Ccs patch from Dan Walsh.

2010-02-16 11:28:08 -05:00 · 2010-02-16 11:28:08 -05:00 · 3fb2b72c65
commit 3fb2b72c65
parent 0ab2c1eae9
2 changed files with 20 additions and 20 deletions
--- a/policy/modules/services/ccs.fc
+++ b/policy/modules/services/ccs.fc
@ -2,9 +2,5 @@
 /sbin/ccsd		--	gen_context(system_u:object_r:ccs_exec_t,s0)
-/usr/sbin/aisexec 	--	gen_context(system_u:object_r:ccs_exec_t,s0)
+/var/run/cluster/ccsd\.pid --	gen_context(system_u:object_r:ccs_var_run_t,s0)
-
+/var/run/cluster/ccsd\.sock -s	gen_context(system_u:object_r:ccs_var_run_t,s0)
 /var/lib/openais(/.*)?		gen_context(system_u:object_r:ccs_var_lib_t,s0)
 /var/run/cluster(/.*)?		gen_context(system_u:object_r:ccs_var_run_t,s0)
 /var/run/cman_.*	-s	gen_context(system_u:object_r:ccs_var_run_t,s0)
--- a/policy/modules/services/ccs.te
+++ b/policy/modules/services/ccs.te
@ -1,5 +1,5 @@
-policy_module(ccs, 1.4.0)
+policy_module(ccs, 1.4.1)
 ########################################
 #
@ -10,23 +10,21 @@ type ccs_t;
 type ccs_exec_t;
 init_daemon_domain(ccs_t, ccs_exec_t)
 # conf files
 type cluster_conf_t;
 files_type(cluster_conf_t)
 # tmp files
 type ccs_tmp_t;
 files_tmp_file(ccs_tmp_t)
-# log files
+type ccs_tmpfs_t;
-type ccs_var_log_t;
+files_tmpfs_file(ccs_tmpfs_t)
 logging_log_file(ccs_var_log_t)
 # var lib files
 type ccs_var_lib_t;
 logging_log_file(ccs_var_lib_t)
-# pid files
+type ccs_var_log_t;
 logging_log_file(ccs_var_log_t)
 type ccs_var_run_t;
 files_pid_file(ccs_var_run_t)
@ -35,7 +33,7 @@ files_pid_file(ccs_var_run_t)
 # ccs local policy
 #
-allow ccs_t self:capability { ipc_lock sys_nice sys_resource sys_admin };
+allow ccs_t self:capability { ipc_owner ipc_lock sys_nice sys_resource sys_admin };
 allow ccs_t self:process { signal setrlimit setsched };
 dontaudit ccs_t self:process ptrace;
 allow ccs_t self:fifo_file rw_fifo_file_perms;
@ -55,17 +53,20 @@ manage_dirs_pattern(ccs_t, ccs_tmp_t, ccs_tmp_t)
 manage_files_pattern(ccs_t, ccs_tmp_t, ccs_tmp_t)
 files_tmp_filetrans(ccs_t, ccs_tmp_t, { file dir })
-# log files
+manage_dirs_pattern(ccs_t, ccs_tmpfs_t, ccs_tmpfs_t)
-manage_files_pattern(ccs_t, ccs_var_log_t, ccs_var_log_t)
+manage_files_pattern(ccs_t, ccs_tmpfs_t, ccs_tmpfs_t)
-manage_sock_files_pattern(ccs_t, ccs_var_log_t, ccs_var_log_t)
+fs_tmpfs_filetrans(ccs_t, ccs_tmpfs_t, { dir file })
 allow ccs_t ccs_var_log_t:dir setattr;
 logging_log_filetrans(ccs_t, ccs_var_log_t, { sock_file file dir })
 # var lib files
 manage_dirs_pattern(ccs_t, ccs_var_lib_t, ccs_var_lib_t)
 manage_files_pattern(ccs_t, ccs_var_lib_t, ccs_var_lib_t)
 files_var_lib_filetrans(ccs_t, ccs_var_lib_t, { file dir })
 allow ccs_t ccs_var_log_t:dir setattr;
 manage_files_pattern(ccs_t, ccs_var_log_t, ccs_var_log_t)
 manage_sock_files_pattern(ccs_t, ccs_var_log_t, ccs_var_log_t)
 logging_log_filetrans(ccs_t, ccs_var_log_t, { sock_file file dir })
 # pid file
 manage_dirs_pattern(ccs_t, ccs_var_run_t, ccs_var_run_t)
 manage_files_pattern(ccs_t, ccs_var_run_t, ccs_var_run_t)
@ -104,6 +105,9 @@ miscfiles_read_localization(ccs_t)
 sysnet_dns_name_resolve(ccs_t)
 userdom_manage_unpriv_user_shared_mem(ccs_t)
 userdom_manage_unpriv_user_semaphores(ccs_t)
 ifdef(`hide_broken_symptoms', `
 	corecmd_dontaudit_write_bin_dirs(ccs_t)
 	files_manage_isid_type_files(ccs_t)