[node-patches] Change in ovirt-node[master]: ovirt.te: passwd_file_t rules
dougsland at redhat.com
Tue Sep 30 22:40:25 UTC 2014
Douglas Schilling Landgraf has uploaded a new change for review.
Change subject: ovirt.te: passwd_file_t rules
......................................................................
ovirt.te: passwd_file_t rules
Adds required types for passwd_file_t to work both in EL6 and EL7.
Change-Id: I54eaf09cc501b5ce918e4ac1f2586472f46b45a6
Signed-off-by: Douglas Schilling Landgraf <dougsland at redhat.com>
---
M semodule/ovirt.te.in
1 file changed, 19 insertions(+), 9 deletions(-)
git pull ssh://gerrit.ovirt.org:29418/ovirt-node refs/changes/54/33554/1
diff --git a/semodule/ovirt.te.in b/semodule/ovirt.te.in
index 5c92300..3e1d80b 100644
--- a/semodule/ovirt.te.in
+++ b/semodule/ovirt.te.in
@@ -3,9 +3,7 @@
# Existence of types can be checked at runtime using:
# seinfo -t<type>
gen_require(`
- at SEMODULE_NOT_EL6@ type collectd_t;
@SEMODULE_NOT_EL6@ type NetworkManager_t;
- at SEMODULE_NOT_EL6@ type passwd_file_t;
@SEMODULE_WITH_SYSTEMD@ type systemd_localed_t;
@SEMODULE_WITH_SYSTEMD@ type systemd_unit_file_t;
@SEMODULE_WITH_SYSTEMD@ type systemd_localed_t;
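Review bot: The context lines of this gen_require block list `@SEMODULE_WITH_SYSTEMD@ type systemd_localed_t;` twice, once before and once after the systemd_unit_file_t line. Since the change already edits this block, the duplicate could be dropped at the same time. With collectd_t and passwd_file_t no longer required here, it is also worth checking that no rule outside an optional_policy block still names either type.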
@@ -58,12 +56,18 @@
#============= collectd_t ==============
- at SEMODULE_NOT_EL6@allow collectd_t initrc_t:unix_stream_socket connectto;
- at SEMODULE_NOT_EL6@allow collectd_t passwd_file_t:file { open read };
- at SEMODULE_NOT_EL6@allow collectd_t virtd_exec_t:file getattr;
- at SEMODULE_NOT_EL6@allow collectd_t virt_etc_t:file read;
- at SEMODULE_NOT_EL6@allow collectd_t virt_var_run_t:sock_file write;
- at SEMODULE_NOT_EL6@allow collectd_t virtd_t:unix_stream_socket connectto;
+optional_policy(`
+ require {
+ type collectd_t;
+ type passwd_file_t;
+ }
+ allow collectd_t passwd_file_t:file { open read };
+ allow collectd_t initrc_t:unix_stream_socket connectto;
+ allow collectd_t virtd_exec_t:file getattr;
+ allow collectd_t virt_etc_t:file read;
+ allow collectd_t virt_var_run_t:sock_file write;
+ allow collectd_t virtd_t:unix_stream_socket connectto;
+')
#============= dnsmasq_t ==============
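Review bot: In the new collectd_t optional_policy block, the require lists both collectd_t and passwd_file_t, so all six allow rules are dropped whenever passwd_file_t is missing, although only `allow collectd_t passwd_file_t:file { open read };` uses that type. If collectd should keep its initrc and virt rules on a release without passwd_file_t, split this into two blocks: one requiring only collectd_t for the five socket and virt rules, and one requiring both types for the passwd_file_t rule. The block also names initrc_t, virtd_exec_t, virt_etc_t, virt_var_run_t and virtd_t without requiring them, which is fine only if they are declared elsewhere in the module; this hunk does not show that.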
@@ -125,10 +129,16 @@
require {
type local_login_t;
}
+
+optional_policy(`
+ require {
+ type passwd_file_t;
+ }
+ allow local_login_t passwd_file_t:file write;
+')
allow local_login_t auditd_log_t:dir { search write add_name };
allow local_login_t auditd_log_t:file { write lock create open read };
allow local_login_t chkpwd_t:process { siginh rlimitinh noatsecure };
-allow local_login_t passwd_file_t:file write;
allow local_login_t shadow_t:file { write rename create unlink setattr };
allow local_login_t tmpfs_t:dir { write remove_name add_name };
allow local_login_t var_log_t:file { open write create read lock };
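Review bot: The optional_policy block added for `allow local_login_t passwd_file_t:file write;` has no comment saying why the rule is now optional or on which release passwd_file_t is absent. The removed line was unconditional, so nothing in the file records the reason; a one-line comment above the block would cover it. On placement, the block sits between the require for local_login_t and the remaining local_login_t rules, preceded by an added blank line. Moving it after the last local_login_t allow would keep the unconditional rules together.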
--
To view, visit http://gerrit.ovirt.org/33554
To unsubscribe, visit http://gerrit.ovirt.org/settings
Gerrit-MessageType: newchange
Gerrit-Change-Id: I54eaf09cc501b5ce918e4ac1f2586472f46b45a6
Gerrit-PatchSet: 1
Gerrit-Project: ovirt-node
Gerrit-Branch: master
Gerrit-Owner: Douglas Schilling Landgraf <dougsland at redhat.com>