[node-patches] Change in ovirt-node[master]: semodule: Add new rules

fabiand at fedoraproject.org fabiand at fedoraproject.org
Wed Feb 26 18:42:31 UTC 2014


Fabian Deutsch has uploaded a new change for review.

Change subject: semodule: Add new rules
......................................................................

semodule: Add new rules

Change-Id: I0c899ca8fd1d2c17c50de4706dd7c10c8272f309
Signed-off-by: Fabian Deutsch <fabiand at redhat.com>
---
M semodule/ovirt.te.in
1 file changed, 237 insertions(+), 4 deletions(-)


  git pull ssh://gerrit.ovirt.org:29418/ovirt-node refs/changes/10/25110/1

diff --git a/semodule/ovirt.te.in b/semodule/ovirt.te.in
index c919b03..f91b484 100644
--- a/semodule/ovirt.te.in
+++ b/semodule/ovirt.te.in
@@ -54,8 +54,6 @@
 @SEMODULE_WITH_SYSTEMD at allow systemd_localed_t systemd_unit_file_t:service start;
 @SEMODULE_WITH_SYSTEMD at allow systemd_localed_t ovirt_t:dbus send_msg;
 
-#============= getty_t ==============
-allow getty_t var_log_t:file open;
 
 #============= hald_t ==============
 optional_policy(`
@@ -65,56 +63,290 @@
     allow hald_t ovirt_t:dbus send_msg;
 ')
 
+
 #============= initrc_t ==============
 @SEMODULE_WITH_SYSTEMD at allow initrc_t sshd_net_t:process dyntransition;
 allow initrc_t unconfined_t:process dyntransition;
 
+
 #============= loadkeys_t ==============
 allow loadkeys_t initrc_tmp_t:file read;
 
+
 #============= local_login_t ==============
+require {
+    type local_login_t;
+}
 allow local_login_t var_log_t:file { open write create read lock };
 allow local_login_t var_log_t:dir { write add_name };
+allow local_login_t chkpwd_t:process { siginh rlimitinh noatsecure };
+allow local_login_t unconfined_t:process { siginh noatsecure };
+
 
 #============= logrotate_t ==============
 allow logrotate_t virt_cache_t:dir read;
 allow logrotate_t var_lib_t:file write;
 
+
 #============= mount_t ==============
 allow mount_t shadow_t:file mounton;
 allow mount_t unlabeled_t:filesystem remount;
 
+
 #============= policykit_t ==============
 allow policykit_t ovirt_t:dbus send_msg;
 
+
 #============= setfiles_t ==============
+require {
+    type dhcpc_t;
+}
 allow setfiles_t initrc_tmp_t:file append;
 allow setfiles_t net_conf_t:file read;
+allow setfiles_t dhcpc_t:udp_socket { read write };
+
 
 #============= sshd_t ==============
 @SEMODULE_WITH_SYSTEMD at allow sshd_net_t initrc_t:process sigchld;
 allow sshd_t var_log_t:file { read open };
 
+
 #============= svirt_t ==============
 allow svirt_t initrc_t:unix_stream_socket connectto;
 allow svirt_t sanlock_t:unix_stream_socket connectto;
 
+
 #============= syslogd_t ==============
 allow syslogd_t var_lib_t:file { write getattr open };
 
+
 #============= sysstat_t ==============
+require {
+    type sysstat_t;
+    type admin_home_t;
+}
+allow sysstat_t tmpfs_t:dir search;
+allow sysstat_t admin_home_t:dir { search getattr };
 allow sysstat_t var_lib_t:file { read append };
-allow sysstat_t var_log_t:file open;
+allow sysstat_t var_log_t:file { open read };
+
 
 #============= tuned_t ==============
 allow tuned_t ovirt_t:dbus send_msg;
 
