- Add policy for grindengine MPI jobs

2012-02-07 18:18:07 +01:00 · 2012-02-07 18:18:07 +01:00 · 81894dfe50
commit 81894dfe50
parent 618ef7160b
3 changed files with 267 additions and 34 deletions
--- a/modules-targeted.conf
+++ b/modules-targeted.conf
@ -2480,3 +2480,10 @@ cloudform = module
 #  policy for obex-data-server 
 #
 obex = module
 # Layer: services
 # Module: sge
 # 
 #  policy for grindengine MPI jobs
 #
 sge = module
--- a/policy-F16.patch
+++ b/policy-F16.patch
@ -2148,10 +2148,10 @@ index 0000000..bd83148
 +## <summary>No Interfaces</summary>
 diff --git a/policy/modules/admin/permissivedomains.te b/policy/modules/admin/permissivedomains.te
 new file mode 100644
-index 0000000..14d8b32
+index 0000000..75c0f07
 --- /dev/null
 +++ b/policy/modules/admin/permissivedomains.te
-@@ -0,0 +1,44 @@
+@@ -0,0 +1,57 @@
 +policy_module(permissivedomains,17)
 +
 +
@ -2196,6 +2196,19 @@ index 0000000..14d8b32
 +
 +    permissive obex_t;
 +')
 +
 +optional_policy(`
 +    gen_require(`
 +        type sge_shepherd_t;
 +		type sge_execd_t;
 +		type sge_job_t;
 +    ')
 +
 +	permissive sge_shepherd_t;
 +	permissive sge_execd_t;
 +	permissive sge_job_t;
 +
 +')
 diff --git a/policy/modules/admin/portage.fc b/policy/modules/admin/portage.fc
 index db46387..b665b08 100644
 --- a/policy/modules/admin/portage.fc
@ -62067,6 +62080,198 @@ index 086cd5f..6e66656 100644
 optional_policy(`
 	rpm_signull(setroubleshoot_fixit_t)
 	rpm_read_db(setroubleshoot_fixit_t)
 diff --git a/policy/modules/services/sge.fc b/policy/modules/services/sge.fc
 new file mode 100644
 index 0000000..160ddc2
 --- /dev/null
 +++ b/policy/modules/services/sge.fc
@@ -0,0 +1,6 @@
 +
 +/usr/bin/sge_execd	--	gen_context(system_u:object_r:sge_execd_exec_t,s0)
 +/usr/bin/sge_shepherd  --  gen_context(system_u:object_r:sge_shepherd_exec_t,s0)
 +
 +/var/spool/gridengine(/.*)?       gen_context(system_u:object_r:sge_spool_t,s0)
 +
 diff --git a/policy/modules/services/sge.if b/policy/modules/services/sge.if
 new file mode 100644
 index 0000000..839f1b3
 --- /dev/null
 +++ b/policy/modules/services/sge.if
@@ -0,0 +1,2 @@
 +## <summary>Policy for gridengine MPI jobs</summary>
 +
 diff --git a/policy/modules/services/sge.te b/policy/modules/services/sge.te
 new file mode 100644
 index 0000000..3a28b77
 --- /dev/null
 +++ b/policy/modules/services/sge.te
@@ -0,0 +1,166 @@
 +policy_module(sge, 1.0.0)
 +
 +########################################
 +#
 +# Declarations
 +#
 +
 +## <desc>
 +## <p>
 +## Allow sge to access nfs file systems.
