
On 10/30/2014 02:44 PM, Rodrigo Trujillo wrote:
From: Paulo Vital <pvital@linux.vnet.ibm.com>
Add selinux/kimchid.te describing the SELinux policy to allow nginx and kimchid.
Signed-off-by: Paulo Vital <pvital@linux.vnet.ibm.com>
---
 Makefile.am        |  1 +
 selinux/kimchid.te | 20 ++++++++++++++++++++
You can put this under /src with the other config files. You also need to update the spec files to properly install this file.
 2 files changed, 21 insertions(+)
 create mode 100644 selinux/kimchid.te
diff --git a/Makefile.am b/Makefile.am index 0740438..6a31cd7 100644 --- a/Makefile.am +++ b/Makefile.am @@ -31,6 +31,7 @@ EXTRA_DIST = \ CONTRIBUTE.md \ VERSION \ build-aux/pkg-version \ + selinux/kimchid.te \ $(NULL)
diff --git a/selinux/kimchid.te b/selinux/kimchid.te new file mode 100644 index 0000000..36c20ea --- /dev/null +++ b/selinux/kimchid.te @@ -0,0 +1,20 @@ +module kimchid 1.0.1; +require { + type var_run_t; + type httpd_t; + type unreserved_port_t; + type soundd_port_t; + class tcp_socket { name_bind name_connect }; + class file unlink; +} + +#============= httpd_t ============== +allow httpd_t soundd_port_t:tcp_socket name_bind; + +#!!!! This avc is allowed in the current policy +allow httpd_t unreserved_port_t:tcp_socket name_bind; + +#!!!! This avc can be allowed using one of the these booleans: +# nis_enabled, httpd_can_network_connect +allow httpd_t unreserved_port_t:tcp_socket name_connect; +allow httpd_t var_run_t:file unlink;
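Review bot: in the Makefile.am hunk, adding selinux/kimchid.te to EXTRA_DIST only ships the source in the tarball; nothing compiles it into a policy module or loads it, so on a fresh install these rules never take effect. Either add a build rule that runs `checkmodule -M -m -o kimchid.mod selinux/kimchid.te` and `semodule_package -o kimchid.pp -m kimchid.mod`, or do that in the spec files' %post with `semodule -i kimchid.pp`, and install the file under the same path as the other config files (the reply already suggests src for that).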
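Review bot: in the kimchid.te hunk, `allow httpd_t unreserved_port_t:tcp_socket name_bind;` and the matching `name_connect` rule let every httpd_t process on the host, not only kimchid but any nginx or Apache instance, bind and connect to any unreserved TCP port, which is far wider than kimchid needs. The audit2allow comments left in the file already say the bind is allowed by the current policy and the connect is covered by the `httpd_can_network_connect` boolean, so drop those two rules and have the spec set the boolean with `setsebool -P httpd_can_network_connect on` instead. Rather than letting httpd_t bind soundd_port_t, label kimchid's own listening port as http_port_t (`semanage port -a -t http_port_t -p tcp <port>`) so the existing httpd policy covers it; and `allow httpd_t var_run_t:file unlink` permits deleting any generic file under /run, so the pid file should carry an httpd_var_run_t (or a kimchi-specific) label rather than the generic var_run_t. The `#!!!!` audit2allow boilerplate should also go, and a brand-new module would normally start at version 1.0 rather than 1.0.1.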