Hey everyone,
I wonder if I could copy an SELinux subject (processes / httpd) to a
locally named one, so that it gets the same configuration as the source,
e.g.:
httpd_exec_t -> httpd_microservice_exec_t
The problem here: some HTTP microservices written in Go get the
same label as Apache httpd (this is intentional, for having a confined
service):
# ls -laZ /usr/libexec/myservice
-rwxr-xr-x. 1 root root system_u:object_r:httpd_exec_t:s0 5168952 22. Jul 17:11 /usr/libexec/myservice
Unfortunately, these web services need access to /proc (e.g. for
enumerating the listen backlog via /proc/sys/net/core/somaxconn).
Instead of installing a module that allows this for all of "httpd_t":
allow httpd_t sysctl_net_t:file read;
I would like to have a custom configuration that's a duplicate of the
httpd_t one. The module would then only allow read access for
applications that really need it.
Is that possible? Is there any other straightforward approach?
--
Thanks
Leon
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos