puppet/node.rb \

diff --git a/foreman.fc b/foreman.fc
@@ -30,6 +30,7 @@
 /var/log/foreman(/.*)?                              gen_context(system_u:object_r:foreman_log_t,s0)
 
 /var/run/foreman(/.*)?                              gen_context(system_u:object_r:foreman_var_run_t,s0)
+/run/foreman\.sock                              --  gen_context(system_u:object_r:foreman_var_run_t,s0)
 
 /usr/share/foreman/.ssh(/.*)?                       gen_context(system_u:object_r:ssh_home_t,s0)
 /usr/share/foreman/extras/noVNC/websockify\.py      gen_context(system_u:object_r:websockify_exec_t,s0)

diff --git a/foreman.te b/foreman.te
@@ -186,6 +186,9 @@ init_daemon_domain(foreman_rails_t, foreman_rails_exec_t)
 # https://community.theforeman.org/t/foreman-nightly-rpm-pipeline-611-failed/19179
 allow foreman_rails_t unconfined_service_t:tcp_socket { connected_stream_socket_perms };
 
+# Socket and PID files transition
+files_pid_filetrans(foreman_rails_t, foreman_var_run_t, { file dir sock_file })
+
 # Generic domain rules
 kerberos_read_config(foreman_rails_t)
 auth_read_passwd(foreman_rails_t)
@@ -536,6 +539,10 @@ optional_policy(`
 read_files_pattern(httpd_t, puppet_etc_t, puppet_etc_t)
 read_lnk_files_pattern(httpd_t, puppet_etc_t, puppet_etc_t)
 
+# Allow Apache access to the Unix socket
+files_search_pids(httpd_t)
+stream_connect_pattern(httpd_t, foreman_var_run_t, foreman_var_run_t, foreman_rails_t)
+
 ##############################################
 #
 # Passenger/httpd temporary policy