commit: 8fff7fea29cd303fb618520b0d792e6ee0cbf0a7 Author: Dave Sugar <dsugar <AT> tresys <DOT> com> AuthorDate: Sat Sep 26 19:07:30 2020 +0000 Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> CommitDate: Mon Nov 16 09:03:43 2020 +0000 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=8fff7fea
Allow pacemaker to map/read/write corosync shared memory files
Sep 26 18:44:56 localhost audispd: node=virtual type=AVC msg=audit(1601145893.104:2915): avc: denied { read write } for pid=7173 comm="stonithd" name="qb-request-cmap-header" dev="tmpfs" ino=37263 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:corosync_tmpfs_t:s0 tclass=file permissive=1
Sep 26 18:44:56 localhost audispd: node=virtual type=AVC msg=audit(1601145893.104:2915): avc: denied { open } for pid=7173 comm="stonithd" path="/dev/shm/qb-7065-7173-28-i3gF6U/qb-request-cmap-header" dev="tmpfs" ino=37263 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:corosync_tmpfs_t:s0 tclass=file permissive=1
Sep 26 18:44:56 localhost audispd: node=virtual type=AVC msg=audit(1601145893.104:2916): avc: denied { map } for pid=7173 comm="stonithd" path="/dev/shm/qb-7065-7173-28-i3gF6U/qb-request-cmap-header" dev="tmpfs" ino=37263 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:corosync_tmpfs_t:s0 tclass=file permissive=1
Signed-off-by: Dave Sugar <dsugar <AT> tresys.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>
policy/modules/services/corosync.if | 19 +++++++++++++++++++
policy/modules/services/pacemaker.te | 1 +
2 files changed, 20 insertions(+)
diff --git a/policy/modules/services/corosync.if b/policy/modules/services/corosync.if
index f86dbed3..ee54bc9a 100644
--- a/policy/modules/services/corosync.if
+++ b/policy/modules/services/corosync.if
@@ -97,6 +97,25 @@ interface(`corosync_stream_connect',`
 stream_connect_pattern($1, corosync_runtime_t, corosync_runtime_t, corosync_t)
 ')
+######################################
+## <summary>
+## Memmap, read and write corosync tmpfs files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corosync_mmap_rw_tmpfs',`
+ gen_require(`
+ type corosync_tmpfs_t;
+ ')
+
+ fs_search_tmpfs($1)
+ mmap_rw_files_pattern($1, corosync_tmpfs_t, corosync_tmpfs_t)
+')
+
 ######################################
 ## <summary>
 ## Read and write corosync tmpfs files.
diff --git a/policy/modules/services/pacemaker.te b/policy/modules/services/pacemaker.te
index 70d976ea..69d619a1 100644
--- a/policy/modules/services/pacemaker.te
+++ b/policy/modules/services/pacemaker.te
@@ -121,6 +121,7 @@ tunable_policy(`pacemaker_startstop_all_services',`
 optional_policy(`
 corosync_read_log(pacemaker_t)
+ corosync_mmap_rw_tmpfs(pacemaker_t)
 corosync_stream_connect(pacemaker_t)
 ')
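Review bot: The new corosync_mmap_rw_tmpfs interface says nothing about how it relates to the existing corosync_rw_tmpfs interface whose header follows it in the context lines, although the only difference visible here is the map permission that mmap_rw_files_pattern grants beyond a plain read/write pattern. A policy author picking between the two should be steered to corosync_rw_tmpfs when the caller does not actually need a mapping, because map on a writable file gives the caller a shared-memory view of what the AVC paths suggest are corosync's libqb IPC buffers under /dev/shm/qb-*, which is a wider grant than read/write alone. A <desc> block under the summary, stating that this interface is a superset of corosync_rw_tmpfs and is meant only for callers that were denied map, would make that choice explicit at the point of use. Whether corosync_rw_tmpfs also calls fs_search_tmpfs, and so whether the two bodies are otherwise parallel, cannot be confirmed from this hunk.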
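Review bot: The added call corosync_mmap_rw_tmpfs(pacemaker_t) sits between corosync_read_log and corosync_stream_connect, which breaks the alphabetical order the surrounding block otherwise keeps; refpolicy convention is to sort interface calls inside an optional_policy block by name, so the new line belongs first, `corosync_mmap_rw_tmpfs(pacemaker_t)` ahead of `corosync_read_log(pacemaker_t)`. The enclosing optional_policy block is shown in full here, though its blank context lines appear to have been collapsed in this rendering, so the line counts in the hunk header do not match the visible lines.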