Add policies for nova openstack
parent
4dba2eb895
commit
a56e13e7b8
675
policy-F16.patch
675
policy-F16.patch
@ -1891,10 +1891,10 @@ index 0000000..bd83148
|
|||||||
+## <summary>No Interfaces</summary>
|
+## <summary>No Interfaces</summary>
|
||||||
diff --git a/policy/modules/admin/permissivedomains.te b/policy/modules/admin/permissivedomains.te
|
diff --git a/policy/modules/admin/permissivedomains.te b/policy/modules/admin/permissivedomains.te
|
||||||
new file mode 100644
|
new file mode 100644
|
||||||
index 0000000..f0dbe88
|
index 0000000..7da376a
|
||||||
--- /dev/null
|
--- /dev/null
|
||||||
+++ b/policy/modules/admin/permissivedomains.te
|
+++ b/policy/modules/admin/permissivedomains.te
|
||||||
@@ -0,0 +1,276 @@
|
@@ -0,0 +1,310 @@
|
||||||
+policy_module(permissivedomains,16)
|
+policy_module(permissivedomains,16)
|
||||||
+
|
+
|
||||||
+optional_policy(`
|
+optional_policy(`
|
||||||
@ -2059,6 +2059,40 @@ index 0000000..f0dbe88
|
|||||||
+
|
+
|
||||||
+optional_policy(`
|
+optional_policy(`
|
||||||
+ gen_require(`
|
+ gen_require(`
|
||||||
|
+ type nova_ajax_t;
|
||||||
|
+ type nova_api_t;
|
||||||
|
+ type nova_compute_t;
|
||||||
|
+ type nova_direct_t;
|
||||||
|
+ type nova_network_t;
|
||||||
|
+ type nova_objectstore_t;
|
||||||
|
+ type nova_scheduler_t;
|
||||||
|
+ type nova_vncproxy_t;
|
||||||
|
+ type nova_volume_t;
|
||||||
|
+ ')
|
||||||
|
+
|
||||||
|
+ permissive nova_ajax_t;
|
||||||
|
+ permissive nova_api_t;
|
||||||
|
+ permissive nova_compute_t;
|
||||||
|
+ permissive nova_direct_t;
|
||||||
|
+ permissive nova_network_t;
|
||||||
|
+ permissive nova_objectstore_t;
|
||||||
|
+ permissive nova_scheduler_t;
|
||||||
|
+ permissive nova_vncproxy_t;
|
||||||
|
+ permissive nova_volume_t;
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+optional_policy(`
|
||||||
|
+ gen_require(`
|
||||||
|
+ type rabbitmq_epmd_t;
|
||||||
|
+ type rabbitmq_beam_t;
|
||||||
|
+ ')
|
||||||
|
+
|
||||||
|
+ permissive rabbitmq_epmd_t;
|
||||||
|
+ permissive rabbitmq_beam_t;
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+optional_policy(`
|
||||||
|
+ gen_require(`
|
||||||
+ type sblim_gatherd_t;
|
+ type sblim_gatherd_t;
|
||||||
+ ')
|
+ ')
|
||||||
+
|
+
|
||||||
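Review bot: Every nova_*_t domain is declared permissive here (the `permissive nova_ajax_t;` through `permissive nova_volume_t;` run) while nova.te in the same patch also wraps each of them in `unconfined_domain()`, so with both in place denials are neither enforced nor attributable to the confined ruleset; one mechanism should be chosen and the reason recorded. A comment above the block such as `# nova daemons call sudo directly; keep permissive until the nova-stack sudo issue is fixed and unconfined_domain() is dropped from nova.te` would make the intended lifetime explicit. The rabbitmq block requires `rabbitmq_epmd_t` and `rabbitmq_beam_t`, which matches the exec types in rabbitmq.fc later in the patch, but rabbitmq.if's `rabbitmq_domtrans` requires `rabbitmq_t, rabbitmq_exec_t` instead; the rabbitmq.te that would declare these is outside this view, so confirm both sets of types exist or the interface will fail at build time the first time it is called.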
@ -3497,7 +3531,7 @@ index 7bddc02..2b59ed0 100644
|
|||||||
+
|
+
|
||||||
+/var/db/sudo(/.*)? gen_context(system_u:object_r:sudo_db_t,s0)
|
+/var/db/sudo(/.*)? gen_context(system_u:object_r:sudo_db_t,s0)
|
||||||
diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if
|
diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if
|
||||||
index 975af1a..bcc4481 100644
|
index 975af1a..2aa37b4 100644
|
||||||
--- a/policy/modules/admin/sudo.if
|
--- a/policy/modules/admin/sudo.if
|
||||||
+++ b/policy/modules/admin/sudo.if
|
+++ b/policy/modules/admin/sudo.if
|
||||||
@@ -32,6 +32,7 @@ template(`sudo_role_template',`
|
@@ -32,6 +32,7 @@ template(`sudo_role_template',`
|
||||||
@ -3579,6 +3613,29 @@ index 975af1a..bcc4481 100644
|
|||||||
|
|
||||||
tunable_policy(`use_nfs_home_dirs',`
|
tunable_policy(`use_nfs_home_dirs',`
|
||||||
fs_manage_nfs_files($1_sudo_t)
|
fs_manage_nfs_files($1_sudo_t)
|
||||||
|
@@ -177,3 +196,22 @@ interface(`sudo_sigchld',`
|
||||||
|
|
||||||
|
allow $1 sudodomain:process sigchld;
|
||||||
|
')
|
||||||
|
+
|
||||||
|
+#######################################
|
||||||
|
+## <summary>
|
||||||
|
+## Allow execute sudo in called domain.
|
||||||
|
+## This interfaces is added for nova-stack policy.
|
||||||
|
+## </summary>
|
||||||
|
+## <param name="domain">
|
||||||
|
+## <summary>
|
||||||
|
+## Domain allowed access.
|
||||||
|
+## </summary>
|
||||||
|
+## </param>
|
||||||
|
+#
|
||||||
|
+interface(`sudo_exec',`
|
||||||
|
+ gen_require(`
|
||||||
|
+ type sudo_exec_t;
|
||||||
|
+ ')
|
||||||
|
+
|
||||||
|
+ can_exec($1, sudo_exec_t)
|
||||||
|
+')
|
||||||
diff --git a/policy/modules/admin/sudo.te b/policy/modules/admin/sudo.te
|
diff --git a/policy/modules/admin/sudo.te b/policy/modules/admin/sudo.te
|
||||||
index 2731fa1..3443ba2 100644
|
index 2731fa1..3443ba2 100644
|
||||||
--- a/policy/modules/admin/sudo.te
|
--- a/policy/modules/admin/sudo.te
|
||||||
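Review bot: `sudo_exec` grants `can_exec($1, sudo_exec_t)` with no domain transition, so the caller runs the setuid sudo binary inside its own domain, and the nova.te callers in this patch pair it with `self:capability { setuid setgid }`, meaning the daemon becomes root without ever entering a sudo domain; the interface summary should state this consequence rather than only naming nova-stack. The summary also has two wording slips: `## Allow execute sudo in called domain.` should read `## Execute sudo in the caller domain, without a domain transition.` and `## This interfaces is added for nova-stack policy.` should read `## Added for the nova-stack policy; the caller gains sudo's privileges directly, so prefer a transition into a sudo domain wherever the caller can be confined.` The sudo_role_template context above the hunk continues outside it.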
@ -13481,7 +13538,7 @@ index 4f3b542..cf422f4 100644
|
|||||||
corenet_udp_recvfrom_labeled($1, $2)
|
corenet_udp_recvfrom_labeled($1, $2)
|
||||||
corenet_raw_recvfrom_labeled($1, $2)
|
corenet_raw_recvfrom_labeled($1, $2)
|
||||||
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
|
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
|
||||||
index 99b71cb..740d4b1 100644
|
index 99b71cb..30e6f47 100644
|
||||||
--- a/policy/modules/kernel/corenetwork.te.in
|
--- a/policy/modules/kernel/corenetwork.te.in
|
||||||
+++ b/policy/modules/kernel/corenetwork.te.in
|
+++ b/policy/modules/kernel/corenetwork.te.in
|
||||||
@@ -11,11 +11,15 @@ attribute netif_type;
|
@@ -11,11 +11,15 @@ attribute netif_type;
|
||||||
@ -13584,13 +13641,14 @@ index 99b71cb..740d4b1 100644
|
|||||||
network_port(cvs, tcp,2401,s0, udp,2401,s0)
|
network_port(cvs, tcp,2401,s0, udp,2401,s0)
|
||||||
network_port(cyphesis, tcp,6767,s0, tcp,6769,s0, tcp,6780-6799,s0, udp,32771,s0)
|
network_port(cyphesis, tcp,6767,s0, tcp,6769,s0, tcp,6780-6799,s0, udp,32771,s0)
|
||||||
network_port(daap, tcp,3689,s0, udp,3689,s0)
|
network_port(daap, tcp,3689,s0, udp,3689,s0)
|
||||||
@@ -99,14 +134,20 @@ network_port(dhcpc, udp,68,s0, tcp,68,s0, udp,546,s0, tcp, 546,s0)
|
@@ -99,14 +134,21 @@ network_port(dhcpc, udp,68,s0, tcp,68,s0, udp,546,s0, tcp, 546,s0)
|
||||||
network_port(dhcpd, udp,67,s0, udp,547,s0, tcp, 547,s0, udp,548,s0, tcp, 548,s0, tcp,647,s0, udp,647,s0, tcp,847,s0, udp,847,s0, tcp,7911,s0)
|
network_port(dhcpd, udp,67,s0, udp,547,s0, tcp, 547,s0, udp,548,s0, tcp, 548,s0, tcp,647,s0, udp,647,s0, tcp,847,s0, udp,847,s0, tcp,7911,s0)
|
||||||
network_port(dict, tcp,2628,s0)
|
network_port(dict, tcp,2628,s0)
|
||||||
network_port(distccd, tcp,3632,s0)
|
network_port(distccd, tcp,3632,s0)
|
||||||
+network_port(dogtag, tcp,7390,s0)
|
+network_port(dogtag, tcp,7390,s0)
|
||||||
network_port(dns, udp,53,s0, tcp,53,s0)
|
network_port(dns, udp,53,s0, tcp,53,s0)
|
||||||
network_port(epmap, tcp,135,s0, udp,135,s0)
|
network_port(epmap, tcp,135,s0, udp,135,s0)
|
||||||
|
+network_port(epmd, tcp,4369,s0, udp,4369,s0)
|
||||||
+network_port(festival, tcp,1314,s0)
|
+network_port(festival, tcp,1314,s0)
|
||||||
network_port(fingerd, tcp,79,s0)
|
network_port(fingerd, tcp,79,s0)
|
||||||
+network_port(firebird, tcp,3050,s0, udp,3050,s0)
|
+network_port(firebird, tcp,3050,s0, udp,3050,s0)
|
||||||
@ -13605,7 +13663,7 @@ index 99b71cb..740d4b1 100644
|
|||||||
network_port(gopher, tcp,70,s0, udp,70,s0)
|
network_port(gopher, tcp,70,s0, udp,70,s0)
|
||||||
network_port(gpsd, tcp,2947,s0)
|
network_port(gpsd, tcp,2947,s0)
|
||||||
network_port(hadoop_datanode, tcp,50010,s0)
|
network_port(hadoop_datanode, tcp,50010,s0)
|
||||||
@@ -115,11 +156,12 @@ network_port(hddtemp, tcp,7634,s0)
|
@@ -115,11 +157,12 @@ network_port(hddtemp, tcp,7634,s0)
|
||||||
network_port(howl, tcp,5335,s0, udp,5353,s0)
|
network_port(howl, tcp,5335,s0, udp,5353,s0)
|
||||||
network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0, tcp,9292,s0)
|
network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0, tcp,9292,s0)
|
||||||
network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0, tcp,8443,s0) #8443 is mod_nss default port
|
network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0, tcp,8443,s0) #8443 is mod_nss default port
|
||||||
@ -13619,7 +13677,7 @@ index 99b71cb..740d4b1 100644
|
|||||||
network_port(ipmi, udp,623,s0, udp,664,s0)
|
network_port(ipmi, udp,623,s0, udp,664,s0)
|
||||||
network_port(ipp, tcp,631,s0, udp,631,s0, tcp,8610-8614,s0, udp,8610-8614,s0)
|
network_port(ipp, tcp,631,s0, udp,631,s0, tcp,8610-8614,s0, udp,8610-8614,s0)
|
||||||
network_port(ipsecnat, tcp,4500,s0, udp,4500,s0)
|
network_port(ipsecnat, tcp,4500,s0, udp,4500,s0)
|
||||||
@@ -129,20 +171,25 @@ network_port(iscsi, tcp,3260,s0)
|
@@ -129,20 +172,25 @@ network_port(iscsi, tcp,3260,s0)
|
||||||
network_port(isns, tcp,3205,s0, udp,3205,s0)
|
network_port(isns, tcp,3205,s0, udp,3205,s0)
|
||||||
network_port(jabber_client, tcp,5222,s0, tcp,5223,s0)
|
network_port(jabber_client, tcp,5222,s0, tcp,5223,s0)
|
||||||
network_port(jabber_interserver, tcp,5269,s0)
|
network_port(jabber_interserver, tcp,5269,s0)
|
||||||
@ -13648,7 +13706,7 @@ index 99b71cb..740d4b1 100644
|
|||||||
network_port(mpd, tcp,6600,s0)
|
network_port(mpd, tcp,6600,s0)
|
||||||
network_port(msnp, tcp,1863,s0, udp,1863,s0)
|
network_port(msnp, tcp,1863,s0, udp,1863,s0)
|
||||||
network_port(mssql, tcp,1433-1434,s0, udp,1433-1434,s0)
|
network_port(mssql, tcp,1433-1434,s0, udp,1433-1434,s0)
|
||||||
@@ -152,21 +199,31 @@ network_port(mysqlmanagerd, tcp,2273,s0)
|
@@ -152,21 +200,31 @@ network_port(mysqlmanagerd, tcp,2273,s0)
|
||||||
network_port(nessus, tcp,1241,s0)
|
network_port(nessus, tcp,1241,s0)
|
||||||
network_port(netport, tcp,3129,s0, udp,3129,s0)
|
network_port(netport, tcp,3129,s0, udp,3129,s0)
|
||||||
network_port(netsupport, tcp,5404,s0, udp,5404,s0, tcp,5405,s0, udp,5405,s0)
|
network_port(netsupport, tcp,5404,s0, udp,5404,s0, tcp,5405,s0, udp,5405,s0)
|
||||||
@ -13681,7 +13739,7 @@ index 99b71cb..740d4b1 100644
|
|||||||
network_port(prelude, tcp,4690,s0, udp,4690,s0)
|
network_port(prelude, tcp,4690,s0, udp,4690,s0)
|
||||||
network_port(presence, tcp,5298-5299,s0, udp,5298-5299,s0)
|
network_port(presence, tcp,5298-5299,s0, udp,5298-5299,s0)
|
||||||
network_port(printer, tcp,515,s0)
|
network_port(printer, tcp,515,s0)
|
||||||
@@ -179,30 +236,35 @@ network_port(radacct, udp,1646,s0, udp,1813,s0)
|
@@ -179,30 +237,35 @@ network_port(radacct, udp,1646,s0, udp,1813,s0)
|
||||||
network_port(radius, udp,1645,s0, udp,1812,s0)
|
network_port(radius, udp,1645,s0, udp,1812,s0)
|
||||||
network_port(radsec, tcp,2083,s0)
|
network_port(radsec, tcp,2083,s0)
|
||||||
network_port(razor, tcp,2703,s0)
|
network_port(razor, tcp,2703,s0)
|
||||||
@ -13721,7 +13779,7 @@ index 99b71cb..740d4b1 100644
|
|||||||
network_port(tcs, tcp, 30003, s0)
|
network_port(tcs, tcp, 30003, s0)
|
||||||
network_port(telnetd, tcp,23,s0)
|
network_port(telnetd, tcp,23,s0)
|
||||||
network_port(tftp, udp,69,s0)
|
network_port(tftp, udp,69,s0)
|
||||||
@@ -215,7 +277,7 @@ network_port(uucpd, tcp,540,s0)
|
@@ -215,9 +278,10 @@ network_port(uucpd, tcp,540,s0)
|
||||||
network_port(varnishd, tcp,6081-6082,s0)
|
network_port(varnishd, tcp,6081-6082,s0)
|
||||||
network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0)
|
network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0)
|
||||||
network_port(virt_migration, tcp,49152-49216,s0)
|
network_port(virt_migration, tcp,49152-49216,s0)
|
||||||
@ -13729,8 +13787,11 @@ index 99b71cb..740d4b1 100644
|
|||||||
+network_port(vnc, tcp,5900-5999,s0)
|
+network_port(vnc, tcp,5900-5999,s0)
|
||||||
network_port(wccp, udp,2048,s0)
|
network_port(wccp, udp,2048,s0)
|
||||||
network_port(whois, tcp,43,s0, udp,43,s0, tcp, 4321, s0 , udp, 4321, s0 )
|
network_port(whois, tcp,43,s0, udp,43,s0, tcp, 4321, s0 , udp, 4321, s0 )
|
||||||
|
+network_port(wsicopy, tcp, 3378, s0, udp, 3378,s0)
|
||||||
network_port(xdmcp, udp,177,s0, tcp,177,s0)
|
network_port(xdmcp, udp,177,s0, tcp,177,s0)
|
||||||
@@ -229,6 +291,7 @@ network_port(zookeeper_client, tcp,2181,s0)
|
network_port(xen, tcp,8002,s0)
|
||||||
|
network_port(xfs, tcp,7100,s0)
|
||||||
|
@@ -229,6 +293,7 @@ network_port(zookeeper_client, tcp,2181,s0)
|
||||||
network_port(zookeeper_election, tcp,3888,s0)
|
network_port(zookeeper_election, tcp,3888,s0)
|
||||||
network_port(zookeeper_leader, tcp,2888,s0)
|
network_port(zookeeper_leader, tcp,2888,s0)
|
||||||
network_port(zebra, tcp,2600-2604,s0, tcp,2606,s0, udp,2600-2604,s0, udp,2606,s0)
|
network_port(zebra, tcp,2600-2604,s0, tcp,2606,s0, udp,2600-2604,s0, udp,2606,s0)
|
||||||
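Review bot: `network_port(wsicopy, tcp, 3378, s0, udp, 3378,s0)` mixes spaced and unspaced argument lists, unlike the neighbouring entries that consistently write `tcp,NNNN,s0`; it should be `network_port(wsicopy, tcp,3378,s0, udp,3378,s0)`. Nothing else in the visible part of the patch references a wsicopy port type, so a short comment naming the consumer, or the `corenet_*_wsicopy_port` call in the module that needs it, would keep the new type from looking orphaned. The same applies to `network_port(epmd, tcp,4369,s0, udp,4369,s0)` added earlier in this file, whose presumed rabbitmq consumer is not in view.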
@ -13738,7 +13799,7 @@ index 99b71cb..740d4b1 100644
|
|||||||
network_port(zope, tcp,8021,s0)
|
network_port(zope, tcp,8021,s0)
|
||||||
|
|
||||||
# Defaults for reserved ports. Earlier portcon entries take precedence;
|
# Defaults for reserved ports. Earlier portcon entries take precedence;
|
||||||
@@ -238,6 +301,12 @@ portcon tcp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
|
@@ -238,6 +303,12 @@ portcon tcp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
|
||||||
portcon udp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
|
portcon udp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
|
||||||
portcon tcp 1-511 gen_context(system_u:object_r:reserved_port_t, s0)
|
portcon tcp 1-511 gen_context(system_u:object_r:reserved_port_t, s0)
|
||||||
portcon udp 1-511 gen_context(system_u:object_r:reserved_port_t, s0)
|
portcon udp 1-511 gen_context(system_u:object_r:reserved_port_t, s0)
|
||||||
@ -13751,7 +13812,7 @@ index 99b71cb..740d4b1 100644
|
|||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
@@ -282,9 +351,10 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
|
@@ -282,9 +353,10 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
|
||||||
allow corenet_unconfined_type node_type:node *;
|
allow corenet_unconfined_type node_type:node *;
|
||||||
allow corenet_unconfined_type netif_type:netif *;
|
allow corenet_unconfined_type netif_type:netif *;
|
||||||
allow corenet_unconfined_type packet_type:packet *;
|
allow corenet_unconfined_type packet_type:packet *;
|
||||||
@ -33974,10 +34035,10 @@ index 0000000..6fd8e9f
|
|||||||
+')
|
+')
|
||||||
diff --git a/policy/modules/services/dirsrv.te b/policy/modules/services/dirsrv.te
|
diff --git a/policy/modules/services/dirsrv.te b/policy/modules/services/dirsrv.te
|
||||||
new file mode 100644
|
new file mode 100644
|
||||||
index 0000000..a5afe38
|
index 0000000..ff2ba38
|
||||||
--- /dev/null
|
--- /dev/null
|
||||||
+++ b/policy/modules/services/dirsrv.te
|
+++ b/policy/modules/services/dirsrv.te
|
||||||
@@ -0,0 +1,187 @@
|
@@ -0,0 +1,188 @@
|
||||||
+policy_module(dirsrv,1.0.0)
|
+policy_module(dirsrv,1.0.0)
|
||||||
+
|
+
|
||||||
+########################################
|
+########################################
|
||||||
@ -34035,6 +34096,7 @@ index 0000000..a5afe38
|
|||||||
+allow dirsrv_t self:fifo_file rw_fifo_file_perms;
|
+allow dirsrv_t self:fifo_file rw_fifo_file_perms;
|
||||||
+allow dirsrv_t self:sem create_sem_perms;
|
+allow dirsrv_t self:sem create_sem_perms;
|
||||||
+allow dirsrv_t self:tcp_socket create_stream_socket_perms;
|
+allow dirsrv_t self:tcp_socket create_stream_socket_perms;
|
||||||
|
+allow dirsrv_t self:netlink_route_socket r_netlink_socket_perms;
|
||||||
+
|
+
|
||||||
+manage_files_pattern(dirsrv_t, dirsrv_tmpfs_t, dirsrv_tmpfs_t)
|
+manage_files_pattern(dirsrv_t, dirsrv_tmpfs_t, dirsrv_tmpfs_t)
|
||||||
+fs_tmpfs_filetrans(dirsrv_t, dirsrv_tmpfs_t, file)
|
+fs_tmpfs_filetrans(dirsrv_t, dirsrv_tmpfs_t, file)
|
||||||
@ -34220,10 +34282,43 @@ index b886676..ab3af9c 100644
|
|||||||
/var/run/dnsmasq\.pid -- gen_context(system_u:object_r:dnsmasq_var_run_t,s0)
|
/var/run/dnsmasq\.pid -- gen_context(system_u:object_r:dnsmasq_var_run_t,s0)
|
||||||
/var/run/libvirt/network(/.*)? gen_context(system_u:object_r:dnsmasq_var_run_t,s0)
|
/var/run/libvirt/network(/.*)? gen_context(system_u:object_r:dnsmasq_var_run_t,s0)
|
||||||
diff --git a/policy/modules/services/dnsmasq.if b/policy/modules/services/dnsmasq.if
|
diff --git a/policy/modules/services/dnsmasq.if b/policy/modules/services/dnsmasq.if
|
||||||
index 9bd812b..1bef72c 100644
|
index 9bd812b..982c0ea 100644
|
||||||
--- a/policy/modules/services/dnsmasq.if
|
--- a/policy/modules/services/dnsmasq.if
|
||||||
+++ b/policy/modules/services/dnsmasq.if
|
+++ b/policy/modules/services/dnsmasq.if
|
||||||
@@ -41,6 +41,29 @@ interface(`dnsmasq_initrc_domtrans',`
|
@@ -10,7 +10,6 @@
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
-#
|
||||||
|
interface(`dnsmasq_domtrans',`
|
||||||
|
gen_require(`
|
||||||
|
type dnsmasq_exec_t, dnsmasq_t;
|
||||||
|
@@ -20,6 +19,24 @@ interface(`dnsmasq_domtrans',`
|
||||||
|
domtrans_pattern($1, dnsmasq_exec_t, dnsmasq_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
+#######################################
|
||||||
|
+## <summary>
|
||||||
|
+## Execute dnsmasq server in the caller domain.
|
||||||
|
+## </summary>
|
||||||
|
+## <param name="domain">
|
||||||
|
+## <summary>
|
||||||
|
+## Domain allowed to transition.
|
||||||
|
+## </summary>
|
||||||
|
+## </param>
|
||||||
|
+#
|
||||||
|
+interface(`dnsmasq_exec',`
|
||||||
|
+ gen_require(`
|
||||||
|
+ type dnsmasq_exec_t;
|
||||||
|
+ ')
|
||||||
|
+
|
||||||
|
+ can_exec($1, dnsmasq_exec_t)
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Execute the dnsmasq init script in the init script domain.
|
||||||
|
@@ -41,6 +58,29 @@ interface(`dnsmasq_initrc_domtrans',`
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
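Review bot: `dnsmasq_exec` runs the dnsmasq binary in the caller's domain with no transition, and nova.te in this patch uses it from nova_network_t precisely because the dnsmasq_t transition lacked access to nova's lib and tmp files; the cleaner fix is to give dnsmasq_t that access through nova interfaces and keep `dnsmasq_domtrans`, since under the exec variant dnsmasq's DNS/DHCP binding and packet rules have to be granted to the nova domain instead. The parameter summary is also wrong for an exec interface: `## Domain allowed to transition.` should read `## Domain allowed access.` Consider adding `corecmd_search_bin($1)` before the `can_exec`, as `rabbitmq_domtrans` in this patch does, so callers can actually reach the binary's directory.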
@ -34253,7 +34348,7 @@ index 9bd812b..1bef72c 100644
|
|||||||
## Send dnsmasq a signal
|
## Send dnsmasq a signal
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
@@ -101,9 +124,9 @@ interface(`dnsmasq_kill',`
|
@@ -101,9 +141,9 @@ interface(`dnsmasq_kill',`
|
||||||
## Read dnsmasq config files.
|
## Read dnsmasq config files.
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
@ -34265,7 +34360,7 @@ index 9bd812b..1bef72c 100644
|
|||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
interface(`dnsmasq_read_config',`
|
interface(`dnsmasq_read_config',`
|
||||||
@@ -120,9 +143,9 @@ interface(`dnsmasq_read_config',`
|
@@ -120,9 +160,9 @@ interface(`dnsmasq_read_config',`
|
||||||
## Write to dnsmasq config files.
|
## Write to dnsmasq config files.
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
@ -34277,7 +34372,7 @@ index 9bd812b..1bef72c 100644
|
|||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
interface(`dnsmasq_write_config',`
|
interface(`dnsmasq_write_config',`
|
||||||
@@ -144,12 +167,12 @@ interface(`dnsmasq_write_config',`
|
@@ -144,12 +184,12 @@ interface(`dnsmasq_write_config',`
|
||||||
## </summary>
|
## </summary>
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
@ -34291,7 +34386,7 @@ index 9bd812b..1bef72c 100644
|
|||||||
delete_files_pattern($1, dnsmasq_var_run_t, dnsmasq_var_run_t)
|
delete_files_pattern($1, dnsmasq_var_run_t, dnsmasq_var_run_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -163,17 +186,80 @@ interface(`dnsmasq_delete_pid_files',`
|
@@ -163,17 +203,80 @@ interface(`dnsmasq_delete_pid_files',`
|
||||||
## </summary>
|
## </summary>
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
@ -34373,7 +34468,7 @@ index 9bd812b..1bef72c 100644
|
|||||||
## All of the rules required to administrate
|
## All of the rules required to administrate
|
||||||
## an dnsmasq environment
|
## an dnsmasq environment
|
||||||
## </summary>
|
## </summary>
|
||||||
@@ -208,4 +294,6 @@ interface(`dnsmasq_admin',`
|
@@ -208,4 +311,6 @@ interface(`dnsmasq_admin',`
|
||||||
|
|
||||||
files_list_pids($1)
|
files_list_pids($1)
|
||||||
admin_pattern($1, dnsmasq_var_run_t)
|
admin_pattern($1, dnsmasq_var_run_t)
|
||||||
@ -37703,10 +37798,10 @@ index 0000000..3b1870a
|
|||||||
+
|
+
|
||||||
diff --git a/policy/modules/services/glance.te b/policy/modules/services/glance.te
|
diff --git a/policy/modules/services/glance.te b/policy/modules/services/glance.te
|
||||||
new file mode 100644
|
new file mode 100644
|
||||||
index 0000000..45b7469
|
index 0000000..34385c9
|
||||||
--- /dev/null
|
--- /dev/null
|
||||||
+++ b/policy/modules/services/glance.te
|
+++ b/policy/modules/services/glance.te
|
||||||
@@ -0,0 +1,104 @@
|
@@ -0,0 +1,105 @@
|
||||||
+policy_module(glance, 1.0.0)
|
+policy_module(glance, 1.0.0)
|
||||||
+
|
+
|
||||||
+########################################
|
+########################################
|
||||||
@ -37805,6 +37900,7 @@ index 0000000..45b7469
|
|||||||
+
|
+
|
||||||
+corenet_tcp_bind_generic_node(glance_api_t)
|
+corenet_tcp_bind_generic_node(glance_api_t)
|
||||||
+corenet_tcp_bind_hplip_port(glance_api_t)
|
+corenet_tcp_bind_hplip_port(glance_api_t)
|
||||||
|
+corenet_tcp_connect_glance_registry_port(glance_api_t)
|
||||||
+
|
+
|
||||||
+dev_read_urand(glance_api_t)
|
+dev_read_urand(glance_api_t)
|
||||||
+
|
+
|
||||||
@ -44911,6 +45007,368 @@ index 4876cae..eabed96 100644
|
|||||||
allow ypserv_t self:unix_dgram_socket create_socket_perms;
|
allow ypserv_t self:unix_dgram_socket create_socket_perms;
|
||||||
allow ypserv_t self:unix_stream_socket create_stream_socket_perms;
|
allow ypserv_t self:unix_stream_socket create_stream_socket_perms;
|
||||||
allow ypserv_t self:netlink_route_socket r_netlink_socket_perms;
|
allow ypserv_t self:netlink_route_socket r_netlink_socket_perms;
|
||||||
|
diff --git a/policy/modules/services/nova.fc b/policy/modules/services/nova.fc
|
||||||
|
new file mode 100644
|
||||||
|
index 0000000..4af11e2
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/policy/modules/services/nova.fc
|
||||||
|
@@ -0,0 +1,17 @@
|
||||||
|
+
|
||||||
|
+
|
||||||
|
+/usr/bin/nova-ajax-console-proxy -- gen_context(system_u:object_r:nova_ajax_exec_t,s0)
|
||||||
|
+#/usr/bin/nova-compute -- gen_context(system_u:object_r:nova_compute_exec_t,s0)
|
||||||
|
+/usr/bin/nova-direct-api -- gen_context(system_u:object_r:nova_direct_exec_t,s0)
|
||||||
|
+/usr/bin/nova-api -- gen_context(system_u:object_r:nova_api_exec_t,s0)
|
||||||
|
+/usr/bin/nova-network -- gen_context(system_u:object_r:nova_network_exec_t,s0)
|
||||||
|
+/usr/bin/nova-objectstore -- gen_context(system_u:object_r:nova_objectstore_exec_t,s0)
|
||||||
|
+/usr/bin/nova-scheduler -- gen_context(system_u:object_r:nova_scheduler_exec_t,s0)
|
||||||
|
+/usr/bin/nova-vncproxy -- gen_context(system_u:object_r:nova_vncproxy_exec_t,s0)
|
||||||
|
+/usr/bin/nova-volume -- gen_context(system_u:object_r:nova_volume_exec_t,s0)
|
||||||
|
+
|
||||||
|
+/var/lib/nova(/.*)? gen_context(system_u:object_r:nova_var_lib_t,s0)
|
||||||
|
+
|
||||||
|
+/var/log/nova(/.*)? gen_context(system_u:object_r:nova_log_t,s0)
|
||||||
|
+
|
||||||
|
+/var/run/nova(/.*)? gen_context(system_u:object_r:nova_var_run_t,s0)
|
||||||
|
diff --git a/policy/modules/services/nova.if b/policy/modules/services/nova.if
|
||||||
|
new file mode 100644
|
||||||
|
index 0000000..ac0e1e6
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/policy/modules/services/nova.if
|
||||||
|
@@ -0,0 +1,30 @@
|
||||||
|
+## <summary>openstack-nova</summary>
|
||||||
|
+
|
||||||
|
+#######################################
|
||||||
|
+## <summary>
|
||||||
|
+## Creates types and rules for a basic
|
||||||
|
+## openstack-nova systemd daemon domain.
|
||||||
|
+## </summary>
|
||||||
|
+## <param name="prefix">
|
||||||
|
+## <summary>
|
||||||
|
+## Prefix for the domain.
|
||||||
|
+## </summary>
|
||||||
|
+## </param>
|
||||||
|
+#
|
||||||
|
+template(`nova_domain_template',`
|
||||||
|
+ gen_require(`
|
||||||
|
+ attribute nova_domain;
|
||||||
|
+ ')
|
||||||
|
+
|
||||||
|
+ type nova_$1_t, nova_domain;
|
||||||
|
+ type nova_$1_exec_t;
|
||||||
|
+ init_daemon_domain(nova_$1_t, nova_$1_exec_t)
|
||||||
|
+
|
||||||
|
+ type nova_$1_tmp_t;
|
||||||
|
+ files_tmp_file(nova_$1_tmp_t)
|
||||||
|
+
|
||||||
|
+ manage_dirs_pattern(nova_$1_t, nova_$1_tmp_t, nova_$1_tmp_t)
|
||||||
|
+ manage_files_pattern(nova_$1_t, nova_$1_tmp_t, nova_$1_tmp_t)
|
||||||
|
+ files_tmp_filetrans(nova_$1_t, nova_$1_tmp_t, { file dir })
|
||||||
|
+ can_exec(nova_$1_t, nova_$1_tmp_t)
|
||||||
|
+')
|
||||||
|
diff --git a/policy/modules/services/nova.te b/policy/modules/services/nova.te
|
||||||
|
new file mode 100644
|
||||||
|
index 0000000..49acffa
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/policy/modules/services/nova.te
|
||||||
|
@@ -0,0 +1,297 @@
|
||||||
|
+policy_module(nova, 1.0.0)
|
||||||
|
+
|
||||||
|
+########################################
|
||||||
|
+#
|
||||||
|
+# Declarations
|
||||||
|
+#
|
||||||
|
+
|
||||||
|
+#
|
||||||
|
+# nova-stack daemons contain security issue with using sudo in the code
|
||||||
|
+# we make this policy as unconfined until this issue is fixed
|
||||||
|
+#
|
||||||
|
+
|
||||||
|
+attribute nova_domain;
|
||||||
|
+
|
||||||
|
+nova_domain_template(ajax)
|
||||||
|
+nova_domain_template(api)
|
||||||
|
+nova_domain_template(compute)
|
||||||
|
+nova_domain_template(direct)
|
||||||
|
+nova_domain_template(network)
|
||||||
|
+nova_domain_template(objectstore)
|
||||||
|
+nova_domain_template(scheduler)
|
||||||
|
+nova_domain_template(vncproxy)
|
||||||
|
+nova_domain_template(volume)
|
||||||
|
+
|
||||||
|
+type nova_log_t;
|
||||||
|
+logging_log_file(nova_log_t)
|
||||||
|
+
|
||||||
|
+type nova_var_lib_t;
|
||||||
|
+files_type(nova_var_lib_t)
|
||||||
|
+
|
||||||
|
+type nova_var_run_t;
|
||||||
|
+files_pid_file(nova_var_run_t)
|
||||||
|
+
|
||||||
|
+
|
||||||
|
+######################################
|
||||||
|
+#
|
||||||
|
+# nova general domain local policy
|
||||||
|
+#
|
||||||
|
+
|
||||||
|
+allow nova_domain self:fifo_file rw_fifo_file_perms;
|
||||||
|
+allow nova_domain self:tcp_socket create_stream_socket_perms;
|
||||||
|
+allow nova_domain self:unix_stream_socket create_stream_socket_perms;
|
||||||
|
+
|
||||||
|
+manage_dirs_pattern(nova_domain, nova_log_t, nova_log_t)
|
||||||
|
+manage_files_pattern(nova_domain, nova_log_t, nova_log_t)
|
||||||
|
+
|
||||||
|
+manage_dirs_pattern(nova_domain, nova_var_lib_t, nova_var_lib_t)
|
||||||
|
+manage_files_pattern(nova_domain, nova_var_lib_t, nova_var_lib_t)
|
||||||
|
+
|
||||||
|
+manage_dirs_pattern(nova_domain, nova_var_run_t, nova_var_run_t)
|
||||||
|
+manage_files_pattern(nova_domain, nova_var_run_t, nova_var_run_t)
|
||||||
|
+
|
||||||
|
+kernel_read_system_state(nova_domain)
|
||||||
|
+
|
||||||
|
+corenet_tcp_connect_amqp_port(nova_domain)
|
||||||
|
+
|
||||||
|
+corecmd_exec_bin(nova_domain)
|
||||||
|
+corecmd_exec_shell(nova_domain)
|
||||||
|
+
|
||||||
|
+dev_read_urand(nova_domain)
|
||||||
|
+
|
||||||
|
+fs_getattr_xattr_fs(nova_domain)
|
||||||
|
+
|
||||||
|
+files_read_usr_files(nova_domain)
|
||||||
|
+
|
||||||
|
+libs_exec_ldconfig(nova_domain)
|
||||||
|
+
|
||||||
|
+files_read_etc_files(nova_domain)
|
||||||
|
+
|
||||||
|
+miscfiles_read_localization(nova_domain)
|
||||||
|
+
|
||||||
|
+optional_policy(`
|
||||||
|
+ sysnet_read_config(nova_domain)
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+######################################
|
||||||
|
+#
|
||||||
|
+# nova ajax local policy
|
||||||
|
+#
|
||||||
|
+
|
||||||
|
+optional_policy(`
|
||||||
|
+ unconfined_domain(nova_ajax_t)
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+#######################################
|
||||||
|
+#
|
||||||
|
+# nova api local policy
|
||||||
|
+#
|
||||||
|
+
|
||||||
|
+allow nova_api_t self:process setfscreate;
|
||||||
|
+
|
||||||
|
+allow nova_api_t self:netlink_route_socket r_netlink_socket_perms;
|
||||||
|
+
|
||||||
|
+allow nova_api_t self:udp_socket create_socket_perms;
|
||||||
|
+
|
||||||
|
+kernel_read_kernel_sysctls(nova_api_t)
|
||||||
|
+
|
||||||
|
+corenet_tcp_bind_generic_node(nova_api_t)
|
||||||
|
+corenet_udp_bind_generic_node(nova_api_t)
|
||||||
|
+# should be add to booleans
|
||||||
|
+corenet_tcp_connect_all_ports(nova_api_t)
|
||||||
|
+corenet_tcp_bind_all_unreserved_ports(nova_api_t)
|
||||||
|
+
|
||||||
|
+logging_send_syslog_msg(nova_api_t)
|
||||||
|
+
|
||||||
|
+miscfiles_read_certs(nova_api_t)
|
||||||
|
+
|
||||||
|
+ifdef(`hide_broken_symptoms',`
|
||||||
|
+ optional_policy(`
|
||||||
|
+ sudo_exec(nova_api_t)
|
||||||
|
+ allow nova_api_t self:capability { setuid sys_resource setgid };
|
||||||
|
+ allow nova_api_t self:process { setsched setrlimit };
|
||||||
|
+ logging_send_audit_msgs(nova_api_t)
|
||||||
|
+ ')
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+optional_policy(`
|
||||||
|
+ iptables_domtrans(nova_api_t)
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+optional_policy(`
|
||||||
|
+ ssh_exec_keygen(nova_api_t)
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+optional_policy(`
|
||||||
|
+ unconfined_domain(nova_api_t)
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+#######################################
|
||||||
|
+#
|
||||||
|
+# nova compute local policy
|
||||||
|
+#
|
||||||
|
+
|
||||||
|
+# needs to be re-write since now runs as virtd_t
|
||||||
|
+
|
||||||
|
+allow nova_compute_t self:udp_socket create_socket_perms;
|
||||||
|
+
|
||||||
|
+kernel_read_network_state(nova_compute_t)
|
||||||
|
+
|
||||||
|
+dev_read_rand(nova_compute_t)
|
||||||
|
+
|
||||||
|
+dev_read_sysfs(nova_compute_t)
|
||||||
|
+
|
||||||
|
+optional_policy(`
|
||||||
|
+ virt_getattr_exec(nova_compute_t)
|
||||||
|
+ virt_stream_connect(nova_compute_t)
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+
|
||||||
|
+#######################################
|
||||||
|
+#
|
||||||
|
+# nova direct local policy
|
||||||
|
+#
|
||||||
|
+
|
||||||
|
+optional_policy(`
|
||||||
|
+ unconfined_domain(nova_direct_t)
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+#######################################
|
||||||
|
+#
|
||||||
|
+# nova network local policy
|
||||||
|
+#
|
||||||
|
+
|
||||||
|
+allow nova_network_t self:capability { dac_override net_admin net_bind_service };
|
||||||
|
+allow nova_network_t self:process { getcap setcap };
|
||||||
|
+
|
||||||
|
+allow nova_network_t self:netlink_route_socket r_netlink_socket_perms;
|
||||||
|
+allow nova_network_t self:udp_socket create_socket_perms;
|
||||||
|
+
|
||||||
|
+kernel_read_network_state(nova_network_t)
|
||||||
|
+kernel_read_kernel_sysctls(nova_network_t)
|
||||||
|
+
|
||||||
|
+# should be added to boolean or fixed in the code
|
||||||
|
+# dnsmasq domtrans does not work since then dnsmasq_t wants
|
||||||
|
+# to do some stuff with nova_lib, nova_tmp
|
||||||
|
+# nova-dhcpbridge runs in dnsmasq domain
|
||||||
|
+corenet_all_recvfrom_unlabeled(nova_network_t)
|
||||||
|
+corenet_all_recvfrom_netlabel(nova_network_t)
|
||||||
|
+corenet_tcp_sendrecv_generic_if(nova_network_t)
|
||||||
|
+corenet_udp_sendrecv_generic_if(nova_network_t)
|
||||||
|
+corenet_raw_sendrecv_generic_if(nova_network_t)
|
||||||
|
+corenet_tcp_sendrecv_generic_node(nova_network_t)
|
||||||
|
+corenet_udp_sendrecv_generic_node(nova_network_t)
|
||||||
|
+corenet_raw_sendrecv_generic_node(nova_network_t)
|
||||||
|
+corenet_tcp_sendrecv_all_ports(nova_network_t)
|
||||||
|
+corenet_udp_sendrecv_all_ports(nova_network_t)
|
||||||
|
+corenet_tcp_bind_generic_node(nova_network_t)
|
||||||
|
+corenet_udp_bind_generic_node(nova_network_t)
|
||||||
|
+corenet_tcp_bind_dns_port(nova_network_t)
|
||||||
|
+corenet_udp_bind_all_ports(nova_network_t)
|
||||||
|
+corenet_sendrecv_dns_server_packets(nova_network_t)
|
||||||
|
+corenet_sendrecv_dhcpd_server_packets(nova_network_t)
|
||||||
|
+
|
||||||
|
+libs_exec_ldconfig(nova_network_t)
|
||||||
|
+
|
||||||
|
+logging_send_syslog_msg(nova_network_t)
|
||||||
|
+
|
||||||
|
+ifdef(`hide_broken_symptoms',`
|
||||||
|
+ optional_policy(`
|
||||||
|
+ sudo_exec(nova_network_t)
|
||||||
|
+ allow nova_network_t self:capability { setuid sys_resource setgid };
|
||||||
|
+ allow nova_network_t self:process { setsched setrlimit };
|
||||||
|
+ logging_send_audit_msgs(nova_network_t)
|
||||||
|
+ ')
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+optional_policy(`
|
||||||
|
+ brctl_domtrans(nova_network_t)
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+optional_policy(`
|
||||||
|
+ dnsmasq_exec(nova_network_t)
|
||||||
|
+# dnsmasq_domtrans(nova_network_t)
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+optional_policy(`
|
||||||
|
+ iptables_domtrans(nova_network_t)
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+optional_policy(`
|
||||||
|
+ sysnet_domtrans_ifconfig(nova_network_t)
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+optional_policy(`
|
||||||
|
+ unconfined_domain(nova_network_t)
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+#######################################
|
||||||
|
+#
|
||||||
|
+# nova object store local policy
|
||||||
|
+#
|
||||||
|
+
|
||||||
|
+allow nova_objectstore_t self:udp_socket create_socket_perms;
|
||||||
|
+
|
||||||
|
+corenet_tcp_bind_generic_node(nova_objectstore_t)
|
||||||
|
+corenet_udp_bind_generic_node(nova_objectstore_t)
|
||||||
|
+
|
||||||
|
+optional_policy(`
|
||||||
|
+ unconfined_domain(nova_objectstore_t)
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+#######################################
|
||||||
|
+#
|
||||||
|
+# nova scheduler local policy
|
||||||
|
+#
|
||||||
|
+
|
||||||
|
+allow nova_scheduler_t self:netlink_route_socket r_netlink_socket_perms;
|
||||||
|
+allow nova_scheduler_t self:udp_socket create_socket_perms;
|
||||||
|
+
|
||||||
|
+optional_policy(`
|
||||||
|
+ unconfined_domain(nova_scheduler_t)
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+#######################################
|
||||||
|
+#
|
||||||
|
+# nova vncproxy local policy
|
||||||
|
+#
|
||||||
|
+
|
||||||
|
+optional_policy(`
|
||||||
|
+ unconfined_domain(nova_vncproxy_t)
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+#######################################
|
||||||
|
+#
|
||||||
|
+# nova volume local policy
|
||||||
|
+#
|
||||||
|
+
|
||||||
|
+allow nova_volume_t self:netlink_route_socket r_netlink_socket_perms;
|
||||||
|
+
|
||||||
|
+allow nova_volume_t self:udp_socket create_socket_perms;
|
||||||
|
+
|
||||||
|
+kernel_read_kernel_sysctls(nova_volume_t)
|
||||||
|
+
|
||||||
|
+logging_send_syslog_msg(nova_volume_t)
|
||||||
|
+
|
||||||
|
+optional_policy(`
|
||||||
|
+ lvm_domtrans(nova_volume_t)
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+ifdef(`hide_broken_symptoms',`
|
||||||
|
+ require {
|
||||||
|
+ type sudo_exec_t;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ allow nova_volume_t sudo_exec_t:file { read execute open execute_no_trans };
|
||||||
|
+
|
||||||
|
+ allow nova_volume_t self:capability { setuid sys_resource setgid audit_write };
|
||||||
|
+ allow nova_volume_t self:process { setsched setrlimit };
|
||||||
|
+
|
||||||
|
+ logging_send_audit_msgs(nova_volume_t)
|
||||||
|
+
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+optional_policy(`
|
||||||
|
+ unconfined_domain(nova_volume_t)
|
||||||
|
+')
|
||||||
|
+
|
||||||
diff --git a/policy/modules/services/nscd.if b/policy/modules/services/nscd.if
|
diff --git a/policy/modules/services/nscd.if b/policy/modules/services/nscd.if
|
||||||
index 85188dc..56dd1f0 100644
|
index 85188dc..56dd1f0 100644
|
||||||
--- a/policy/modules/services/nscd.if
|
--- a/policy/modules/services/nscd.if
|
||||||
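Review bot: `can_exec(nova_$1_t, nova_$1_tmp_t)` in `nova_domain_template` lets every nova daemon execute files it can itself create under /tmp (the template also grants manage on nova_$1_tmp_t and a tmp filetrans), which turns any write into the daemon's tmp into code execution in its domain; unless a specific nova service is known to run scripts from tmp, drop the line or gate it behind a tunable with a comment naming the caller. The nova_volume_t block re-implements the sudo access inline with `require { type sudo_exec_t; }` and `allow nova_volume_t sudo_exec_t:file { read execute open execute_no_trans };` while nova_api_t and nova_network_t use the new `sudo_exec()` interface; replacing the inline rule with `sudo_exec(nova_volume_t)` inside an `optional_policy` keeps the three consistent and avoids a hard dependency on the sudo module. The `audit_write` capability listed there is probably already covered by the `logging_send_audit_msgs(nova_volume_t)` call that follows — worth confirming against that interface. Since each domain also receives `unconfined_domain()`, the specific allow rules are effectively documentation for now; the header comment should say the confinement is a placeholder and reference the tracked sudo issue, and nova.fc's commented-out `#/usr/bin/nova-compute` line leaves nova_compute_t declared but never entered, which deserves the same note.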
@ -50873,6 +51331,140 @@ index cb7ecb5..3df1532 100644
|
|||||||
+ matahari_manage_lib_files(qpidd_t)
|
+ matahari_manage_lib_files(qpidd_t)
|
||||||
+ matahari_manage_pid_files(qpidd_t)
|
+ matahari_manage_pid_files(qpidd_t)
|
||||||
+')
|
+')
|
||||||
|
diff --git a/policy/modules/services/rabbitmq.fc b/policy/modules/services/rabbitmq.fc
|
||||||
|
new file mode 100644
|
||||||
|
index 0000000..7908e1d
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/policy/modules/services/rabbitmq.fc
|
||||||
|
@@ -0,0 +1,7 @@
|
||||||
|
+
|
||||||
|
+/usr/lib64/erlang/erts-5.8.5/bin/epmd -- gen_context(system_u:object_r:rabbitmq_epmd_exec_t,s0)
|
||||||
|
+/usr/lib64/erlang/erts-5.8.5/bin/beam.* -- gen_context(system_u:object_r:rabbitmq_beam_exec_t,s0)
|
||||||
|
+#/usr/lib64/erlang/lib/os_mon-2.2.7/priv/bin/cpu_sup -- gen_context(system_u:object_r:rabbitmq_cpu_sup_exec_t,s0)
|
||||||
|
+
|
||||||
|
+/var/log/rabbitmq(/.*)? gen_context(system_u:object_r:rabbitmq_var_log_t,s0)
|
||||||
|
+/var/lib/rabbitmq(/.*)? gen_context(system_u:object_r:rabbitmq_var_lib_t,s0)
|
||||||
|
diff --git a/policy/modules/services/rabbitmq.if b/policy/modules/services/rabbitmq.if
|
||||||
|
new file mode 100644
|
||||||
|
index 0000000..f15d8c3
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/policy/modules/services/rabbitmq.if
|
||||||
|
@@ -0,0 +1,23 @@
|
||||||
|
+
|
||||||
|
+## <summary>policy for rabbitmq</summary>
|
||||||
|
+
|
||||||
|
+
|
||||||
|
+########################################
|
||||||
|
+## <summary>
|
||||||
|
+## Transition to rabbitmq.
|
||||||
|
+## </summary>
|
||||||
|
+## <param name="domain">
|
||||||
|
+## <summary>
|
||||||
|
+## Domain allowed to transition.
|
||||||
|
+## </summary>
|
||||||
|
+## </param>
|
||||||
|
+#
|
||||||
|
+interface(`rabbitmq_domtrans',`
|
||||||
|
+ gen_require(`
|
||||||
|
+ type rabbitmq_t, rabbitmq_exec_t;
|
||||||
|
+ ')
|
||||||
|
+
|
||||||
|
+ corecmd_search_bin($1)
|
||||||
|
+ domtrans_pattern($1, rabbitmq_exec_t, rabbitmq_t)
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
diff --git a/policy/modules/services/rabbitmq.te b/policy/modules/services/rabbitmq.te
|
||||||
|
new file mode 100644
|
||||||
|
index 0000000..55aaca1
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/policy/modules/services/rabbitmq.te
|
||||||
|
@@ -0,0 +1,86 @@
|
||||||
|
+policy_module(rabbitmq, 1.0.0)
|
||||||
|
+
|
||||||
|
+########################################
|
||||||
|
+#
|
||||||
|
+# Declarations
|
||||||
|
+#
|
||||||
|
+
|
||||||
|
+type rabbitmq_epmd_t;
|
||||||
|
+type rabbitmq_epmd_exec_t;
|
||||||
|
+init_daemon_domain(rabbitmq_epmd_t, rabbitmq_epmd_exec_t)
|
||||||
|
+
|
||||||
|
+type rabbitmq_beam_t;
|
||||||
|
+type rabbitmq_beam_exec_t;
|
||||||
|
+init_daemon_domain(rabbitmq_beam_t, rabbitmq_beam_exec_t)
|
||||||
|
+
|
||||||
|
+type rabbitmq_var_lib_t;
|
||||||
|
+files_type(rabbitmq_var_lib_t)
|
||||||
|
+
|
||||||
|
+type rabbitmq_var_log_t;
|
||||||
|
+logging_log_file(rabbitmq_var_log_t)
|
||||||
|
+
|
||||||
|
+######################################
|
||||||
|
+#
|
||||||
|
+# beam local policy
|
||||||
|
+#
|
||||||
|
+
|
||||||
|
+allow rabbitmq_beam_t self:process { setsched signal signull };
|
||||||
|
+
|
||||||
|
+allow rabbitmq_beam_t self:fifo_file rw_fifo_file_perms;
|
||||||
|
+allow rabbitmq_beam_t self:tcp_socket { accept listen };
|
||||||
|
+
|
||||||
|
+manage_dirs_pattern(rabbitmq_beam_t, rabbitmq_var_lib_t, rabbitmq_var_lib_t)
|
||||||
|
+manage_files_pattern(rabbitmq_beam_t, rabbitmq_var_lib_t, rabbitmq_var_lib_t)
|
||||||
|
+
|
||||||
|
+manage_dirs_pattern(rabbitmq_beam_t, rabbitmq_var_log_t, rabbitmq_var_log_t)
|
||||||
|
+manage_files_pattern(rabbitmq_beam_t, rabbitmq_var_log_t, rabbitmq_var_log_t)
|
||||||
|
+
|
||||||
|
+can_exec(rabbitmq_beam_t, rabbitmq_beam_exec_t)
|
||||||
|
+
|
||||||
|
+kernel_read_system_state(rabbitmq_beam_t)
|
||||||
|
+
|
||||||
|
+corecmd_exec_bin(rabbitmq_beam_t)
|
||||||
|
+corecmd_exec_shell(rabbitmq_beam_t)
|
||||||
|
+
|
||||||
|
+corenet_tcp_bind_generic_node(rabbitmq_beam_t)
|
||||||
|
+corenet_udp_bind_generic_node(rabbitmq_beam_t)
|
||||||
|
+corenet_tcp_connect_all_ephemeral_ports(rabbitmq_beam_t)
|
||||||
|
+corenet_tcp_bind_amqp_port(rabbitmq_beam_t)
|
||||||
|
+corenet_tcp_connect_epmd_port(rabbitmq_beam_t)
|
||||||
|
+
|
||||||
|
+dev_read_sysfs(rabbitmq_beam_t)
|
||||||
|
+
|
||||||
|
+files_read_etc_files(rabbitmq_beam_t)
|
||||||
|
+
|
||||||
|
+miscfiles_read_localization(rabbitmq_beam_t)
|
||||||
|
+
|
||||||
|
+optional_policy(`
|
||||||
|
+ sysnet_dns_name_resolve(rabbitmq_beam_t)
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+########################################
|
||||||
|
+#
|
||||||
|
+# epmd local policy
|
||||||
|
+#
|
||||||
|
+
|
||||||
|
+domtrans_pattern(rabbitmq_beam_t, rabbitmq_epmd_exec_t, rabbitmq_epmd_t)
|
||||||
|
+
|
||||||
|
+allow rabbitmq_epmd_t self:process { signal };
|
||||||
|
+
|
||||||
|
+allow rabbitmq_epmd_t self:fifo_file rw_fifo_file_perms;
|
||||||
|
+allow rabbitmq_epmd_t self:tcp_socket create_stream_socket_perms;
|
||||||
|
+allow rabbitmq_epmd_t self:unix_stream_socket create_stream_socket_perms;
|
||||||
|
+
|
||||||
|
+# should be append
|
||||||
|
+allow rabbitmq_epmd_t rabbitmq_var_log_t:file write_file_perms;
|
||||||
|
+
|
||||||
|
+corenet_tcp_bind_generic_node(rabbitmq_epmd_t)
|
||||||
|
+corenet_udp_bind_generic_node(rabbitmq_epmd_t)
|
||||||
|
+corenet_tcp_bind_epmd_port(rabbitmq_epmd_t)
|
||||||
|
+
|
||||||
|
+files_read_etc_files(rabbitmq_epmd_t)
|
||||||
|
+
|
||||||
|
+logging_send_syslog_msg(rabbitmq_epmd_t)
|
||||||
|
+
|
||||||
|
+miscfiles_read_localization(rabbitmq_epmd_t)
|
||||||
|
+
|
||||||
diff --git a/policy/modules/services/radius.te b/policy/modules/services/radius.te
|
diff --git a/policy/modules/services/radius.te b/policy/modules/services/radius.te
|
||||||
index b1ed1bf..124971d 100644
|
index b1ed1bf..124971d 100644
|
||||||
--- a/policy/modules/services/radius.te
|
--- a/policy/modules/services/radius.te
|
||||||
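Review bot: `rabbitmq_domtrans` in the new rabbitmq.if does `gen_require` on `rabbitmq_t, rabbitmq_exec_t`, but rabbitmq.te declares only `rabbitmq_epmd_t`/`rabbitmq_beam_t` and their `_exec_t` types, so the interface names types that do not exist and any module calling it will fail to build; it should require and transition to `rabbitmq_beam_t, rabbitmq_beam_exec_t` (or the missing types need declaring). The epmd log rule is annotated `# should be append` yet grants `write_file_perms`; `allow rabbitmq_epmd_t rabbitmq_var_log_t:file append_file_perms;` matches the comment and keeps epmd from rewriting existing log content. rabbitmq.fc also pins the Erlang runtime version (`erts-5.8.5`) and the `lib64` directory, so the labels stop matching on the next erlang update or on a 32-bit install; a version-agnostic pattern such as `/usr/lib64/erlang/erts-[^/]+/bin/epmd` would be more durable, and the same applies to the beam entry.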
@ -59139,7 +59731,7 @@ index 32a3c13..7baeb6f 100644
|
|||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
diff --git a/policy/modules/services/virt.fc b/policy/modules/services/virt.fc
|
diff --git a/policy/modules/services/virt.fc b/policy/modules/services/virt.fc
|
||||||
index 2124b6a..c60a0e7 100644
|
index 2124b6a..b944b61 100644
|
||||||
--- a/policy/modules/services/virt.fc
|
--- a/policy/modules/services/virt.fc
|
||||||
+++ b/policy/modules/services/virt.fc
|
+++ b/policy/modules/services/virt.fc
|
||||||
@@ -1,5 +1,6 @@
|
@@ -1,5 +1,6 @@
|
||||||
@ -59151,7 +59743,7 @@ index 2124b6a..c60a0e7 100644
|
|||||||
HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0)
|
HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0)
|
||||||
|
|
||||||
/etc/libvirt -d gen_context(system_u:object_r:virt_etc_t,s0)
|
/etc/libvirt -d gen_context(system_u:object_r:virt_etc_t,s0)
|
||||||
@@ -12,18 +13,34 @@ HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t
|
@@ -12,18 +13,37 @@ HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t
|
||||||
/etc/xen/[^/]* -d gen_context(system_u:object_r:virt_etc_rw_t,s0)
|
/etc/xen/[^/]* -d gen_context(system_u:object_r:virt_etc_rw_t,s0)
|
||||||
/etc/xen/.*/.* gen_context(system_u:object_r:virt_etc_rw_t,s0)
|
/etc/xen/.*/.* gen_context(system_u:object_r:virt_etc_rw_t,s0)
|
||||||
|
|
||||||
@ -59189,6 +59781,9 @@ index 2124b6a..c60a0e7 100644
|
|||||||
+/var/lib/oz(/.*)? gen_context(system_u:object_r:virt_var_lib_t,s0)
|
+/var/lib/oz(/.*)? gen_context(system_u:object_r:virt_var_lib_t,s0)
|
||||||
+/var/lib/oz/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0)
|
+/var/lib/oz/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0)
|
||||||
+/var/lib/vdsm(/.*)? gen_context(system_u:object_r:virt_content_t,s0)
|
+/var/lib/vdsm(/.*)? gen_context(system_u:object_r:virt_content_t,s0)
|
||||||
|
+
|
||||||
|
+# support for nova-stack
|
||||||
|
+/usr/bin/nova-compute -- gen_context(system_u:object_r:virtd_exec_t,s0)
|
||||||
diff --git a/policy/modules/services/virt.if b/policy/modules/services/virt.if
|
diff --git a/policy/modules/services/virt.if b/policy/modules/services/virt.if
|
||||||
index 7c5d8d8..d711fd5 100644
|
index 7c5d8d8..d711fd5 100644
|
||||||
--- a/policy/modules/services/virt.if
|
--- a/policy/modules/services/virt.if
|
||||||
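Review bot: Labeling `/usr/bin/nova-compute` as `virtd_exec_t` presumably makes the nova-compute service run in the libvirt daemon's own domain, so this service inherits every permission granted to that daemon instead of getting a dedicated nova domain like the `nova_volume_t`/`nova_scheduler_t` ones elsewhere in this patch. If that is a deliberate stopgap, a comment saying so next to the entry, e.g. replacing `# support for nova-stack` with `# nova-compute shares the libvirt daemon domain until a confined nova_compute domain is complete`, would keep it from being read as the final design. Otherwise a separate exec type with its own entry point would keep nova-compute to a narrower domain.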
@ -71470,7 +72065,7 @@ index 34d0ec5..767ccbd 100644
|
|||||||
+')
|
+')
|
||||||
diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
|
diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
|
||||||
new file mode 100644
|
new file mode 100644
|
||||||
index 0000000..9eaa38e
|
index 0000000..db57bc7
|
||||||
--- /dev/null
|
--- /dev/null
|
||||||
+++ b/policy/modules/system/systemd.fc
|
+++ b/policy/modules/system/systemd.fc
|
||||||
@@ -0,0 +1,19 @@
|
@@ -0,0 +1,19 @@
|
||||||
@ -71490,8 +72085,8 @@ index 0000000..9eaa38e
|
|||||||
+/var/run/systemd/seats(/.*)? gen_context(system_u:object_r:systemd_logind_var_run_t,s0)
|
+/var/run/systemd/seats(/.*)? gen_context(system_u:object_r:systemd_logind_var_run_t,s0)
|
||||||
+/var/run/systemd/sessions(/.*)? gen_context(system_u:object_r:systemd_logind_sessions_t,s0)
|
+/var/run/systemd/sessions(/.*)? gen_context(system_u:object_r:systemd_logind_sessions_t,s0)
|
||||||
+/var/run/systemd/users(/.*)? gen_context(system_u:object_r:systemd_logind_var_run_t,s0)
|
+/var/run/systemd/users(/.*)? gen_context(system_u:object_r:systemd_logind_var_run_t,s0)
|
||||||
+/var/run/systemd/ask-password-block/[^/]* -p gen_context(system_u:object_r:systemd_device_t,s0)
|
+/var/run/systemd/ask-password-block(/.*)? gen_context(system_u:object_r:systemd_passwd_var_run_t,s0)
|
||||||
+/dev/\.systemd/ask-password-block/[^/]* -p gen_context(system_u:object_r:systemd_device_t,s0)
|
+/var/run/systemd/ask-password(/.*)? gen_context(system_u:object_r:systemd_passwd_var_run_t,s0)
|
||||||
+/var/run/initramfs(/.*)? <<none>>
|
+/var/run/initramfs(/.*)? <<none>>
|
||||||
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
|
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
|
||||||
new file mode 100644
|
new file mode 100644
|
||||||
@ -71979,10 +72574,10 @@ index 0000000..f642930
|
|||||||
+
|
+
|
||||||
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
|
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
|
||||||
new file mode 100644
|
new file mode 100644
|
||||||
index 0000000..3e5e632
|
index 0000000..a906f40
|
||||||
--- /dev/null
|
--- /dev/null
|
||||||
+++ b/policy/modules/system/systemd.te
|
+++ b/policy/modules/system/systemd.te
|
||||||
@@ -0,0 +1,371 @@
|
@@ -0,0 +1,369 @@
|
||||||
+policy_module(systemd, 1.0.0)
|
+policy_module(systemd, 1.0.0)
|
||||||
+
|
+
|
||||||
+#######################################
|
+#######################################
|
||||||
@ -72017,6 +72612,9 @@ index 0000000..3e5e632
|
|||||||
+type systemd_passwd_agent_exec_t;
|
+type systemd_passwd_agent_exec_t;
|
||||||
+init_daemon_domain(systemd_passwd_agent_t, systemd_passwd_agent_exec_t)
|
+init_daemon_domain(systemd_passwd_agent_t, systemd_passwd_agent_exec_t)
|
||||||
+
|
+
|
||||||
|
+type systemd_passwd_var_run_t alias systemd_device_t;
|
||||||
|
+files_pid_file(systemd_passwd_var_run_t)
|
||||||
|
+
|
||||||
+# domain for systemd-tmpfiles component
|
+# domain for systemd-tmpfiles component
|
||||||
+type systemd_tmpfiles_t;
|
+type systemd_tmpfiles_t;
|
||||||
+type systemd_tmpfiles_exec_t;
|
+type systemd_tmpfiles_exec_t;
|
||||||
@ -72034,13 +72632,6 @@ index 0000000..3e5e632
|
|||||||
+type systemd_systemctl_exec_t;
|
+type systemd_systemctl_exec_t;
|
||||||
+corecmd_executable_file(systemd_systemctl_exec_t)
|
+corecmd_executable_file(systemd_systemctl_exec_t)
|
||||||
+
|
+
|
||||||
+#
|
|
||||||
+# Type for systemd pipes in /dev/.systemd/ directory
|
|
||||||
+#
|
|
||||||
+type systemd_device_t;
|
|
||||||
+files_type(systemd_device_t)
|
|
||||||
+dev_associate(systemd_device_t)
|
|
||||||
+
|
|
||||||
+#######################################
|
+#######################################
|
||||||
+#
|
+#
|
||||||
+# Systemd_logind local policy
|
+# Systemd_logind local policy
|
||||||
@ -72097,6 +72688,8 @@ index 0000000..3e5e632
|
|||||||
+dbus_system_bus_client(systemd_logind_t)
|
+dbus_system_bus_client(systemd_logind_t)
|
||||||
+
|
+
|
||||||
+init_dbus_chat(systemd_logind_t)
|
+init_dbus_chat(systemd_logind_t)
|
||||||
|
+init_dbus_chat_script(systemd_logind_t)
|
||||||
|
+init_read_script_state(systemd_logind_t)
|
||||||
+init_read_state(systemd_logind_t)
|
+init_read_state(systemd_logind_t)
|
||||||
+
|
+
|
||||||
+logging_send_syslog_msg(systemd_logind_t)
|
+logging_send_syslog_msg(systemd_logind_t)
|
||||||
@ -72136,9 +72729,9 @@ index 0000000..3e5e632
|
|||||||
+allow systemd_passwd_agent_t self:process { setfscreate setsockcreate signal };
|
+allow systemd_passwd_agent_t self:process { setfscreate setsockcreate signal };
|
||||||
+allow systemd_passwd_agent_t self:unix_dgram_socket create_socket_perms;
|
+allow systemd_passwd_agent_t self:unix_dgram_socket create_socket_perms;
|
||||||
+
|
+
|
||||||
+allow systemd_passwd_agent_t systemd_device_t:fifo_file manage_fifo_file_perms;
|
+manage_dirs_pattern(systemd_passwd_agent_t, systemd_passwd_var_run_t, systemd_passwd_var_run_t);
|
||||||
+dev_filetrans(systemd_passwd_agent_t, systemd_device_t, fifo_file)
|
+manage_fifo_files_pattern(systemd_passwd_agent_t, systemd_passwd_var_run_t, systemd_passwd_var_run_t);
|
||||||
+init_pid_filetrans(systemd_passwd_agent_t, systemd_device_t, fifo_file)
|
+init_pid_filetrans(systemd_passwd_agent_t, systemd_passwd_var_run_t, { dir fifo_file })
|
||||||
+
|
+
|
||||||
+kernel_stream_connect(systemd_passwd_agent_t)
|
+kernel_stream_connect(systemd_passwd_agent_t)
|
||||||
+
|
+
|
||||||
|
@ -17,7 +17,7 @@
|
|||||||
Summary: SELinux policy configuration
|
Summary: SELinux policy configuration
|
||||||
Name: selinux-policy
|
Name: selinux-policy
|
||||||
Version: 3.10.0
|
Version: 3.10.0
|
||||||
Release: 41%{?dist}
|
Release: 43%{?dist}
|
||||||
License: GPLv2+
|
License: GPLv2+
|
||||||
Group: System Environment/Base
|
Group: System Environment/Base
|
||||||
Source: serefpolicy-%{version}.tgz
|
Source: serefpolicy-%{version}.tgz
|
||||||
@ -482,6 +482,12 @@ SELinux Reference policy mls base module.
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Wed Oct 19 2011 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-43
|
||||||
|
- Add policies for nova openstack
|
||||||
|
|
||||||
|
* Mon Oct 18 2011 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-42
|
||||||
|
- Add fixes for nova-stack policy
|
||||||
|
|
||||||
* Mon Oct 18 2011 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-41
|
* Mon Oct 18 2011 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-41
|
||||||
- Allow svirt_lxc_domain to chr_file and blk_file devices if they are in the domain
|
- Allow svirt_lxc_domain to chr_file and blk_file devices if they are in the domain
|
||||||
- Allow init process to setrlimit on itself
|
- Allow init process to setrlimit on itself
|
||||||