Add labeling for puppet helper scripts
This commit is contained in:
Miroslav Grepl
parent
1aabaf6c8d
commit
e0b675d7b3
@ -23695,10 +23695,10 @@ index 0000000..1048292
|
|||||||
+')
|
+')
|
||||||
diff --git a/docker.te b/docker.te
|
diff --git a/docker.te b/docker.te
|
||||||
new file mode 100644
|
new file mode 100644
|
||||||
index 0000000..d30d730
|
index 0000000..d5a606c
|
||||||
--- /dev/null
|
--- /dev/null
|
||||||
+++ b/docker.te
|
+++ b/docker.te
|
||||||
@@ -0,0 +1,263 @@
|
@@ -0,0 +1,266 @@
|
||||||
+policy_module(docker, 1.0.0)
|
+policy_module(docker, 1.0.0)
|
||||||
+
|
+
|
||||||
+########################################
|
+########################################
|
||||||
@ -23843,6 +23843,7 @@ index 0000000..d30d730
|
|||||||
+auth_use_nsswitch(docker_t)
|
+auth_use_nsswitch(docker_t)
|
||||||
+
|
+
|
||||||
+init_read_state(docker_t)
|
+init_read_state(docker_t)
|
||||||
|
+init_status(docker_t)
|
||||||
+
|
+
|
||||||
+logging_send_audit_msgs(docker_t)
|
+logging_send_audit_msgs(docker_t)
|
||||||
+logging_send_syslog_msg(docker_t)
|
+logging_send_syslog_msg(docker_t)
|
||||||
@ -23923,6 +23924,8 @@ index 0000000..d30d730
|
|||||||
+
|
+
|
||||||
+modutils_domtrans_insmod(docker_t)
|
+modutils_domtrans_insmod(docker_t)
|
||||||
+
|
+
|
||||||
|
+systemd_status_all_unit_files(docker_t)
|
||||||
|
+
|
||||||
+userdom_stream_connect(docker_t)
|
+userdom_stream_connect(docker_t)
|
||||||
+userdom_search_user_home_content(docker_t)
|
+userdom_search_user_home_content(docker_t)
|
||||||
+
|
+
|
||||||
@ -27832,10 +27835,10 @@ index 0000000..04e159f
|
|||||||
+')
|
+')
|
||||||
diff --git a/gear.te b/gear.te
|
diff --git a/gear.te b/gear.te
|
||||||
new file mode 100644
|
new file mode 100644
|
||||||
index 0000000..6c32f79
|
index 0000000..e6a1c7c
|
||||||
--- /dev/null
|
--- /dev/null
|
||||||
+++ b/gear.te
|
+++ b/gear.te
|
||||||
@@ -0,0 +1,94 @@
|
@@ -0,0 +1,101 @@
|
||||||
+policy_module(gear, 1.0.0)
|
+policy_module(gear, 1.0.0)
|
||||||
+
|
+
|
||||||
+########################################
|
+########################################
|
||||||
@ -27863,6 +27866,8 @@ index 0000000..6c32f79
|
|||||||
+#
|
+#
|
||||||
+# gear local policy
|
+# gear local policy
|
||||||
+#
|
+#
|
||||||
|
+allow gear_t self:capability chown;
|
||||||
|
+allow gear_t self:capability2 block_suspend;
|
||||||
+allow gear_t self:process { getattr signal_perms };
|
+allow gear_t self:process { getattr signal_perms };
|
||||||
+allow gear_t self:fifo_file rw_fifo_file_perms;
|
+allow gear_t self:fifo_file rw_fifo_file_perms;
|
||||||
+allow gear_t self:unix_stream_socket create_stream_socket_perms;
|
+allow gear_t self:unix_stream_socket create_stream_socket_perms;
|
||||||
