[node-patches] Change in ovirt-node[master]: selinux: Update rules

fabiand at redhat.com fabiand at redhat.com
Mon Aug 11 12:16:00 UTC 2014


Fabian Deutsch has uploaded a new change for review.

Change subject: selinux: Update rules
......................................................................

selinux: Update rules

Change-Id: I33bbe4300084b9bbf181467da4e2621b271457a5
Bug-Url: https://bugzilla.redhat.com/show_bug.cgi?id=1128116
Bug-Url: https://bugzilla.redhat.com/show_bug.cgi?id=1128122
Bug-Url: https://bugzilla.redhat.com/show_bug.cgi?id=1128128
Signed-off-by: Fabian Deutsch <fabiand at fedoraproject.org>
---
M semodule/ovirt.te.in
1 file changed, 28 insertions(+), 10 deletions(-)


  git pull ssh://gerrit.ovirt.org:29418/ovirt-node refs/changes/28/31328/1

diff --git a/semodule/ovirt.te.in b/semodule/ovirt.te.in
index d747b89..8d9ef7e 100644
--- a/semodule/ovirt.te.in
+++ b/semodule/ovirt.te.in
@@ -14,6 +14,7 @@
 @SEMODULE_WITH_SYSTEMD@    type sshd_net_t;
 @SEMODULE_WITH_SYSTEMD@    type systemd_localed_t;
 @SEMODULE_WITH_SYSTEMD@    type systemd_unit_file_t;
+    type file_t;
     type getty_t;
     type initrc_t;
     type initrc_tmp_t;
@@ -85,15 +86,18 @@
 require {
     type local_login_t;
 }
+allow local_login_t chkpwd_t:process { siginh rlimitinh noatsecure };
+allow local_login_t file_t:dir { write search add_name };
+allow local_login_t file_t:file { read write create open };
+allow local_login_t unconfined_t:process { siginh noatsecure };
 allow local_login_t var_log_t:file { open write create read lock };
 allow local_login_t var_log_t:dir { write add_name };
-allow local_login_t chkpwd_t:process { siginh rlimitinh noatsecure };
-allow local_login_t unconfined_t:process { siginh noatsecure };
 
 
 #============= logrotate_t ==============
-allow logrotate_t virt_cache_t:dir { read getattr };
+allow logrotate_t file_t:dir read;
 allow logrotate_t var_lib_t:file write;
+allow logrotate_t virt_cache_t:dir { read getattr };
 
 
 #============= mount_t ==============
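Review bot: The new grants on `file_t` at L43-L44 (and again in the sanlock_t, syslogd_t, dhcpc_t, hostname_t, ntpd_t and rpcd_t hunks below) give confined domains access to files carrying the unlabeled type, and for local_login_t and dhcpc_t that includes write and create on such files and directories; `file_t` is not a type for specific content but the default for anything that has no label, so these rules paper over a labelling problem and make every unlabeled file on the system reachable from those domains, not just the ones behind the linked bugs. The preferable fix is a file_contexts entry (or a relabel at boot) for the paths that produced the denials so they receive a proper type, and the commit message currently gives no hint which paths those were. If the grants have to stay as a stopgap, a comment above the first of them would at least record the intent, e.g. `# file_t == unlabeled files; stopgap for <PATH-TO-FILL-IN> until a file context exists (see Bug-Urls)`. The `require` block that gains `type file_t;` in the first hunk starts outside that hunk.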
@@ -103,6 +107,10 @@
 
 #============= policykit_t ==============
 allow policykit_t ovirt_t:dbus send_msg;
+
+
+#============= sanlock_t ==============
+allow sanlock_t file_t:dir search;
 
 
 #============= setfiles_t ==============
@@ -126,6 +134,7 @@
 
 #============= syslogd_t ==============
 allow syslogd_t var_lib_t:file { write getattr open };
+allow syslogd_t file_t:file { ioctl open getattr append };
 
 
 #============= sysstat_t ==============
@@ -167,6 +176,7 @@
         type tmpfs_t;
         type user_tmpfs_t;
     }
+    allow dhcpc_t file_t:file { read write getattr open ioctl };
     allow dhcpc_t tmpfs_t:dir { write add_name read };
     allow dhcpc_t tmpfs_t:file { write create open getattr };
     allow dhcpc_t user_tmpfs_t:file { read getattr open };
@@ -190,6 +200,7 @@
     type hostname_t;
 }
 allow hostname_t tmpfs_t:dir search;
+allow hostname_t file_t:file open;
 
 
 #============= systemd_sysctl_t ==============
@@ -229,6 +240,7 @@
     allow irqbalance_t tmpfs_t:dir search;
 ')
 
+
 #============= ksmtuned_t ==============
 optional_policy(`
     require {
@@ -237,6 +249,7 @@
     }
     allow ksmtuned_t tmpfs_t:dir search;
 ')
+
 
 #============= mcelog_t ==============
 optional_policy(`
@@ -247,19 +260,20 @@
     allow mcelog_t tmpfs_t:dir search;
 ')
 
+
 #============= ntpd_t ==============
+require {
+    type ntpd_t;
+}
+allow ntpd_t file_t:file { read getattr open };
+
 optional_policy(`
     require {
-        type ntpd_t;
         type init_tmp_t;
     }
     allow ntpd_t init_tmp_t:dir { write add_name remove_name };
     allow ntpd_t init_tmp_t:file { create open unlink write };
 ')
-
-
-
-
 
 
 #============= dmesg_t ==============
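Review bot: Moving `require { type ntpd_t; }` out of the `optional_policy` block (L117-L119) turns ntpd_t into an unconditional dependency of the module, so it will fail to load on a host without the ntp policy module, whereas before the whole ntpd section was skipped when the type was absent. Keep the requirement inside the block and place the new rule beside the existing ones: `require { type ntpd_t; type init_tmp_t; }` followed by `allow ntpd_t file_t:file { read getattr open };` within `optional_policy`, dropping the top-level `require`. The rule itself also targets `file_t`, the unlabeled type, which is likely a labelling issue on the files ntpd reads rather than a missing permission.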
@@ -294,11 +308,14 @@
     allow rpcbind_t tmpfs_t:dir search;
 ')
 
+
 #============= rpcd_t ==============
 require {
     type rpcd_t;
 }
 allow rpcd_t self:udp_socket listen;
+allow rpcd_t file_t:file { read getattr open };
+
 
 #============= ssh_keygen_t ==============
 require {
@@ -370,8 +387,9 @@
 
 
 
-
-
+#
+# Transitions
+#
 type ovirt_t;
 type ovirt_exec_t;
 init_daemon_domain(ovirt_t, ovirt_exec_t)


-- 
To view, visit http://gerrit.ovirt.org/31328

Gerrit-MessageType: newchange
Gerrit-Change-Id: I33bbe4300084b9bbf181467da4e2621b271457a5
Gerrit-PatchSet: 1
Gerrit-Project: ovirt-node
Gerrit-Branch: master
Gerrit-Owner: Fabian Deutsch <fabiand at redhat.com>


