From c6a292b9a5b1bc706b8eb22d18126dc46a77d3bd Mon Sep 17 00:00:00 2001
From: Dean Coakley
Date: Mon, 27 Nov 2023 12:23:31 +0000
Subject: [PATCH 1/2] Restrict config apply directory permissions (#519)

---
 src/core/environment.go | 4 ++--
 .../vendor/github.com/nginx/agent/v2/src/core/environment.go | 4 ++--
 .../vendor/github.com/nginx/agent/v2/src/core/environment.go | 4 ++--
 3 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/src/core/environment.go b/src/core/environment.go
index 528550b29..6c0f8bf89 100644
--- a/src/core/environment.go
+++ b/src/core/environment.go
@@ -286,8 +286,8 @@ func (env *EnvironmentType) WriteFile(backup ConfigApplyMarker, file *proto.File
 directory := filepath.Dir(fileFullPath)
 _, err := os.Stat(directory)
 if os.IsNotExist(err) {
- log.Debugf("Creating directory %s with permissions 755", directory)
- err = os.MkdirAll(directory, 0o755)
+ log.Debugf("Creating directory %s with permissions 750", directory)
+ err = os.MkdirAll(directory, 0o750)
 if err != nil {
 return err
 }
diff --git a/test/integration/vendor/github.com/nginx/agent/v2/src/core/environment.go b/test/integration/vendor/github.com/nginx/agent/v2/src/core/environment.go
index 528550b29..6c0f8bf89 100644
--- a/test/integration/vendor/github.com/nginx/agent/v2/src/core/environment.go
+++ b/test/integration/vendor/github.com/nginx/agent/v2/src/core/environment.go
@@ -286,8 +286,8 @@ func (env *EnvironmentType) WriteFile(backup ConfigApplyMarker, file *proto.File
 directory := filepath.Dir(fileFullPath)
 _, err := os.Stat(directory)
 if os.IsNotExist(err) {
- log.Debugf("Creating directory %s with permissions 755", directory)
- err = os.MkdirAll(directory, 0o755)
+ log.Debugf("Creating directory %s with permissions 750", directory)
+ err = os.MkdirAll(directory, 0o750)
 if err != nil {
 return err
 }
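Review bot: The tightened mode on `err = os.MkdirAll(directory, 0o750)` only affects directories this call creates; a config directory that already exists at 0o755 from an earlier release is left untouched because the preceding `os.IsNotExist(err)` check skips the branch, so the change does not retroactively restrict existing directories and the commit message should say so, or a follow-up should decide whether existing ones get re-moded. The mode is also applied before the process umask, so the text of `log.Debugf("Creating directory %s with permissions 750", directory)` reports the requested mode, not necessarily the effective one. Separately, a `Stat` error other than not-exist (for example a permission error) is silently ignored and control presumably continues to the file write below; since `os.MkdirAll` already does nothing for an existing directory, replacing the stat-and-branch with `if err := os.MkdirAll(directory, 0o750); err != nil { return err }` would close that gap and remove the check-then-create race in the same stroke. WriteFile begins before and continues after this hunk, and the two vendored copies under test/integration and test/performance carry the identical change.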
diff --git a/test/performance/vendor/github.com/nginx/agent/v2/src/core/environment.go b/test/performance/vendor/github.com/nginx/agent/v2/src/core/environment.go
index 528550b29..6c0f8bf89 100644
--- a/test/performance/vendor/github.com/nginx/agent/v2/src/core/environment.go
+++ b/test/performance/vendor/github.com/nginx/agent/v2/src/core/environment.go
@@ -286,8 +286,8 @@ func (env *EnvironmentType) WriteFile(backup ConfigApplyMarker, file *proto.File
 directory := filepath.Dir(fileFullPath)
 _, err := os.Stat(directory)
 if os.IsNotExist(err) {
- log.Debugf("Creating directory %s with permissions 755", directory)
- err = os.MkdirAll(directory, 0o755)
+ log.Debugf("Creating directory %s with permissions 750", directory)
+ err = os.MkdirAll(directory, 0o750)
 if err != nil {
 return err
 }
From 33712be420e65a52d045ba4df290c97841397ef4 Mon Sep 17 00:00:00 2001
From: aphralG <108004222+aphralG@users.noreply.github.com>
Date: Mon, 27 Nov 2023 13:38:45 +0000
Subject: [PATCH 2/2] update SELinux readme (#522)

---
 scripts/selinux/README.md | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)

diff --git a/scripts/selinux/README.md b/scripts/selinux/README.md
index 340a7c29a..ccd61bf52 100644
--- a/scripts/selinux/README.md
+++ b/scripts/selinux/README.md
@@ -72,6 +72,30 @@ Install the policy by following the steps here [Install NGINX Agent Policy](#ins
 Then create a PR with the changes made to the `nginx_agent.te` and `nginx_agent.pp` files.
 
 ## Troubleshooting
+### Updated Policy Not Working
+
+If after installing an updated policy the following command
+```
+ps -efZ | grep nginx-agent
+```
+shows nginx-agent is unconfined `system_u:system_r:unconfined_service_t`
+
+On a Centos 7 machine run the following command to generate a new policy
+```
+sepolicy generate --init /usr/bin/nginx-agent
+```
+
+Replace the `nginx_agent.te` file on the Centos 7 machine with the `scripts/selinux/nginx_agent.te` file
+
+Run the following command on the Centos 7 machine to build the new policy
+```
+sudo ./nginx_agent.sh
+```
+
+Make a PR with the changes to `nginx_agent.fc` `nginx_agent.if` `nginx_agent.pp` and `nginx_agent.te`
+
+**[NOTE: If you need to make additional changes to the policy, you will need to delete the generated files on the Centos 7 machine and repeat all the steps above again]**
+
 ### Policy version does not match
 If running the command
 ```