 +## </p>
 +## </desc>
 +gen_tunable(sge_use_nfs, false)
 +
 +attribute sge_domain;
 +
 +type sge_execd_t, sge_domain;
 +type sge_execd_exec_t;
 +init_daemon_domain(sge_execd_t, sge_execd_exec_t)
 +
 +type sge_spool_t;
 +files_type(sge_spool_t)
 +
 +type sge_tmp_t;
 +files_tmp_file(sge_tmp_t)
 +
 +type sge_shepherd_t, sge_domain;
 +type sge_shepherd_exec_t;
 +application_domain(sge_shepherd_t, sge_shepherd_exec_t)
 +role system_r types sge_shepherd_t;
 +
 +type sge_job_t, sge_domain;
 +type sge_job_exec_t;
 +application_domain(sge_job_t, sge_job_exec_t)
 +corecmd_shell_entry_type(sge_job_t)
 +role system_r types sge_job_t;
 +
 +#######################################
 +#
 +# sge_execd local policy
 +#
 +
 +allow sge_execd_t self:capability { dac_override setuid chown setgid };
 +allow sge_execd_t self:process { setsched signal setpgid };
 +
 +allow sge_execd_t sge_shepherd_t:process signal;
 +
 +kernel_read_kernel_sysctls(sge_execd_t)
 +
 +dev_read_sysfs(sge_execd_t)
 +
 +files_exec_usr_files(sge_execd_t)
 +files_search_spool(sge_execd_t)
 +
 +init_read_utmp(sge_execd_t)
 +
 +######################################
 +#
 +# sge_shepherd local policy
 +#
 +
 +allow sge_shepherd_t self:capability { setuid sys_nice chown kill setgid dac_override };
 +allow sge_shepherd_t self:process signal_perms;
 +
 +domtrans_pattern(sge_execd_t, sge_shepherd_exec_t, sge_shepherd_t)
 +
 +kernel_read_sysctl(sge_shepherd_t)
 +kernel_read_kernel_sysctls(sge_shepherd_t)
 +
 +dev_read_sysfs(sge_shepherd_t)
 +
 +fs_getattr_all_fs(sge_shepherd_t)
 +
 +optional_policy(`
 +	mta_send_mail(sge_shepherd_t)
 +')
 +
 +#####################################
 +#
 +# sge_job local policy
 +#
 +
 +allow sge_shepherd_t sge_job_t:process signal_perms;
 +
 +corecmd_shell_domtrans(sge_shepherd_t, sge_job_t)
 +
 +kernel_read_kernel_sysctls(sge_job_t)
 +
 +term_use_all_terms(sge_job_t)
 +
 +optional_policy(`
 +	ssh_basic_client_template(sge_job, sge_job_t, system_r)
 +	ssh_domtrans(sge_job_t)
 +
 +	allow sge_job_t sge_job_ssh_t:process sigkill;
 +
 +	xserver_exec_xauth(sge_job_ssh_t)
 +
 +        tunable_policy(`sge_use_nfs',`
 +            fs_list_auto_mountpoints(sge_job_ssh_t)
 +            fs_manage_nfs_dirs(sge_job_ssh_t)
 +            fs_manage_nfs_files(sge_job_ssh_t)
 +            fs_read_nfs_symlinks(sge_job_ssh_t)
 +        ')
 +	')
 +
 +optional_policy(`
 +	xserver_domtrans_xauth(sge_job_t)
 +')
 +
 +optional_policy(`
 +	unconfined_domain(sge_job_t)
 +')
 +
 +#####################################
 +#
 +# sge_domain local policy
 +#
 +
 +allow sge_domain self:fifo_file rw_fifo_file_perms;
 +allow sge_domain self:tcp_socket create_stream_socket_perms;
 +
 +manage_dirs_pattern(sge_domain, sge_spool_t, sge_spool_t)
 +manage_files_pattern(sge_domain, sge_spool_t, sge_spool_t)
 +manage_lnk_files_pattern(sge_domain, sge_spool_t, sge_spool_t)
 +
 +manage_files_pattern(sge_domain, sge_tmp_t, sge_tmp_t)
 +manage_dirs_pattern(sge_domain, sge_tmp_t, sge_tmp_t)
 +files_tmp_filetrans(sge_domain, sge_tmp_t, { file dir })
 +
