[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/

Sat, 28 Nov 2020 15:09:36 -0800 

commit:     8fff7fea29cd303fb618520b0d792e6ee0cbf0a7
Author:     Dave Sugar <dsugar <AT> tresys <DOT> com>
AuthorDate: Sat Sep 26 19:07:30 2020 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Nov 16 09:03:43 2020 +0000
URL:        
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=8fff7fea

Allow pacemaker to map/read/write corosync shared memory files

Sep 26 18:44:56 localhost audispd: node=virtual type=AVC 
msg=audit(1601145893.104:2915): avc:  denied  { read write } for pid=7173 
comm="stonithd" name="qb-request-cmap-header" dev="tmpfs" ino=37263 
scontext=system_u:system_r:pacemaker_t:s0 
tcontext=system_u:object_r:corosync_tmpfs_t:s0 tclass=file permissive=1
Sep 26 18:44:56 localhost audispd: node=virtual type=AVC 
msg=audit(1601145893.104:2915): avc:  denied  { open } for  pid=7173 
comm="stonithd" path="/dev/shm/qb-7065-7173-28-i3gF6U/qb-request-cmap-header" 
dev="tmpfs" ino=37263 scontext=system_u:system_r:pacemaker_t:s0 
tcontext=system_u:object_r:corosync_tmpfs_t:s0 tclass=file permissive=1
Sep 26 18:44:56 localhost audispd: node=virtual type=AVC 
msg=audit(1601145893.104:2916): avc:  denied  { map } for  pid=7173 
comm="stonithd" path="/dev/shm/qb-7065-7173-28-i3gF6U/qb-request-cmap-header" 
dev="tmpfs" ino=37263 scontext=system_u:system_r:pacemaker_t:s0 
tcontext=system_u:object_r:corosync_tmpfs_t:s0 tclass=file permissive=1

Signed-off-by: Dave Sugar <dsugar <AT> tresys.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/services/corosync.if  | 19 +++++++++++++++++++
 policy/modules/services/pacemaker.te |  1 +
 2 files changed, 20 insertions(+)

diff --git a/policy/modules/services/corosync.if 
b/policy/modules/services/corosync.if
index f86dbed3..ee54bc9a 100644
--- a/policy/modules/services/corosync.if
+++ b/policy/modules/services/corosync.if
@@ -97,6 +97,25 @@ interface(`corosync_stream_connect',`
        stream_connect_pattern($1, corosync_runtime_t, corosync_runtime_t, 
corosync_t)
 ')
 
+######################################
+## <summary>
+##     Memmap, read and write corosync tmpfs files.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`corosync_mmap_rw_tmpfs',`
+       gen_require(`
+               type corosync_tmpfs_t;
+       ')
+
+       fs_search_tmpfs($1)
+       mmap_rw_files_pattern($1, corosync_tmpfs_t, corosync_tmpfs_t)
+')
+
 ######################################
 ## <summary>
 ##     Read and write corosync tmpfs files.

diff --git a/policy/modules/services/pacemaker.te 
b/policy/modules/services/pacemaker.te
index 70d976ea..69d619a1 100644
--- a/policy/modules/services/pacemaker.te
+++ b/policy/modules/services/pacemaker.te
@@ -121,6 +121,7 @@ tunable_policy(`pacemaker_startstop_all_services',`
 
 optional_policy(`
        corosync_read_log(pacemaker_t)
+       corosync_mmap_rw_tmpfs(pacemaker_t)
        corosync_stream_connect(pacemaker_t)
 ')

Reply via email to