fedora-selinux / selinux-policy

selinux-policy for Fedora is a large patch off the mainline
GNU General Public License v2.0

Mark /etc/redis.conf as redis_conf_t #1961

Closed. goganchic closed this 10 months ago

goganchic commented 11 months ago

Redis requires permissions to modify /etc/redis.conf in order to perform failover, so it should be marked as redis_conf_t. Now only /etc/redis-sentinel.conf and /etc/redis/* are marked as redis_conf_t.

zpytela commented 11 months ago

@goganchic Is this a recent change? I can see only files in /etc/redis.

goganchic commented 11 months ago

@zpytela it was always here. I'd checked Oracle Linux 8 (Redis 5, Redis 6), Rocky 8 (Redis 5, Redis 6), and even CentOS 7 (Redis 3.2): all rpm packages have the /etc/redis.conf config file.

When Redis works with Redis Sentinel and a switchover occurs, the Redis process tries to change the config file, but it has no permissions to do so:

14272:M 08 Dec 2023 17:31:19.267 # Connection with replica x.x.x.x:6379 lost.
14272:S 08 Dec 2023 17:32:51.869 * Before turning into a replica, using my own master parameters to synthesize a cached master: I may be able to synchronize with the new master with just a partial transfer.
14272:S 08 Dec 2023 17:32:51.869 * Connecting to MASTER x.x.x.x:6379
14272:S 08 Dec 2023 17:32:51.869 * MASTER <-> REPLICA sync started
14272:S 08 Dec 2023 17:32:51.869 * REPLICAOF x.x.x.x:6379 enabled (user request from 'id=101 addr=x.x.x.x:59133 laddr=x.x.x.x:6379 fd=95 name=sentinel-5e753afd-cmd age=92 idle=0 flags=x db=0 sub=0 psub=0 multi=4 qbuf=200 qbuf-free=40754 argv-mem=4 obl=45 oll=0 omem=0 tot-mem=61468 events=r cmd=exec user=default redir=-1')
14272:S 08 Dec 2023 17:32:51.870 # CONFIG REWRITE failed: Permission denied
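
The failure above is the redis_t process being refused write access to a file that still carries the generic etc_t label. The script below is an added example, not code from the issue or from selinux-policy: it reads `stat -c '%C %n'` style lines (a constructed sample is embedded so it runs anywhere), reports which Redis config files lack redis_conf_t, and prints the local remediation (a `semanage fcontext` rule plus `restorecon`, so the label survives the next relabel). The `--live` flag, the function names and the `.fc` line quoted in the final comment are assumptions of this example, not part of the project.

```shell
#!/bin/sh
# Added example, not part of the issue or of selinux-policy: find Redis
# config files that are missing the redis_conf_t label and show the fix.

# Type field of a full context, e.g. "system_u:object_r:etc_t:s0" -> "etc_t".
context_type() {
    rest=${1#*:}                  # drop the SELinux user
    rest=${rest#*:}               # drop the role
    printf '%s\n' "${rest%%:*}"   # keep the type, drop the MLS range
}

# Read "<context> <path>" lines (the format `stat -c '%C %n'` prints) on stdin
# and print every path whose type is not redis_conf_t.
find_mislabelled() {
    while read -r ctx path; do
        [ "$(context_type "$ctx")" = redis_conf_t ] || printf '%s\n' "$path"
    done
}

# Remediation for one path: a persistent local file-context rule plus a
# relabel. Without the semanage rule, the next restorecon would revert it.
remediation_for() {
    # Escape the dot so the file-context regex matches only this file.
    regex=$(printf '%s' "$1" | sed 's/\./\\./g')
    printf "semanage fcontext -a -t redis_conf_t '%s'\n" "$regex"
    printf 'restorecon -v %s\n' "$1"
}

# Constructed sample in stat's output format: redis.conf still carries the
# generic etc_t, while the sentinel file already has redis_conf_t.
SAMPLE='system_u:object_r:etc_t:s0 /etc/redis.conf
system_u:object_r:redis_conf_t:s0 /etc/redis-sentinel.conf'

# Live check on a host that actually has the files (silently empty elsewhere).
live_check() {
    for f in /etc/redis.conf /etc/redis-sentinel.conf; do
        if [ -e "$f" ]; then stat -c '%C %n' "$f"; fi
    done | find_mislabelled
}

if [ "${1:-}" = "--live" ]; then
    input=$(live_check)
else
    input=$(printf '%s\n' "$SAMPLE" | find_mislabelled)
fi
for p in $input; do
    echo "# $p is not redis_conf_t, so redis_t cannot CONFIG REWRITE it"
    remediation_for "$p"
done
# The matching denial can be confirmed with: ausearch -m AVC -c redis-server
# The upstream policy fix would be a file-context entry of the form (assumed
# from the .fc convention, not quoted from the project's PR):
#   /etc/redis\.conf  --  gen_context(system_u:object_r:redis_conf_t,s0)
```

Run it with no arguments to see the remediation printed for the constructed sample, or with `--live` as root on a Fedora or RHEL host to inspect the real labels.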

zpytela commented 11 months ago

So it's rather the other way round, it used to be in /etc and it is so in RHEL up to RHEL 8, but not in later releases, neither in Fedora. Why should it be in rawhide then?

goganchic commented 10 months ago

@zpytela I thought that this repo is some sort of upstream for RHEL. If I am mistaken, feel free to close this ticket.

zpytela commented 10 months ago

@zpytela I thought that this repo is some sort of upstream for RHEL. If I am mistaken, feel free to close this ticket.

It is. I am all the more surprised it is reported now, not years ago. I can create a PR to add the label.

zpytela commented 10 months ago

Resolved https://github.com/fedora-selinux/selinux-policy/pull/1980