 +kernel_read_network_state(sge_domain)
 +kernel_read_system_state(sge_domain)
 +
 +corecmd_exec_bin(sge_domain)
 +corecmd_exec_shell(sge_domain)
 +
 +domain_read_all_domains_state(sge_domain)
 +
 +files_read_etc_files(sge_domain)
 +files_read_usr_files(sge_domain)
 +
 +dev_read_urand(sge_domain)
 +
 +logging_send_syslog_msg(sge_domain)
 +
 +miscfiles_read_localization(sge_domain)
 +
 +tunable_policy(`sge_use_nfs',`
 +    fs_list_auto_mountpoints(sge_domain)
 +	fs_manage_nfs_dirs(sge_domain)
 +	fs_manage_nfs_files(sge_domain)
 +	fs_read_nfs_symlinks(sge_domain)
 +	fs_exec_nfs_files(sge_domain)
 +')
 +
 +optional_policy(`
 +	sysnet_dns_name_resolve(sge_domain)
 +')
 +
 +optional_policy(`
 +    hostname_exec(sge_domain)
 +')
 +
 +optional_policy(`
 +	nslcd_stream_connect(sge_domain)
 +')
 diff --git a/policy/modules/services/slrnpull.te b/policy/modules/services/slrnpull.te
 index e5e72fd..92eecec 100644
 --- a/policy/modules/services/slrnpull.te
@ -68104,7 +68309,7 @@ index 4966c94..cb2e1a3 100644
 +/var/lib/pqsql/\.Xauthority.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
 +
 diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
-index 130ced9..51e7627 100644
+index 130ced9..86143cf 100644
 --- a/policy/modules/services/xserver.if
 +++ b/policy/modules/services/xserver.if
@@ -19,9 +19,10 @@
@ -68404,10 +68609,30 @@ index 130ced9..51e7627 100644
 	# Manipulate the global font cache
 	manage_dirs_pattern($1, user_fonts_cache_t, user_fonts_cache_t)
-@@ -549,6 +606,24 @@ interface(`xserver_domtrans_xauth',`
+@@ -547,6 +604,42 @@ interface(`xserver_domtrans_xauth',`
 	domtrans_pattern($1, xauth_exec_t, xauth_t)
 ')
- ########################################
+######################################
- ## <summary>
+## <summary>
 +##  Allow exec of Xauthority program..
 +## </summary>
 +## <param name="domain">
 +##  <summary>
 +##  Domain allowed to transition.
 +##  </summary>
 +## </param>
 +#
 +interface(`xserver_exec_xauth',`
 +	gen_require(`
 +		type xauth_t, xauth_exec_t;
 +	')
 +
 +	can_exec($1, xauth_exec_t)
 +')
 +
 +########################################
 +## <summary>
 +##	Dontaudit exec of Xauthority program.
 +## </summary>
 +## <param name="domain">
@ -68424,12 +68649,10 @@ index 130ced9..51e7627 100644
 +	dontaudit $1 xauth_exec_t:file execute;
 +')
 +
-+########################################
+ ########################################
-+## <summary>
+ ## <summary>
 ##	Create a Xauthority file in the user home directory.
- ## </summary>
+@@ -598,6 +691,7 @@ interface(`xserver_read_user_xauth',`
 ## <param name="domain">
@@ -598,6 +673,7 @@ interface(`xserver_read_user_xauth',`
 	allow $1 xauth_home_t:file read_file_perms;
 	userdom_search_user_home_dirs($1)
@ -68437,7 +68660,7 @@ index 130ced9..51e7627 100644
 ')
 ########################################
-@@ -615,7 +691,7 @@ interface(`xserver_setattr_console_pipes',`
+@@ -615,7 +709,7 @@ interface(`xserver_setattr_console_pipes',`
 		type xconsole_device_t;
 	')
@ -68446,7 +68669,7 @@ index 130ced9..51e7627 100644
 ')
