Adding changes for SELINUX (#8279)

* Adding changes for SELINUX Signed-off-by: Yashvi Jain <[email protected]> * Removing lines Signed-off-by: Yashvi Jain <[email protected]> * Adding root user Signed-off-by: Yashvi Jain <[email protected]> * Changes in cli Signed-off-by: Yashvi Jain <[email protected]> * Changes in cli Signed-off-by: Yashvi Jain <[email protected]> * Adding comment to plan.sh Signed-off-by: Yashvi Jain <[email protected]> * Change Signed-off-by: Yashvi Jain <[email protected]> * Adding only user Signed-off-by: Yashvi Jain <[email protected]> --------- Signed-off-by: Yashvi Jain <[email protected]> Co-authored-by: Yashvi Jain <[email protected]>
chef · Oct 27, 2023 · d6b6aab · d6b6aab
1 parent a43cfb0
commit d6b6aab
Show file tree

Hide file tree

Showing 3 changed files with 8 additions and 3 deletions.
diff --git a/components/compliance-service/firejail/secureexecprofile.profile b/components/compliance-service/firejail/secureexecprofile.profile
@@ -10,6 +10,7 @@ include disable-programs.inc    # user configuration for programs such as firefo
 ### If something goes wrong, this section is the first one to comment out.
 ### Instead, you'll have to relay on the basic blacklisting above.
 #private
+blacklist /root 
 blacklist /hab/cache
 blacklist /hab/etc
 blacklist /hab/svc
@@ -58,6 +59,7 @@ blacklist /hab/pkgs/chef/pg-sidecar-service
 blacklist /hab/pkgs/chef/user-settings-service
 read-only /hab/pkgs/chef/inspec
 
+
 ### Filesystem Whitelisting ###
 include whitelist-run-common.inc
 include whitelist-runuser-common.inc

diff --git a/components/compliance-service/firejail/secureprofile.profile b/components/compliance-service/firejail/secureprofile.profile
@@ -9,7 +9,8 @@ include disable-programs.inc    # user configuration for programs such as firefo
 ### Home Directory Whitelisting ###
 ### If something goes wrong, this section is the first one to comment out.
 ### Instead, you'll have to relay on the basic blacklisting above.
-#private 
+#private
+blacklist /root 
 blacklist /hab/cache
 blacklist /hab/etc
 blacklist /hab/svc
@@ -73,6 +74,7 @@ netfilter
 #nogroups       # disable supplementary user groups
 #noinput        # disable input devices
 nonewprivs
+
 noroot
 #notv   # disable DVB TV devices
 #nou2f  # disable U2F devices

diff --git a/components/compliance-service/habitat/plan.sh b/components/compliance-service/habitat/plan.sh
@@ -30,7 +30,8 @@ pkg_binds_optional=(
   [authn-service]="port"
   [notifications-service]="port"
 )
-
+#Adding it to use compliance with firejail
+pkg_svc_user=root
 inspec_release="chef/inspec/4.56.22/20220517052126"
 pkg_deps=(
   core/coreutils
@@ -87,7 +88,6 @@ do_install() {
   chown root: "${pkg_prefix}/bin/inspec_runner"
   chmod u+s "${pkg_prefix}/bin/inspec_runner"
 
-
   mkdir -p "${pkg_prefix}/data/firejail"
 
   cp -r firejail/* "${pkg_prefix}/data/firejail"
@@ -102,3 +102,4 @@ do_strip() {
   fi
 }
 
+