diff --git a/cinder.te b/cinder.te |
|
index 488a7a659..a05691d8f 100644 |
|
--- a/cinder.te |
|
+++ b/cinder.te |
|
@@ -159,6 +159,8 @@ kernel_read_kernel_sysctls(cinder_volume_t) |
|
|
|
logging_send_syslog_msg(cinder_volume_t) |
|
|
|
+systemd_dbus_chat_logind(cinder_volume_t) |
|
+ |
|
optional_policy(` |
|
lvm_domtrans(cinder_volume_t) |
|
') |
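Review bot: `systemd_dbus_chat_logind(cinder_volume_t)` grants D-Bus send_msg in both directions between cinder-volume and logind, and nothing in the hunk says which logind operation cinder-volume needs (logind exposes session, seat and power-management methods on the bus, so this is wider than a one-way client need). The neighbouring rules in this block each correspond to a visible capability (syslog, lvm transition); this one is presumably driven by an AVC that is not recorded here. Add a one-line comment above it naming the triggering operation, e.g. `# cinder-volume calls logind over D-Bus (record the method/AVC that needs this)`, so a later reviewer can tell whether a narrower rule would do.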
|
diff --git a/ganesha.fc b/ganesha.fc |
|
new file mode 100644 |
|
index 000000000..c723bfb97 |
|
--- /dev/null |
|
+++ b/ganesha.fc |
|
@@ -0,0 +1,12 @@ |
|
+/usr/bin/ganesha.nfsd -- gen_context(system_u:object_r:ganesha_exec_t,s0) |
|
+ |
|
+/usr/lib/systemd/system/nfs-ganesha-config.* -- gen_context(system_u:object_r:ganesha_unit_file_t,s0) |
|
+ |
|
+/usr/lib/systemd/system/nfs-ganesha-lock.* -- gen_context(system_u:object_r:ganesha_unit_file_t,s0) |
|
+ |
|
+/usr/lib/systemd/system/nfs-ganesha.*e -- gen_context(system_u:object_r:ganesha_unit_file_t,s0) |
|
+ |
|
+/var/log/ganesha.log.* -- gen_context(system_u:object_r:ganesha_var_log_t,s0) |
|
+/var/log/ganesha-gfapi.log.* -- gen_context(system_u:object_r:ganesha_var_log_t,s0) |
|
+ |
|
+/var/run/ganesha(/.*)? gen_context(system_u:object_r:ganesha_var_run_t,s0) |
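Review bot: The executable entry on the first line, `/usr/bin/ganesha.nfsd`, leaves the dot unescaped, whereas the rpc.fc entry it replaces used `ganesha\.nfsd`; as a regex `.` matches any character, and the same applies to the two `/var/log/ganesha*.log.*` entries. Separately, `/var/run/ganesha(/.*)?` matches only the directory and its contents, while the removed rpc.fc line `/var/run/ganesha.*` also covered a bare `/var/run/ganesha.pid`; `files_pid_filetrans` in ganesha.te will label such a file at creation, but a relabel would reset it to var_run_t. The dropped glusterd.fc entry `/var/log/ganesha(/.*)?` likewise has no replacement here even though ganesha.te's `logging_log_filetrans` includes `dir`. Suggested lines: `/usr/bin/ganesha\.nfsd -- gen_context(system_u:object_r:ganesha_exec_t,s0)` and `/var/run/ganesha.* gen_context(system_u:object_r:ganesha_var_run_t,s0)`, plus a `/var/log/ganesha(/.*)? gen_context(system_u:object_r:ganesha_var_log_t,s0)` entry if the daemon creates that directory.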
|
diff --git a/ganesha.if b/ganesha.if |
|
new file mode 100644 |
|
index 000000000..4c347e5cc |
|
--- /dev/null |
|
+++ b/ganesha.if |
|
@@ -0,0 +1,146 @@ |
|
+## <summary>policy for ganesha</summary> |
|
+ |
|
+######################################## |
|
+## <summary> |
|
+## Execute ganesha_exec_t in the ganesha domain. |
|
+## </summary> |
|
+## <param name="domain"> |
|
+## <summary> |
|
+## Domain allowed to transition. |
|
+## </summary> |
|
+## </param> |
|
+# |
|
+interface(`ganesha_domtrans',` |
|
+ gen_require(` |
|
+ type ganesha_t, ganesha_exec_t; |
|
+ ') |
|
+ |
|
+ corecmd_search_bin($1) |
|
+ domtrans_pattern($1, ganesha_exec_t, ganesha_t) |
|
+') |
|
+ |
|
+###################################### |
|
+## <summary> |
|
+## Execute ganesha in the caller domain. |
|
+## </summary> |
|
+## <param name="domain"> |
|
+## <summary> |
|
+## Domain allowed access. |
|
+## </summary> |
|
+## </param> |
|
+# |
|
+interface(`ganesha_exec',` |
|
+ gen_require(` |
|
+ type ganesha_exec_t; |
|
+ ') |
|
+ |
|
+ corecmd_search_bin($1) |
|
+ can_exec($1, ganesha_exec_t) |
|
+') |
|
+######################################## |
|
+## <summary> |
|
+## Read ganesha PID files. |
|
+## </summary> |
|
+## <param name="domain"> |
|
+## <summary> |
|
+## Domain allowed access. |
|
+## </summary> |
|
+## </param> |
|
+# |
|
+interface(`ganesha_read_pid_files',` |
|
+ gen_require(` |
|
+ type ganesha_var_run_t; |
|
+ ') |
|
+ |
|
+ files_search_pids($1) |
|
+ read_files_pattern($1, ganesha_var_run_t, ganesha_var_run_t) |
|
+') |
|
+ |
|
+######################################## |
|
+## <summary> |
|
+## Execute ganesha server in the ganesha domain. |
|
+## </summary> |
|
+## <param name="domain"> |
|
+## <summary> |
|
+## Domain allowed to transition. |
|
+## </summary> |
|
+## </param> |
|
+# |
|
+interface(`ganesha_systemctl',` |
|
+ gen_require(` |
|
+ type ganesha_t; |
|
+ type ganesha_unit_file_t; |
|
+ ') |
|
+ |
|
+ systemd_exec_systemctl($1) |
|
+ systemd_read_fifo_file_passwd_run($1) |
|
+ allow $1 ganesha_unit_file_t:file read_file_perms; |
|
+ allow $1 ganesha_unit_file_t:service manage_service_perms; |
|
+ |
|
+ ps_process_pattern($1, ganesha_t) |
|
+') |
|
+ |
|
+ |
|
+######################################## |
|
+## <summary> |
|
+## Send and receive messages from |
|
+## ganesha over dbus. |
|
+## </summary> |
|
+## <param name="domain"> |
|
+## <summary> |
|
+## Domain allowed access. |
|
+## </summary> |
|
+## </param> |
|
+# |
|
+interface(`ganesha_dbus_chat',` |
|
+ gen_require(` |
|
+ type ganesha_t; |
|
+ class dbus send_msg; |
|
+ ') |
|
+ |
|
+ allow $1 ganesha_t:dbus send_msg; |
|
+ allow ganesha_t $1:dbus send_msg; |
|
+') |
|
+ |
|
+######################################## |
|
+## <summary> |
|
+## All of the rules required to administrate |
|
+## an ganesha environment |
|
+## </summary> |
|
+## <param name="domain"> |
|
+## <summary> |
|
+## Domain allowed access. |
|
+## </summary> |
|
+## </param> |
|
+## <param name="role"> |
|
+## <summary> |
|
+## Role allowed access. |
|
+## </summary> |
|
+## </param> |
|
+## <rolecap/> |
|
+# |
|
+interface(`ganesha_admin',` |
|
+ gen_require(` |
|
+ type ganesha_t; |
|
+ type ganesha_var_run_t; |
|
+ type ganesha_unit_file_t; |
|
+ ') |
|
+ |
|
+ allow $1 ganesha_t:process { signal_perms }; |
|
+ ps_process_pattern($1, ganesha_t) |
|
+ |
|
+ tunable_policy(`deny_ptrace',`',` |
|
+ allow $1 ganesha_t:process ptrace; |
|
+ ') |
|
+ |
|
+ files_search_pids($1) |
|
+ admin_pattern($1, ganesha_var_run_t) |
|
+ |
|
+ ganesha_systemctl($1) |
|
+ admin_pattern($1, ganesha_unit_file_t) |
|
+ allow $1 ganesha_unit_file_t:service all_service_perms; |
|
+ optional_policy(` |
|
+ systemd_passwd_agent_exec($1) |
|
+ systemd_read_fifo_file_passwd_run($1) |
|
+ ') |
|
+') |
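Review bot: `ganesha_admin` covers ganesha_var_run_t and ganesha_unit_file_t but not ganesha_var_log_t or ganesha_tmp_t, both of which ganesha.te declares in this same commit, so a role granted the admin interface still cannot read or rotate `/var/log/ganesha*.log` or clean the daemon's tmp files. The `role` parameter is documented with `<rolecap/>` but `$2` is never used in the body; if that is deliberate (no initrc script, unit files only), a comment saying so would stop the next reader from hunting for the missing role_transition. The missing types are a small addition to the require block and two admin_pattern stanzas:

```m4
interface(`ganesha_admin',`
	gen_require(`
		type ganesha_t;
		type ganesha_var_run_t;
		type ganesha_var_log_t;
		type ganesha_tmp_t;
		type ganesha_unit_file_t;
	')

	# … unchanged: signal / ptrace / ps_process_pattern rules …

	files_search_pids($1)
	admin_pattern($1, ganesha_var_run_t)

	logging_search_logs($1)
	admin_pattern($1, ganesha_var_log_t)

	files_search_tmp($1)
	admin_pattern($1, ganesha_tmp_t)

	# … unchanged: ganesha_systemctl / unit file / passwd agent rules …
')
```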
|
diff --git a/ganesha.te b/ganesha.te |
|
new file mode 100644 |
|
index 000000000..f25a3f34d |
|
--- /dev/null |
|
+++ b/ganesha.te |
|
@@ -0,0 +1,111 @@ |
|
+policy_module(ganesha, 1.0.0) |
|
+ |
|
+######################################## |
|
+# |
|
+# Declarations |
|
+# |
|
+ |
|
+## <desc> |
|
+## <p> |
|
+## Allow ganesha to read/write fuse files |
|
+## </p> |
|
+## </desc> |
|
+gen_tunable(ganesha_use_fusefs, false) |
|
+ |
|
+type ganesha_t; |
|
+type ganesha_exec_t; |
|
+init_daemon_domain(ganesha_t, ganesha_exec_t) |
|
+ |
|
+type ganesha_var_log_t; |
|
+logging_log_file(ganesha_var_log_t) |
|
+ |
|
+type ganesha_var_run_t; |
|
+files_pid_file(ganesha_var_run_t) |
|
+ |
|
+type ganesha_tmp_t; |
|
+files_tmp_file(ganesha_tmp_t) |
|
+ |
|
+type ganesha_unit_file_t; |
|
+systemd_unit_file(ganesha_unit_file_t) |
|
+ |
|
+######################################## |
|
+# |
|
+# ganesha local policy |
|
+# |
|
+dontaudit ganesha_t self:capability net_admin; |
|
+ |
|
+allow ganesha_t self:capability { dac_read_search dac_override }; |
|
+allow ganesha_t self:capability2 block_suspend; |
|
+allow ganesha_t self:process { setcap setrlimit }; |
|
+allow ganesha_t self:fifo_file rw_fifo_file_perms; |
|
+allow ganesha_t self:unix_stream_socket create_stream_socket_perms; |
|
+allow ganesha_t self:tcp_socket { accept listen }; |
|
+ |
|
+manage_dirs_pattern(ganesha_t, ganesha_var_run_t, ganesha_var_run_t) |
|
+manage_files_pattern(ganesha_t, ganesha_var_run_t, ganesha_var_run_t) |
|
+manage_lnk_files_pattern(ganesha_t, ganesha_var_run_t, ganesha_var_run_t) |
|
+files_pid_filetrans(ganesha_t, ganesha_var_run_t, { dir file lnk_file }) |
|
+ |
|
+manage_dirs_pattern(ganesha_t, ganesha_var_log_t, ganesha_var_log_t) |
|
+manage_files_pattern(ganesha_t, ganesha_var_log_t, ganesha_var_log_t) |
|
+logging_log_filetrans(ganesha_t, ganesha_var_log_t, { file dir }) |
|
+ |
|
+manage_dirs_pattern(ganesha_t, ganesha_tmp_t, ganesha_tmp_t) |
|
+manage_files_pattern(ganesha_t, ganesha_tmp_t, ganesha_tmp_t) |
|
+files_tmp_filetrans(ganesha_t, ganesha_tmp_t, { file dir }) |
|
+ |
|
+kernel_read_system_state(ganesha_t) |
|
+kernel_search_network_sysctl(ganesha_t) |
|
+kernel_read_net_sysctls(ganesha_t) |
|
+ |
|
+auth_use_nsswitch(ganesha_t) |
|
+ |
|
+corenet_tcp_bind_nfs_port(ganesha_t) |
|
+corenet_tcp_connect_generic_port(ganesha_t) |
|
+corenet_tcp_connect_gluster_port(ganesha_t) |
|
+corenet_udp_bind_dey_keyneg_port(ganesha_t) |
|
+corenet_tcp_bind_dey_keyneg_port(ganesha_t) |
|
+corenet_udp_bind_nfs_port(ganesha_t) |
|
+corenet_udp_bind_all_rpc_ports(ganesha_t) |
|
+corenet_tcp_bind_all_rpc_ports(ganesha_t) |
|
+corenet_tcp_bind_mountd_port(ganesha_t) |
|
+corenet_udp_bind_mountd_port(ganesha_t) |
|
+corenet_tcp_connect_virt_migration_port(ganesha_t) |
|
+corenet_tcp_connect_all_rpc_ports(ganesha_t) |
|
+ |
|
+dev_rw_infiniband_dev(ganesha_t) |
|
+dev_read_gpfs(ganesha_t) |
|
+dev_read_rand(ganesha_t) |
|
+ |
|
+logging_send_syslog_msg(ganesha_t) |
|
+ |
|
+sysnet_dns_name_resolve(ganesha_t) |
|
+ |
|
+optional_policy(` |
|
+ dbus_system_bus_client(ganesha_t) |
|
+ dbus_connect_system_bus(ganesha_t) |
|
+ unconfined_dbus_chat(ganesha_t) |
|
+') |
|
+ |
|
+optional_policy(` |
|
+ glusterd_read_conf(ganesha_t) |
|
+ glusterd_read_lib_files(ganesha_t) |
|
+ glusterd_manage_pid(ganesha_t) |
|
+') |
|
+ |
|
+optional_policy(` |
|
+ kerberos_read_keytab(ganesha_t) |
|
+') |
|
+ |
|
+optional_policy(` |
|
+ rpc_manage_nfs_state_data_dir(ganesha_t) |
|
+ rpc_read_nfs_state_data(ganesha_t) |
|
+ rpcbind_stream_connect(ganesha_t) |
|
+') |
|
+ |
|
+tunable_policy(`ganesha_use_fusefs',` |
|
+ fs_manage_fusefs_dirs(ganesha_t) |
|
+ fs_manage_fusefs_files(ganesha_t) |
|
+ fs_read_fusefs_symlinks(ganesha_t) |
|
+ fs_getattr_fusefs(ganesha_t) |
|
+') |
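Review bot: `unconfined_dbus_chat(ganesha_t)` in the dbus optional_policy block is the widest grant in this new domain: it allows two-way D-Bus messaging between a network-facing NFS server and every unconfined process, while the specific peers that actually need to talk to it (glusterd_t, cluster_t) are already handled by `ganesha_dbus_chat` elsewhere in this commit. If the rule exists for admin tooling run from an unconfined shell, say so in a comment, e.g. `# ganesha CLI tools (dbus-send/ganesha_mgr) run from an unconfined shell`, otherwise consider dropping it. Note also that the old nfsd_t rules removed in the rpc.te hunk included `dbus_acquire_svc_system_dbusd(nfsd_t)`, which has no counterpart here; if ganesha.nfsd registers a well-known bus name that the bus config associates with an SELinux context, `dbus_acquire_svc_system_dbusd(ganesha_t)` will be needed. `corenet_tcp_connect_generic_port(ganesha_t)` similarly deserves a comment naming the backend it exists for, since every other connect rule in the block is port-specific.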
|
diff --git a/glusterd.fc b/glusterd.fc |
|
index e42e81f5f..9806f50ae 100644 |
|
--- a/glusterd.fc |
|
+++ b/glusterd.fc |
|
@@ -23,8 +23,3 @@ |
|
/var/run/glusterd(/.*)? gen_context(system_u:object_r:glusterd_var_run_t,s0) |
|
/var/run/glusterd.* -- gen_context(system_u:object_r:glusterd_var_run_t,s0) |
|
/var/run/glusterd.* -s gen_context(system_u:object_r:glusterd_var_run_t,s0) |
|
- |
|
-/var/log/ganesha(/.*)? gen_context(system_u:object_r:glusterd_log_t,s0) |
|
-/var/log/ganesha.log -- gen_context(system_u:object_r:glusterd_log_t,s0) |
|
-/var/log/ganesha-gfapi.log -- gen_context(system_u:object_r:glusterd_log_t,s0) |
|
- |
|
diff --git a/glusterd.if b/glusterd.if |
|
index a62e355ac..291191f17 100644 |
|
--- a/glusterd.if |
|
+++ b/glusterd.if |
|
@@ -135,7 +135,6 @@ interface(`glusterd_manage_log',` |
|
manage_dirs_pattern($1, glusterd_log_t, glusterd_log_t) |
|
manage_files_pattern($1, glusterd_log_t, glusterd_log_t) |
|
manage_lnk_files_pattern($1, glusterd_log_t, glusterd_log_t) |
|
- logging_log_named_filetrans($1, glusterd_log_t, file, "ganesha.log") |
|
') |
|
|
|
###################################### |
|
diff --git a/glusterd.te b/glusterd.te |
|
index 7804cbaf4..2bcedd014 100644 |
|
--- a/glusterd.te |
|
+++ b/glusterd.te |
|
@@ -64,8 +64,6 @@ files_type(glusterd_var_lib_t) |
|
type glusterd_brick_t; |
|
files_type(glusterd_brick_t) |
|
|
|
-typealias glusterd_log_t alias ganesha_var_log_t; |
|
- |
|
######################################## |
|
# |
|
# Local policy |
|
@@ -270,6 +268,11 @@ optional_policy(` |
|
') |
|
') |
|
|
|
+optional_policy(` |
|
+ ganesha_systemctl(glusterd_t) |
|
+ ganesha_dbus_chat(glusterd_t) |
|
+') |
|
+ |
|
optional_policy(` |
|
hostname_exec(glusterd_t) |
|
') |
|
@@ -310,8 +313,8 @@ optional_policy(` |
|
optional_policy(` |
|
rpc_systemctl_nfsd(glusterd_t) |
|
rpc_systemctl_rpcd(glusterd_t) |
|
+ |
|
rpc_domtrans_nfsd(glusterd_t) |
|
- rpc_dbus_chat_nfsd(glusterd_t) |
|
rpc_domtrans_rpcd(glusterd_t) |
|
rpc_manage_nfs_state_data(glusterd_t) |
|
rpc_manage_nfs_state_data_dir(glusterd_t) |
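Review bot: `rpc_domtrans_nfsd(glusterd_t)` is kept in this hunk, but it no longer covers ganesha: before this commit ganesha_exec_t was a typealias of nfsd_exec_t (removed in the rpc.te hunk), so executing `/usr/bin/ganesha.nfsd` from glusterd_t transitioned to nfsd_t, while after the split ganesha_exec_t is its own type and no domain in this diff calls the new `ganesha_domtrans` interface. If glusterd execs ganesha.nfsd directly (as opposed to only driving it through systemctl, which the `ganesha_systemctl(glusterd_t)` added earlier in this file covers), add `ganesha_domtrans(glusterd_t)` to that same optional_policy block; if it never does, a comment saying the service is only managed via systemd would close the question.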
|
diff --git a/nova.te b/nova.te |
|
index 2259a5192..af8dd5527 100644 |
|
--- a/nova.te |
|
+++ b/nova.te |
|
@@ -124,6 +124,7 @@ corenet_sendrecv_dns_server_packets(nova_domain) |
|
corenet_sendrecv_dhcpd_server_packets(nova_domain) |
|
|
|
auth_use_nsswitch(nova_t) |
|
+auth_use_pam(nova_t) |
|
auth_read_passwd(nova_domain) |
|
|
|
dev_read_sysfs(nova_domain) |
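Review bot: `auth_use_pam(nova_t)` is one of the broadest auth grants (domain transitions to the chk_passwd/upd_passwd helpers, lastlog/faillog writes, audit messages, and in refpolicy it also pulls in auth_use_nsswitch and init_rw_utmp for the caller), yet the line carries no comment on which nova component actually runs a PAM stack. Add a comment such as `# nova-<service> authenticates via PAM (record the AVC/use case)` so the grant can be re-examined later, and note that `auth_use_nsswitch(nova_t)` directly above becomes redundant if auth_use_pam already includes it in this policy tree.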
|
@@ -132,7 +133,7 @@ dev_read_rand(nova_domain) |
|
|
|
fs_getattr_all_fs(nova_domain) |
|
|
|
-init_read_utmp(nova_domain) |
|
+init_rw_utmp(nova_domain) |
|
|
|
libs_exec_ldconfig(nova_domain) |
|
|
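Review bot: The widening from `init_read_utmp` to `init_rw_utmp` on the replaced line is applied to the `nova_domain` attribute, so every nova_* domain gains write access to utmp/wtmp, while the PAM grant that presumably motivates it in the previous hunk is limited to nova_t. If only nova_t needs the write side, keep `init_read_utmp(nova_domain)` and add `init_rw_utmp(nova_t)` next to the PAM rule; and if auth_use_pam already supplies init_rw_utmp in this policy tree (it does in refpolicy), the change is redundant for nova_t altogether.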
|
diff --git a/rhcs.te b/rhcs.te |
|
index 0e8b031bb..c029ccd71 100644 |
|
--- a/rhcs.te |
|
+++ b/rhcs.te |
|
@@ -265,7 +265,7 @@ optional_policy(` |
|
') |
|
|
|
optional_policy(` |
|
- rpc_dbus_chat_nfsd(cluster_t) |
|
+ ganesha_dbus_chat(cluster_t) |
|
') |
|
|
|
optional_policy(` |
|
diff --git a/rpc.fc b/rpc.fc |
|
index b08ec8d2d..38a2f0911 100644 |
|
--- a/rpc.fc |
|
+++ b/rpc.fc |
|
@@ -1,5 +1,3 @@ |
|
- |
|
- |
|
# |
|
# /etc |
|
# |
|
@@ -11,10 +9,6 @@ |
|
/usr/lib/systemd/system/nfs.* -- gen_context(system_u:object_r:nfsd_unit_file_t,s0) |
|
/usr/lib/systemd/system/rpc.* -- gen_context(system_u:object_r:rpcd_unit_file_t,s0) |
|
|
|
-/usr/lib/systemd/system/nfs-ganesha-config.* -- gen_context(system_u:object_r:nfsd_unit_file_t,s0) |
|
-/usr/lib/systemd/system/nfs-ganesha-lock.* -- gen_context(system_u:object_r:nfsd_unit_file_t,s0) |
|
-/usr/lib/systemd/system/nfs-ganesha.*e -- gen_context(system_u:object_r:nfsd_unit_file_t,s0) |
|
- |
|
# |
|
# /sbin |
|
# |
|
@@ -33,15 +27,12 @@ |
|
/usr/sbin/rpc\.svcgssd -- gen_context(system_u:object_r:gssd_exec_t,s0) |
|
/usr/sbin/sm-notify -- gen_context(system_u:object_r:rpcd_exec_t,s0) |
|
|
|
-/usr/bin/ganesha\.nfsd -- gen_context(system_u:object_r:nfsd_exec_t,s0) |
|
- |
|
# |
|
# /var |
|
# |
|
/var/lib/nfs(/.*)? gen_context(system_u:object_r:var_lib_nfs_t,s0) |
|
|
|
/var/run/sm-notify.* gen_context(system_u:object_r:rpcd_var_run_t,s0) |
|
-/var/run/ganesha.* gen_context(system_u:object_r:rpcd_var_run_t,s0) |
|
/var/run/rpc\.statd(/.*)? gen_context(system_u:object_r:rpcd_var_run_t,s0) |
|
/var/run/rpc\.statd\.pid -- gen_context(system_u:object_r:rpcd_var_run_t,s0) |
|
|
|
diff --git a/rpc.if b/rpc.if |
|
index 2ee527f2a..79a2a9c48 100644 |
|
--- a/rpc.if |
|
+++ b/rpc.if |
|
@@ -530,24 +530,3 @@ interface(`rpc_gssd_noatsecure',` |
|
|
|
allow $1 gssd_t:process { noatsecure rlimitinh }; |
|
') |
|
- |
|
-######################################## |
|
-## <summary> |
|
-## Send and receive messages from |
|
-## ganesha over dbus. |
|
-## </summary> |
|
-## <param name="domain"> |
|
-## <summary> |
|
-## Domain allowed access. |
|
-## </summary> |
|
-## </param> |
|
-# |
|
-interface(`rpc_dbus_chat_nfsd',` |
|
- gen_require(` |
|
- type nfsd_t; |
|
- class dbus send_msg; |
|
- ') |
|
- |
|
- allow $1 nfsd_t:dbus send_msg; |
|
- allow nfsd_t $1:dbus send_msg; |
|
-') |
|
diff --git a/rpc.te b/rpc.te |
|
index f4df4fda2..f585a7fb5 100644 |
|
--- a/rpc.te |
|
+++ b/rpc.te |
|
@@ -65,13 +65,6 @@ systemd_unit_file(nfsd_unit_file_t) |
|
type var_lib_nfs_t; |
|
files_mountpoint(var_lib_nfs_t) |
|
|
|
-type nfsd_tmp_t; |
|
-files_tmp_file(nfsd_tmp_t) |
|
- |
|
-typealias nfsd_t alias ganesha_t; |
|
-typealias nfsd_exec_t alias ganesha_exec_t; |
|
-typealias nfsd_unit_file_t alias ganesha_unit_file_t; |
|
- |
|
######################################## |
|
# |
|
# Common rpc domain local policy |
|
@@ -234,17 +227,8 @@ optional_policy(` |
|
|
|
allow nfsd_t self:capability { dac_read_search dac_override sys_admin sys_rawio sys_resource }; |
|
|
|
-allow nfsd_t self:process { setcap }; |
|
- |
|
allow nfsd_t exports_t:file read_file_perms; |
|
|
|
-manage_dirs_pattern(nfsd_t, nfsd_tmp_t, nfsd_tmp_t) |
|
-manage_files_pattern(nfsd_t, nfsd_tmp_t, nfsd_tmp_t) |
|
-files_tmp_filetrans(nfsd_t, nfsd_tmp_t, { file dir }) |
|
- |
|
-manage_files_pattern(nfsd_t, rpcd_var_run_t, rpcd_var_run_t) |
|
-files_pid_filetrans(nfsd_t, rpcd_var_run_t, { file }) |
|
- |
|
# for /proc/fs/nfs/exports - should we have a new type? |
|
kernel_read_system_state(nfsd_t) |
|
kernel_read_network_state(nfsd_t) |
|
@@ -318,16 +302,6 @@ tunable_policy(`nfs_export_all_ro',` |
|
files_read_non_security_files(nfsd_t) |
|
') |
|
|
|
-optional_policy(` |
|
- glusterd_manage_log(nfsd_t) |
|
- glusterd_manage_pid(nfsd_t) |
|
-') |
|
- |
|
-optional_policy(` |
|
- dbus_system_bus_client(nfsd_t) |
|
- dbus_acquire_svc_system_dbusd(nfsd_t) |
|
-') |
|
- |
|
optional_policy(` |
|
mount_exec(nfsd_t) |
|
mount_manage_pid_files(nfsd_t) |
|
diff --git a/sysstat.te b/sysstat.te |
|
index a2690e315..efb2f855c 100644 |
|
--- a/sysstat.te |
|
+++ b/sysstat.te |
|
@@ -44,6 +44,7 @@ dev_read_urand(sysstat_t) |
|
|
|
files_search_var(sysstat_t) |
|
files_read_etc_runtime_files(sysstat_t) |
|
+files_search_all_mountpoints(sysstat_t) |
|
|
|
fs_getattr_all_fs(sysstat_t) |
|
fs_list_inotifyfs(sysstat_t)
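Review bot: `files_search_all_mountpoints(sysstat_t)` is unrelated to the ganesha/nfsd split that the rest of this commit performs and carries no comment on which sadc/sar operation needs search on every mountpoint type (presumably filesystem statistics, sar -F). Add a short justification, e.g. `# sadc filesystem statistics need to search all mountpoints`, and consider landing unrelated policy tweaks as separate commits so the grant is reviewable on its own.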
|
|
|