From 815b8ef16a2e06040b2ea2c06e49d40d7e4298af Mon Sep 17 00:00:00 2001 From: Miroslav Date: Oct 19 2011 08:59:16 +0000 Subject: * Wed Oct 19 2011 Miroslav Grepl 3.10.0-43 - Add policies for nova openstack --- diff --git a/modules-targeted.conf b/modules-targeted.conf index 937665a..8f079c6 100644 --- a/modules-targeted.conf +++ b/modules-targeted.conf @@ -2472,3 +2472,17 @@ cfengine = module # polipo # polipo = module + +# Layer: services +# Module: nova +# +# openstack-nova +# +nova = module + +# Layer: services +# Module: rabbitmq +# +# rabbitmq daemons +# +rabbitmq = module diff --git a/policy-F16.patch b/policy-F16.patch index 36e9c27..af52c93 100644 --- a/policy-F16.patch +++ b/policy-F16.patch @@ -1891,10 +1891,10 @@ index 0000000..bd83148 +## No Interfaces diff --git a/policy/modules/admin/permissivedomains.te b/policy/modules/admin/permissivedomains.te new file mode 100644 -index 0000000..f0dbe88 +index 0000000..7da376a --- /dev/null +++ b/policy/modules/admin/permissivedomains.te -@@ -0,0 +1,276 @@ +@@ -0,0 +1,310 @@ +policy_module(permissivedomains,16) + +optional_policy(` @@ -2058,6 +2058,40 @@ index 0000000..f0dbe88 +') + +optional_policy(` ++ gen_require(` ++ type nova_ajax_t; ++ type nova_api_t; ++ type nova_compute_t; ++ type nova_direct_t; ++ type nova_network_t; ++ type nova_objectstore_t; ++ type nova_scheduler_t; ++ type nova_vncproxy_t; ++ type nova_volume_t; ++ ') ++ ++ permissive nova_ajax_t; ++ permissive nova_api_t; ++ permissive nova_compute_t; ++ permissive nova_direct_t; ++ permissive nova_network_t; ++ permissive nova_objectstore_t; ++ permissive nova_scheduler_t; ++ permissive nova_vncproxy_t; ++ permissive nova_volume_t; ++') ++ ++optional_policy(` ++ gen_require(` ++ type rabbitmq_epmd_t; ++ type rabbitmq_beam_t; ++ ') ++ ++ permissive rabbitmq_epmd_t; ++ permissive rabbitmq_beam_t; ++') ++ ++optional_policy(` + gen_require(` + type sblim_gatherd_t; + ') 
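Review bot: The nine nova domains made permissive in the `@@ -2058,6 +2058,40 @@` hunk are also placed under `unconfined_domain()` in nova.te in this same commit, so for them `permissive` adds nothing: unconfined_domain already allows essentially everything, and no denials are logged either way. The combination that actually tells you what the daemons need is permissive without unconfined, so denials are recorded while nothing is blocked; for rabbitmq_epmd_t and rabbitmq_beam_t this block is the only relaxation, which is the more useful shape. Neither new block says why it is here or when it goes, and every entry in this file is meant to be temporary; a one-line comment in the style of the sudo note in nova.te, e.g. `# nova: temporary until the sudo usage in nova is fixed` and `# rabbitmq: new policy, permissive while the beam/epmd rules are completed`, makes the removal trackable.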
@@ -34248,10 +34282,43 @@ index b886676..ab3af9c 100644 /var/run/dnsmasq\.pid -- gen_context(system_u:object_r:dnsmasq_var_run_t,s0) /var/run/libvirt/network(/.*)? gen_context(system_u:object_r:dnsmasq_var_run_t,s0) diff --git a/policy/modules/services/dnsmasq.if b/policy/modules/services/dnsmasq.if -index 9bd812b..1bef72c 100644 +index 9bd812b..982c0ea 100644 --- a/policy/modules/services/dnsmasq.if +++ b/policy/modules/services/dnsmasq.if -@@ -41,6 +41,29 @@ interface(`dnsmasq_initrc_domtrans',` +@@ -10,7 +10,6 @@ + ## + ## + # +-# + interface(`dnsmasq_domtrans',` + gen_require(` + type dnsmasq_exec_t, dnsmasq_t; +@@ -20,6 +19,24 @@ interface(`dnsmasq_domtrans',` + domtrans_pattern($1, dnsmasq_exec_t, dnsmasq_t) + ') + ++####################################### ++## ++## Execute dnsmasq server in the caller domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`dnsmasq_exec',` ++ gen_require(` ++ type dnsmasq_exec_t; ++ ') ++ ++ can_exec($1, dnsmasq_exec_t) ++') ++ + ######################################## + ## + ## Execute the dnsmasq init script in the init script domain. +@@ -41,6 +58,29 @@ interface(`dnsmasq_initrc_domtrans',` ######################################## ## @@ -34281,7 +34348,7 @@ index 9bd812b..1bef72c 100644 ## Send dnsmasq a signal ## ## -@@ -101,9 +124,9 @@ interface(`dnsmasq_kill',` +@@ -101,9 +141,9 @@ interface(`dnsmasq_kill',` ## Read dnsmasq config files. ## ## @@ -34293,7 +34360,7 @@ index 9bd812b..1bef72c 100644 ## # interface(`dnsmasq_read_config',` -@@ -120,9 +143,9 @@ interface(`dnsmasq_read_config',` +@@ -120,9 +160,9 @@ interface(`dnsmasq_read_config',` ## Write to dnsmasq config files. ## ## @@ -34305,7 +34372,7 @@ index 9bd812b..1bef72c 100644 ## # interface(`dnsmasq_write_config',` -@@ -144,12 +167,12 @@ interface(`dnsmasq_write_config',` +@@ -144,12 +184,12 @@ interface(`dnsmasq_write_config',` ## ## # 
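Review bot: The parameter description of the new `dnsmasq_exec` interface in dnsmasq.if, `## Domain allowed to transition.`, is copied from `dnsmasq_domtrans` and is wrong for an interface built on `can_exec`: nothing transitions, the binary runs in the caller's domain, so it should read `## Domain allowed access.` in line with the refpolicy wording for exec interfaces. The summary should also make the consequence explicit, since the caller keeps every one of its permissions while running dnsmasq; nova.te in this commit uses it for nova_network_t precisely because the domain transition did not work, so the dnsmasq started by nova inherits nova_network_t's (currently unconfined) privileges. Something like `## Execute dnsmasq in the caller domain; the caller keeps all of its privileges, prefer dnsmasq_domtrans where a transition works.` as the summary would stop later callers picking it by default. The remaining hunks in this physical line only renumber the surrounding interfaces.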
@@ -34319,7 +34386,7 @@ index 9bd812b..1bef72c 100644 delete_files_pattern($1, dnsmasq_var_run_t, dnsmasq_var_run_t) ') -@@ -163,17 +186,80 @@ interface(`dnsmasq_delete_pid_files',` +@@ -163,17 +203,80 @@ interface(`dnsmasq_delete_pid_files',` ## ## # @@ -34401,7 +34468,7 @@ index 9bd812b..1bef72c 100644 ## All of the rules required to administrate ## an dnsmasq environment ## -@@ -208,4 +294,6 @@ interface(`dnsmasq_admin',` +@@ -208,4 +311,6 @@ interface(`dnsmasq_admin',` files_list_pids($1) admin_pattern($1, dnsmasq_var_run_t) 
@@ -44940,6 +45007,368 @@ index 4876cae..eabed96 100644 allow ypserv_t self:unix_dgram_socket create_socket_perms; allow ypserv_t self:unix_stream_socket create_stream_socket_perms; allow ypserv_t self:netlink_route_socket r_netlink_socket_perms; +diff --git a/policy/modules/services/nova.fc b/policy/modules/services/nova.fc +new file mode 100644 +index 0000000..4af11e2 +--- /dev/null ++++ b/policy/modules/services/nova.fc +@@ -0,0 +1,17 @@ ++ ++ ++/usr/bin/nova-ajax-console-proxy -- gen_context(system_u:object_r:nova_ajax_exec_t,s0) ++#/usr/bin/nova-compute -- gen_context(system_u:object_r:nova_compute_exec_t,s0) ++/usr/bin/nova-direct-api -- gen_context(system_u:object_r:nova_direct_exec_t,s0) ++/usr/bin/nova-api -- gen_context(system_u:object_r:nova_api_exec_t,s0) ++/usr/bin/nova-network -- gen_context(system_u:object_r:nova_network_exec_t,s0) ++/usr/bin/nova-objectstore -- gen_context(system_u:object_r:nova_objectstore_exec_t,s0) ++/usr/bin/nova-scheduler -- gen_context(system_u:object_r:nova_scheduler_exec_t,s0) ++/usr/bin/nova-vncproxy -- gen_context(system_u:object_r:nova_vncproxy_exec_t,s0) ++/usr/bin/nova-volume -- gen_context(system_u:object_r:nova_volume_exec_t,s0) ++ ++/var/lib/nova(/.*)? gen_context(system_u:object_r:nova_var_lib_t,s0) ++ ++/var/log/nova(/.*)? gen_context(system_u:object_r:nova_log_t,s0) ++ ++/var/run/nova(/.*)? gen_context(system_u:object_r:nova_var_run_t,s0) +diff --git a/policy/modules/services/nova.if b/policy/modules/services/nova.if +new file mode 100644 +index 0000000..ac0e1e6 +--- /dev/null ++++ b/policy/modules/services/nova.if +@@ -0,0 +1,30 @@ ++## openstack-nova ++ ++####################################### ++## ++## Creates types and rules for a basic ++## openstack-nova systemd daemon domain. ++## ++## ++## ++## Prefix for the domain. 
++## ++## ++# ++template(`nova_domain_template',` ++ gen_require(` ++ attribute nova_domain; ++ ') ++ ++ type nova_$1_t, nova_domain; ++ type nova_$1_exec_t; ++ init_daemon_domain(nova_$1_t, nova_$1_exec_t) ++ ++ type nova_$1_tmp_t; ++ files_tmp_file(nova_$1_tmp_t) ++ ++ manage_dirs_pattern(nova_$1_t, nova_$1_tmp_t, nova_$1_tmp_t) ++ manage_files_pattern(nova_$1_t, nova_$1_tmp_t, nova_$1_tmp_t) ++ files_tmp_filetrans(nova_$1_t, nova_$1_tmp_t, { file dir }) ++ can_exec(nova_$1_t, nova_$1_tmp_t) ++') +diff --git a/policy/modules/services/nova.te b/policy/modules/services/nova.te +new file mode 100644 +index 0000000..49acffa +--- /dev/null ++++ b/policy/modules/services/nova.te +@@ -0,0 +1,297 @@ ++policy_module(nova, 1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++# ++# nova-stack daemons contain security issue with using sudo in the code ++# we make this policy as unconfined until this issue is fixed ++# ++ ++attribute nova_domain; ++ ++nova_domain_template(ajax) ++nova_domain_template(api) ++nova_domain_template(compute) ++nova_domain_template(direct) ++nova_domain_template(network) ++nova_domain_template(objectstore) ++nova_domain_template(scheduler) ++nova_domain_template(vncproxy) ++nova_domain_template(volume) ++ ++type nova_log_t; ++logging_log_file(nova_log_t) ++ ++type nova_var_lib_t; ++files_type(nova_var_lib_t) ++ ++type nova_var_run_t; ++files_pid_file(nova_var_run_t) ++ ++ ++###################################### ++# ++# nova general domain local policy ++# ++ ++allow nova_domain self:fifo_file rw_fifo_file_perms; ++allow nova_domain self:tcp_socket create_stream_socket_perms; ++allow nova_domain self:unix_stream_socket create_stream_socket_perms; ++ ++manage_dirs_pattern(nova_domain, nova_log_t, nova_log_t) ++manage_files_pattern(nova_domain, nova_log_t, nova_log_t) ++ ++manage_dirs_pattern(nova_domain, nova_var_lib_t, nova_var_lib_t) ++manage_files_pattern(nova_domain, nova_var_lib_t, nova_var_lib_t) ++ 
++manage_dirs_pattern(nova_domain, nova_var_run_t, nova_var_run_t) ++manage_files_pattern(nova_domain, nova_var_run_t, nova_var_run_t) ++ ++kernel_read_system_state(nova_domain) ++ ++corenet_tcp_connect_amqp_port(nova_domain) ++ ++corecmd_exec_bin(nova_domain) ++corecmd_exec_shell(nova_domain) ++ ++dev_read_urand(nova_domain) ++ ++fs_getattr_xattr_fs(nova_domain) ++ ++files_read_usr_files(nova_domain) ++ ++libs_exec_ldconfig(nova_domain) ++ ++files_read_etc_files(nova_domain) ++ ++miscfiles_read_localization(nova_domain) ++ ++optional_policy(` ++ sysnet_read_config(nova_domain) ++') ++ ++###################################### ++# ++# nova ajax local policy ++# ++ ++optional_policy(` ++ unconfined_domain(nova_ajax_t) ++') ++ ++####################################### ++# ++# nova api local policy ++# ++ ++allow nova_api_t self:process setfscreate; ++ ++allow nova_api_t self:netlink_route_socket r_netlink_socket_perms; ++ ++allow nova_api_t self:udp_socket create_socket_perms; ++ ++kernel_read_kernel_sysctls(nova_api_t) ++ ++corenet_tcp_bind_generic_node(nova_api_t) ++corenet_udp_bind_generic_node(nova_api_t) ++# should be add to booleans ++corenet_tcp_connect_all_ports(nova_api_t) ++corenet_tcp_bind_all_unreserved_ports(nova_api_t) ++ ++logging_send_syslog_msg(nova_api_t) ++ ++miscfiles_read_certs(nova_api_t) ++ ++ifdef(`hide_broken_symptoms',` ++ optional_policy(` ++ sudo_exec(nova_api_t) ++ allow nova_api_t self:capability { setuid sys_resource setgid }; ++ allow nova_api_t self:process { setsched setrlimit }; ++ logging_send_audit_msgs(nova_api_t) ++ ') ++') ++ ++optional_policy(` ++ iptables_domtrans(nova_api_t) ++') ++ ++optional_policy(` ++ ssh_exec_keygen(nova_api_t) ++') ++ ++optional_policy(` ++ unconfined_domain(nova_api_t) ++') ++ ++####################################### ++# ++# nova compute local policy ++# ++ ++# needs to be re-write since now runs as virtd_t ++ ++allow nova_compute_t self:udp_socket create_socket_perms; ++ 
++kernel_read_network_state(nova_compute_t) ++ ++dev_read_rand(nova_compute_t) ++ ++dev_read_sysfs(nova_compute_t) ++ ++optional_policy(` ++ virt_getattr_exec(nova_compute_t) ++ virt_stream_connect(nova_compute_t) ++') ++ ++ ++####################################### ++# ++# nova direct local policy ++# ++ ++optional_policy(` ++ unconfined_domain(nova_direct_t) ++') ++ ++####################################### ++# ++# nova network local policy ++# ++ ++allow nova_network_t self:capability { dac_override net_admin net_bind_service }; ++allow nova_network_t self:process { getcap setcap }; ++ ++allow nova_network_t self:netlink_route_socket r_netlink_socket_perms; ++allow nova_network_t self:udp_socket create_socket_perms; ++ ++kernel_read_network_state(nova_network_t) ++kernel_read_kernel_sysctls(nova_network_t) ++ ++# should be added to boolean or fixed in the code ++# dnsmasq domtrans does not work since then dnsmasq_t wants ++# to do some stuff with nova_lib, nova_tmp ++# nova-dhcpbridge runs in dnsmasq domain ++corenet_all_recvfrom_unlabeled(nova_network_t) ++corenet_all_recvfrom_netlabel(nova_network_t) ++corenet_tcp_sendrecv_generic_if(nova_network_t) ++corenet_udp_sendrecv_generic_if(nova_network_t) ++corenet_raw_sendrecv_generic_if(nova_network_t) ++corenet_tcp_sendrecv_generic_node(nova_network_t) ++corenet_udp_sendrecv_generic_node(nova_network_t) ++corenet_raw_sendrecv_generic_node(nova_network_t) ++corenet_tcp_sendrecv_all_ports(nova_network_t) ++corenet_udp_sendrecv_all_ports(nova_network_t) ++corenet_tcp_bind_generic_node(nova_network_t) ++corenet_udp_bind_generic_node(nova_network_t) ++corenet_tcp_bind_dns_port(nova_network_t) ++corenet_udp_bind_all_ports(nova_network_t) ++corenet_sendrecv_dns_server_packets(nova_network_t) ++corenet_sendrecv_dhcpd_server_packets(nova_network_t) ++ ++libs_exec_ldconfig(nova_network_t) ++ ++logging_send_syslog_msg(nova_network_t) ++ ++ifdef(`hide_broken_symptoms',` ++ optional_policy(` ++ sudo_exec(nova_network_t) ++ 
allow nova_network_t self:capability { setuid sys_resource setgid }; ++ allow nova_network_t self:process { setsched setrlimit }; ++ logging_send_audit_msgs(nova_network_t) ++ ') ++') ++ ++optional_policy(` ++ brctl_domtrans(nova_network_t) ++') ++ ++optional_policy(` ++ dnsmasq_exec(nova_network_t) ++# dnsmasq_domtrans(nova_network_t) ++') ++ ++optional_policy(` ++ iptables_domtrans(nova_network_t) ++') ++ ++optional_policy(` ++ sysnet_domtrans_ifconfig(nova_network_t) ++') ++ ++optional_policy(` ++ unconfined_domain(nova_network_t) ++') ++ ++####################################### ++# ++# nova object store local policy ++# ++ ++allow nova_objectstore_t self:udp_socket create_socket_perms; ++ ++corenet_tcp_bind_generic_node(nova_objectstore_t) ++corenet_udp_bind_generic_node(nova_objectstore_t) ++ ++optional_policy(` ++ unconfined_domain(nova_objectstore_t) ++') ++ ++####################################### ++# ++# nova scheduler local policy ++# ++ ++allow nova_scheduler_t self:netlink_route_socket r_netlink_socket_perms; ++allow nova_scheduler_t self:udp_socket create_socket_perms; ++ ++optional_policy(` ++ unconfined_domain(nova_scheduler_t) ++') ++ ++####################################### ++# ++# nova vncproxy local policy ++# ++ ++optional_policy(` ++ unconfined_domain(nova_vncproxy_t) ++') ++ ++####################################### ++# ++# nova volume local policy ++# ++ ++allow nova_volume_t self:netlink_route_socket r_netlink_socket_perms; ++ ++allow nova_volume_t self:udp_socket create_socket_perms; ++ ++kernel_read_kernel_sysctls(nova_volume_t) ++ ++logging_send_syslog_msg(nova_volume_t) ++ ++optional_policy(` ++ lvm_domtrans(nova_volume_t) ++') ++ ++ifdef(`hide_broken_symptoms',` ++ require { ++ type sudo_exec_t; ++ } ++ ++ allow nova_volume_t sudo_exec_t:file { read execute open execute_no_trans }; ++ ++ allow nova_volume_t self:capability { setuid sys_resource setgid audit_write }; ++ allow nova_volume_t self:process { setsched setrlimit }; ++ ++ 
logging_send_audit_msgs(nova_volume_t) ++ ++') ++ ++optional_policy(` ++ unconfined_domain(nova_volume_t) ++') ++ diff --git a/policy/modules/services/nscd.if b/policy/modules/services/nscd.if index 85188dc..56dd1f0 100644 --- a/policy/modules/services/nscd.if 
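Review bot: In nova.te the `hide_broken_symptoms` block for nova_volume_t brings sudo in with a bare `require { type sudo_exec_t; }` plus a direct `allow nova_volume_t sudo_exec_t:file { read execute open execute_no_trans };`, while the same block for nova_api_t and nova_network_t uses `optional_policy(` with `sudo_exec(...)`; the bare require makes sudo_exec_t a hard link-time dependency of the nova module instead of an optional one, and the three domains should take the same shape, `optional_policy(` / `sudo_exec(nova_volume_t)` / `')` with the capability and process rules alongside. Separately, `nova_domain_template` in nova.if grants every daemon both `manage_files_pattern` and `can_exec` on its own nova_$1_tmp_t, i.e. a writable-and-executable tmp type for all nine domains; unless each daemon really runs files it writes to /tmp, the `can_exec(nova_$1_t, nova_$1_tmp_t)` line belongs with the specific domain that needs it rather than in the template. Since every domain also receives `unconfined_domain()` under optional_policy, the header comment about sudo should state plainly that the per-domain rules below are not the effective confinement while the unconfined module is loaded, and the `# should be add to booleans` line above `corenet_tcp_connect_all_ports(nova_api_t)` is the place to name the boolean so it is not forgotten. This hunk starts several physical lines earlier, with nova.fc and nova.if.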
@@ -50902,6 +51331,140 @@ index cb7ecb5..3df1532 100644 + matahari_manage_lib_files(qpidd_t) + matahari_manage_pid_files(qpidd_t) +') +diff --git a/policy/modules/services/rabbitmq.fc b/policy/modules/services/rabbitmq.fc +new file mode 100644 +index 0000000..7908e1d +--- /dev/null ++++ b/policy/modules/services/rabbitmq.fc +@@ -0,0 +1,7 @@ ++ ++/usr/lib64/erlang/erts-5.8.5/bin/epmd -- gen_context(system_u:object_r:rabbitmq_epmd_exec_t,s0) ++/usr/lib64/erlang/erts-5.8.5/bin/beam.* -- gen_context(system_u:object_r:rabbitmq_beam_exec_t,s0) ++#/usr/lib64/erlang/lib/os_mon-2.2.7/priv/bin/cpu_sup -- gen_context(system_u:object_r:rabbitmq_cpu_sup_exec_t,s0) ++ ++/var/log/rabbitmq(/.*)? gen_context(system_u:object_r:rabbitmq_var_log_t,s0) ++/var/lib/rabbitmq(/.*)? gen_context(system_u:object_r:rabbitmq_var_lib_t,s0) +diff --git a/policy/modules/services/rabbitmq.if b/policy/modules/services/rabbitmq.if +new file mode 100644 +index 0000000..f15d8c3 +--- /dev/null ++++ b/policy/modules/services/rabbitmq.if +@@ -0,0 +1,23 @@ ++ ++## policy for rabbitmq ++ ++ ++######################################## ++## ++## Transition to rabbitmq. ++## ++## ++## ++## Domain allowed to transition. 
++## ++## ++# ++interface(`rabbitmq_domtrans',` ++ gen_require(` ++ type rabbitmq_t, rabbitmq_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ domtrans_pattern($1, rabbitmq_exec_t, rabbitmq_t) ++') ++ +diff --git a/policy/modules/services/rabbitmq.te b/policy/modules/services/rabbitmq.te +new file mode 100644 +index 0000000..55aaca1 +--- /dev/null ++++ b/policy/modules/services/rabbitmq.te +@@ -0,0 +1,86 @@ ++policy_module(rabbitmq, 1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++type rabbitmq_epmd_t; ++type rabbitmq_epmd_exec_t; ++init_daemon_domain(rabbitmq_epmd_t, rabbitmq_epmd_exec_t) ++ ++type rabbitmq_beam_t; ++type rabbitmq_beam_exec_t; ++init_daemon_domain(rabbitmq_beam_t, rabbitmq_beam_exec_t) ++ ++type rabbitmq_var_lib_t; ++files_type(rabbitmq_var_lib_t) ++ ++type rabbitmq_var_log_t; ++logging_log_file(rabbitmq_var_log_t) ++ ++###################################### ++# ++# beam local policy ++# ++ ++allow rabbitmq_beam_t self:process { setsched signal signull }; ++ ++allow rabbitmq_beam_t self:fifo_file rw_fifo_file_perms; ++allow rabbitmq_beam_t self:tcp_socket { accept listen }; ++ ++manage_dirs_pattern(rabbitmq_beam_t, rabbitmq_var_lib_t, rabbitmq_var_lib_t) ++manage_files_pattern(rabbitmq_beam_t, rabbitmq_var_lib_t, rabbitmq_var_lib_t) ++ ++manage_dirs_pattern(rabbitmq_beam_t, rabbitmq_var_log_t, rabbitmq_var_log_t) ++manage_files_pattern(rabbitmq_beam_t, rabbitmq_var_log_t, rabbitmq_var_log_t) ++ ++can_exec(rabbitmq_beam_t, rabbitmq_beam_exec_t) ++ ++kernel_read_system_state(rabbitmq_beam_t) ++ ++corecmd_exec_bin(rabbitmq_beam_t) ++corecmd_exec_shell(rabbitmq_beam_t) ++ ++corenet_tcp_bind_generic_node(rabbitmq_beam_t) ++corenet_udp_bind_generic_node(rabbitmq_beam_t) ++corenet_tcp_connect_all_ephemeral_ports(rabbitmq_beam_t) ++corenet_tcp_bind_amqp_port(rabbitmq_beam_t) ++corenet_tcp_connect_epmd_port(rabbitmq_beam_t) ++ ++dev_read_sysfs(rabbitmq_beam_t) ++ ++files_read_etc_files(rabbitmq_beam_t) ++ 
++miscfiles_read_localization(rabbitmq_beam_t) ++ ++optional_policy(` ++ sysnet_dns_name_resolve(rabbitmq_beam_t) ++') ++ ++######################################## ++# ++# epmd local policy ++# ++ ++domtrans_pattern(rabbitmq_beam_t, rabbitmq_epmd_exec_t, rabbitmq_epmd_t) ++ ++allow rabbitmq_epmd_t self:process { signal }; ++ ++allow rabbitmq_epmd_t self:fifo_file rw_fifo_file_perms; ++allow rabbitmq_epmd_t self:tcp_socket create_stream_socket_perms; ++allow rabbitmq_epmd_t self:unix_stream_socket create_stream_socket_perms; ++ ++# should be append ++allow rabbitmq_epmd_t rabbitmq_var_log_t:file write_file_perms; ++ ++corenet_tcp_bind_generic_node(rabbitmq_epmd_t) ++corenet_udp_bind_generic_node(rabbitmq_epmd_t) ++corenet_tcp_bind_epmd_port(rabbitmq_epmd_t) ++ ++files_read_etc_files(rabbitmq_epmd_t) ++ ++logging_send_syslog_msg(rabbitmq_epmd_t) ++ ++miscfiles_read_localization(rabbitmq_epmd_t) ++ diff --git a/policy/modules/services/radius.te b/policy/modules/services/radius.te index b1ed1bf..124971d 100644 --- a/policy/modules/services/radius.te @@ -71502,7 +72065,7 @@ index 34d0ec5..767ccbd 100644 +') diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc new file mode 100644 -index 0000000..9eaa38e +index 0000000..db57bc7 --- /dev/null +++ b/policy/modules/system/systemd.fc @@ -0,0 +1,19 @@ 
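Review bot: `rabbitmq_domtrans` in rabbitmq.if requires `type rabbitmq_t, rabbitmq_exec_t;`, but rabbitmq.te in this hunk declares only rabbitmq_epmd_t, rabbitmq_beam_t and their exec types, so the interface can never be satisfied: a caller inside `optional_policy` is silently dropped and a caller outside it fails to build. It should name the beam domain, `type rabbitmq_beam_t, rabbitmq_beam_exec_t;` and `domtrans_pattern($1, rabbitmq_beam_exec_t, rabbitmq_beam_t)`, or be left out until a rabbitmq_t exists. In rabbitmq.fc the epmd and beam entries hard-code `erts-5.8.5`; on the next erlang update those binaries fall back to the default label and the daemons start without a transition into their domain, presumably staying in the init script's domain, which is a silent loss of confinement — a version-agnostic pattern such as `/usr/lib64/erlang/erts-[^/]+/bin/epmd` (and likewise for beam) avoids that, and a `/usr/lib/` twin is needed for non-64-bit installs. The `# should be append` line in the epmd section can be resolved in the same change with `allow rabbitmq_epmd_t rabbitmq_var_log_t:file append_file_perms;`. The hunk starts on an earlier physical line, with rabbitmq.fc.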
@@ -71522,8 +72085,8 @@ index 0000000..9eaa38e +/var/run/systemd/seats(/.*)? gen_context(system_u:object_r:systemd_logind_var_run_t,s0) +/var/run/systemd/sessions(/.*)? gen_context(system_u:object_r:systemd_logind_sessions_t,s0) +/var/run/systemd/users(/.*)? gen_context(system_u:object_r:systemd_logind_var_run_t,s0) -+/var/run/systemd/ask-password-block/[^/]* -p gen_context(system_u:object_r:systemd_device_t,s0) -+/dev/\.systemd/ask-password-block/[^/]* -p gen_context(system_u:object_r:systemd_device_t,s0) ++/var/run/systemd/ask-password-block(/.*)? gen_context(system_u:object_r:systemd_passwd_var_run_t,s0) ++/var/run/systemd/ask-password(/.*)? gen_context(system_u:object_r:systemd_passwd_var_run_t,s0) +/var/run/initramfs(/.*)? <> diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if new file mode 100644 @@ -72011,10 +72574,10 @@ index 0000000..f642930 + diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te new file mode 100644 -index 0000000..5c36a9d +index 0000000..a906f40 --- /dev/null +++ b/policy/modules/system/systemd.te -@@ -0,0 +1,373 @@ +@@ -0,0 +1,369 @@ +policy_module(systemd, 1.0.0) + +####################################### @@ -72049,6 +72612,9 @@ index 0000000..5c36a9d +type systemd_passwd_agent_exec_t; +init_daemon_domain(systemd_passwd_agent_t, systemd_passwd_agent_exec_t) + ++type systemd_passwd_var_run_t alias systemd_device_t; ++files_pid_file(systemd_passwd_var_run_t) ++ +# domain for systemd-tmpfiles component +type systemd_tmpfiles_t; +type systemd_tmpfiles_exec_t; @@ -72066,13 +72632,6 @@ index 0000000..5c36a9d +type systemd_systemctl_exec_t; +corecmd_executable_file(systemd_systemctl_exec_t) + -+# -+# Type for systemd pipes in /dev/.systemd/ directory -+# -+type systemd_device_t; -+files_type(systemd_device_t) -+dev_associate(systemd_device_t) -+ +####################################### +# +# Systemd_logind local policy 
@@ -72170,9 +72729,9 @@ index 0000000..5c36a9d +allow systemd_passwd_agent_t self:process { setfscreate setsockcreate signal }; +allow systemd_passwd_agent_t self:unix_dgram_socket create_socket_perms; + -+allow systemd_passwd_agent_t systemd_device_t:fifo_file manage_fifo_file_perms; -+dev_filetrans(systemd_passwd_agent_t, systemd_device_t, fifo_file) -+init_pid_filetrans(systemd_passwd_agent_t, systemd_device_t, fifo_file) ++manage_dirs_pattern(systemd_passwd_agent_t, systemd_passwd_var_run_t, systemd_passwd_var_run_t); ++manage_fifo_files_pattern(systemd_passwd_agent_t, systemd_passwd_var_run_t, systemd_passwd_var_run_t); ++init_pid_filetrans(systemd_passwd_agent_t, systemd_passwd_var_run_t, { dir fifo_file }) + +kernel_stream_connect(systemd_passwd_agent_t) + diff --git a/selinux-policy.spec b/selinux-policy.spec index 19b507e..c949e76 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -17,7 +17,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.10.0 -Release: 42%{?dist} +Release: 43%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -466,6 +466,9 @@ SELinux Reference policy mls base module. %endif %changelog +* Wed Oct 19 2011 Miroslav Grepl 3.10.0-43 +- Add policies for nova openstack + * Mon Oct 18 2011 Miroslav Grepl 3.10.0-42 - Add fixes for nova-stack policy
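Review bot: The two new `manage_dirs_pattern(systemd_passwd_agent_t, systemd_passwd_var_run_t, systemd_passwd_var_run_t);` and `manage_fifo_files_pattern(...);` lines for systemd_passwd_agent_t end in `;`, which no other macro call in this file carries; the pattern macros already expand to complete `allow` statements, so the trailing `;` is at best an empty statement that checkpolicy appears to tolerate and at worst a build error on a stricter version — drop it on both lines. The rest of the hunk, replacing the systemd_device_t fifo rules with dir-plus-fifo rules on systemd_passwd_var_run_t and the matching `init_pid_filetrans(... { dir fifo_file })`, is consistent with the fc and alias changes elsewhere in the commit. The spec hunks on this line are a release bump and changelog entry.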