Issue #564
We have a dontaudit rule on httpd_t for rpm_var_lib_t:dir
Status: closed
Description
Description of problem:
We have a line [0] in our selinux policy that grants unnecessary and potentially dangerous privilege to the httpd process. This is very likely a holdover from Pulp 1.x days, and I believe it can be safely removed.
Version-Release number of selected component (if applicable):
2.4.0-1
How reproducible:
Every time
Steps to Reproduce:
1. Go to [0].
2. Look for a line that says dontaudit httpd_t rpm_var_lib_t:dir { getattr search open };
Actual results:
That line is there.
Expected results:
That line should not be there.
Additional info:
There might be a better way than looking at github to find out if we have that dontaudit rule, but I am not familiar enough with selinux yet to know. If there is a way to check on an installed system that there isn't a dontaudit rule, that would be a superior test.
[0] https://github.com/pulp/pulp/blob/master/server/selinux/server/pulp-server.te#L31
This bug was cloned from Bugzilla Bug #1148999
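One way to run the check the report asks for, as an added example that is not part of the issue or the pulp repository: it scans a .te source file for the rule the way the reporter did by hand, applies the fix the linked PR describes (dropping the dontaudit rules) to show the source check going clean, and queries the loaded policy with setools' sesearch, which is the installed-system test. It assumes sesearch is present for that last step (setools-console on Fedora/RHEL); the function names, the temporary-file handling and the policy fragment are the example's own, and the fragment is constructed for the demo rather than being Pulp's pulp-server.te.

```shell
#!/bin/sh
# Added example, not code from the Pulp issue or the pulp repository.
# Assumptions: the policy source is a .te file (like pulp-server.te) and,
# for the installed-system check, setools' sesearch is present
# (package setools-console on Fedora/RHEL). Function names and the sample
# policy fragment below are this example's own.

# Source-level check: print dontaudit rules in a .te file whose source type,
# target type and object class match. Exit 0 if any match, 1 if none.
find_dontaudit_in_te() {
    te_file=$1 src=$2 tgt=$3 cls=$4
    grep -E "^[[:space:]]*dontaudit[[:space:]]+${src}[[:space:]]+${tgt}:${cls}([[:space:]]|;|$)" "$te_file"
}

# Installed-system check: query the loaded binary policy, which is what the
# reporter wanted instead of reading GitHub. sesearch exits 0 whether or not
# anything matched, so the result is judged by its output. Exit 0 = rule
# present, 1 = absent, 2 = could not check.
find_dontaudit_installed() {
    src=$1 tgt=$2 cls=$3
    command -v sesearch >/dev/null 2>&1 || { echo "sesearch not available" >&2; return 2; }
    out=$(sesearch --dontaudit -s "$src" -t "$tgt" -c "$cls" 2>/dev/null) || return 2
    [ -n "$out" ] || return 1
    printf '%s\n' "$out"
}

# The fix described by the linked PR: drop every dontaudit rule from a .te
# file, writing the result to a second file.
strip_dontaudit() {
    grep -Ev '^[[:space:]]*dontaudit[[:space:]]' "$1" > "$2"
}

# Constructed .te fragment for the demo. The rpm_var_lib_t line is the one
# quoted in the issue; the var_lib_t line is a decoy of this example's own,
# so the type/class filter has something to reject.
write_sample_te() {
    cat > "$1" <<'EOF'
policy_module(pulp-server, 1.0.0)

require {
    type httpd_t;
    type rpm_var_lib_t;
    type var_lib_t;
}

dontaudit httpd_t rpm_var_lib_t:dir { getattr search open };
dontaudit httpd_t var_lib_t:dir search;
EOF
}

main() {
    before=$(mktemp) && after=$(mktemp) || exit 2
    write_sample_te "$before"
    strip_dontaudit "$before" "$after"

    echo "== source before fix =="
    find_dontaudit_in_te "$before" httpd_t rpm_var_lib_t dir || echo "(no matching dontaudit rule)"
    echo "== source after fix =="
    find_dontaudit_in_te "$after" httpd_t rpm_var_lib_t dir || echo "(no matching dontaudit rule)"
    echo "== installed policy =="
    find_dontaudit_installed httpd_t rpm_var_lib_t dir || echo "(absent, or sesearch unavailable: exit $?)"

    rm -f "$before" "$after"
}

main "$@"
```

The sesearch query is the test worth keeping after the PR lands: it inspects the policy actually loaded in the kernel, so it also catches a stale module left behind by an upgrade. One caveat: if someone has run `semodule -DB` to disable dontaudit rules for debugging, the loaded policy contains none and sesearch shows nothing regardless of what the module source says; run `semodule -B` to rebuild with them before trusting a negative result.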
Removes dontaudit rules from pulp-server SELinux policy
closes #564