@ -27894,6 +27899,7 @@ index 0000000..6c32f79
|
|||||||
+kernel_rw_net_sysctls(gear_t)
|
+kernel_rw_net_sysctls(gear_t)
|
||||||
+
|
+
|
||||||
+domain_use_interactive_fds(gear_t)
|
+domain_use_interactive_fds(gear_t)
|
||||||
|
+domain_read_all_domains_state(gear_t)
|
||||||
+
|
+
|
||||||
+corecmd_exec_bin(gear_t)
|
+corecmd_exec_bin(gear_t)
|
||||||
+corecmd_exec_shell(gear_t)
|
+corecmd_exec_shell(gear_t)
|
||||||
@ -27914,6 +27920,8 @@ index 0000000..6c32f79
|
|||||||
+init_read_state(gear_t)
|
+init_read_state(gear_t)
|
||||||
+init_dbus_chat(gear_t)
|
+init_dbus_chat(gear_t)
|
||||||
+
|
+
|
||||||
|
+iptables_domtrans(gear_t)
|
||||||
|
+
|
||||||
+logging_send_audit_msgs(gear_t)
|
+logging_send_audit_msgs(gear_t)
|
||||||
+logging_send_syslog_msg(gear_t)
|
+logging_send_syslog_msg(gear_t)
|
||||||
+
|
+
|
||||||
@ -27925,6 +27933,8 @@ index 0000000..6c32f79
|
|||||||
+
|
+
|
||||||
+sysnet_dns_name_resolve(gear_t)
|
+sysnet_dns_name_resolve(gear_t)
|
||||||
+
|
+
|
||||||
|
+sysnet_domtrans_ifconfig(gear_t)
|
||||||
|
+
|
||||||
+systemd_manage_all_unit_files(gear_t)
|
+systemd_manage_all_unit_files(gear_t)
|
||||||
+
|
+
|
||||||
+optional_policy(`
|
+optional_policy(`
|
||||||
@ -69391,7 +69401,7 @@ index 6643b49..1d2470f 100644
|
|||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
diff --git a/puppet.fc b/puppet.fc
|
diff --git a/puppet.fc b/puppet.fc
|
||||||
index d68e26d..f734388 100644
|
index d68e26d..cad91e2 100644
|
||||||
--- a/puppet.fc
|
--- a/puppet.fc
|
||||||
+++ b/puppet.fc
|
+++ b/puppet.fc
|
||||||
@@ -1,18 +1,20 @@
|
@@ -1,18 +1,20 @@
|
||||||
@ -69407,8 +69417,8 @@ index d68e26d..f734388 100644
|
|||||||
-/usr/bin/puppetd -- gen_context(system_u:object_r:puppet_exec_t,s0)
|
-/usr/bin/puppetd -- gen_context(system_u:object_r:puppet_exec_t,s0)
|
||||||
-/usr/bin/puppetmasterd -- gen_context(system_u:object_r:puppetmaster_exec_t,s0)
|
-/usr/bin/puppetmasterd -- gen_context(system_u:object_r:puppetmaster_exec_t,s0)
|
||||||
+#helper scripts
|
+#helper scripts
|
||||||
+/usr/bin/puppet-agent -- gen_context(system_u:object_r:puppetagent_exec_t,s0)
|
+/usr/bin/start-puppet-agent -- gen_context(system_u:object_r:puppetagent_exec_t,s0)
|
||||||
+/usr/bin/puppet-master -- gen_context(system_u:object_r:puppetmaster_exec_t,s0)
|
+/usr/bin/start-puppet-master -- gen_context(system_u:object_r:puppetmaster_exec_t,s0)
|
||||||
|
|
||||||
-/usr/sbin/puppetca -- gen_context(system_u:object_r:puppetca_exec_t,s0)
|
-/usr/sbin/puppetca -- gen_context(system_u:object_r:puppetca_exec_t,s0)
|
||||||
-/usr/sbin/puppetd -- gen_context(system_u:object_r:puppet_exec_t,s0)
|
-/usr/sbin/puppetd -- gen_context(system_u:object_r:puppet_exec_t,s0)
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user