[selinux-policy: 2402/3172] Ccs patch from Dan Walsh.
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 22:33:12 UTC 2010
commit 3fb2b72c65cdc49a9b3c41e032dde049ae01ecb9
Author: Chris PeBenito <cpebenito at tresys.com>
Date: Tue Feb 16 11:28:08 2010 -0500
Ccs patch from Dan Walsh.
policy/modules/services/ccs.fc | 8 ++------
policy/modules/services/ccs.te | 32 ++++++++++++++++++--------------
2 files changed, 20 insertions(+), 20 deletions(-)
---
diff --git a/policy/modules/services/ccs.fc b/policy/modules/services/ccs.fc
index 0ec5ba1..8a7177d 100644
--- a/policy/modules/services/ccs.fc
+++ b/policy/modules/services/ccs.fc
@@ -2,9 +2,5 @@
/sbin/ccsd -- gen_context(system_u:object_r:ccs_exec_t,s0)
-/usr/sbin/aisexec -- gen_context(system_u:object_r:ccs_exec_t,s0)
-
-/var/lib/openais(/.*)? gen_context(system_u:object_r:ccs_var_lib_t,s0)
-
-/var/run/cluster(/.*)? gen_context(system_u:object_r:ccs_var_run_t,s0)
-/var/run/cman_.* -s gen_context(system_u:object_r:ccs_var_run_t,s0)
+/var/run/cluster/ccsd\.pid -- gen_context(system_u:object_r:ccs_var_run_t,s0)
+/var/run/cluster/ccsd\.sock -s gen_context(system_u:object_r:ccs_var_run_t,s0)
diff --git a/policy/modules/services/ccs.te b/policy/modules/services/ccs.te
index 1e0ecd1..b7e76be 100644
--- a/policy/modules/services/ccs.te
+++ b/policy/modules/services/ccs.te
@@ -1,5 +1,5 @@
-policy_module(ccs, 1.4.0)
+policy_module(ccs, 1.4.1)
########################################
#
@@ -10,23 +10,21 @@ type ccs_t;
type ccs_exec_t;
init_daemon_domain(ccs_t, ccs_exec_t)
-# conf files
type cluster_conf_t;
files_type(cluster_conf_t)
-# tmp files
type ccs_tmp_t;
files_tmp_file(ccs_tmp_t)
-# log files
-type ccs_var_log_t;
-logging_log_file(ccs_var_log_t)
+type ccs_tmpfs_t;
+files_tmpfs_file(ccs_tmpfs_t)
-# var lib files
type ccs_var_lib_t;
logging_log_file(ccs_var_lib_t)
-# pid files
+type ccs_var_log_t;
+logging_log_file(ccs_var_log_t)
+
type ccs_var_run_t;
files_pid_file(ccs_var_run_t)
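Review bot: `ccs_var_lib_t` is still declared with `logging_log_file(ccs_var_lib_t)` on the context line directly under `type ccs_var_lib_t;`, which marks a /var/lib state type as a log file. This looks like a copy-paste slip that the reordering leaves in place. Any domain that is granted access to all log files would then also reach ccsd's state data under this type. Since the hunk already reshuffles these declarations, I would change that line to `files_type(ccs_var_lib_t)`.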
@@ -35,7 +33,7 @@ files_pid_file(ccs_var_run_t)
# ccs local policy
#
-allow ccs_t self:capability { ipc_lock sys_nice sys_resource sys_admin };
+allow ccs_t self:capability { ipc_owner ipc_lock sys_nice sys_resource sys_admin };
allow ccs_t self:process { signal setrlimit setsched };
dontaudit ccs_t self:process ptrace;
allow ccs_t self:fifo_file rw_fifo_file_perms;
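Review bot: The `ipc_owner` added to the `self:capability` line has no comment naming the IPC object ccsd needs it for. It lets ccs_t bypass permission checks on System V IPC objects, on top of the `sys_admin` the domain already holds. The same gap applies to `userdom_manage_unpriv_user_shared_mem(ccs_t)` and `userdom_manage_unpriv_user_semaphores(ccs_t)` in the `@@ -104,6 +105,9 @@` hunk, which let a system daemon domain manage shared memory and semaphores belonging to unprivileged user domains. I would put a one-line comment above each addition, for example `# ipc_owner: <which shm/sem segment ccsd opens, and who creates it>`. If the access is only needed when the cluster tools are started from a user session (an assumption, not visible in this patch), the two userdom calls would be better placed behind a conditional than granted unconditionally.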
@@ -55,17 +53,20 @@ manage_dirs_pattern(ccs_t, ccs_tmp_t, ccs_tmp_t)
manage_files_pattern(ccs_t, ccs_tmp_t, ccs_tmp_t)
files_tmp_filetrans(ccs_t, ccs_tmp_t, { file dir })
-# log files
-manage_files_pattern(ccs_t, ccs_var_log_t, ccs_var_log_t)
-manage_sock_files_pattern(ccs_t, ccs_var_log_t, ccs_var_log_t)
-allow ccs_t ccs_var_log_t:dir setattr;
-logging_log_filetrans(ccs_t, ccs_var_log_t, { sock_file file dir })
+manage_dirs_pattern(ccs_t, ccs_tmpfs_t, ccs_tmpfs_t)
+manage_files_pattern(ccs_t, ccs_tmpfs_t, ccs_tmpfs_t)
+fs_tmpfs_filetrans(ccs_t, ccs_tmpfs_t, { dir file })
# var lib files
manage_dirs_pattern(ccs_t, ccs_var_lib_t, ccs_var_lib_t)
manage_files_pattern(ccs_t, ccs_var_lib_t, ccs_var_lib_t)
files_var_lib_filetrans(ccs_t, ccs_var_lib_t, { file dir })
+allow ccs_t ccs_var_log_t:dir setattr;
+manage_files_pattern(ccs_t, ccs_var_log_t, ccs_var_log_t)
+manage_sock_files_pattern(ccs_t, ccs_var_log_t, ccs_var_log_t)
+logging_log_filetrans(ccs_t, ccs_var_log_t, { sock_file file dir })
+
# pid file
manage_dirs_pattern(ccs_t, ccs_var_run_t, ccs_var_run_t)
manage_files_pattern(ccs_t, ccs_var_run_t, ccs_var_run_t)
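Review bot: `logging_log_filetrans(ccs_t, ccs_var_log_t, { sock_file file dir })` still requests a type transition for directories, but the visible rules never let ccs_t create one. There is `allow ccs_t ccs_var_log_t:dir setattr;` and the file and sock_file patterns, but no `manage_dirs_pattern` for this type. If ccsd does not create log directories itself, `logging_log_filetrans(ccs_t, ccs_var_log_t, { sock_file file })` states the intent more tightly; if it does, `manage_dirs_pattern(ccs_t, ccs_var_log_t, ccs_var_log_t)` is missing. The moved block also lost its `# log files` header, and the new tmpfs block has none, while the `# var lib files` and `# pid file` blocks keep theirs. The pid-file block continues past the end of the hunk.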
@@ -104,6 +105,9 @@ miscfiles_read_localization(ccs_t)
sysnet_dns_name_resolve(ccs_t)
+userdom_manage_unpriv_user_shared_mem(ccs_t)
+userdom_manage_unpriv_user_semaphores(ccs_t)
+
ifdef(`hide_broken_symptoms', `
corecmd_dontaudit_write_bin_dirs(ccs_t)
files_manage_isid_type_files(ccs_t)