Fabian Deutsch has uploaded a new change for review. Change subject: selinux: Further updates ......................................................................
selinux: Further updates

Change-Id: I87908879b71f1049c37bca876f441415e1a1323d
Signed-off-by: Fabian Deutsch <[email protected]>
---
M ovirt-node.spec.in
M semodule/ovirt.te.in
2 files changed, 30 insertions(+), 7 deletions(-)

git pull ssh://gerrit.ovirt.org:29418/ovirt-node refs/changes/44/22544/1

diff --git a/ovirt-node.spec.in b/ovirt-node.spec.in
index a4b4975..ac9c998 100644
--- a/ovirt-node.spec.in
+++ b/ovirt-node.spec.in
@@ -238,6 +238,7 @@
 done
 # Is this to greedy?
 /sbin/restorecon -R / || :
+/usr/sbin/fixfiles -R -a restore
 # set SELinux booleans
 # rhbz#502779 restrict certain memory protection operations
diff --git a/semodule/ovirt.te.in b/semodule/ovirt.te.in
index d1deafc..4bccd58 100644
--- a/semodule/ovirt.te.in
+++ b/semodule/ovirt.te.in
@@ -6,6 +6,7 @@
 @SYSTEMD_COMMENT@ type systemd_unit_file_t;
 type collectd_t;
 type etc_t;
+ type getty_t;
 type initrc_t;
 type initrc_tmp_t;
 type init_t;
@@ -23,12 +24,14 @@
 type sshd_net_t;
 type sshd_t;
 type svirt_t;
+ type syslogd_t;
 type sysstat_t;
 type systemd_localed_t;
 type systemd_unit_file_t;
 type tuned_t;
 type unconfined_t;
 type var_log_t;
+ type var_lib_t;
 type virt_cache_t;
 type virtd_exec_t;
 type virtd_t;
@@ -37,6 +40,7 @@
 ')
 #============= collectd_t ==============
+@COLLECTD_COMMENT@allow collectd_t initrc_t:unix_stream_socket connectto;
 @COLLECTD_COMMENT@allow collectd_t passwd_file_t:file { open read };
 @COLLECTD_COMMENT@allow collectd_t virtd_exec_t:file getattr;
 @COLLECTD_COMMENT@allow collectd_t virt_etc_t:file read;
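Review bot: The new `/usr/sbin/fixfiles -R -a restore` line has no `|| :` fallback, unlike the `restorecon -R /` line directly above it, so a non-zero exit from fixfiles (SELinux disabled in the build or install environment, the rpm query failing) aborts the whole scriptlet instead of being best-effort; `/usr/sbin/fixfiles -R -a restore || :` keeps the two lines consistent. `fixfiles -R` takes a comma-separated rpm package list, so passing `-a` appears to rely on the rpm query expanding it to every installed package — if that is the intent it deserves a comment, e.g. `# fixfiles -R takes an rpm package list; -a is expanded by rpm to all packages, i.e. relabel every packaged file`, because the flag is not documented for fixfiles itself. It also largely overlaps with the recursive restorecon above, and the existing "Is this to greedy?" comment suggests one of the two was meant to replace the other rather than both running at install time. The enclosing scriptlet starts outside the hunk.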
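Review bot: `allow collectd_t initrc_t:unix_stream_socket connectto;` lets collectd connect to any unix stream socket that carries the initrc_t label, which on this node covers every socket created by an init-script-started service that is not otherwise confined, not just the one the denial came from. A comment naming that socket, e.g. `# collectd connects to the socket of a service that runs unconfined as initrc_t on the node`, would let a later reader narrow the rule once the socket gets its own type, presumably via the daemon's own stream_connect interface rather than initrc_t.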
@@ -49,27 +53,45 @@
 @SYSTEMD_COMMENT@allow systemd_localed_t systemd_unit_file_t:service start;
 @SYSTEMD_COMMENT@allow systemd_localed_t ovirt_t:dbus send_msg;
-#============= misc ==============
-allow mount_t shadow_t:file mounton;
-allow setfiles_t net_conf_t:file read;
-allow loadkeys_t initrc_tmp_t:file read;
-allow policykit_t ovirt_t:dbus send_msg;
-allow sshd_net_t initrc_t:process sigchld;
-allow sysstat_t var_log_t:file open;
+#============= getty_t ==============
+allow getty_t var_log_t:file open;
 #============= initrc_t ==============
 allow initrc_t sshd_net_t:process dyntransition;
 allow initrc_t unconfined_t:process dyntransition;
+
+#============= loadkeys_t ==============
+allow loadkeys_t initrc_tmp_t:file read;
 #============= local_login_t ==============
 allow local_login_t var_log_t:file { open write create read lock };
 #============= logrotate_t ==============
 allow logrotate_t virt_cache_t:dir read;
+allow logrotate_t var_lib_t:file write;
+
+#============= mount_t ==============
+allow mount_t shadow_t:file mounton;
+
+#============= policykit_t ==============
+allow policykit_t ovirt_t:dbus send_msg;
+
+#============= setfiles_t ==============
+allow setfiles_t net_conf_t:file read;
+
+#============= sshd_t ==============
+allow sshd_net_t initrc_t:process sigchld;
 #============= svirt_t ==============
 allow svirt_t initrc_t:unix_stream_socket connectto;
+#============= syslogd_t ==============
+allow syslogd_t var_lib_t:file { write getattr open };
+
+#============= sysstat_t ==============
+allow sysstat_t var_lib_t:file { read append };
+allow sysstat_t var_log_t:file open;
+
 #============= tuned_t ==============
 allow tuned_t ovirt_t:dbus send_msg;
--
To view, visit http://gerrit.ovirt.org/22544
To unsubscribe, visit http://gerrit.ovirt.org/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I87908879b71f1049c37bca876f441415e1a1323d
Gerrit-PatchSet: 1
Gerrit-Project: ovirt-node
Gerrit-Branch: node-3.0
Gerrit-Owner: Fabian Deutsch
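Review bot: The three new rules on the generic `var_lib_t` type — `allow logrotate_t var_lib_t:file write;`, `allow syslogd_t var_lib_t:file { write getattr open };` and `allow sysstat_t var_lib_t:file { read append };` — give syslogd and logrotate write access to every file that happens to carry the plain /var/lib label, not only their own state files, and the distribution policy already has per-daemon var_lib types for exactly these paths. Denials against bare var_lib_t usually mean the files were created or persisted without their proper context (presumably a side effect of how the node persists /var/lib), which is better fixed by file contexts plus the relabel this change adds to the spec than by widening the policy. If the rules have to stay until that lands, each section should say which file and denial it covers so it can be removed later, e.g. `# logrotate state file under /var/lib ends up labeled var_lib_t on persisted nodes; drop once the fcontext is fixed`. The same likely applies to `allow getty_t var_log_t:file open;`, since getty normally touches only the wtmp/lastlog types rather than generic var_log_t. Separately, the `#============= sshd_t ==============` header sits over an `sshd_net_t` rule; `#============= sshd_net_t ==============` matches the domain it actually holds.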
<[email protected]> _______________________________________________ node-patches mailing list [email protected] http://lists.ovirt.org/mailman/listinfo/node-patches
