15 changed files with 521729 additions and 79 deletions
@ -0,0 +1,29 @@ |
|||||||
|
diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if |
||||||
|
index 2afd2f6..2fc80d1 100644 |
||||||
|
--- a/policy/modules/kernel/filesystem.if |
||||||
|
+++ b/policy/modules/kernel/filesystem.if |
||||||
|
@@ -2633,6 +2633,24 @@ interface(`fs_rw_hugetlbfs_files',` |
||||||
|
|
||||||
|
######################################## |
||||||
|
## <summary> |
||||||
|
+## Manage hugetlbfs files. |
||||||
|
+## </summary> |
||||||
|
+## <param name="domain"> |
||||||
|
+## <summary> |
||||||
|
+## Domain allowed access. |
||||||
|
+## </summary> |
||||||
|
+## </param> |
||||||
|
+# |
||||||
|
+interface(`fs_manage_hugetlbfs_files',` |
||||||
|
+ gen_require(` |
||||||
|
+ type hugetlbfs_t; |
||||||
|
+ ') |
||||||
|
+ |
||||||
|
+ manage_files_pattern($1, hugetlbfs_t, hugetlbfs_t) |
||||||
|
+') |
||||||
|
+ |
||||||
|
+######################################## |
||||||
|
+## <summary> |
||||||
|
## Execute hugetlbfs files. |
||||||
|
## </summary> |
||||||
|
## <param name="domain"> |
@ -0,0 +1,222 @@ |
|||||||
|
diff --git a/ctdb.if b/ctdb.if |
||||||
|
index 6b7d687..06895f3 100644 |
||||||
|
--- a/ctdb.if |
||||||
|
+++ b/ctdb.if |
||||||
|
@@ -55,6 +55,23 @@ interface(`ctdbd_signal',` |
||||||
|
allow $1 ctdbd_t:process signal; |
||||||
|
') |
||||||
|
|
||||||
|
+####################################### |
||||||
|
+## <summary> |
||||||
|
+## Allow domain to sigchld ctdbd. |
||||||
|
+## </summary> |
||||||
|
+## <param name="domain"> |
||||||
|
+## <summary> |
||||||
|
+## Domain allowed access. |
||||||
|
+## </summary> |
||||||
|
+## </param> |
||||||
|
+# |
||||||
|
+interface(`ctdbd_sigchld',` |
||||||
|
+ gen_require(` |
||||||
|
+ type ctdbd_t; |
||||||
|
+ ') |
||||||
|
+ allow $1 ctdbd_t:process sigchld; |
||||||
|
+') |
||||||
|
+ |
||||||
|
######################################## |
||||||
|
## <summary> |
||||||
|
## Read ctdbd's log files. |
||||||
|
diff --git a/glusterd.fc b/glusterd.fc |
||||||
|
index 8c8c6c9..52b4110 100644 |
||||||
|
--- a/glusterd.fc |
||||||
|
+++ b/glusterd.fc |
||||||
|
@@ -6,13 +6,17 @@ |
||||||
|
/usr/sbin/glusterd -- gen_context(system_u:object_r:glusterd_initrc_exec_t,s0) |
||||||
|
/usr/sbin/glusterfsd -- gen_context(system_u:object_r:glusterd_exec_t,s0) |
||||||
|
|
||||||
|
+/usr/bin/ganesha.nfsd -- gen_context(system_u:object_r:glusterd_exec_t,s0) |
||||||
|
+ |
||||||
|
/opt/glusterfs/[^/]+/sbin/glusterfsd -- gen_context(system_u:object_r:glusterd_exec_t,s0) |
||||||
|
|
||||||
|
/var/lib/glusterd(/.*)? gen_context(system_u:object_r:glusterd_var_lib_t,s0) |
||||||
|
|
||||||
|
/var/log/glusterfs(/.*)? gen_context(system_u:object_r:glusterd_log_t,s0) |
||||||
|
+/var/log/ganesha.log -- gen_context(system_u:object_r:glusterd_log_t,s0) |
||||||
|
|
||||||
|
/var/run/gluster(/.*)? gen_context(system_u:object_r:glusterd_var_run_t,s0) |
||||||
|
/var/run/glusterd(/.*)? gen_context(system_u:object_r:glusterd_var_run_t,s0) |
||||||
|
/var/run/glusterd.* -- gen_context(system_u:object_r:glusterd_var_run_t,s0) |
||||||
|
/var/run/glusterd.* -s gen_context(system_u:object_r:glusterd_var_run_t,s0) |
||||||
|
+/var/run/ganesha.* -- gen_context(system_u:object_r:glusterd_var_run_t,s0) |
||||||
|
diff --git a/glusterd.te b/glusterd.te |
||||||
|
index b974353..0c149cd 100644 |
||||||
|
--- a/glusterd.te |
||||||
|
+++ b/glusterd.te |
||||||
|
@@ -62,7 +62,7 @@ files_type(glusterd_brick_t) |
||||||
|
allow glusterd_t self:capability { sys_admin sys_resource sys_ptrace dac_override chown dac_read_search fowner fsetid kill setgid setuid net_admin mknod net_raw }; |
||||||
|
|
||||||
|
allow glusterd_t self:capability2 block_suspend; |
||||||
|
-allow glusterd_t self:process { getcap setcap setrlimit signal_perms setsched getsched }; |
||||||
|
+allow glusterd_t self:process { getcap setcap setrlimit signal_perms setsched getsched setfscreate}; |
||||||
|
allow glusterd_t self:sem create_sem_perms; |
||||||
|
allow glusterd_t self:fifo_file rw_fifo_file_perms; |
||||||
|
allow glusterd_t self:tcp_socket { accept listen }; |
||||||
|
@@ -81,10 +81,8 @@ files_tmp_filetrans(glusterd_t, glusterd_tmp_t, { dir file sock_file }) |
||||||
|
allow glusterd_t glusterd_tmp_t:dir mounton; |
||||||
|
|
||||||
|
manage_dirs_pattern(glusterd_t, glusterd_log_t, glusterd_log_t) |
||||||
|
-append_files_pattern(glusterd_t, glusterd_log_t, glusterd_log_t) |
||||||
|
-create_files_pattern(glusterd_t, glusterd_log_t, glusterd_log_t) |
||||||
|
-setattr_files_pattern(glusterd_t, glusterd_log_t, glusterd_log_t) |
||||||
|
-logging_log_filetrans(glusterd_t, glusterd_log_t, dir) |
||||||
|
+manage_files_pattern(glusterd_t, glusterd_log_t, glusterd_log_t) |
||||||
|
+logging_log_filetrans(glusterd_t, glusterd_log_t, { file dir }) |
||||||
|
|
||||||
|
manage_dirs_pattern(glusterd_t, glusterd_var_run_t, glusterd_var_run_t) |
||||||
|
manage_files_pattern(glusterd_t, glusterd_var_run_t, glusterd_var_run_t) |
||||||
|
@@ -240,12 +238,21 @@ optional_policy(` |
||||||
|
optional_policy(` |
||||||
|
policykit_dbus_chat(glusterd_t) |
||||||
|
') |
||||||
|
+ |
||||||
|
+ optional_policy(` |
||||||
|
+ unconfined_dbus_chat(glusterd_t) |
||||||
|
+ ') |
||||||
|
') |
||||||
|
|
||||||
|
optional_policy(` |
||||||
|
hostname_exec(glusterd_t) |
||||||
|
') |
||||||
|
|
||||||
|
+ |
||||||
|
+optional_policy(` |
||||||
|
+ kerberos_read_keytab(glusterd_t) |
||||||
|
+') |
||||||
|
+ |
||||||
|
optional_policy(` |
||||||
|
lvm_domtrans(glusterd_t) |
||||||
|
') |
||||||
|
@@ -281,6 +288,7 @@ optional_policy(` |
||||||
|
rpc_domtrans_nfsd(glusterd_t) |
||||||
|
rpc_domtrans_rpcd(glusterd_t) |
||||||
|
rpc_manage_nfs_state_data(glusterd_t) |
||||||
|
+ rpcbind_stream_connect(glusterd_t) |
||||||
|
') |
||||||
|
|
||||||
|
optional_policy(` |
||||||
|
diff --git a/openvswitch.te b/openvswitch.te |
||||||
|
index 1b606d8..2d00be4 100644 |
||||||
|
--- a/openvswitch.te |
||||||
|
+++ b/openvswitch.te |
||||||
|
@@ -32,7 +32,7 @@ systemd_unit_file(openvswitch_unit_file_t) |
||||||
|
# openvswitch local policy |
||||||
|
# |
||||||
|
|
||||||
|
-allow openvswitch_t self:capability { net_admin ipc_lock sys_module sys_nice sys_resource }; |
||||||
|
+allow openvswitch_t self:capability { net_admin ipc_lock sys_module sys_nice sys_rawio sys_resource }; |
||||||
|
allow openvswitch_t self:capability2 block_suspend; |
||||||
|
allow openvswitch_t self:process { fork setsched setrlimit signal }; |
||||||
|
allow openvswitch_t self:fifo_file rw_fifo_file_perms; |
||||||
|
@@ -92,6 +92,8 @@ files_read_kernel_modules(openvswitch_t) |
||||||
|
|
||||||
|
fs_getattr_all_fs(openvswitch_t) |
||||||
|
fs_search_cgroup_dirs(openvswitch_t) |
||||||
|
+fs_manage_hugetlbfs_files(openvswitch_t) |
||||||
|
+fs_manage_hugetlbfs_dirs(openvswitch_t) |
||||||
|
|
||||||
|
auth_use_nsswitch(openvswitch_t) |
||||||
|
|
||||||
|
diff --git a/rhcs.te b/rhcs.te |
||||||
|
index 2c7b543..e55c17b 100644 |
||||||
|
--- a/rhcs.te |
||||||
|
+++ b/rhcs.te |
||||||
|
@@ -319,6 +319,7 @@ optional_policy(` |
||||||
|
rpc_domtrans_nfsd(cluster_t) |
||||||
|
rpc_domtrans_rpcd(cluster_t) |
||||||
|
rpc_manage_nfs_state_data(cluster_t) |
||||||
|
+ rpc_filetrans_var_lib_nfs_content(cluster_t) |
||||||
|
') |
||||||
|
|
||||||
|
optional_policy(` |
||||||
|
diff --git a/rpc.if b/rpc.if |
||||||
|
index 50f25de..4f3c2b9 100644 |
||||||
|
--- a/rpc.if |
||||||
|
+++ b/rpc.if |
||||||
|
@@ -424,6 +424,24 @@ interface(`rpc_rw_gssd_keys',` |
||||||
|
allow $1 gssd_t:key { read search setattr view write }; |
||||||
|
') |
||||||
|
|
||||||
|
+######################################## |
||||||
|
+## <summary> |
||||||
|
+## Transition to alsa named content |
||||||
|
+## </summary> |
||||||
|
+## <param name="domain"> |
||||||
|
+## <summary> |
||||||
|
+## Domain allowed access. |
||||||
|
+## </summary> |
||||||
|
+## </param> |
||||||
|
+# |
||||||
|
+interface(`rpc_filetrans_var_lib_nfs_content',` |
||||||
|
+ gen_require(` |
||||||
|
+ type var_lib_nfs_t; |
||||||
|
+ ') |
||||||
|
+ |
||||||
|
+ files_var_lib_filetrans($1, var_lib_nfs_t, lnk_file, "nfs") |
||||||
|
+') |
||||||
|
+ |
||||||
|
####################################### |
||||||
|
## <summary> |
||||||
|
## All of the rules required to |
||||||
|
diff --git a/rpc.te b/rpc.te |
||||||
|
index 876a4e7..7f491b0 100644 |
||||||
|
--- a/rpc.te |
||||||
|
+++ b/rpc.te |
||||||
|
@@ -21,6 +21,13 @@ gen_tunable(gssd_read_tmp, true) |
||||||
|
## </desc> |
||||||
|
gen_tunable(nfsd_anon_write, false) |
||||||
|
|
||||||
|
+## <desc> |
||||||
|
+## <p> |
||||||
|
+## Allow rpcd_t to manage fuse files |
||||||
|
+## </p> |
||||||
|
+## </desc> |
||||||
|
+gen_tunable(rpcd_use_fusefs, false) |
||||||
|
+ |
||||||
|
attribute rpc_domain; |
||||||
|
|
||||||
|
type exports_t; |
||||||
|
@@ -135,6 +142,8 @@ manage_dirs_pattern(rpcd_t, rpcd_var_run_t, rpcd_var_run_t) |
||||||
|
manage_files_pattern(rpcd_t, rpcd_var_run_t, rpcd_var_run_t) |
||||||
|
files_pid_filetrans(rpcd_t, rpcd_var_run_t, { file dir }) |
||||||
|
|
||||||
|
+read_lnk_files_pattern(rpcd_t, var_lib_nfs_t, var_lib_nfs_t) |
||||||
|
+ |
||||||
|
# rpc.statd executes sm-notify |
||||||
|
can_exec(rpcd_t, rpcd_exec_t) |
||||||
|
|
||||||
|
@@ -171,6 +180,13 @@ miscfiles_read_generic_certs(rpcd_t) |
||||||
|
userdom_signal_unpriv_users(rpcd_t) |
||||||
|
userdom_read_user_home_content_files(rpcd_t) |
||||||
|
|
||||||
|
+tunable_policy(`rpcd_use_fusefs',` |
||||||
|
+ fs_manage_fusefs_dirs(rpcd_t) |
||||||
|
+ fs_manage_fusefs_files(rpcd_t) |
||||||
|
+ fs_read_fusefs_symlinks(rpcd_t) |
||||||
|
+ fs_getattr_fusefs(rpcd_t) |
||||||
|
+') |
||||||
|
+ |
||||||
|
ifdef(`distro_debian',` |
||||||
|
term_dontaudit_use_unallocated_ttys(rpcd_t) |
||||||
|
') |
||||||
|
diff --git a/samba.te b/samba.te |
||||||
|
index bf7a710..aac4015 100644 |
||||||
|
--- a/samba.te |
||||||
|
+++ b/samba.te |
||||||
|
@@ -726,6 +726,7 @@ userdom_use_inherited_user_terminals(smbcontrol_t) |
||||||
|
|
||||||
|
optional_policy(` |
||||||
|
ctdbd_stream_connect(smbcontrol_t) |
||||||
|
+ ctdbd_sigchld(smbcontrol_t) |
||||||
|
') |
||||||
|
|
||||||
|
######################################## |
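Review bot: The summary added for `rpc_filetrans_var_lib_nfs_content` in the rpc.if hunk reads `## Transition to alsa named content`, which is copied from an unrelated interface and does not describe the rule beneath it; it should read `## Create the "nfs" symlink under /var/lib with the var_lib_nfs_t type.` so the generated interface documentation matches the files_var_lib_filetrans call. In the glusterd.te hunk at @@ -281,6 +288,7 @@, `rpcbind_stream_connect(glusterd_t)` is added inside the optional_policy block that holds the rpc_* interfaces; if rpcbind_stream_connect is provided by the rpcbind module rather than rpc, it needs its own `optional_policy(` ... `')` block so the policy still links when only one of the two modules is installed. The opening of that optional_policy block lies outside the hunk, so this cannot be confirmed from the diff alone.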
@ -0,0 +1,13 @@ |
|||||||
|
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in |
||||||
|
index 9d2c142..1c0ed36 100644 |
||||||
|
--- a/policy/modules/kernel/corenetwork.te.in |
||||||
|
+++ b/policy/modules/kernel/corenetwork.te.in |
||||||
|
@@ -172,7 +172,7 @@ network_port(giftd, tcp,1213,s0) |
||||||
|
network_port(git, tcp,9418,s0, udp,9418,s0) |
||||||
|
network_port(glance, tcp,9292,s0, udp,9292,s0) |
||||||
|
network_port(glance_registry, tcp,9191,s0, udp,9191,s0) |
||||||
|
-network_port(gluster, tcp,24007-24027,s0, tcp, 38465-38469,s0) |
||||||
|
+network_port(gluster, tcp,24007-24027,s0, udp,24007-24027,s0, tcp, 38465-38469,s0) |
||||||
|
network_port(gopher, tcp,70,s0, udp,70,s0) |
||||||
|
network_port(gpsd, tcp,2947,s0) |
||||||
|
network_port(hadoop_datanode, tcp,50010,s0) |
@ -0,0 +1,198 @@ |
|||||||
|
diff --git a/ctdb.te b/ctdb.te |
||||||
|
index 47199aa..ac0508e 100644 |
||||||
|
--- a/ctdb.te |
||||||
|
+++ b/ctdb.te |
||||||
|
@@ -97,9 +97,12 @@ corenet_udp_bind_ctdb_port(ctdbd_t) |
||||||
|
corenet_tcp_bind_smbd_port(ctdbd_t) |
||||||
|
corenet_tcp_connect_ctdb_port(ctdbd_t) |
||||||
|
corenet_tcp_sendrecv_ctdb_port(ctdbd_t) |
||||||
|
+corenet_tcp_connect_gluster_port(ctdbd_t) |
||||||
|
+corenet_tcp_connect_nfs_port(ctdbd_t) |
||||||
|
|
||||||
|
corecmd_exec_bin(ctdbd_t) |
||||||
|
corecmd_exec_shell(ctdbd_t) |
||||||
|
+corecmd_getattr_all_executables(ctdbd_t) |
||||||
|
|
||||||
|
dev_read_sysfs(ctdbd_t) |
||||||
|
dev_read_urand(ctdbd_t) |
||||||
|
@@ -131,6 +134,12 @@ optional_policy(` |
||||||
|
') |
||||||
|
|
||||||
|
optional_policy(` |
||||||
|
+ rpc_domtrans_rpcd(ctdbd_t) |
||||||
|
+ rpc_manage_nfs_state_data_dir(ctdbd_t) |
||||||
|
+ rpc_read_nfs_state_data(ctdbd_t) |
||||||
|
+') |
||||||
|
+ |
||||||
|
+optional_policy(` |
||||||
|
samba_signull_smbd(ctdbd_t) |
||||||
|
samba_initrc_domtrans(ctdbd_t) |
||||||
|
samba_domtrans_net(ctdbd_t) |
||||||
|
diff --git a/glusterd.fc b/glusterd.fc |
||||||
|
index 52b4110..a3633cd 100644 |
||||||
|
--- a/glusterd.fc |
||||||
|
+++ b/glusterd.fc |
||||||
|
@@ -6,6 +6,13 @@ |
||||||
|
/usr/sbin/glusterd -- gen_context(system_u:object_r:glusterd_initrc_exec_t,s0) |
||||||
|
/usr/sbin/glusterfsd -- gen_context(system_u:object_r:glusterd_exec_t,s0) |
||||||
|
|
||||||
|
+/usr/sbin/glustereventsd -- gen_context(system_u:object_r:glusterd_exec_t,s0) |
||||||
|
+/usr/sbin/gluster-eventsapi -- gen_context(system_u:object_r:glusterd_exec_t,s0) |
||||||
|
+ |
||||||
|
+ |
||||||
|
+/usr/libexec/glusterfs/peer_eventsapi.py -- gen_context(system_u:object_r:glusterd_exec_t,s0) |
||||||
|
+/usr/libexec/glusterfs/events/glustereventsd.py -- gen_context(system_u:object_r:glusterd_exec_t,s0) |
||||||
|
+ |
||||||
|
/usr/bin/ganesha.nfsd -- gen_context(system_u:object_r:glusterd_exec_t,s0) |
||||||
|
|
||||||
|
/opt/glusterfs/[^/]+/sbin/glusterfsd -- gen_context(system_u:object_r:glusterd_exec_t,s0) |
||||||
|
diff --git a/glusterd.te b/glusterd.te |
||||||
|
index 48811e2..a8877f7 100644 |
||||||
|
--- a/glusterd.te |
||||||
|
+++ b/glusterd.te |
||||||
|
@@ -59,7 +59,7 @@ files_type(glusterd_brick_t) |
||||||
|
# Local policy |
||||||
|
# |
||||||
|
|
||||||
|
-allow glusterd_t self:capability { sys_admin sys_resource sys_ptrace dac_override chown dac_read_search fowner fsetid kill setgid setuid net_admin mknod net_raw }; |
||||||
|
+allow glusterd_t self:capability { sys_admin sys_resource sys_ptrace dac_override chown dac_read_search fowner fsetid ipc_lock kill setgid setuid net_admin mknod net_raw }; |
||||||
|
|
||||||
|
allow glusterd_t self:capability2 block_suspend; |
||||||
|
allow glusterd_t self:process { getcap setcap setrlimit signal_perms setsched getsched setfscreate}; |
||||||
|
@@ -132,6 +132,7 @@ corenet_raw_bind_generic_node(glusterd_t) |
||||||
|
|
||||||
|
corenet_tcp_connect_gluster_port(glusterd_t) |
||||||
|
corenet_tcp_bind_gluster_port(glusterd_t) |
||||||
|
+corenet_udp_bind_gluster_port(glusterd_t) |
||||||
|
|
||||||
|
# replacement for rpc.mountd |
||||||
|
corenet_sendrecv_all_server_packets(glusterd_t) |
||||||
|
@@ -155,6 +156,7 @@ corenet_tcp_connect_all_ports(glusterd_t) |
||||||
|
dev_read_sysfs(glusterd_t) |
||||||
|
dev_read_urand(glusterd_t) |
||||||
|
dev_read_rand(glusterd_t) |
||||||
|
+dev_rw_infiniband_dev(glusterd_t) |
||||||
|
|
||||||
|
domain_read_all_domains_state(glusterd_t) |
||||||
|
domain_getattr_all_sockets(glusterd_t) |
||||||
|
@@ -164,6 +166,7 @@ domain_use_interactive_fds(glusterd_t) |
||||||
|
fs_mount_all_fs(glusterd_t) |
||||||
|
fs_unmount_all_fs(glusterd_t) |
||||||
|
fs_getattr_all_fs(glusterd_t) |
||||||
|
+fs_getattr_all_dirs(glusterd_t) |
||||||
|
|
||||||
|
files_mounton_non_security(glusterd_t) |
||||||
|
|
||||||
|
@@ -185,6 +188,7 @@ init_read_script_state(glusterd_t) |
||||||
|
init_rw_script_tmp_files(glusterd_t) |
||||||
|
init_manage_script_status_files(glusterd_t) |
||||||
|
init_status(glusterd_t) |
||||||
|
+init_stop_transient_unit(glusterd_t) |
||||||
|
|
||||||
|
systemd_config_systemd_services(glusterd_t) |
||||||
|
systemd_signal_passwd_agent(glusterd_t) |
||||||
|
@@ -203,6 +207,7 @@ userdom_read_user_tmp_files(glusterd_t) |
||||||
|
userdom_delete_user_tmp_files(glusterd_t) |
||||||
|
userdom_rw_user_tmp_files(glusterd_t) |
||||||
|
userdom_kill_all_users(glusterd_t) |
||||||
|
+userdom_signal_unpriv_users(glusterd_t) |
||||||
|
|
||||||
|
mount_domtrans(glusterd_t) |
||||||
|
|
||||||
|
diff --git a/openvswitch.te b/openvswitch.te |
||||||
|
index ed109d3..42cb208 100644 |
||||||
|
--- a/openvswitch.te |
||||||
|
+++ b/openvswitch.te |
||||||
|
@@ -100,6 +100,8 @@ auth_use_nsswitch(openvswitch_t) |
||||||
|
|
||||||
|
logging_send_syslog_msg(openvswitch_t) |
||||||
|
|
||||||
|
+init_read_script_state(openvswitch_t) |
||||||
|
+ |
||||||
|
modutils_exec_insmod(openvswitch_t) |
||||||
|
modutils_list_module_config(openvswitch_t) |
||||||
|
modutils_read_module_config(openvswitch_t) |
||||||
|
@@ -108,6 +110,10 @@ modutils_read_module_deps(openvswitch_t) |
||||||
|
sysnet_dns_name_resolve(openvswitch_t) |
||||||
|
|
||||||
|
optional_policy(` |
||||||
|
+ hostname_exec(openvswitch_t) |
||||||
|
+') |
||||||
|
+ |
||||||
|
+optional_policy(` |
||||||
|
iptables_domtrans(openvswitch_t) |
||||||
|
') |
||||||
|
|
||||||
|
diff --git a/puppet.te b/puppet.te |
||||||
|
index b80cb1e..46a4b5d 100644 |
||||||
|
--- a/puppet.te |
||||||
|
+++ b/puppet.te |
||||||
|
@@ -354,6 +354,7 @@ optional_policy(` |
||||||
|
') |
||||||
|
|
||||||
|
optional_policy(` |
||||||
|
+ systemd_dbus_chat_timedated(puppetagent_t) |
||||||
|
systemd_dbus_chat_timedated(puppetmaster_t) |
||||||
|
') |
||||||
|
|
||||||
|
diff --git a/rhcs.te b/rhcs.te |
||||||
|
index ce1ca24..4c9f2b6 100644 |
||||||
|
--- a/rhcs.te |
||||||
|
+++ b/rhcs.te |
||||||
|
@@ -275,6 +275,10 @@ optional_policy(` |
||||||
|
') |
||||||
|
|
||||||
|
optional_policy(` |
||||||
|
+ fprintd_dbus_chat(cluster_t) |
||||||
|
+') |
||||||
|
+ |
||||||
|
+optional_policy(` |
||||||
|
ldap_systemctl(cluster_t) |
||||||
|
') |
||||||
|
|
||||||
|
diff --git a/sssd.te b/sssd.te |
||||||
|
index 87e70a6..6130385 100644 |
||||||
|
--- a/sssd.te |
||||||
|
+++ b/sssd.te |
||||||
|
@@ -43,7 +43,7 @@ role system_r types sssd_selinux_manager_t; |
||||||
|
|
||||||
|
allow sssd_t self:capability { ipc_lock chown dac_read_search dac_override kill net_admin sys_nice fowner setgid setuid sys_admin sys_resource }; |
||||||
|
allow sssd_t self:capability2 block_suspend; |
||||||
|
-allow sssd_t self:process { setfscreate setsched sigkill signal getsched setrlimit }; |
||||||
|
+allow sssd_t self:process { setfscreate setsched sigkill signal getsched setrlimit setpgid}; |
||||||
|
allow sssd_t self:fifo_file rw_fifo_file_perms; |
||||||
|
allow sssd_t self:key manage_key_perms; |
||||||
|
allow sssd_t self:unix_stream_socket { create_stream_socket_perms connectto }; |
||||||
|
diff --git a/virt.if b/virt.if |
||||||
|
index 2397aeb..17156a6 100644 |
||||||
|
--- a/virt.if |
||||||
|
+++ b/virt.if |
||||||
|
@@ -1408,6 +1408,8 @@ interface(`virt_transition_svirt_sandbox',` |
||||||
|
role $2 types svirt_sandbox_domain; |
||||||
|
allow $1 svirt_sandbox_domain:unix_dgram_socket sendto; |
||||||
|
|
||||||
|
+ allow svirt_sandbox_domain $1:fd use; |
||||||
|
+ |
||||||
|
allow svirt_sandbox_domain $1:fifo_file rw_fifo_file_perms; |
||||||
|
allow svirt_sandbox_domain $1:process sigchld; |
||||||
|
ps_process_pattern($1, svirt_sandbox_domain) |
||||||
|
diff --git a/virt.te b/virt.te |
||||||
|
index 69333cf..6dd64f3 100644 |
||||||
|
--- a/virt.te |
||||||
|
+++ b/virt.te |
||||||
|
@@ -1316,6 +1316,7 @@ kernel_list_all_proc(svirt_sandbox_domain) |
||||||
|
kernel_read_all_proc(svirt_sandbox_domain) |
||||||
|
kernel_read_all_sysctls(svirt_sandbox_domain) |
||||||
|
kernel_read_net_sysctls(svirt_sandbox_domain) |
||||||
|
+kernel_rw_unix_sysctls(svirt_sandbox_domain) |
||||||
|
kernel_dontaudit_search_kernel_sysctl(svirt_sandbox_domain) |
||||||
|
kernel_dontaudit_access_check_proc(svirt_sandbox_domain) |
||||||
|
kernel_dontaudit_setattr_proc_files(svirt_sandbox_domain) |
||||||
|
@@ -1470,6 +1471,7 @@ allow svirt_lxc_net_t virt_lxc_var_run_t:file read_file_perms; |
||||||
|
|
||||||
|
kernel_read_irq_sysctls(svirt_lxc_net_t) |
||||||
|
kernel_read_messages(svirt_lxc_net_t) |
||||||
|
+kernel_rw_usermodehelper_state(svirt_lxc_net_t) |
||||||
|
|
||||||
|
dev_read_sysfs(svirt_lxc_net_t) |
||||||
|
dev_read_mtrr(svirt_lxc_net_t) |
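Review bot: `kernel_rw_usermodehelper_state(svirt_lxc_net_t)` in the virt.te hunk at @@ -1470,6 +1471,7 @@ grants every svirt_lxc_net_t container write access to the usermode-helper sysctls, which in refpolicy's kernel module label the settings the host kernel consults to choose the helper it runs (the modprobe and hotplug paths), so a confined container would be able to alter host-wide kernel behaviour unless a read-only /proc/sys mount or DAC happens to block the write. If the denial behind this rule is only a read or an access probe, `kernel_read_usermodehelper_state(svirt_lxc_net_t)` or a dontaudit is the safer choice; if write really is required, a comment naming the container workload that needs it and why the read-only /proc/sys mount is not sufficient would let the next reviewer judge the grant. The same question applies, more mildly, to `kernel_rw_unix_sysctls(svirt_sandbox_domain)` in the preceding hunk, which extends to every sandbox domain rather than just the networked one.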
@ -0,0 +1,35 @@ |
|||||||
|
diff --git a/snapper.te b/snapper.te |
||||||
|
index faf4fc9fca..fda6e0b289 100644 |
||||||
|
--- a/snapper.te |
||||||
|
+++ b/snapper.te |
||||||
|
@@ -22,6 +22,8 @@ files_type(snapperd_data_t) |
||||||
|
# |
||||||
|
# snapperd local policy |
||||||
|
# |
||||||
|
+allow snapperd_t self:capability { dac_read_search fowner sys_admin }; |
||||||
|
+allow snapperd_t self:process setsched; |
||||||
|
|
||||||
|
allow snapperd_t self:fifo_file rw_fifo_file_perms; |
||||||
|
allow snapperd_t self:unix_stream_socket create_stream_socket_perms; |
||||||
|
@@ -36,8 +38,12 @@ manage_lnk_files_pattern(snapperd_t, snapperd_conf_t, snapperd_conf_t) |
||||||
|
manage_files_pattern(snapperd_t, snapperd_data_t, snapperd_data_t) |
||||||
|
manage_dirs_pattern(snapperd_t, snapperd_data_t, snapperd_data_t) |
||||||
|
manage_lnk_files_pattern(snapperd_t, snapperd_data_t, snapperd_data_t) |
||||||
|
+allow snapperd_t snapperd_data_t:file relabelfrom; |
||||||
|
+allow snapperd_t snapperd_data_t:dir { relabelfrom relabelto mounton }; |
||||||
|
snapper_filetrans_named_content(snapperd_t) |
||||||
|
|
||||||
|
+kernel_setsched(snapperd_t) |
||||||
|
+ |
||||||
|
domain_read_all_domains_state(snapperd_t) |
||||||
|
|
||||||
|
corecmd_exec_shell(snapperd_t) |
||||||
|
@@ -51,6 +57,8 @@ files_read_all_files(snapperd_t) |
||||||
|
files_list_all(snapperd_t) |
||||||
|
|
||||||
|
fs_getattr_all_fs(snapperd_t) |
||||||
|
+fs_mount_xattr_fs(snapperd_t) |
||||||
|
+fs_unmount_xattr_fs(snapperd_t) |
||||||
|
|
||||||
|
storage_raw_read_fixed_disk(snapperd_t) |
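Review bot: `allow snapperd_t snapperd_data_t:file relabelfrom;` in the second hunk grants only half of a relabel: without a matching relabelto on some target type the operation is still denied, so either the intended target should be named (`allow snapperd_t snapperd_data_t:file { relabelfrom relabelto };` if files stay within the same type, mirroring the dir rule on the next line) or the rule should be dropped. The new `allow snapperd_t self:capability { dac_read_search fowner sys_admin };` line in the first hunk carries no comment on why sys_admin is needed; a one-liner such as `# sys_admin: presumably for btrfs subvolume snapshot ioctls and the mount/unmount rules below -- confirm against the AVC` would let a later reviewer decide whether it can be narrowed. `fs_mount_xattr_fs`/`fs_unmount_xattr_fs` in the last hunk are likewise broad (any xattr-labelled filesystem); if the motivating denial was limited to snapper's own data directory, the `mounton` already granted on snapperd_data_t may cover it, though that cannot be judged from the commit.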
||||||
|
|