[node-patches] Change in ovirt-node[node-3.0]: selinux: Further updates

[fabiand at fedoraproject.org]

Fabian Deutsch has uploaded a new change for review.

Change subject: selinux: Further updates
......................................................................

selinux: Further updates

Change-Id: I87908879b71f1049c37bca876f441415e1a1323d
Signed-off-by: Fabian Deutsch <fabiand at fedoraproject.org>
---
M ovirt-node.spec.in
M semodule/ovirt.te.in
2 files changed, 30 insertions(+), 7 deletions(-)


  git pull ssh://gerrit.ovirt.org:29418/ovirt-node refs/changes/44/22544/1

diff --git a/ovirt-node.spec.in b/ovirt-node.spec.in
index a4b4975..ac9c998 100644
--- a/ovirt-node.spec.in
+++ b/ovirt-node.spec.in
@@ -238,6 +238,7 @@
 done
 # Is this to greedy?
 /sbin/restorecon -R / || :
+/usr/sbin/fixfiles -R -a restore
 
 # set SELinux booleans
 # rhbz#502779 restrict certain memory protection operations
diff --git a/semodule/ovirt.te.in b/semodule/ovirt.te.in
index d1deafc..4bccd58 100644
--- a/semodule/ovirt.te.in
+++ b/semodule/ovirt.te.in
@@ -6,6 +6,7 @@
 @SYSTEMD_COMMENT@    type systemd_unit_file_t;
     type collectd_t;
     type etc_t;
+    type getty_t;
     type initrc_t;
     type initrc_tmp_t;
     type init_t;
@@ -23,12 +24,14 @@
     type sshd_net_t;
     type sshd_t;
     type svirt_t;
+    type syslogd_t;
     type sysstat_t;
     type systemd_localed_t;
     type systemd_unit_file_t;
     type tuned_t;
     type unconfined_t;
     type var_log_t;
+    type var_lib_t;
     type virt_cache_t;
     type virtd_exec_t;
     type virtd_t;
@@ -37,6 +40,7 @@
 ')
 
 #============= collectd_t ==============
+ at COLLECTD_COMMENT@allow collectd_t initrc_t:unix_stream_socket connectto;
 @COLLECTD_COMMENT at allow collectd_t passwd_file_t:file { open read };
 @COLLECTD_COMMENT at allow collectd_t virtd_exec_t:file getattr;
 @COLLECTD_COMMENT at allow collectd_t virt_etc_t:file read;
@@ -49,27 +53,45 @@
 @SYSTEMD_COMMENT at allow systemd_localed_t systemd_unit_file_t:service start;
 @SYSTEMD_COMMENT at allow systemd_localed_t ovirt_t:dbus send_msg;
 
-#============= misc ==============
-allow mount_t shadow_t:file mounton;
-allow setfiles_t net_conf_t:file read;
-allow loadkeys_t initrc_tmp_t:file read;
-allow policykit_t ovirt_t:dbus send_msg;
-allow sshd_net_t initrc_t:process sigchld;
-allow sysstat_t var_log_t:file open;
+#============= getty_t ==============
+allow getty_t var_log_t:file open;
 
 #============= initrc_t ==============
 allow initrc_t sshd_net_t:process dyntransition;
 allow initrc_t unconfined_t:process dyntransition;
+
+#============= loadkeys_t ==============
+allow loadkeys_t initrc_tmp_t:file read;
 
 #============= local_login_t ==============
 allow local_login_t var_log_t:file { open write create read lock };
 
 #============= logrotate_t ==============
 allow logrotate_t virt_cache_t:dir read;
+allow logrotate_t var_lib_t:file write;
+
+#============= mount_t ==============
+allow mount_t shadow_t:file mounton;
+
+#============= policykit_t ==============
+allow policykit_t ovirt_t:dbus send_msg;
+
+#============= setfiles_t ==============
+allow setfiles_t net_conf_t:file read;
+
+#============= sshd_t ==============
+allow sshd_net_t initrc_t:process sigchld;
 
 #============= svirt_t ==============
 allow svirt_t initrc_t:unix_stream_socket connectto;
 
+#============= syslogd_t ==============
+allow syslogd_t var_lib_t:file { write getattr open };
+
+#============= sysstat_t ==============
+allow sysstat_t var_lib_t:file { read append };
+allow sysstat_t var_log_t:file open;
+
 #============= tuned_t ==============
 allow tuned_t ovirt_t:dbus send_msg;
 


-- 
To view, visit http://gerrit.ovirt.org/22544
To unsubscribe, visit http://gerrit.ovirt.org/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I87908879b71f1049c37bca876f441415e1a1323d
Gerrit-PatchSet: 1
Gerrit-Project: ovirt-node
Gerrit-Branch: node-3.0
Gerrit-Owner: Fabian Deutsch <fabiand at fedoraproject.org>