On 10/30/2014 02:44 PM, Rodrigo Trujillo wrote:
From: Paulo Vital <pvital(a)linux.vnet.ibm.com>
Add selinux/kimchid.te describing the SELinux policy to allow nginx
and kimchid.
Signed-off-by: Paulo Vital <pvital(a)linux.vnet.ibm.com>
---
Makefile.am | 1 +
selinux/kimchid.te | 20 ++++++++++++++++++++
You can put it under /src with the other config files.
You also need to update the spec files to properly install this file.
2 files changed, 21 insertions(+)
create mode 100644 selinux/kimchid.te
diff --git a/Makefile.am b/Makefile.am
index 0740438..6a31cd7 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -31,6 +31,7 @@ EXTRA_DIST = \
CONTRIBUTE.md \
VERSION \
build-aux/pkg-version \
+ selinux/kimchid.te \
$(NULL)
diff --git a/selinux/kimchid.te b/selinux/kimchid.te
new file mode 100644
index 0000000..36c20ea
--- /dev/null
+++ b/selinux/kimchid.te
@@ -0,0 +1,20 @@
+module kimchid 1.0.1;
+require {
+ type var_run_t;
+ type httpd_t;
+ type unreserved_port_t;
+ type soundd_port_t;
+ class tcp_socket { name_bind name_connect };
+ class file unlink;
+}
+
+#============= httpd_t ==============
+allow httpd_t soundd_port_t:tcp_socket name_bind;
+
+#!!!! This avc is allowed in the current policy
+allow httpd_t unreserved_port_t:tcp_socket name_bind;
+
+#!!!! This avc can be allowed using one of the these booleans:
+# nis_enabled, httpd_can_network_connect
+allow httpd_t unreserved_port_t:tcp_socket name_connect;
+allow httpd_t var_run_t:file unlink;
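Review bot: `allow httpd_t var_run_t:file unlink;` on the last line grants nginx unlink on every file labelled var_run_t, not only kimchi's own socket or pid files; a kimchi-specific file type with a transition (or at minimum a comment naming the exact file this is for) would keep the grant scoped. The `name_bind` rule that the hunk's own comment says "is allowed in the current policy" is redundant and can be dropped, and the `name_connect` rule duplicates what the `httpd_can_network_connect` boolean toggles, so the module should state why a hard allow is preferred over setting that boolean at install time. The module also has no header comment; something like `# SELinux policy for kimchid: lets the nginx front end (httpd_t) bind its listening port and connect to the kimchi backend` would tell a packager what the module is for and which rules are the minimum.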