parent
3065d861b7
commit
3fb9e77377
@ -0,0 +1,27 @@
commit 3bde240a2acc85e63e2f7813330713dd9b59386e
Author: Nathan Scott <nathans@redhat.com>
Date: Wed Mar 27 14:51:28 2024 +1100
pmproxy: disable Redis protocol proxying by default
If a redis-server has been locked down in terms of connections,
we want to prevent pmproxy from being allowed to send arbitrary
RESP commands to it.
This protocol proxying doesn't affect PCP functionality at all,
its more of a developer/sysadmin convenience when Redis used in
cluster mode (relatively uncommon compared to localhost mode).
diff --git a/src/pmproxy/pmproxy.conf b/src/pmproxy/pmproxy.conf
index e54891792e..4cbc1c96af 100644
--- a/src/pmproxy/pmproxy.conf
+++ b/src/pmproxy/pmproxy.conf
@@ -29,7 +29,7 @@ pcp.enabled = true
http.enabled = true
# support Redis protocol proxying
-redis.enabled = true
+redis.enabled = false
# support SSL/TLS protocol wrapping
secure.enabled = true
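Review bot: The default flip at `+redis.enabled = false` leaves the adjacent `# support Redis protocol proxying` comment untouched, so an administrator reading pmproxy.conf gets no hint of why the option is now off or what turning it on exposes; the rationale lives only in the commit message carried inside this patch. Consider extending the comment to `# support Redis protocol proxying (off by default: lets pmproxy relay arbitrary RESP commands to redis-server; enable only where cluster-mode Redis requires it)`. The rest of pmproxy.conf is outside the hunk, so whether a matching note exists elsewhere in the file cannot be checked from here.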
@ -0,0 +1,74 @@
diff -Naurp pcp-5.3.7.orig/src/selinux/pcp.fc pcp-5.3.7/src/selinux/pcp.fc
--- pcp-5.3.7.orig/src/selinux/pcp.fc 2023-11-21 13:25:11.689247531 +1100
+++ pcp-5.3.7/src/selinux/pcp.fc 2023-11-21 14:12:48.080744232 +1100
@@ -1,36 +1,32 @@
-/etc/rc\.d/init\.d/pmcd -- gen_context(system_u:object_r:pcp_pmcd_initrc_exec_t,s0)
-/etc/rc\.d/init\.d/pmlogger -- gen_context(system_u:object_r:pcp_pmlogger_initrc_exec_t,s0)
-/etc/rc\.d/init\.d/pmproxy -- gen_context(system_u:object_r:pcp_pmproxy_initrc_exec_t,s0)
-/etc/rc\.d/init\.d/pmie -- gen_context(system_u:object_r:pcp_pmie_initrc_exec_t,s0)
-
/usr/bin/pmie -- gen_context(system_u:object_r:pcp_pmie_exec_t,s0)
-/usr/bin/pmcd -- gen_context(system_u:object_r:pcp_pmcd_exec_t,s0)
/usr/bin/pmlogger -- gen_context(system_u:object_r:pcp_pmlogger_exec_t,s0)
-/usr/bin/pmproxy -- gen_context(system_u:object_r:pcp_pmproxy_exec_t,s0)
-
/usr/libexec/pcp/bin/pmcd -- gen_context(system_u:object_r:pcp_pmcd_exec_t,s0)
-/usr/libexec/pcp/bin/pmlogger -- gen_context(system_u:object_r:pcp_pmlogger_exec_t,s0)
/usr/libexec/pcp/bin/pmproxy -- gen_context(system_u:object_r:pcp_pmproxy_exec_t,s0)
-/usr/libexec/pcp/bin/pmie -- gen_context(system_u:object_r:pcp_pmie_exec_t,s0)
+
+/usr/libexec/pcp/bin/pmie_check -- gen_context(system_u:object_r:pcp_pmie_exec_t,s0)
+/usr/libexec/pcp/bin/pmie_daily -- gen_context(system_u:object_r:pcp_pmie_exec_t,s0)
+/usr/libexec/pcp/bin/pmie_farm -- gen_context(system_u:object_r:pcp_pmie_exec_t,s0)
+/usr/libexec/pcp/bin/pmlogger_check -- gen_context(system_u:object_r:pcp_pmlogger_exec_t,s0)
+/usr/libexec/pcp/bin/pmlogger_daily -- gen_context(system_u:object_r:pcp_pmlogger_exec_t,s0)
+/usr/libexec/pcp/bin/pmlogger_farm -- gen_context(system_u:object_r:pcp_pmlogger_exec_t,s0)
/usr/libexec/pcp/lib/pmcd -- gen_context(system_u:object_r:pcp_pmcd_initrc_exec_t,s0)
/usr/libexec/pcp/lib/pmlogger -- gen_context(system_u:object_r:pcp_pmlogger_initrc_exec_t,s0)
/usr/libexec/pcp/lib/pmproxy -- gen_context(system_u:object_r:pcp_pmproxy_initrc_exec_t,s0)
/usr/libexec/pcp/lib/pmie -- gen_context(system_u:object_r:pcp_pmie_initrc_exec_t,s0)
-/usr/share/pcp/lib/pmie -- gen_context(system_u:object_r:pcp_pmie_exec_t,s0)
-
-/usr/share/pcp/lib/pmlogger -- gen_context(system_u:object_r:pcp_pmlogger_exec_t,s0)
+/usr/share/pcp/lib/pmcd -- gen_context(system_u:object_r:pcp_pmcd_exec_t,s0)
+/usr/share/pcp/lib/pmproxy -- gen_context(system_u:object_r:pcp_pmproxy_exec_t,s0)
+/usr/share/pcp/lib/pmie -- gen_context(system_u:object_r:pcp_pmie_exec_t,s0)
+/usr/share/pcp/lib/pmlogger -- gen_context(system_u:object_r:pcp_pmlogger_exec_t,s0)
/var/lib/pcp(/.*)? gen_context(system_u:object_r:pcp_var_lib_t,s0)
/var/lib/pcp/pmdas/.*/Install -- gen_context(system_u:object_r:pcp_plugin_exec_t,s0)
-/var/lib/pcp/pmdas/.*/Remove -- gen_context(system_u:object_r:pcp_plugin_exec_t,s0)
+/var/lib/pcp/pmdas/.*/Remove -- gen_context(system_u:object_r:pcp_plugin_exec_t,s0)
/var/lib/pcp/pmdas/.*/Upgrade -- gen_context(system_u:object_r:pcp_plugin_exec_t,s0)
/var/log/pcp(/.*)? gen_context(system_u:object_r:pcp_log_t,s0)
/var/run/pcp(/.*)? gen_context(system_u:object_r:pcp_var_run_t,s0)
-/var/run/pmcd\.socket -- gen_context(system_u:object_r:pcp_var_run_t,s0)
-/var/run/pmlogger\.primary\.socket -l gen_context(system_u:object_r:pcp_var_run_t,s0)
diff -Naurp pcp-5.3.7.orig/src/selinux/pcp.te pcp-5.3.7/src/selinux/pcp.te
--- pcp-5.3.7.orig/src/selinux/pcp.te 2023-11-21 13:25:11.690247528 +1100
+++ pcp-5.3.7/src/selinux/pcp.te 2023-11-21 14:13:03.855770809 +1100
@@ -279,6 +279,7 @@ allow pcp_pmlogger_t pcp_pmcd_t:unix_str
allow pcp_pmlogger_t self:unix_dgram_socket create_socket_perms;
allow pcp_pmlogger_t pcp_pmlogger_exec_t:file execute_no_trans;
+allow pcp_pmlogger_t ldconfig_exec_t:file { execute execute_no_trans };
dontaudit pcp_pmlogger_t self:cap_userns { sys_ptrace };
@@ -313,6 +314,10 @@ optional_policy(`
rpm_script_signal(pcp_pmlogger_t)
')
+optional_policy(`
+ userdom_setattr_user_home_content_files(pcp_pmlogger_t)
+')
+
########################################
#
# pcp_plugin local policy
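Review bot: `+allow pcp_pmlogger_t ldconfig_exec_t:file { execute execute_no_trans };` in the first pcp.te hunk lets pmlogger run the ldconfig binary inside its own domain instead of through a domain transition, and nothing in the patch records which pmlogger code path needs this or why `execute_no_trans` rather than a transition is the intended shape. A one-line policy comment above it, for example `# <pmlogger helper that runs ldconfig> executes it in-domain, no transition`, with the real caller filled in (the invoking script is not visible here), would make the grant auditable. The same applies to the unexplained `userdom_setattr_user_home_content_files(pcp_pmlogger_t)` block added in the second pcp.te hunk, which widens pmlogger's reach into user home content. In the pcp.fc hunk the `/var/run/pmcd\.socket` and `/var/run/pmlogger\.primary\.socket` entries are dropped with no replacement in view; if those sockets still exist outside `/var/run/pcp` in 5.3.7 they would no longer receive `pcp_var_run_t`, so worth confirming against the actual socket paths.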
|