Add labeling for puppet helper scripts
parent
1aabaf6c8d
commit
e0b675d7b3
@ -23695,10 +23695,10 @@ index 0000000..1048292
|
||||
+')
|
||||
diff --git a/docker.te b/docker.te
|
||||
new file mode 100644
|
||||
index 0000000..d30d730
|
||||
index 0000000..d5a606c
|
||||
--- /dev/null
|
||||
+++ b/docker.te
|
||||
@@ -0,0 +1,263 @@
|
||||
@@ -0,0 +1,266 @@
|
||||
+policy_module(docker, 1.0.0)
|
||||
+
|
||||
+########################################
|
||||
@ -23843,6 +23843,7 @@ index 0000000..d30d730
|
||||
+auth_use_nsswitch(docker_t)
|
||||
+
|
||||
+init_read_state(docker_t)
|
||||
+init_status(docker_t)
|
||||
+
|
||||
+logging_send_audit_msgs(docker_t)
|
||||
+logging_send_syslog_msg(docker_t)
|
||||
@ -23923,6 +23924,8 @@ index 0000000..d30d730
|
||||
+
|
||||
+modutils_domtrans_insmod(docker_t)
|
||||
+
|
||||
+systemd_status_all_unit_files(docker_t)
|
||||
+
|
||||
+userdom_stream_connect(docker_t)
|
||||
+userdom_search_user_home_content(docker_t)
|
||||
+
|
||||
@ -27832,10 +27835,10 @@ index 0000000..04e159f
|
||||
+')
|
||||
diff --git a/gear.te b/gear.te
|
||||
new file mode 100644
|
||||
index 0000000..6c32f79
|
||||
index 0000000..e6a1c7c
|
||||
--- /dev/null
|
||||
+++ b/gear.te
|
||||
@@ -0,0 +1,94 @@
|
||||
@@ -0,0 +1,101 @@
|
||||
+policy_module(gear, 1.0.0)
|
||||
+
|
||||
+########################################
|
||||
@ -27863,6 +27866,8 @@ index 0000000..6c32f79
|
||||
+#
|
||||
+# gear local policy
|
||||
+#
|
||||
+allow gear_t self:capability chown;
|
||||
+allow gear_t self:capability2 block_suspend;
|
||||
+allow gear_t self:process { getattr signal_perms };
|
||||
+allow gear_t self:fifo_file rw_fifo_file_perms;
|
||||
+allow gear_t self:unix_stream_socket create_stream_socket_perms;
|
||||
@ -27894,6 +27899,7 @@ index 0000000..6c32f79
|
||||
+kernel_rw_net_sysctls(gear_t)
|
||||
+
|
||||
+domain_use_interactive_fds(gear_t)
|
||||
+domain_read_all_domains_state(gear_t)
|
||||
+
|
||||
+corecmd_exec_bin(gear_t)
|
||||
+corecmd_exec_shell(gear_t)
|
||||
@ -27914,6 +27920,8 @@ index 0000000..6c32f79
|
||||
+init_read_state(gear_t)
|
||||
+init_dbus_chat(gear_t)
|
||||
+
|
||||
+iptables_domtrans(gear_t)
|
||||
+
|
||||
+logging_send_audit_msgs(gear_t)
|
||||
+logging_send_syslog_msg(gear_t)
|
||||
+
|
||||
@ -27925,6 +27933,8 @@ index 0000000..6c32f79
|
||||
+
|
||||
+sysnet_dns_name_resolve(gear_t)
|
||||
+
|
||||
+sysnet_domtrans_ifconfig(gear_t)
|
||||
+
|
||||
+systemd_manage_all_unit_files(gear_t)
|
||||
+
|
||||
+optional_policy(`
|
||||
@ -69391,7 +69401,7 @@ index 6643b49..1d2470f 100644
|
||||
|
||||
optional_policy(`
|
||||
diff --git a/puppet.fc b/puppet.fc
|
||||
index d68e26d..f734388 100644
|
||||
index d68e26d..cad91e2 100644
|
||||
--- a/puppet.fc
|
||||
+++ b/puppet.fc
|
||||
@@ -1,18 +1,20 @@
|
||||
@ -69407,8 +69417,8 @@ index d68e26d..f734388 100644
|
||||
-/usr/bin/puppetd -- gen_context(system_u:object_r:puppet_exec_t,s0)
|
||||
-/usr/bin/puppetmasterd -- gen_context(system_u:object_r:puppetmaster_exec_t,s0)
|
||||
+#helper scripts
|
||||
+/usr/bin/puppet-agent -- gen_context(system_u:object_r:puppetagent_exec_t,s0)
|
||||
+/usr/bin/puppet-master -- gen_context(system_u:object_r:puppetmaster_exec_t,s0)
|
||||
+/usr/bin/start-puppet-agent -- gen_context(system_u:object_r:puppetagent_exec_t,s0)
|
||||
+/usr/bin/start-puppet-master -- gen_context(system_u:object_r:puppetmaster_exec_t,s0)
|
||||
|
||||
-/usr/sbin/puppetca -- gen_context(system_u:object_r:puppetca_exec_t,s0)
|
||||
-/usr/sbin/puppetd -- gen_context(system_u:object_r:puppet_exec_t,s0)
|
||||
|
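Review bot: The title covers only the puppet.fc labelling, but the hunk headers show this commit also growing docker.te (263 to 266 lines) and gear.te (94 to 101 lines), and the rendered page no longer marks which of the listed rules are new. The gear.te hunks contain broad grants for a container-management domain: `systemd_manage_all_unit_files(gear_t)`, `domain_read_all_domains_state(gear_t)`, `iptables_domtrans(gear_t)`, `sysnet_domtrans_ifconfig(gear_t)` and `allow gear_t self:capability chown;`. Whichever of them this commit adds should be named in the commit message together with the denial that motivated it. I would also put a one-line why-comment above each new rule, for example `# gear rewrites firewall rules for container port mappings` above the iptables transition if that is the reason, and check whether managing all unit files can be narrowed to a gear-owned unit file type. In puppet.fc the `start-puppet-agent` and `start-puppet-master` wrappers receive the same entrypoint types as the daemons, so it is worth confirming that those scripts are root-owned and not writable by any less-privileged domain.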