diff --git a/ctdb.if b/ctdb.if index 6b7d687..06895f3 100644 --- a/ctdb.if +++ b/ctdb.if @@ -55,6 +55,23 @@ interface(`ctdbd_signal',` allow $1 ctdbd_t:process signal; ') +####################################### +## +## Allow domain to sigchld ctdbd. +## +## +## +## Domain allowed access. +## +## +# +interface(`ctdbd_sigchld',` + gen_require(` + type ctdbd_t; + ') + allow $1 ctdbd_t:process sigchld; +') + ######################################## ## ## Read ctdbd's log files. diff --git a/glusterd.fc b/glusterd.fc index 8c8c6c9..52b4110 100644 --- a/glusterd.fc +++ b/glusterd.fc @@ -6,13 +6,17 @@ /usr/sbin/glusterd -- gen_context(system_u:object_r:glusterd_initrc_exec_t,s0) /usr/sbin/glusterfsd -- gen_context(system_u:object_r:glusterd_exec_t,s0) +/usr/bin/ganesha.nfsd -- gen_context(system_u:object_r:glusterd_exec_t,s0) + /opt/glusterfs/[^/]+/sbin/glusterfsd -- gen_context(system_u:object_r:glusterd_exec_t,s0) /var/lib/glusterd(/.*)? gen_context(system_u:object_r:glusterd_var_lib_t,s0) /var/log/glusterfs(/.*)? gen_context(system_u:object_r:glusterd_log_t,s0) +/var/log/ganesha.log -- gen_context(system_u:object_r:glusterd_log_t,s0) /var/run/gluster(/.*)? gen_context(system_u:object_r:glusterd_var_run_t,s0) /var/run/glusterd(/.*)? gen_context(system_u:object_r:glusterd_var_run_t,s0) /var/run/glusterd.* -- gen_context(system_u:object_r:glusterd_var_run_t,s0) /var/run/glusterd.* -s gen_context(system_u:object_r:glusterd_var_run_t,s0) +/var/run/ganesha.* -- gen_context(system_u:object_r:glusterd_var_run_t,s0) diff --git a/glusterd.te b/glusterd.te index b974353..0c149cd 100644 --- a/glusterd.te +++ b/glusterd.te @@ -62,7 +62,7 @@ files_type(glusterd_brick_t) allow glusterd_t self:capability { sys_admin sys_resource sys_ptrace dac_override chown dac_read_search fowner fsetid kill setgid setuid net_admin mknod net_raw }; allow glusterd_t self:capability2 block_suspend; -allow glusterd_t self:process { getcap setcap setrlimit signal_perms setsched getsched }; +allow glusterd_t self:process { getcap setcap setrlimit signal_perms setsched getsched setfscreate}; allow glusterd_t self:sem create_sem_perms; allow glusterd_t self:fifo_file rw_fifo_file_perms; allow glusterd_t self:tcp_socket { accept listen }; @@ -81,10 +81,8 @@ files_tmp_filetrans(glusterd_t, glusterd_tmp_t, { dir file sock_file }) allow glusterd_t glusterd_tmp_t:dir mounton; manage_dirs_pattern(glusterd_t, glusterd_log_t, glusterd_log_t) -append_files_pattern(glusterd_t, glusterd_log_t, glusterd_log_t) -create_files_pattern(glusterd_t, glusterd_log_t, glusterd_log_t) -setattr_files_pattern(glusterd_t, glusterd_log_t, glusterd_log_t) -logging_log_filetrans(glusterd_t, glusterd_log_t, dir) +manage_files_pattern(glusterd_t, glusterd_log_t, glusterd_log_t) +logging_log_filetrans(glusterd_t, glusterd_log_t, { file dir }) manage_dirs_pattern(glusterd_t, glusterd_var_run_t, glusterd_var_run_t) manage_files_pattern(glusterd_t, glusterd_var_run_t, glusterd_var_run_t) @@ -240,12 +238,21 @@ optional_policy(` optional_policy(` policykit_dbus_chat(glusterd_t) ') + + optional_policy(` + unconfined_dbus_chat(glusterd_t) + ') ') optional_policy(` hostname_exec(glusterd_t) ') + +optional_policy(` + kerberos_read_keytab(glusterd_t) +') + optional_policy(` lvm_domtrans(glusterd_t) ') @@ -281,6 +288,7 @@ optional_policy(` rpc_domtrans_nfsd(glusterd_t) rpc_domtrans_rpcd(glusterd_t) rpc_manage_nfs_state_data(glusterd_t) + rpcbind_stream_connect(glusterd_t) ') optional_policy(` diff --git a/openvswitch.te b/openvswitch.te index 1b606d8..2d00be4 100644 --- a/openvswitch.te +++ b/openvswitch.te @@ -32,7 +32,7 @@ systemd_unit_file(openvswitch_unit_file_t) # openvswitch local policy # -allow openvswitch_t self:capability { net_admin ipc_lock sys_module sys_nice sys_resource }; +allow openvswitch_t self:capability { net_admin ipc_lock sys_module sys_nice sys_rawio sys_resource }; allow openvswitch_t self:capability2 block_suspend; allow openvswitch_t self:process { fork setsched setrlimit signal }; allow openvswitch_t self:fifo_file rw_fifo_file_perms; @@ -92,6 +92,8 @@ files_read_kernel_modules(openvswitch_t) fs_getattr_all_fs(openvswitch_t) fs_search_cgroup_dirs(openvswitch_t) +fs_manage_hugetlbfs_files(openvswitch_t) +fs_manage_hugetlbfs_dirs(openvswitch_t) auth_use_nsswitch(openvswitch_t) diff --git a/rhcs.te b/rhcs.te index 2c7b543..e55c17b 100644 --- a/rhcs.te +++ b/rhcs.te @@ -319,6 +319,7 @@ optional_policy(` rpc_domtrans_nfsd(cluster_t) rpc_domtrans_rpcd(cluster_t) rpc_manage_nfs_state_data(cluster_t) + rpc_filetrans_var_lib_nfs_content(cluster_t) ') optional_policy(` diff --git a/rpc.if b/rpc.if index 50f25de..4f3c2b9 100644 --- a/rpc.if +++ b/rpc.if @@ -424,6 +424,24 @@ interface(`rpc_rw_gssd_keys',` allow $1 gssd_t:key { read search setattr view write }; ') +######################################## +## +## Transition to alsa named content +## +## +## +## Domain allowed access. +## +## +# +interface(`rpc_filetrans_var_lib_nfs_content',` + gen_require(` + type var_lib_nfs_t; + ') + + files_var_lib_filetrans($1, var_lib_nfs_t, lnk_file, "nfs") +') + ####################################### ## ## All of the rules required to diff --git a/rpc.te b/rpc.te index 876a4e7..7f491b0 100644 --- a/rpc.te +++ b/rpc.te @@ -21,6 +21,13 @@ gen_tunable(gssd_read_tmp, true) ## gen_tunable(nfsd_anon_write, false) +## +##

+## Allow rpcd_t to manage fuse files +##

+## +gen_tunable(rpcd_use_fusefs, false) + attribute rpc_domain; type exports_t; @@ -135,6 +142,8 @@ manage_dirs_pattern(rpcd_t, rpcd_var_run_t, rpcd_var_run_t) manage_files_pattern(rpcd_t, rpcd_var_run_t, rpcd_var_run_t) files_pid_filetrans(rpcd_t, rpcd_var_run_t, { file dir }) +read_lnk_files_pattern(rpcd_t, var_lib_nfs_t, var_lib_nfs_t) + # rpc.statd executes sm-notify can_exec(rpcd_t, rpcd_exec_t) @@ -171,6 +180,13 @@ miscfiles_read_generic_certs(rpcd_t) userdom_signal_unpriv_users(rpcd_t) userdom_read_user_home_content_files(rpcd_t) +tunable_policy(`rpcd_use_fusefs',` + fs_manage_fusefs_dirs(rpcd_t) + fs_manage_fusefs_files(rpcd_t) + fs_read_fusefs_symlinks(rpcd_t) + fs_getattr_fusefs(rpcd_t) +') + ifdef(`distro_debian',` term_dontaudit_use_unallocated_ttys(rpcd_t) ') diff --git a/samba.te b/samba.te index bf7a710..aac4015 100644 --- a/samba.te +++ b/samba.te @@ -726,6 +726,7 @@ userdom_use_inherited_user_terminals(smbcontrol_t) optional_policy(` ctdbd_stream_connect(smbcontrol_t) + ctdbd_sigchld(smbcontrol_t) ') ########################################