basebuilder_pel7ppc64bebuilder0
6 years ago
15 changed files with 521729 additions and 79 deletions
@ -0,0 +1,29 @@
@@ -0,0 +1,29 @@
|
||||
diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if |
||||
index 2afd2f6..2fc80d1 100644 |
||||
--- a/policy/modules/kernel/filesystem.if |
||||
+++ b/policy/modules/kernel/filesystem.if |
||||
@@ -2633,6 +2633,24 @@ interface(`fs_rw_hugetlbfs_files',` |
||||
|
||||
######################################## |
||||
## <summary> |
||||
+## Manage hugetlbfs files. |
||||
+## </summary> |
||||
+## <param name="domain"> |
||||
+## <summary> |
||||
+## Domain allowed access. |
||||
+## </summary> |
||||
+## </param> |
||||
+# |
||||
+interface(`fs_manage_hugetlbfs_files',` |
||||
+ gen_require(` |
||||
+ type hugetlbfs_t; |
||||
+ ') |
||||
+ |
||||
+ manage_files_pattern($1, hugetlbfs_t, hugetlbfs_t) |
||||
+') |
||||
+ |
||||
+######################################## |
||||
+## <summary> |
||||
## Execute hugetlbfs files. |
||||
## </summary> |
||||
## <param name="domain"> |
@ -0,0 +1,222 @@
@@ -0,0 +1,222 @@
|
||||
diff --git a/ctdb.if b/ctdb.if |
||||
index 6b7d687..06895f3 100644 |
||||
--- a/ctdb.if |
||||
+++ b/ctdb.if |
||||
@@ -55,6 +55,23 @@ interface(`ctdbd_signal',` |
||||
allow $1 ctdbd_t:process signal; |
||||
') |
||||
|
||||
+####################################### |
||||
+## <summary> |
||||
+## Allow domain to sigchld ctdbd. |
||||
+## </summary> |
||||
+## <param name="domain"> |
||||
+## <summary> |
||||
+## Domain allowed access. |
||||
+## </summary> |
||||
+## </param> |
||||
+# |
||||
+interface(`ctdbd_sigchld',` |
||||
+ gen_require(` |
||||
+ type ctdbd_t; |
||||
+ ') |
||||
+ allow $1 ctdbd_t:process sigchld; |
||||
+') |
||||
+ |
||||
######################################## |
||||
## <summary> |
||||
## Read ctdbd's log files. |
||||
diff --git a/glusterd.fc b/glusterd.fc |
||||
index 8c8c6c9..52b4110 100644 |
||||
--- a/glusterd.fc |
||||
+++ b/glusterd.fc |
||||
@@ -6,13 +6,17 @@ |
||||
/usr/sbin/glusterd -- gen_context(system_u:object_r:glusterd_initrc_exec_t,s0) |
||||
/usr/sbin/glusterfsd -- gen_context(system_u:object_r:glusterd_exec_t,s0) |
||||
|
||||
+/usr/bin/ganesha.nfsd -- gen_context(system_u:object_r:glusterd_exec_t,s0) |
||||
+ |
||||
/opt/glusterfs/[^/]+/sbin/glusterfsd -- gen_context(system_u:object_r:glusterd_exec_t,s0) |
||||
|
||||
/var/lib/glusterd(/.*)? gen_context(system_u:object_r:glusterd_var_lib_t,s0) |
||||
|
||||
/var/log/glusterfs(/.*)? gen_context(system_u:object_r:glusterd_log_t,s0) |
||||
+/var/log/ganesha.log -- gen_context(system_u:object_r:glusterd_log_t,s0) |
||||
|
||||
/var/run/gluster(/.*)? gen_context(system_u:object_r:glusterd_var_run_t,s0) |
||||
/var/run/glusterd(/.*)? gen_context(system_u:object_r:glusterd_var_run_t,s0) |
||||
/var/run/glusterd.* -- gen_context(system_u:object_r:glusterd_var_run_t,s0) |
||||
/var/run/glusterd.* -s gen_context(system_u:object_r:glusterd_var_run_t,s0) |
||||
+/var/run/ganesha.* -- gen_context(system_u:object_r:glusterd_var_run_t,s0) |
||||
diff --git a/glusterd.te b/glusterd.te |
||||
index b974353..0c149cd 100644 |
||||
--- a/glusterd.te |
||||
+++ b/glusterd.te |
||||
@@ -62,7 +62,7 @@ files_type(glusterd_brick_t) |
||||
allow glusterd_t self:capability { sys_admin sys_resource sys_ptrace dac_override chown dac_read_search fowner fsetid kill setgid setuid net_admin mknod net_raw }; |
||||
|
||||
allow glusterd_t self:capability2 block_suspend; |
||||
-allow glusterd_t self:process { getcap setcap setrlimit signal_perms setsched getsched }; |
||||
+allow glusterd_t self:process { getcap setcap setrlimit signal_perms setsched getsched setfscreate}; |
||||
allow glusterd_t self:sem create_sem_perms; |
||||
allow glusterd_t self:fifo_file rw_fifo_file_perms; |
||||
allow glusterd_t self:tcp_socket { accept listen }; |
||||
@@ -81,10 +81,8 @@ files_tmp_filetrans(glusterd_t, glusterd_tmp_t, { dir file sock_file }) |
||||
allow glusterd_t glusterd_tmp_t:dir mounton; |
||||
|
||||
manage_dirs_pattern(glusterd_t, glusterd_log_t, glusterd_log_t) |
||||
-append_files_pattern(glusterd_t, glusterd_log_t, glusterd_log_t) |
||||
-create_files_pattern(glusterd_t, glusterd_log_t, glusterd_log_t) |
||||
-setattr_files_pattern(glusterd_t, glusterd_log_t, glusterd_log_t) |
||||
-logging_log_filetrans(glusterd_t, glusterd_log_t, dir) |
||||
+manage_files_pattern(glusterd_t, glusterd_log_t, glusterd_log_t) |
||||
+logging_log_filetrans(glusterd_t, glusterd_log_t, { file dir }) |
||||
|
||||
manage_dirs_pattern(glusterd_t, glusterd_var_run_t, glusterd_var_run_t) |
||||
manage_files_pattern(glusterd_t, glusterd_var_run_t, glusterd_var_run_t) |
||||
@@ -240,12 +238,21 @@ optional_policy(` |
||||
optional_policy(` |
||||
policykit_dbus_chat(glusterd_t) |
||||
') |
||||
+ |
||||
+ optional_policy(` |
||||
+ unconfined_dbus_chat(glusterd_t) |
||||
+ ') |
||||
') |
||||
|
||||
optional_policy(` |
||||
hostname_exec(glusterd_t) |
||||
') |
||||
|
||||
+ |
||||
+optional_policy(` |
||||
+ kerberos_read_keytab(glusterd_t) |
||||
+') |
||||
+ |
||||
optional_policy(` |
||||
lvm_domtrans(glusterd_t) |
||||
') |
||||
@@ -281,6 +288,7 @@ optional_policy(` |
||||
rpc_domtrans_nfsd(glusterd_t) |
||||
rpc_domtrans_rpcd(glusterd_t) |
||||
rpc_manage_nfs_state_data(glusterd_t) |
||||
+ rpcbind_stream_connect(glusterd_t) |
||||
') |
||||
|
||||
optional_policy(` |
||||
diff --git a/openvswitch.te b/openvswitch.te |
||||
index 1b606d8..2d00be4 100644 |
||||
--- a/openvswitch.te |
||||
+++ b/openvswitch.te |
||||
@@ -32,7 +32,7 @@ systemd_unit_file(openvswitch_unit_file_t) |
||||
# openvswitch local policy |
||||
# |
||||
|
||||
-allow openvswitch_t self:capability { net_admin ipc_lock sys_module sys_nice sys_resource }; |
||||
+allow openvswitch_t self:capability { net_admin ipc_lock sys_module sys_nice sys_rawio sys_resource }; |
||||
allow openvswitch_t self:capability2 block_suspend; |
||||
allow openvswitch_t self:process { fork setsched setrlimit signal }; |
||||
allow openvswitch_t self:fifo_file rw_fifo_file_perms; |
||||
@@ -92,6 +92,8 @@ files_read_kernel_modules(openvswitch_t) |
||||
|
||||
fs_getattr_all_fs(openvswitch_t) |
||||
fs_search_cgroup_dirs(openvswitch_t) |
||||
+fs_manage_hugetlbfs_files(openvswitch_t) |
||||
+fs_manage_hugetlbfs_dirs(openvswitch_t) |
||||
|
||||
auth_use_nsswitch(openvswitch_t) |
||||
|
||||
diff --git a/rhcs.te b/rhcs.te |
||||
index 2c7b543..e55c17b 100644 |
||||
--- a/rhcs.te |
||||
+++ b/rhcs.te |
||||
@@ -319,6 +319,7 @@ optional_policy(` |
||||
rpc_domtrans_nfsd(cluster_t) |
||||
rpc_domtrans_rpcd(cluster_t) |
||||
rpc_manage_nfs_state_data(cluster_t) |
||||
+ rpc_filetrans_var_lib_nfs_content(cluster_t) |
||||
') |
||||
|
||||
optional_policy(` |
||||
diff --git a/rpc.if b/rpc.if |
||||
index 50f25de..4f3c2b9 100644 |
||||
--- a/rpc.if |
||||
+++ b/rpc.if |
||||
@@ -424,6 +424,24 @@ interface(`rpc_rw_gssd_keys',` |
||||
allow $1 gssd_t:key { read search setattr view write }; |
||||
') |
||||
|
||||
+######################################## |
||||
+## <summary> |
||||
+## Transition to alsa named content |
||||
+## </summary> |
||||
+## <param name="domain"> |
||||
+## <summary> |
||||
+## Domain allowed access. |
||||
+## </summary> |
||||
+## </param> |
||||
+# |
||||
+interface(`rpc_filetrans_var_lib_nfs_content',` |
||||
+ gen_require(` |
||||
+ type var_lib_nfs_t; |
||||
+ ') |
||||
+ |
||||
+ files_var_lib_filetrans($1, var_lib_nfs_t, lnk_file, "nfs") |
||||
+') |
||||
+ |
||||
####################################### |
||||
## <summary> |
||||
## All of the rules required to |
||||
diff --git a/rpc.te b/rpc.te |
||||
index 876a4e7..7f491b0 100644 |
||||
--- a/rpc.te |
||||
+++ b/rpc.te |
||||
@@ -21,6 +21,13 @@ gen_tunable(gssd_read_tmp, true) |
||||
## </desc> |
||||
gen_tunable(nfsd_anon_write, false) |
||||
|
||||
+## <desc> |
||||
+## <p> |
||||
+## Allow rpcd_t to manage fuse files |
||||
+## </p> |
||||
+## </desc> |
||||
+gen_tunable(rpcd_use_fusefs, false) |
||||
+ |
||||
attribute rpc_domain; |
||||
|
||||
type exports_t; |
||||
@@ -135,6 +142,8 @@ manage_dirs_pattern(rpcd_t, rpcd_var_run_t, rpcd_var_run_t) |
||||
manage_files_pattern(rpcd_t, rpcd_var_run_t, rpcd_var_run_t) |
||||
files_pid_filetrans(rpcd_t, rpcd_var_run_t, { file dir }) |
||||
|
||||
+read_lnk_files_pattern(rpcd_t, var_lib_nfs_t, var_lib_nfs_t) |
||||
+ |
||||
# rpc.statd executes sm-notify |
||||
can_exec(rpcd_t, rpcd_exec_t) |
||||
|
||||
@@ -171,6 +180,13 @@ miscfiles_read_generic_certs(rpcd_t) |
||||
userdom_signal_unpriv_users(rpcd_t) |
||||
userdom_read_user_home_content_files(rpcd_t) |
||||
|
||||
+tunable_policy(`rpcd_use_fusefs',` |
||||
+ fs_manage_fusefs_dirs(rpcd_t) |
||||
+ fs_manage_fusefs_files(rpcd_t) |
||||
+ fs_read_fusefs_symlinks(rpcd_t) |
||||
+ fs_getattr_fusefs(rpcd_t) |
||||
+') |
||||
+ |
||||
ifdef(`distro_debian',` |
||||
term_dontaudit_use_unallocated_ttys(rpcd_t) |
||||
') |
||||
diff --git a/samba.te b/samba.te |
||||
index bf7a710..aac4015 100644 |
||||
--- a/samba.te |
||||
+++ b/samba.te |
||||
@@ -726,6 +726,7 @@ userdom_use_inherited_user_terminals(smbcontrol_t) |
||||
|
||||
optional_policy(` |
||||
ctdbd_stream_connect(smbcontrol_t) |
||||
+ ctdbd_sigchld(smbcontrol_t) |
||||
') |
||||
|
||||
######################################## |
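Review bot: Labeling `/usr/bin/ganesha.nfsd` as `glusterd_exec_t` in the glusterd.fc hunk (with its log and pid files typed into the glusterd types) folds the NFS-Ganesha server into the `glusterd_t` domain, so a network-facing daemon inherits everything that domain already holds, including the `sys_admin sys_ptrace dac_override net_admin` capability set at the top of the glusterd.te hunk plus the newly added `setfscreate` and `unconfined_dbus_chat(glusterd_t)`; a dedicated ganesha domain, or at least a comment stating why one shared domain is acceptable, would keep this closer to least privilege. The same glusterd.te hunk replaces the append/create/setattr log rules with `manage_files_pattern(glusterd_t, glusterd_log_t, glusterd_log_t)`, which also lets the domain delete and rewrite its own logs; if ganesha only needs to append, the narrower pattern preserves log integrity. Separately, the new `rpc_filetrans_var_lib_nfs_content` interface in rpc.if carries a copy-pasted summary, `## Transition to alsa named content`, which should read `## Create a symbolic link named "nfs" in /var/lib labeled var_lib_nfs_t.`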
@ -0,0 +1,13 @@
@@ -0,0 +1,13 @@
|
||||
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in |
||||
index 9d2c142..1c0ed36 100644 |
||||
--- a/policy/modules/kernel/corenetwork.te.in |
||||
+++ b/policy/modules/kernel/corenetwork.te.in |
||||
@@ -172,7 +172,7 @@ network_port(giftd, tcp,1213,s0) |
||||
network_port(git, tcp,9418,s0, udp,9418,s0) |
||||
network_port(glance, tcp,9292,s0, udp,9292,s0) |
||||
network_port(glance_registry, tcp,9191,s0, udp,9191,s0) |
||||
-network_port(gluster, tcp,24007-24027,s0, tcp, 38465-38469,s0) |
||||
+network_port(gluster, tcp,24007-24027,s0, udp,24007-24027,s0, tcp, 38465-38469,s0) |
||||
network_port(gopher, tcp,70,s0, udp,70,s0) |
||||
network_port(gpsd, tcp,2947,s0) |
||||
network_port(hadoop_datanode, tcp,50010,s0) |
@ -0,0 +1,198 @@
@@ -0,0 +1,198 @@
|
||||
diff --git a/ctdb.te b/ctdb.te |
||||
index 47199aa..ac0508e 100644 |
||||
--- a/ctdb.te |
||||
+++ b/ctdb.te |
||||
@@ -97,9 +97,12 @@ corenet_udp_bind_ctdb_port(ctdbd_t) |
||||
corenet_tcp_bind_smbd_port(ctdbd_t) |
||||
corenet_tcp_connect_ctdb_port(ctdbd_t) |
||||
corenet_tcp_sendrecv_ctdb_port(ctdbd_t) |
||||
+corenet_tcp_connect_gluster_port(ctdbd_t) |
||||
+corenet_tcp_connect_nfs_port(ctdbd_t) |
||||
|
||||
corecmd_exec_bin(ctdbd_t) |
||||
corecmd_exec_shell(ctdbd_t) |
||||
+corecmd_getattr_all_executables(ctdbd_t) |
||||
|
||||
dev_read_sysfs(ctdbd_t) |
||||
dev_read_urand(ctdbd_t) |
||||
@@ -131,6 +134,12 @@ optional_policy(` |
||||
') |
||||
|
||||
optional_policy(` |
||||
+ rpc_domtrans_rpcd(ctdbd_t) |
||||
+ rpc_manage_nfs_state_data_dir(ctdbd_t) |
||||
+ rpc_read_nfs_state_data(ctdbd_t) |
||||
+') |
||||
+ |
||||
+optional_policy(` |
||||
samba_signull_smbd(ctdbd_t) |
||||
samba_initrc_domtrans(ctdbd_t) |
||||
samba_domtrans_net(ctdbd_t) |
||||
diff --git a/glusterd.fc b/glusterd.fc |
||||
index 52b4110..a3633cd 100644 |
||||
--- a/glusterd.fc |
||||
+++ b/glusterd.fc |
||||
@@ -6,6 +6,13 @@ |
||||
/usr/sbin/glusterd -- gen_context(system_u:object_r:glusterd_initrc_exec_t,s0) |
||||
/usr/sbin/glusterfsd -- gen_context(system_u:object_r:glusterd_exec_t,s0) |
||||
|
||||
+/usr/sbin/glustereventsd -- gen_context(system_u:object_r:glusterd_exec_t,s0) |
||||
+/usr/sbin/gluster-eventsapi -- gen_context(system_u:object_r:glusterd_exec_t,s0) |
||||
+ |
||||
+ |
||||
+/usr/libexec/glusterfs/peer_eventsapi.py -- gen_context(system_u:object_r:glusterd_exec_t,s0) |
||||
+/usr/libexec/glusterfs/events/glustereventsd.py -- gen_context(system_u:object_r:glusterd_exec_t,s0) |
||||
+ |
||||
/usr/bin/ganesha.nfsd -- gen_context(system_u:object_r:glusterd_exec_t,s0) |
||||
|
||||
/opt/glusterfs/[^/]+/sbin/glusterfsd -- gen_context(system_u:object_r:glusterd_exec_t,s0) |
||||
diff --git a/glusterd.te b/glusterd.te |
||||
index 48811e2..a8877f7 100644 |
||||
--- a/glusterd.te |
||||
+++ b/glusterd.te |
||||
@@ -59,7 +59,7 @@ files_type(glusterd_brick_t) |
||||
# Local policy |
||||
# |
||||
|
||||
-allow glusterd_t self:capability { sys_admin sys_resource sys_ptrace dac_override chown dac_read_search fowner fsetid kill setgid setuid net_admin mknod net_raw }; |
||||
+allow glusterd_t self:capability { sys_admin sys_resource sys_ptrace dac_override chown dac_read_search fowner fsetid ipc_lock kill setgid setuid net_admin mknod net_raw }; |
||||
|
||||
allow glusterd_t self:capability2 block_suspend; |
||||
allow glusterd_t self:process { getcap setcap setrlimit signal_perms setsched getsched setfscreate}; |
||||
@@ -132,6 +132,7 @@ corenet_raw_bind_generic_node(glusterd_t) |
||||
|
||||
corenet_tcp_connect_gluster_port(glusterd_t) |
||||
corenet_tcp_bind_gluster_port(glusterd_t) |
||||
+corenet_udp_bind_gluster_port(glusterd_t) |
||||
|
||||
# replacement for rpc.mountd |
||||
corenet_sendrecv_all_server_packets(glusterd_t) |
||||
@@ -155,6 +156,7 @@ corenet_tcp_connect_all_ports(glusterd_t) |
||||
dev_read_sysfs(glusterd_t) |
||||
dev_read_urand(glusterd_t) |
||||
dev_read_rand(glusterd_t) |
||||
+dev_rw_infiniband_dev(glusterd_t) |
||||
|
||||
domain_read_all_domains_state(glusterd_t) |
||||
domain_getattr_all_sockets(glusterd_t) |
||||
@@ -164,6 +166,7 @@ domain_use_interactive_fds(glusterd_t) |
||||
fs_mount_all_fs(glusterd_t) |
||||
fs_unmount_all_fs(glusterd_t) |
||||
fs_getattr_all_fs(glusterd_t) |
||||
+fs_getattr_all_dirs(glusterd_t) |
||||
|
||||
files_mounton_non_security(glusterd_t) |
||||
|
||||
@@ -185,6 +188,7 @@ init_read_script_state(glusterd_t) |
||||
init_rw_script_tmp_files(glusterd_t) |
||||
init_manage_script_status_files(glusterd_t) |
||||
init_status(glusterd_t) |
||||
+init_stop_transient_unit(glusterd_t) |
||||
|
||||
systemd_config_systemd_services(glusterd_t) |
||||
systemd_signal_passwd_agent(glusterd_t) |
||||
@@ -203,6 +207,7 @@ userdom_read_user_tmp_files(glusterd_t) |
||||
userdom_delete_user_tmp_files(glusterd_t) |
||||
userdom_rw_user_tmp_files(glusterd_t) |
||||
userdom_kill_all_users(glusterd_t) |
||||
+userdom_signal_unpriv_users(glusterd_t) |
||||
|
||||
mount_domtrans(glusterd_t) |
||||
|
||||
diff --git a/openvswitch.te b/openvswitch.te |
||||
index ed109d3..42cb208 100644 |
||||
--- a/openvswitch.te |
||||
+++ b/openvswitch.te |
||||
@@ -100,6 +100,8 @@ auth_use_nsswitch(openvswitch_t) |
||||
|
||||
logging_send_syslog_msg(openvswitch_t) |
||||
|
||||
+init_read_script_state(openvswitch_t) |
||||
+ |
||||
modutils_exec_insmod(openvswitch_t) |
||||
modutils_list_module_config(openvswitch_t) |
||||
modutils_read_module_config(openvswitch_t) |
||||
@@ -108,6 +110,10 @@ modutils_read_module_deps(openvswitch_t) |
||||
sysnet_dns_name_resolve(openvswitch_t) |
||||
|
||||
optional_policy(` |
||||
+ hostname_exec(openvswitch_t) |
||||
+') |
||||
+ |
||||
+optional_policy(` |
||||
iptables_domtrans(openvswitch_t) |
||||
') |
||||
|
||||
diff --git a/puppet.te b/puppet.te |
||||
index b80cb1e..46a4b5d 100644 |
||||
--- a/puppet.te |
||||
+++ b/puppet.te |
||||
@@ -354,6 +354,7 @@ optional_policy(` |
||||
') |
||||
|
||||
optional_policy(` |
||||
+ systemd_dbus_chat_timedated(puppetagent_t) |
||||
systemd_dbus_chat_timedated(puppetmaster_t) |
||||
') |
||||
|
||||
diff --git a/rhcs.te b/rhcs.te |
||||
index ce1ca24..4c9f2b6 100644 |
||||
--- a/rhcs.te |
||||
+++ b/rhcs.te |
||||
@@ -275,6 +275,10 @@ optional_policy(` |
||||
') |
||||
|
||||
optional_policy(` |
||||
+ fprintd_dbus_chat(cluster_t) |
||||
+') |
||||
+ |
||||
+optional_policy(` |
||||
ldap_systemctl(cluster_t) |
||||
') |
||||
|
||||
diff --git a/sssd.te b/sssd.te |
||||
index 87e70a6..6130385 100644 |
||||
--- a/sssd.te |
||||
+++ b/sssd.te |
||||
@@ -43,7 +43,7 @@ role system_r types sssd_selinux_manager_t; |
||||
|
||||
allow sssd_t self:capability { ipc_lock chown dac_read_search dac_override kill net_admin sys_nice fowner setgid setuid sys_admin sys_resource }; |
||||
allow sssd_t self:capability2 block_suspend; |
||||
-allow sssd_t self:process { setfscreate setsched sigkill signal getsched setrlimit }; |
||||
+allow sssd_t self:process { setfscreate setsched sigkill signal getsched setrlimit setpgid}; |
||||
allow sssd_t self:fifo_file rw_fifo_file_perms; |
||||
allow sssd_t self:key manage_key_perms; |
||||
allow sssd_t self:unix_stream_socket { create_stream_socket_perms connectto }; |
||||
diff --git a/virt.if b/virt.if |
||||
index 2397aeb..17156a6 100644 |
||||
--- a/virt.if |
||||
+++ b/virt.if |
||||
@@ -1408,6 +1408,8 @@ interface(`virt_transition_svirt_sandbox',` |
||||
role $2 types svirt_sandbox_domain; |
||||
allow $1 svirt_sandbox_domain:unix_dgram_socket sendto; |
||||
|
||||
+ allow svirt_sandbox_domain $1:fd use; |
||||
+ |
||||
allow svirt_sandbox_domain $1:fifo_file rw_fifo_file_perms; |
||||
allow svirt_sandbox_domain $1:process sigchld; |
||||
ps_process_pattern($1, svirt_sandbox_domain) |
||||
diff --git a/virt.te b/virt.te |
||||
index 69333cf..6dd64f3 100644 |
||||
--- a/virt.te |
||||
+++ b/virt.te |
||||
@@ -1316,6 +1316,7 @@ kernel_list_all_proc(svirt_sandbox_domain) |
||||
kernel_read_all_proc(svirt_sandbox_domain) |
||||
kernel_read_all_sysctls(svirt_sandbox_domain) |
||||
kernel_read_net_sysctls(svirt_sandbox_domain) |
||||
+kernel_rw_unix_sysctls(svirt_sandbox_domain) |
||||
kernel_dontaudit_search_kernel_sysctl(svirt_sandbox_domain) |
||||
kernel_dontaudit_access_check_proc(svirt_sandbox_domain) |
||||
kernel_dontaudit_setattr_proc_files(svirt_sandbox_domain) |
||||
@@ -1470,6 +1471,7 @@ allow svirt_lxc_net_t virt_lxc_var_run_t:file read_file_perms; |
||||
|
||||
kernel_read_irq_sysctls(svirt_lxc_net_t) |
||||
kernel_read_messages(svirt_lxc_net_t) |
||||
+kernel_rw_usermodehelper_state(svirt_lxc_net_t) |
||||
|
||||
dev_read_sysfs(svirt_lxc_net_t) |
||||
dev_read_mtrr(svirt_lxc_net_t) |
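Review bot: `kernel_rw_usermodehelper_state(svirt_lxc_net_t)` in the virt.te hunk gives a container domain write access to the sysctls that name the kernel's user-mode helper programs, which the kernel executes outside the sandbox, so write access there undercuts the confinement the svirt_lxc domains exist to provide. Unless a specific workload is known to need it, read access (or a dontaudit for the denials that motivated the rule) is the safer choice, and the line deserves a justification such as `# TODO(review): document why svirt_lxc_net_t must write usermodehelper sysctls, or reduce to read`. The virt.if hunk raises a related point: `allow svirt_sandbox_domain $1:fd use;` lets every sandbox domain use any descriptor the launching domain `$1` leaks across the transition, so callers of `virt_transition_svirt_sandbox` should close or CLOEXEC descriptors they do not intend to share, and a dontaudit is the usual choice for stray inherited descriptors. Both enclosing definitions extend outside their hunks.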
@ -0,0 +1,35 @@
@@ -0,0 +1,35 @@
|
||||
diff --git a/snapper.te b/snapper.te |
||||
index faf4fc9fca..fda6e0b289 100644 |
||||
--- a/snapper.te |
||||
+++ b/snapper.te |
||||
@@ -22,6 +22,8 @@ files_type(snapperd_data_t) |
||||
# |
||||
# snapperd local policy |
||||
# |
||||
+allow snapperd_t self:capability { dac_read_search fowner sys_admin }; |
||||
+allow snapperd_t self:process setsched; |
||||
|
||||
allow snapperd_t self:fifo_file rw_fifo_file_perms; |
||||
allow snapperd_t self:unix_stream_socket create_stream_socket_perms; |
||||
@@ -36,8 +38,12 @@ manage_lnk_files_pattern(snapperd_t, snapperd_conf_t, snapperd_conf_t) |
||||
manage_files_pattern(snapperd_t, snapperd_data_t, snapperd_data_t) |
||||
manage_dirs_pattern(snapperd_t, snapperd_data_t, snapperd_data_t) |
||||
manage_lnk_files_pattern(snapperd_t, snapperd_data_t, snapperd_data_t) |
||||
+allow snapperd_t snapperd_data_t:file relabelfrom; |
||||
+allow snapperd_t snapperd_data_t:dir { relabelfrom relabelto mounton }; |
||||
snapper_filetrans_named_content(snapperd_t) |
||||
|
||||
+kernel_setsched(snapperd_t) |
||||
+ |
||||
domain_read_all_domains_state(snapperd_t) |
||||
|
||||
corecmd_exec_shell(snapperd_t) |
||||
@@ -51,6 +57,8 @@ files_read_all_files(snapperd_t) |
||||
files_list_all(snapperd_t) |
||||
|
||||
fs_getattr_all_fs(snapperd_t) |
||||
+fs_mount_xattr_fs(snapperd_t) |
||||
+fs_unmount_xattr_fs(snapperd_t) |
||||
|
||||
storage_raw_read_fixed_disk(snapperd_t) |
||||
|
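Review bot: `allow snapperd_t snapperd_data_t:file relabelfrom;` grants only the source side of a file relabel, while the next line grants `relabelfrom relabelto` on directories; relabeling a file also requires `relabelto` on the destination type, so either that grant exists elsewhere (worth a comment naming the target type) or the file rule is incomplete. The same hunk adds `sys_admin` together with `fs_mount_xattr_fs`/`fs_unmount_xattr_fs`, which lets snapperd mount any xattr-capable filesystem on the directories it holds `mounton` for; a short comment such as `# snapshot subvolume mounts; mounton is bounded to snapperd_data_t dirs` would record why that breadth is acceptable and make the `mounton` restriction deliberate rather than incidental.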