Page MenuHomeDevCentral
Differential D1959

Improve SELinux policies for nginx in paas-docker role
ClosedPublic
Actions

Authored by dereckson on Oct 27 2018, 23:17.
Tags
None
Referenced Files
Unknown Object (File)
Tue, Sep 2, 08:08
Unknown Object (File)
Tue, Sep 2, 00:19
Unknown Object (File)
Mon, Sep 1, 08:36
Unknown Object (File)
Sat, Aug 30, 03:20
Unknown Object (File)
Thu, Aug 28, 13:43
Unknown Object (File)
Tue, Aug 26, 05:21
Unknown Object (File)
Mon, Aug 25, 08:15
Unknown Object (File)
Tue, Aug 19, 01:42
View All Files
Subscribers
None

Details

Reviewers
dereckson
Maniphest Tasks
T1364: SELinux policy for Let's encrypt directory
Commits
rOPS16533b4eaa5f: Improve SELinux policies for nginx in paas-docker role
Summary

Ref T1364

Test Plan

Test on Equatower

Diff Detail

Repository
rOPS Nasqueron Operations
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

dereckson requested review of this revision.Oct 27 2018, 23:17
dereckson created this revision.
Harbormaster completed remote builds in B3051: Diff 4951.Oct 27 2018, 23:17
dereckson updated this revision to Diff 4952.Oct 27 2018, 23:30

build it, install it

Harbormaster completed remote builds in B3052: Diff 4952.Oct 27 2018, 23:30
dereckson added a comment.Oct 28 2018, 08:34
Equatower journal
Oct 28 08:32:32 equatower.nasqueron.org kernel: SELinux: 2048 avtab hash slots, 106961 rules.
Oct 28 08:32:32 equatower.nasqueron.org kernel: SELinux: 2048 avtab hash slots, 106961 rules.
Oct 28 08:32:33 equatower.nasqueron.org kernel: SELinux:  8 users, 14 roles, 5014 types, 311 bools, 1 sens, 1024 cats
Oct 28 08:32:33 equatower.nasqueron.org kernel: SELinux:  97 classes, 106961 rules
dereckson updated this revision to Diff 4953.Oct 28 2018, 08:56

Allow to read link files too (e.g. Let's encrypt certificate symlink)

Harbormaster completed remote builds in B3053: Diff 4953.Oct 28 2018, 08:56
dereckson planned changes to this revision.Oct 28 2018, 09:08
dereckson mentioned this in T1364: SELinux policy for Let's encrypt directory.
dereckson marked 2 inline comments as done.
dereckson added inline comments.
roles/paas-docker/wwwroot-502/init.sls
20

Not recursive: it only applies to /var/wwwroot-502 directory

dereckson updated this revision to Diff 4954.Oct 28 2018, 09:11

Apply SELinux policy a recursive way

Harbormaster completed remote builds in B3054: Diff 4954.Oct 28 2018, 09:11
dereckson updated this revision to Diff 4955.Oct 28 2018, 09:20

Use a regex to be recursive

Harbormaster completed remote builds in B3055: Diff 4955.Oct 28 2018, 09:20
dereckson accepted this revision.Oct 28 2018, 18:56
This revision is now accepted and ready to land.Oct 28 2018, 18:56
Closed by commit rOPS16533b4eaa5f: Improve SELinux policies for nginx in paas-docker role (authored by dereckson). · Explain WhyOct 28 2018, 18:56
This revision was automatically updated to reflect the committed changes.

Revision Contents
Changeset List

PathSize
roles/
paas-docker/
nginx/
files/
selinux/
26 lines
27 lines
wwwroot-502/
14 lines

Diff 4957

View Options

roles/paas-docker/nginx/files/selinux/nginx.te

Loading...
View Options

roles/paas-docker/nginx/selinux.sls

Loading...
View Options

roles/paas-docker/wwwroot-502/init.sls

Loading...
Nasqueron DevCentral · If it had been much bigger the moon would have had a core of ice. · Powered by Phabricator