[node-patches] Change in ovirt-node[master]: selinux: More additional rules for el7

fabiand at redhat.com fabiand at redhat.com
Fri Sep 26 17:36:24 UTC 2014


Fabian Deutsch has uploaded a new change for review.

Change subject: selinux: More additional rules for el7
......................................................................

selinux: More additional rules for el7

Change-Id: I01d0eee4706155911dbfaecf247b5ec767989e6c
Signed-off-by: Fabian Deutsch <fabiand at fedoraproject.org>
---
M semodule/ovirt.te.in
1 file changed, 9 insertions(+), 7 deletions(-)


  git pull ssh://gerrit.ovirt.org:29418/ovirt-node refs/changes/12/33412/1

diff --git a/semodule/ovirt.te.in b/semodule/ovirt.te.in
index 3e3ebf4..5c92300 100644
--- a/semodule/ovirt.te.in
+++ b/semodule/ovirt.te.in
@@ -77,6 +77,8 @@
 
 #============= sanlock_t ==============
 allow sanlock_t tmpfs_t:dir search;
+allow sanlock_t auditd_log_t:dir search;
+allow sanlock_t auditd_log_t:file { read getattr open append };
 
 
 #============= systemd_localed_t ==============
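Review bot: The two added sanlock_t rules give the lease daemon `read` and `append` on every file labeled `auditd_log_t`, and neither the hunk nor the commit message says which path triggered the denial. Rules of this shape usually come from audit2allow output. If the real cause is a log directory that carries the audit-log label on this image (an inference; the labeling is not visible here), correcting the file context would be narrower than opening the audit log type to more domains. The same applies to the `auditd_log_t` rules added for local_login_t, syslogd_t and getty_t in the later hunks. If the access is required, a comment above the rule such as `# sanlock logs under a directory labeled auditd_log_t on el7; AVC: <reference>` would record why.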
@@ -123,7 +125,12 @@
 require {
     type local_login_t;
 }
+allow local_login_t auditd_log_t:dir { search write add_name };
+allow local_login_t auditd_log_t:file { write lock create open read };
 allow local_login_t chkpwd_t:process { siginh rlimitinh noatsecure };
+allow local_login_t passwd_file_t:file write;
+allow local_login_t shadow_t:file { write rename create unlink setattr };
+allow local_login_t tmpfs_t:dir { write remove_name add_name };
 allow local_login_t var_log_t:file { open write create read lock };
 allow local_login_t var_log_t:dir { write add_name };
 
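Review bot: `allow local_login_t shadow_t:file { write rename create unlink setattr };` together with `passwd_file_t:file write` lets the login domain replace the password database, a far larger grant than the logging rules around it. Upstream policy normally reserves shadow writes to a few domains and reaches them through a transition to a dedicated password-changing domain, so a direct allow here needs a stated reason. A forced password change at first login would be a plausible one, but the commit does not say. I would move these rules and `tmpfs_t:dir { write remove_name add_name }` into their own commit with the denial quoted, and add a comment like `# login rewrites /etc/shadow on expired-password change; AVC: <reference>`. The visible require block declares only `local_login_t`, so check that `passwd_file_t` and `shadow_t` are required elsewhere in the file, since the surrounding section lies outside the hunk.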
@@ -179,7 +186,7 @@
 
 #============= syslogd_t ==============
 allow syslogd_t var_lib_t:file { write getattr open };
-allow syslogd_t auditd_log_t:dir { write add_name };
+allow syslogd_t auditd_log_t:dir { search write add_name };
 allow syslogd_t auditd_log_t:file { ioctl open create append getattr };
 
 
@@ -416,6 +423,7 @@
 allow getty_t var_log_t:file { open write };
 allow getty_t tmpfs_t:dir search;
 allow getty_t auditd_log_t:file { write lock open };
+allow getty_t auditd_log_t:dir search;
 
 
 
@@ -464,12 +472,6 @@
     }
     allow mandb_t admin_home_t:dir search;
 ')
-
-
-#============= local_login_t ==============
-allow local_login_t var_log_t:file { open write create read lock };
-allow local_login_t auditd_log_t:dir { write add_name };
-allow local_login_t auditd_log_t:file { write lock create open read };
 
 
 #============= logrotate_t ==============


-- 
To view, visit http://gerrit.ovirt.org/33412
To unsubscribe, visit http://gerrit.ovirt.org/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I01d0eee4706155911dbfaecf247b5ec767989e6c
Gerrit-PatchSet: 1
Gerrit-Project: ovirt-node
Gerrit-Branch: master
Gerrit-Owner: Fabian Deutsch <fabiand at redhat.com>


