[Kimchi-devel] [PATCH 1/2] SELinux policy to allow nginx and kimchid.
Aline Manera
alinefm at linux.vnet.ibm.com
Thu Oct 30 18:34:38 UTC 2014
On 10/30/2014 02:44 PM, Rodrigo Trujillo wrote:
> From: Paulo Vital <pvital at linux.vnet.ibm.com>
>
> Add selinux/kimchid.te describing the SELinux policy to allow nginx
> and kimchid.
>
> Signed-off-by: Paulo Vital <pvital at linux.vnet.ibm.com>
> ---
> Makefile.am | 1 +
> selinux/kimchid.te | 20 ++++++++++++++++++++
You can put it under /src with the other config files.
You also need to update the spec files to properly install this file.
> 2 files changed, 21 insertions(+)
> create mode 100644 selinux/kimchid.te
>
> diff --git a/Makefile.am b/Makefile.am
> index 0740438..6a31cd7 100644
> --- a/Makefile.am
> +++ b/Makefile.am
> @@ -31,6 +31,7 @@ EXTRA_DIST = \
> CONTRIBUTE.md \
> VERSION \
> build-aux/pkg-version \
> + selinux/kimchid.te \
> $(NULL)
>
>
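Review bot: adding selinux/kimchid.te to EXTRA_DIST only ships the policy source in the tarball; nothing in this hunk compiles it or installs it, so the module is not loadable from a built package. A build rule that produces the binary module (checkmodule -M -m -o kimchid.mod selinux/kimchid.te, then semodule_package -o kimchid.pp -m kimchid.mod) plus an install target or spec-file entry for the resulting kimchid.pp is needed for the policy to actually take effect.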
> diff --git a/selinux/kimchid.te b/selinux/kimchid.te
> new file mode 100644
> index 0000000..36c20ea
> --- /dev/null
> +++ b/selinux/kimchid.te
> @@ -0,0 +1,20 @@
> +module kimchid 1.0.1;
> +require {
> + type var_run_t;
> + type httpd_t;
> + type unreserved_port_t;
> + type soundd_port_t;
> + class tcp_socket { name_bind name_connect };
> + class file unlink;
> +}
> +
> +#============= httpd_t ==============
> +allow httpd_t soundd_port_t:tcp_socket name_bind;
> +
> +#!!!! This avc is allowed in the current policy
> +allow httpd_t unreserved_port_t:tcp_socket name_bind;
> +
> +#!!!! This avc can be allowed using one of the these booleans:
> +# nis_enabled, httpd_can_network_connect
> +allow httpd_t unreserved_port_t:tcp_socket name_connect;
> +allow httpd_t var_run_t:file unlink;
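Review bot: the file is raw audit2allow output committed verbatim, and the tool's own comments show two of the rules should not be in a custom module: "This avc is allowed in the current policy" means the name_bind on unreserved_port_t is redundant and can be dropped, and "can be allowed using one of the these booleans" means the name_connect rule is better handled by enabling httpd_can_network_connect (setsebool -P) or documenting that requirement, rather than hardcoding a blanket allow for httpd_t to connect to every unreserved port. The "#!!!!" marker comments should be removed either way. Two further points: soundd_port_t is the sound daemon's port type, so "allow httpd_t soundd_port_t:tcp_socket name_bind" grants nginx the right to bind to ports belonging to an unrelated service; labeling the port kimchid actually uses as http_port_t (semanage port -a -t http_port_t -p tcp <port>) avoids that. And "allow httpd_t var_run_t:file unlink" permits deleting any generic var_run_t file, not only kimchid's own pid file; a dedicated file type for the daemon's runtime files would scope that rule to what it needs.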