 ########################################
-@@ -638,6 +714,25 @@ interface(`xserver_rw_console',`
+@@ -638,6 +732,25 @@ interface(`xserver_rw_console',`
 ########################################
 ## <summary>
@ -68472,7 +68695,7 @@ index 130ced9..51e7627 100644
 ##	Use file descriptors for xdm.
 ## </summary>
 ## <param name="domain">
-@@ -651,7 +746,7 @@ interface(`xserver_use_xdm_fds',`
+@@ -651,7 +764,7 @@ interface(`xserver_use_xdm_fds',`
 		type xdm_t;
 	')
@ -68481,7 +68704,7 @@ index 130ced9..51e7627 100644
 ')
 ########################################
-@@ -670,7 +765,7 @@ interface(`xserver_dontaudit_use_xdm_fds',`
+@@ -670,7 +783,7 @@ interface(`xserver_dontaudit_use_xdm_fds',`
 		type xdm_t;
 	')
@ -68490,7 +68713,7 @@ index 130ced9..51e7627 100644
 ')
 ########################################
-@@ -688,7 +783,7 @@ interface(`xserver_rw_xdm_pipes',`
+@@ -688,7 +801,7 @@ interface(`xserver_rw_xdm_pipes',`
 		type xdm_t;
 	')
@ -68499,7 +68722,7 @@ index 130ced9..51e7627 100644
 ')
 ########################################
-@@ -703,12 +798,11 @@ interface(`xserver_rw_xdm_pipes',`
+@@ -703,12 +816,11 @@ interface(`xserver_rw_xdm_pipes',`
 ## </param>
 #
 interface(`xserver_dontaudit_rw_xdm_pipes',`
@ -68513,7 +68736,7 @@ index 130ced9..51e7627 100644
 ')
 ########################################
-@@ -724,11 +818,31 @@ interface(`xserver_dontaudit_rw_xdm_pipes',`
+@@ -724,11 +836,31 @@ interface(`xserver_dontaudit_rw_xdm_pipes',`
 #
 interface(`xserver_stream_connect_xdm',`
 	gen_require(`
@ -68547,7 +68770,7 @@ index 130ced9..51e7627 100644
 ')
 ########################################
-@@ -752,6 +866,25 @@ interface(`xserver_read_xdm_rw_config',`
+@@ -752,6 +884,25 @@ interface(`xserver_read_xdm_rw_config',`
 ########################################
 ## <summary>
@ -68573,7 +68796,7 @@ index 130ced9..51e7627 100644
 ##	Set the attributes of XDM temporary directories.
 ## </summary>
 ## <param name="domain">
-@@ -765,7 +898,7 @@ interface(`xserver_setattr_xdm_tmp_dirs',`
+@@ -765,7 +916,7 @@ interface(`xserver_setattr_xdm_tmp_dirs',`
 		type xdm_tmp_t;
 	')
@ -68582,7 +68805,7 @@ index 130ced9..51e7627 100644
 ')
 ########################################
-@@ -805,7 +938,26 @@ interface(`xserver_read_xdm_pid',`
+@@ -805,7 +956,26 @@ interface(`xserver_read_xdm_pid',`
 	')
 	files_search_pids($1)
@ -68610,7 +68833,7 @@ index 130ced9..51e7627 100644
 ')