+
+#============= iscsid_t ==============
 # Remove this block once the bug is solved
 # Bug-Url: https://bugzilla.redhat.com/show_bug.cgi?id=1025401
-#============= iscsid_t ==============
 allow iscsid_t iscsi_var_lib_t:dir { write remove_name create add_name rmdir };
 allow iscsid_t iscsi_var_lib_t:file { write create unlink };
 allow iscsid_t iscsi_var_lib_t:lnk_file { create unlink };
+
+
+#============= dhcpc_t ==============
+optional_policy(`
+    require {
+        type dhcpc_t;
+        type tmpfs_t;
+        type user_tmpfs_t;
+    }
+    allow dhcpc_t tmpfs_t:dir { write add_name read };
+    allow dhcpc_t tmpfs_t:file { write create open getattr };
+    allow dhcpc_t user_tmpfs_t:file { read getattr open };
+')
+
+optional_policy(`
+    require {
+        type dhcpc_t;
+        type ifconfig_t;
+        type netutils_t;
+        type setfiles_t;
+    }
+    allow dhcpc_t ifconfig_t:process { siginh rlimitinh noatsecure };
+    allow dhcpc_t netutils_t:process { siginh rlimitinh noatsecure };
+    allow dhcpc_t setfiles_t:process { siginh rlimitinh noatsecure };
+')
+
+
+#============= hostname_t ==============
+require {
+    type hostname_t;
+}
+allow hostname_t tmpfs_t:dir search;
+
+
+#============= systemd_sysctl_t ==============
+optional_policy(`
+    require {
+        type systemd_sysctl_t;
+        type tmpfs_t;
+    }
+    allow systemd_sysctl_t tmpfs_t:dir { getattr search };
+')
+
+
+#============= systemd_passwd_agent_t ==============
+require {
+    type systemd_passwd_agent_t;
+}
+allow systemd_passwd_agent_t tmpfs_t:dir search;
+
+
+#============= systemd_localed_t ==============
+optional_policy(`
+    require {
+        type systemd_localed_t;
+        type tmpfs_t;
+        type security_t;
+    }
+    allow systemd_localed_t tmpfs_t:dir { write remove_name add_name search };
+    allow systemd_localed_t security_t:file { open read };
+')
+
+#============= irqbalance_t ==============
+optional_policy(`
+    require {
+        type irqbalance_t;
+        type tmpfs_t;
+    }
+    allow irqbalance_t tmpfs_t:dir search;
+')
+
+#============= ksmtuned_t ==============
+optional_policy(`
+    require {
+        type ksmtuned_t;
+        type tmpfs_t;
+    }
+    allow ksmtuned_t tmpfs_t:dir search;
+')
+
+#============= mcelog_t ==============
+optional_policy(`
+    require {
+        type mcelog_t;
+        type tmpfs_t;
+    }
+    allow mcelog_t tmpfs_t:dir search;
+')
+
+#============= ntpd_t ==============
+optional_policy(`
+    require {
+        type ntpd_t;
+        type init_tmp_t;
+    }
+    allow ntpd_t init_tmp_t:dir { write add_name remove_name };
+    allow ntpd_t init_tmp_t:file { create open unlink write };
+')
+
+
+
+
+
+
+#============= dmesg_t ==============
+require {
+type dmesg_t;
+type tmpfs_t;
+}
+allow dmesg_t tmpfs_t:dir search;
+
+
+#============= iptables_t ==============
+require {
+    type iptables_t;
+    type insmod_t;
+    type tmpfs_t;
+}
+allow iptables_t tmpfs_t:dir search;
+allow iptables_t insmod_t:process { siginh rlimitinh noatsecure };
+
+
+#============= rpcbind_t ==============
+require {
+    type rpcbind_t;
+}
+allow rpcbind_t self:udp_socket listen;
+
+optional_policy(`
+    require {
+        type rpcbind_t;
+        type tmpfs_t;
+    }
+    allow rpcbind_t tmpfs_t:dir search;
+')
+
+#============= rpcd_t ==============
+require {
+    type rpcd_t;
+}
+allow rpcd_t self:udp_socket listen;
+
+#============= ssh_keygen_t ==============
+require {
+    type ssh_keygen_t;
+}
+allow ssh_keygen_t tmpfs_t:dir search;
+
+
+#============= chkpwd_t ==============
+require {
+type chkpwd_t;
+type tty_device_t;
+}
+allow chkpwd_t tty_device_t:chr_file { read write };
+allow chkpwd_t tmpfs_t:dir search;
+
+
+#============= getty_t ==============
+require {
+type getty_t;
+}
+allow getty_t local_login_t:process { siginh rlimitinh noatsecure };
+allow getty_t var_log_t:file { open write };
+allow getty_t tmpfs_t:dir search;
+
+#============= ifconfig_t ==============
+require {
+    type ifconfig_t;
+}
+allow ifconfig_t dhcpc_t:udp_socket { read write };
+allow ifconfig_t tmpfs_t:dir search;
+
+
+#============= netutils_t ==============
+require {
+    type netutils_t;
+}
+allow netutils_t dhcpc_t:udp_socket { read write };
+allow netutils_t tmpfs_t:dir search;
+
+
+#============= sshd_keygen_t ==============
+optional_policy(`
+    require {
+        type sshd_keygen_t;
+        type tmpfs_t;
+    }
+    allow sshd_keygen_t tmpfs_t:dir { search };
+')
+require {
+    type sshd_keygen_t;
+    type ssh_keygen_t;
+}
+allow sshd_keygen_t setfiles_t:process { siginh rlimitinh noatsecure };
+allow sshd_keygen_t ssh_keygen_t:process { siginh rlimitinh noatsecure };
+
+
+#============= mandb_t ==============
+require {
+    type mandb_t;
+}
+allow mandb_t admin_home_t:dir search;
+
+
+
 
 
 type ovirt_t;
@@ -122,3 +354,4 @@
 init_daemon_domain(ovirt_t, ovirt_exec_t)
 unconfined_domain(ovirt_t)
 unconfined_domain(mount_t)
+


-- 
To view, visit http://gerrit.ovirt.org/25110
To unsubscribe, visit http://gerrit.ovirt.org/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I0c899ca8fd1d2c17c50de4706dd7c10c8272f309
Gerrit-PatchSet: 1
Gerrit-Project: ovirt-node
Gerrit-Branch: master
Gerrit-Owner: Fabian Deutsch <fabiand at fedoraproject.org>



More information about the node-patches mailing list