Page MenuHomeDevCentral
Differential D1959

Improve SELinux policies for nginx in paas-docker role
ClosedPublic
Actions

Authored by dereckson on Oct 27 2018, 23:17.
Tags
None
Referenced Files
F10984792: D1959.diff
Fri, Aug 8, 12:13
F10977851: D1959.id4957.diff
Fri, Aug 8, 03:37
F10965692: D1959.id4951.diff
Thu, Aug 7, 14:12
Unknown Object (File)
Thu, Aug 7, 09:04
Unknown Object (File)
Thu, Aug 7, 07:11
Unknown Object (File)
Tue, Aug 5, 14:40
Unknown Object (File)
Tue, Aug 5, 04:56
Unknown Object (File)
Sat, Aug 2, 02:26
View All Files
Subscribers
None

Details

Reviewers
dereckson
Maniphest Tasks
T1364: SELinux policy for Let's encrypt directory
Commits
rOPS16533b4eaa5f: Improve SELinux policies for nginx in paas-docker role
Summary

Ref T1364

Test Plan

Test on Equatower

Diff Detail

Repository
rOPS Nasqueron Operations
Lint
Lint Passed
Unit
No Test Coverage
Branch
paas-docker-selinux-love-for-nginx (branched from master)
Build Status
Buildable 3051
Build 3299: arc lint + arc unit

Event Timeline

dereckson requested review of this revision.Oct 27 2018, 23:17
dereckson created this revision.
Harbormaster completed remote builds in B3051: Diff 4951.Oct 27 2018, 23:17
dereckson updated this revision to Diff 4952.Oct 27 2018, 23:30

build it, install it

Harbormaster completed remote builds in B3052: Diff 4952.Oct 27 2018, 23:30
dereckson added a comment.Oct 28 2018, 08:34
Equatower journal
Oct 28 08:32:32 equatower.nasqueron.org kernel: SELinux: 2048 avtab hash slots, 106961 rules.
Oct 28 08:32:32 equatower.nasqueron.org kernel: SELinux: 2048 avtab hash slots, 106961 rules.
Oct 28 08:32:33 equatower.nasqueron.org kernel: SELinux:  8 users, 14 roles, 5014 types, 311 bools, 1 sens, 1024 cats
Oct 28 08:32:33 equatower.nasqueron.org kernel: SELinux:  97 classes, 106961 rules
dereckson updated this revision to Diff 4953.Oct 28 2018, 08:56

Allow to read link files too (e.g. Let's encrypt certificate symlink)

Harbormaster completed remote builds in B3053: Diff 4953.Oct 28 2018, 08:56
dereckson planned changes to this revision.Oct 28 2018, 09:08
dereckson mentioned this in T1364: SELinux policy for Let's encrypt directory.
dereckson marked 2 inline comments as done.
dereckson added inline comments.
roles/paas-docker/wwwroot-502/init.sls
20

Not recursive: it only applies to /var/wwwroot-502 directory

dereckson updated this revision to Diff 4954.Oct 28 2018, 09:11

Apply SELinux policy a recursive way

Harbormaster completed remote builds in B3054: Diff 4954.Oct 28 2018, 09:11
dereckson updated this revision to Diff 4955.Oct 28 2018, 09:20

Use a regex to be recursive

Harbormaster completed remote builds in B3055: Diff 4955.Oct 28 2018, 09:20
dereckson accepted this revision.Oct 28 2018, 18:56
This revision is now accepted and ready to land.Oct 28 2018, 18:56
Closed by commit rOPS16533b4eaa5f: Improve SELinux policies for nginx in paas-docker role (authored by dereckson). · Explain WhyOct 28 2018, 18:56
This revision was automatically updated to reflect the committed changes.

Revision Contents
Changeset List

PathSize
roles/
paas-docker/
nginx/
files/
selinux/
24 lines
20 lines
wwwroot-502/
13 lines

Diff 4951

View Options

roles/paas-docker/nginx/files/selinux/nginx.te

Loading...
View Options

roles/paas-docker/nginx/selinux.sls

Loading...
View Options

roles/paas-docker/wwwroot-502/init.sls

Loading...
Nasqueron DevCentral · If it had been much bigger the moon would have had a core of ice. · Powered by Phabricator