 ########################################
-@@ -828,6 +980,24 @@ interface(`xserver_read_xdm_lib_files',`
+@@ -828,6 +998,24 @@ interface(`xserver_read_xdm_lib_files',`
 ########################################
 ## <summary>
@ -68635,7 +68858,7 @@ index 130ced9..51e7627 100644
 ##	Make an X session script an entrypoint for the specified domain.
 ## </summary>
 ## <param name="domain">
-@@ -897,7 +1067,7 @@ interface(`xserver_getattr_log',`
+@@ -897,7 +1085,7 @@ interface(`xserver_getattr_log',`
 	')
 	logging_search_logs($1)
@ -68644,7 +68867,7 @@ index 130ced9..51e7627 100644
 ')
 ########################################
-@@ -916,7 +1086,7 @@ interface(`xserver_dontaudit_write_log',`
+@@ -916,7 +1104,7 @@ interface(`xserver_dontaudit_write_log',`
 		type xserver_log_t;
 	')
@ -68653,7 +68876,7 @@ index 130ced9..51e7627 100644
 ')
 ########################################
-@@ -963,6 +1133,45 @@ interface(`xserver_read_xkb_libs',`
+@@ -963,6 +1151,45 @@ interface(`xserver_read_xkb_libs',`
 ########################################
 ## <summary>
@ -68699,7 +68922,7 @@ index 130ced9..51e7627 100644
 ##	Read xdm temporary files.
 ## </summary>
 ## <param name="domain">
-@@ -976,7 +1185,7 @@ interface(`xserver_read_xdm_tmp_files',`
+@@ -976,7 +1203,7 @@ interface(`xserver_read_xdm_tmp_files',`
 		type xdm_tmp_t;
 	')
@ -68708,7 +68931,7 @@ index 130ced9..51e7627 100644
 	read_files_pattern($1, xdm_tmp_t, xdm_tmp_t)
 ')
-@@ -1038,6 +1247,42 @@ interface(`xserver_manage_xdm_tmp_files',`
+@@ -1038,6 +1265,42 @@ interface(`xserver_manage_xdm_tmp_files',`
 ########################################
 ## <summary>
@ -68751,7 +68974,7 @@ index 130ced9..51e7627 100644
 ##	Do not audit attempts to get the attributes of
 ##	xdm temporary named sockets.
 ## </summary>
-@@ -1052,7 +1297,7 @@ interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',`
+@@ -1052,7 +1315,7 @@ interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',`
 		type xdm_tmp_t;
 	')
@ -68760,7 +68983,7 @@ index 130ced9..51e7627 100644
 ')
 ########################################
-@@ -1070,8 +1315,10 @@ interface(`xserver_domtrans',`
+@@ -1070,8 +1333,10 @@ interface(`xserver_domtrans',`
 		type xserver_t, xserver_exec_t;
 	')
@ -68772,7 +68995,7 @@ index 130ced9..51e7627 100644
 ')
 ########################################
-@@ -1185,6 +1432,26 @@ interface(`xserver_stream_connect',`
+@@ -1185,6 +1450,26 @@ interface(`xserver_stream_connect',`
 	files_search_tmp($1)
 	stream_connect_pattern($1, xserver_tmp_t, xserver_tmp_t, xserver_t)
@ -68799,7 +69022,7 @@ index 130ced9..51e7627 100644
 ')
 ########################################
-@@ -1210,7 +1477,7 @@ interface(`xserver_read_tmp_files',`
+@@ -1210,7 +1495,7 @@ interface(`xserver_read_tmp_files',`
 ## <summary>
 ##	Interface to provide X object permissions on a given X server to
 ##	an X client domain.  Gives the domain permission to read the
@ -68808,7 +69031,7 @@ index 130ced9..51e7627 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -1220,13 +1487,23 @@ interface(`xserver_read_tmp_files',`
+@@ -1220,13 +1505,23 @@ interface(`xserver_read_tmp_files',`
 #
 interface(`xserver_manage_core_devices',`
 	gen_require(`
@ -68833,7 +69056,7 @@ index 130ced9..51e7627 100644
 ')
 ########################################
-@@ -1243,10 +1520,462 @@ interface(`xserver_manage_core_devices',`
+@@ -1243,10 +1538,462 @@ interface(`xserver_manage_core_devices',`
 #
 interface(`xserver_unconfined',`
 	gen_require(`
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.10.0
-Release: 83%{?dist}
+Release: 84%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -483,6 +483,9 @@ SELinux Reference policy mls base module.
 %endif
 %changelog
 * Tue Feb 7 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-84
 - Add policy for grindengine MPI jobs
 * Mon Feb 6 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-83
 - Add new sysadm_secadm.pp module
 	* contains secadm definition for sysadm_t