[selinux-policy/f16] * Wed Oct 19 2011 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-43 - Add policies for nova openstack

Miroslav Grepl mgrepl at fedoraproject.org
Wed Oct 19 08:59:28 UTC 2011


commit 815b8ef16a2e06040b2ea2c06e49d40d7e4298af
Author: Miroslav <mgrepl at redhat.com>
Date:   Wed Oct 19 10:59:16 2011 +0200

    * Wed Oct 19 2011 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-43
    - Add policies for nova openstack

 modules-targeted.conf |   14 ++
 policy-F16.patch      |  607 +++++++++++++++++++++++++++++++++++++++++++++++--
 selinux-policy.spec   |    5 +-
 3 files changed, 601 insertions(+), 25 deletions(-)
---
diff --git a/modules-targeted.conf b/modules-targeted.conf
index 937665a..8f079c6 100644
--- a/modules-targeted.conf
+++ b/modules-targeted.conf
@@ -2472,3 +2472,17 @@ cfengine = module
 # polipo
 #
 polipo = module
+
+# Layer: services
+# Module: nova
+#
+#  openstack-nova
+#
+nova = module
+
+# Layer: services
+# Module: rabbitmq
+#
+#  rabbitmq daemons 
+#
+rabbitmq = module
diff --git a/policy-F16.patch b/policy-F16.patch
index 36e9c27..af52c93 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
@@ -1891,10 +1891,10 @@ index 0000000..bd83148
 +## <summary>No Interfaces</summary>
 diff --git a/policy/modules/admin/permissivedomains.te b/policy/modules/admin/permissivedomains.te
 new file mode 100644
-index 0000000..f0dbe88
+index 0000000..7da376a
 --- /dev/null
 +++ b/policy/modules/admin/permissivedomains.te
-@@ -0,0 +1,276 @@
+@@ -0,0 +1,310 @@
 +policy_module(permissivedomains,16)
 +
 +optional_policy(`
@@ -2058,6 +2058,40 @@ index 0000000..f0dbe88
 +')
 +
 +optional_policy(`
++		gen_require(`
++			type nova_ajax_t;
++			type nova_api_t;
++			type nova_compute_t;
++			type nova_direct_t;
++			type nova_network_t;
++			type nova_objectstore_t;
++			type nova_scheduler_t;
++			type nova_vncproxy_t;
++			type nova_volume_t;
++		')
++
++		permissive nova_ajax_t;
++		permissive nova_api_t;
++		permissive nova_compute_t;
++		permissive nova_direct_t;
++		permissive nova_network_t;
++		permissive nova_objectstore_t;
++		permissive nova_scheduler_t;
++		permissive nova_vncproxy_t;
++		permissive nova_volume_t;
++')
++
++optional_policy(`
++		gen_require(`
++			type rabbitmq_epmd_t;
++			type rabbitmq_beam_t;
++		')
++
++		permissive rabbitmq_epmd_t;
++		permissive rabbitmq_beam_t;
++')
++
++optional_policy(`
 +      gen_require(`
 +             type sblim_gatherd_t;
 +      ')
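Review bot: The new permissive block carries no comment saying when it is meant to be removed, unlike the header in nova.te that ties the unconfined treatment to the sudo usage in nova; a line such as `# nova/rabbitmq domains stay permissive until the sudo usage in nova is resolved (see nova.te)` above the first gen_require would keep the two in step. Note that nova_ajax_t, nova_api_t, nova_direct_t, nova_network_t, nova_objectstore_t, nova_scheduler_t, nova_vncproxy_t and nova_volume_t are also given unconfined_domain() in nova.te, so for those the permissive marking is redundant and only nova_compute_t and the two rabbitmq domains actually depend on it. The inserted blocks are indented with two tabs while the adjacent sblim block uses spaces; one convention should be used.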
@@ -34248,10 +34282,43 @@ index b886676..ab3af9c 100644
  /var/run/dnsmasq\.pid		--	gen_context(system_u:object_r:dnsmasq_var_run_t,s0)
  /var/run/libvirt/network(/.*)?		gen_context(system_u:object_r:dnsmasq_var_run_t,s0)
 diff --git a/policy/modules/services/dnsmasq.if b/policy/modules/services/dnsmasq.if
-index 9bd812b..1bef72c 100644
+index 9bd812b..982c0ea 100644
 --- a/policy/modules/services/dnsmasq.if
 +++ b/policy/modules/services/dnsmasq.if
-@@ -41,6 +41,29 @@ interface(`dnsmasq_initrc_domtrans',`
+@@ -10,7 +10,6 @@
+ ##	</summary>
+ ## </param>
+ #
+-#
+ interface(`dnsmasq_domtrans',`
+ 	gen_require(`
+ 		type dnsmasq_exec_t, dnsmasq_t;
+@@ -20,6 +19,24 @@ interface(`dnsmasq_domtrans',`
+ 	domtrans_pattern($1, dnsmasq_exec_t, dnsmasq_t)
+ ')
+ 
++#######################################
++## <summary>
++##  Execute dnsmasq server in the caller domain.
++## </summary>
++## <param name="domain">
++##  <summary>
++##  Domain allowed to transition.
++##  </summary>
++## </param>
++#
++interface(`dnsmasq_exec',`
++    gen_require(`
++        type dnsmasq_exec_t;
++    ')
++
++    can_exec($1, dnsmasq_exec_t)
++')
++
+ ########################################
+ ## <summary>
+ ##	Execute the dnsmasq init script in the init script domain.
+@@ -41,6 +58,29 @@ interface(`dnsmasq_initrc_domtrans',`
  
  ########################################
  ## <summary>
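Review bot: The parameter summary of the new dnsmasq_exec interface says `Domain allowed to transition.`, but the body is a can_exec() with no domain transition, so `##  Domain allowed to execute dnsmasq.` describes it accurately; the interface summary could also note that dnsmasq then runs with the caller's own privileges rather than under dnsmasq_t, which is the property a policy author needs to weigh before calling it. The interface body is indented with four spaces where the surrounding file, e.g. dnsmasq_domtrans just above, uses tabs.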
@@ -34281,7 +34348,7 @@ index 9bd812b..1bef72c 100644
  ##	Send dnsmasq a signal
  ## </summary>
  ## <param name="domain">
-@@ -101,9 +124,9 @@ interface(`dnsmasq_kill',`
+@@ -101,9 +141,9 @@ interface(`dnsmasq_kill',`
  ##	Read dnsmasq config files.
  ## </summary>
  ## <param name="domain">
@@ -34293,7 +34360,7 @@ index 9bd812b..1bef72c 100644
  ## </param>
  #
  interface(`dnsmasq_read_config',`
-@@ -120,9 +143,9 @@ interface(`dnsmasq_read_config',`
+@@ -120,9 +160,9 @@ interface(`dnsmasq_read_config',`
  ##	Write to dnsmasq config files.
  ## </summary>
  ## <param name="domain">
@@ -34305,7 +34372,7 @@ index 9bd812b..1bef72c 100644
  ## </param>
  #
  interface(`dnsmasq_write_config',`
-@@ -144,12 +167,12 @@ interface(`dnsmasq_write_config',`
+@@ -144,12 +184,12 @@ interface(`dnsmasq_write_config',`
  ##	</summary>
  ## </param>
  #
@@ -34319,7 +34386,7 @@ index 9bd812b..1bef72c 100644
  	delete_files_pattern($1, dnsmasq_var_run_t, dnsmasq_var_run_t)
  ')
  
-@@ -163,17 +186,80 @@ interface(`dnsmasq_delete_pid_files',`
+@@ -163,17 +203,80 @@ interface(`dnsmasq_delete_pid_files',`
  ##	</summary>
  ## </param>
  #
@@ -34401,7 +34468,7 @@ index 9bd812b..1bef72c 100644
  ##	All of the rules required to administrate
  ##	an dnsmasq environment
  ## </summary>
-@@ -208,4 +294,6 @@ interface(`dnsmasq_admin',`
+@@ -208,4 +311,6 @@ interface(`dnsmasq_admin',`
  
  	files_list_pids($1)
  	admin_pattern($1, dnsmasq_var_run_t)
@@ -44940,6 +45007,368 @@ index 4876cae..eabed96 100644
  allow ypserv_t self:unix_dgram_socket create_socket_perms;
  allow ypserv_t self:unix_stream_socket create_stream_socket_perms;
  allow ypserv_t self:netlink_route_socket r_netlink_socket_perms;
+diff --git a/policy/modules/services/nova.fc b/policy/modules/services/nova.fc
+new file mode 100644
+index 0000000..4af11e2
+--- /dev/null
++++ b/policy/modules/services/nova.fc
+@@ -0,0 +1,17 @@
++
++
++/usr/bin/nova-ajax-console-proxy	--	gen_context(system_u:object_r:nova_ajax_exec_t,s0)
++#/usr/bin/nova-compute       --  gen_context(system_u:object_r:nova_compute_exec_t,s0)
++/usr/bin/nova-direct-api	--  gen_context(system_u:object_r:nova_direct_exec_t,s0)
++/usr/bin/nova-api			--  gen_context(system_u:object_r:nova_api_exec_t,s0)
++/usr/bin/nova-network       --  gen_context(system_u:object_r:nova_network_exec_t,s0)
++/usr/bin/nova-objectstore       --  gen_context(system_u:object_r:nova_objectstore_exec_t,s0)
++/usr/bin/nova-scheduler     --  gen_context(system_u:object_r:nova_scheduler_exec_t,s0)
++/usr/bin/nova-vncproxy      --  gen_context(system_u:object_r:nova_vncproxy_exec_t,s0)
++/usr/bin/nova-volume        --  gen_context(system_u:object_r:nova_volume_exec_t,s0)
++
++/var/lib/nova(/.*)?     gen_context(system_u:object_r:nova_var_lib_t,s0)
++
++/var/log/nova(/.*)?     gen_context(system_u:object_r:nova_log_t,s0)
++
++/var/run/nova(/.*)?     gen_context(system_u:object_r:nova_var_run_t,s0)
+diff --git a/policy/modules/services/nova.if b/policy/modules/services/nova.if
+new file mode 100644
+index 0000000..ac0e1e6
+--- /dev/null
++++ b/policy/modules/services/nova.if
+@@ -0,0 +1,30 @@
++## <summary>openstack-nova</summary>
++
++#######################################
++## <summary>
++##  Creates types and rules for a basic
++##  openstack-nova systemd daemon domain.
++## </summary>
++## <param name="prefix">
++##  <summary>
++##  Prefix for the domain.
++##  </summary>
++## </param>
++#
++template(`nova_domain_template',`
++	gen_require(`
++		attribute nova_domain;
++	')
++
++	type nova_$1_t, nova_domain;
++	type nova_$1_exec_t;
++	init_daemon_domain(nova_$1_t, nova_$1_exec_t)
++
++	type nova_$1_tmp_t;
++	files_tmp_file(nova_$1_tmp_t)
++
++	manage_dirs_pattern(nova_$1_t, nova_$1_tmp_t, nova_$1_tmp_t)
++	manage_files_pattern(nova_$1_t, nova_$1_tmp_t, nova_$1_tmp_t)
++	files_tmp_filetrans(nova_$1_t, nova_$1_tmp_t, { file dir })
++	can_exec(nova_$1_t, nova_$1_tmp_t)
++')
+diff --git a/policy/modules/services/nova.te b/policy/modules/services/nova.te
+new file mode 100644
+index 0000000..49acffa
+--- /dev/null
++++ b/policy/modules/services/nova.te
+@@ -0,0 +1,297 @@
++policy_module(nova, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++#
++# nova-stack daemons contain security issue with using sudo in the code
++# we make this policy as unconfined until this issue is fixed
++#
++
++attribute nova_domain;
++
++nova_domain_template(ajax)
++nova_domain_template(api)
++nova_domain_template(compute)
++nova_domain_template(direct)
++nova_domain_template(network)
++nova_domain_template(objectstore)
++nova_domain_template(scheduler)
++nova_domain_template(vncproxy)
++nova_domain_template(volume)
++
++type nova_log_t;
++logging_log_file(nova_log_t)
++
++type nova_var_lib_t;
++files_type(nova_var_lib_t)
++
++type nova_var_run_t;
++files_pid_file(nova_var_run_t)
++
++
++######################################
++#
++# nova general domain local policy
++#
++
++allow nova_domain self:fifo_file rw_fifo_file_perms;
++allow nova_domain self:tcp_socket create_stream_socket_perms;
++allow nova_domain self:unix_stream_socket create_stream_socket_perms;
++
++manage_dirs_pattern(nova_domain, nova_log_t, nova_log_t)
++manage_files_pattern(nova_domain, nova_log_t, nova_log_t)
++
++manage_dirs_pattern(nova_domain, nova_var_lib_t, nova_var_lib_t)
++manage_files_pattern(nova_domain, nova_var_lib_t, nova_var_lib_t)
++
++manage_dirs_pattern(nova_domain, nova_var_run_t, nova_var_run_t)
++manage_files_pattern(nova_domain, nova_var_run_t, nova_var_run_t)
++
++kernel_read_system_state(nova_domain)
++
++corenet_tcp_connect_amqp_port(nova_domain)
++
++corecmd_exec_bin(nova_domain)
++corecmd_exec_shell(nova_domain)
++
++dev_read_urand(nova_domain)
++
++fs_getattr_xattr_fs(nova_domain)
++
++files_read_usr_files(nova_domain)
++
++libs_exec_ldconfig(nova_domain)
++
++files_read_etc_files(nova_domain)
++
++miscfiles_read_localization(nova_domain)
++
++optional_policy(`
++	sysnet_read_config(nova_domain)
++')
++
++######################################
++#
++# nova ajax local policy
++#
++
++optional_policy(`
++	unconfined_domain(nova_ajax_t)
++')
++
++#######################################
++#
++# nova api local policy
++#
++
++allow nova_api_t self:process setfscreate;
++
++allow nova_api_t self:netlink_route_socket r_netlink_socket_perms;
++
++allow nova_api_t self:udp_socket create_socket_perms;
++
++kernel_read_kernel_sysctls(nova_api_t)
++
++corenet_tcp_bind_generic_node(nova_api_t)
++corenet_udp_bind_generic_node(nova_api_t)
++# should be add to booleans
++corenet_tcp_connect_all_ports(nova_api_t)
++corenet_tcp_bind_all_unreserved_ports(nova_api_t)
++
++logging_send_syslog_msg(nova_api_t)
++
++miscfiles_read_certs(nova_api_t)
++
++ifdef(`hide_broken_symptoms',`
++	optional_policy(`
++		sudo_exec(nova_api_t)
++		allow nova_api_t self:capability { setuid sys_resource setgid };
++		allow nova_api_t self:process { setsched setrlimit };
++		logging_send_audit_msgs(nova_api_t)
++	')
++')
++
++optional_policy(`
++	iptables_domtrans(nova_api_t)
++')
++
++optional_policy(`
++	ssh_exec_keygen(nova_api_t)
++')
++
++optional_policy(`
++	unconfined_domain(nova_api_t)
++')
++
++#######################################
++#
++# nova compute local policy
++#
++
++# needs to be re-write since now runs as virtd_t
++
++allow nova_compute_t self:udp_socket create_socket_perms;
++
++kernel_read_network_state(nova_compute_t)
++
++dev_read_rand(nova_compute_t)
++
++dev_read_sysfs(nova_compute_t)
++
++optional_policy(`
++	virt_getattr_exec(nova_compute_t)
++	virt_stream_connect(nova_compute_t)
++')
++
++
++#######################################
++#
++# nova direct local policy
++#
++
++optional_policy(`
++	unconfined_domain(nova_direct_t)
++')
++
++#######################################
++#
++# nova network local policy
++#
++
++allow nova_network_t self:capability { dac_override net_admin net_bind_service };
++allow nova_network_t self:process { getcap setcap };
++
++allow nova_network_t self:netlink_route_socket r_netlink_socket_perms;
++allow nova_network_t self:udp_socket create_socket_perms;
++
++kernel_read_network_state(nova_network_t)
++kernel_read_kernel_sysctls(nova_network_t)
++
++# should be added to boolean or fixed in the code
++# dnsmasq domtrans does not work since then dnsmasq_t wants
++# to do some stuff with nova_lib, nova_tmp
++# nova-dhcpbridge runs in dnsmasq domain
++corenet_all_recvfrom_unlabeled(nova_network_t)
++corenet_all_recvfrom_netlabel(nova_network_t)
++corenet_tcp_sendrecv_generic_if(nova_network_t)
++corenet_udp_sendrecv_generic_if(nova_network_t)
++corenet_raw_sendrecv_generic_if(nova_network_t)
++corenet_tcp_sendrecv_generic_node(nova_network_t)
++corenet_udp_sendrecv_generic_node(nova_network_t)
++corenet_raw_sendrecv_generic_node(nova_network_t)
++corenet_tcp_sendrecv_all_ports(nova_network_t)
++corenet_udp_sendrecv_all_ports(nova_network_t)
++corenet_tcp_bind_generic_node(nova_network_t)
++corenet_udp_bind_generic_node(nova_network_t)
++corenet_tcp_bind_dns_port(nova_network_t)
++corenet_udp_bind_all_ports(nova_network_t)
++corenet_sendrecv_dns_server_packets(nova_network_t)
++corenet_sendrecv_dhcpd_server_packets(nova_network_t)
++
++libs_exec_ldconfig(nova_network_t)
++
++logging_send_syslog_msg(nova_network_t)
++
++ifdef(`hide_broken_symptoms',`
++    optional_policy(`
++        sudo_exec(nova_network_t)
++        allow nova_network_t self:capability { setuid sys_resource setgid };
++        allow nova_network_t self:process { setsched setrlimit };
++        logging_send_audit_msgs(nova_network_t)
++    ')
++')
++
++optional_policy(`
++	brctl_domtrans(nova_network_t)
++')
++
++optional_policy(`
++	dnsmasq_exec(nova_network_t)
++#	dnsmasq_domtrans(nova_network_t)
++')
++
++optional_policy(`
++    iptables_domtrans(nova_network_t)
++')
++
++optional_policy(`
++	sysnet_domtrans_ifconfig(nova_network_t)
++')
++
++optional_policy(`
++	unconfined_domain(nova_network_t)
++')
++
++#######################################
++#
++# nova object store local policy
++#
++
++allow nova_objectstore_t self:udp_socket create_socket_perms;
++
++corenet_tcp_bind_generic_node(nova_objectstore_t)
++corenet_udp_bind_generic_node(nova_objectstore_t)
++
++optional_policy(`
++    unconfined_domain(nova_objectstore_t)
++')
++
++#######################################
++#
++# nova scheduler local policy
++#
++
++allow nova_scheduler_t self:netlink_route_socket r_netlink_socket_perms;
++allow nova_scheduler_t self:udp_socket create_socket_perms;
++
++optional_policy(`
++	unconfined_domain(nova_scheduler_t)
++')
++
++#######################################
++#
++# nova vncproxy local policy
++#
++
++optional_policy(`
++	unconfined_domain(nova_vncproxy_t)
++')
++
++#######################################
++#
++# nova volume local policy
++#
++
++allow nova_volume_t self:netlink_route_socket r_netlink_socket_perms;
++
++allow nova_volume_t self:udp_socket create_socket_perms;
++
++kernel_read_kernel_sysctls(nova_volume_t)
++
++logging_send_syslog_msg(nova_volume_t)
++
++optional_policy(`
++	lvm_domtrans(nova_volume_t)
++')
++
++ifdef(`hide_broken_symptoms',`
++	require {
++		type sudo_exec_t;
++	}
++
++	allow nova_volume_t sudo_exec_t:file { read execute open execute_no_trans };
++
++	allow nova_volume_t self:capability { setuid sys_resource setgid audit_write };
++	allow nova_volume_t self:process { setsched setrlimit };
++
++	logging_send_audit_msgs(nova_volume_t)
++
++')
++
++optional_policy(`
++    unconfined_domain(nova_volume_t)
++')
++
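Review bot: The hide_broken_symptoms block for nova_volume_t uses a bare `require { type sudo_exec_t; }` plus a hand-written allow on sudo_exec_t, whereas the equivalent blocks for nova_api_t and nova_network_t wrap `sudo_exec(...)` in optional_policy; the bare require makes the whole nova module fail to link when the sudo module is absent, and the allow duplicates what sudo_exec() already grants. Replacing the require and the allow line with `sudo_exec(nova_volume_t)` inside an optional_policy block, as the other two domains do, removes the hard dependency. Separately, nova.fc comments out the /usr/bin/nova-compute entry while nova.te still instantiates nova_domain_template(compute) and adds compute-local rules, so nova_compute_t is declared but can never be entered; the comment `# needs to be re-write since now runs as virtd_t` would be clearer as `# nova-compute currently runs as virtd_t; nova_compute_t is unused until this is reworked` placed next to the template call. The new .te file also mixes tab and four-space indentation inside optional_policy blocks.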
 diff --git a/policy/modules/services/nscd.if b/policy/modules/services/nscd.if
 index 85188dc..56dd1f0 100644
 --- a/policy/modules/services/nscd.if
@@ -50902,6 +51331,140 @@ index cb7ecb5..3df1532 100644
 +	matahari_manage_lib_files(qpidd_t)
 +	matahari_manage_pid_files(qpidd_t)
 +')
+diff --git a/policy/modules/services/rabbitmq.fc b/policy/modules/services/rabbitmq.fc
+new file mode 100644
+index 0000000..7908e1d
+--- /dev/null
++++ b/policy/modules/services/rabbitmq.fc
+@@ -0,0 +1,7 @@
++
++/usr/lib64/erlang/erts-5.8.5/bin/epmd		--	gen_context(system_u:object_r:rabbitmq_epmd_exec_t,s0)
++/usr/lib64/erlang/erts-5.8.5/bin/beam.*		--  gen_context(system_u:object_r:rabbitmq_beam_exec_t,s0)
++#/usr/lib64/erlang/lib/os_mon-2.2.7/priv/bin/cpu_sup	--	gen_context(system_u:object_r:rabbitmq_cpu_sup_exec_t,s0)
++
++/var/log/rabbitmq(/.*)?							gen_context(system_u:object_r:rabbitmq_var_log_t,s0)
++/var/lib/rabbitmq(/.*)?                         gen_context(system_u:object_r:rabbitmq_var_lib_t,s0)
+diff --git a/policy/modules/services/rabbitmq.if b/policy/modules/services/rabbitmq.if
+new file mode 100644
+index 0000000..f15d8c3
+--- /dev/null
++++ b/policy/modules/services/rabbitmq.if
+@@ -0,0 +1,23 @@
++
++## <summary>policy for rabbitmq</summary>
++
++
++########################################
++## <summary>
++##	Transition to rabbitmq.
++## </summary>
++## <param name="domain">
++## <summary>
++##	Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`rabbitmq_domtrans',`
++	gen_require(`
++		type rabbitmq_t, rabbitmq_exec_t;
++	')
++
++	corecmd_search_bin($1)
++	domtrans_pattern($1, rabbitmq_exec_t, rabbitmq_t)
++')
++
+diff --git a/policy/modules/services/rabbitmq.te b/policy/modules/services/rabbitmq.te
+new file mode 100644
+index 0000000..55aaca1
+--- /dev/null
++++ b/policy/modules/services/rabbitmq.te
+@@ -0,0 +1,86 @@
++policy_module(rabbitmq, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type rabbitmq_epmd_t;
++type rabbitmq_epmd_exec_t;
++init_daemon_domain(rabbitmq_epmd_t, rabbitmq_epmd_exec_t)
++
++type rabbitmq_beam_t;
++type rabbitmq_beam_exec_t;
++init_daemon_domain(rabbitmq_beam_t, rabbitmq_beam_exec_t)
++
++type rabbitmq_var_lib_t;
++files_type(rabbitmq_var_lib_t)
++
++type rabbitmq_var_log_t;
++logging_log_file(rabbitmq_var_log_t)
++
++######################################
++#
++# beam local policy
++#
++
++allow rabbitmq_beam_t self:process { setsched signal signull };
++
++allow rabbitmq_beam_t self:fifo_file rw_fifo_file_perms;
++allow rabbitmq_beam_t self:tcp_socket { accept listen };
++
++manage_dirs_pattern(rabbitmq_beam_t, rabbitmq_var_lib_t, rabbitmq_var_lib_t)
++manage_files_pattern(rabbitmq_beam_t, rabbitmq_var_lib_t, rabbitmq_var_lib_t)
++
++manage_dirs_pattern(rabbitmq_beam_t, rabbitmq_var_log_t, rabbitmq_var_log_t)
++manage_files_pattern(rabbitmq_beam_t, rabbitmq_var_log_t, rabbitmq_var_log_t)
++
++can_exec(rabbitmq_beam_t, rabbitmq_beam_exec_t)
++
++kernel_read_system_state(rabbitmq_beam_t)
++
++corecmd_exec_bin(rabbitmq_beam_t)
++corecmd_exec_shell(rabbitmq_beam_t)
++
++corenet_tcp_bind_generic_node(rabbitmq_beam_t)
++corenet_udp_bind_generic_node(rabbitmq_beam_t)
++corenet_tcp_connect_all_ephemeral_ports(rabbitmq_beam_t)
++corenet_tcp_bind_amqp_port(rabbitmq_beam_t)
++corenet_tcp_connect_epmd_port(rabbitmq_beam_t)
++
++dev_read_sysfs(rabbitmq_beam_t)
++
++files_read_etc_files(rabbitmq_beam_t)
++
++miscfiles_read_localization(rabbitmq_beam_t)
++
++optional_policy(`
++    sysnet_dns_name_resolve(rabbitmq_beam_t)
++')
++
++########################################
++#
++# epmd local policy
++#
++
++domtrans_pattern(rabbitmq_beam_t, rabbitmq_epmd_exec_t, rabbitmq_epmd_t)
++
++allow rabbitmq_epmd_t self:process { signal };
++
++allow rabbitmq_epmd_t self:fifo_file rw_fifo_file_perms;
++allow rabbitmq_epmd_t self:tcp_socket create_stream_socket_perms;
++allow rabbitmq_epmd_t self:unix_stream_socket create_stream_socket_perms;
++
++# should be append
++allow rabbitmq_epmd_t rabbitmq_var_log_t:file write_file_perms;
++
++corenet_tcp_bind_generic_node(rabbitmq_epmd_t)
++corenet_udp_bind_generic_node(rabbitmq_epmd_t)
++corenet_tcp_bind_epmd_port(rabbitmq_epmd_t)
++
++files_read_etc_files(rabbitmq_epmd_t)
++
++logging_send_syslog_msg(rabbitmq_epmd_t)
++
++miscfiles_read_localization(rabbitmq_epmd_t)
++
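Review bot: rabbitmq_domtrans requires `type rabbitmq_t, rabbitmq_exec_t;`, but rabbitmq.te declares only rabbitmq_epmd_t, rabbitmq_beam_t and their exec types, so any caller of this interface will fail on the undefined types at link time. If the beam daemon is the intended entry point, the require and the domtrans_pattern should name `rabbitmq_beam_t, rabbitmq_beam_exec_t` instead. In rabbitmq.fc the epmd and beam entries are pinned to `/usr/lib64/erlang/erts-5.8.5/bin/`, so an erlang update or a 32-bit install leaves the binaries with the generic lib label and the daemons never enter their domains; a constructed pattern like `/usr/lib(64)?/erlang/erts-[^/]*/bin/epmd` would avoid that. The comment `# should be append` above the epmd log rule is unclear; `# TODO: narrow to append_file_perms once epmd's log handling is verified` states the intent.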
 diff --git a/policy/modules/services/radius.te b/policy/modules/services/radius.te
 index b1ed1bf..124971d 100644
 --- a/policy/modules/services/radius.te
@@ -71502,7 +72065,7 @@ index 34d0ec5..767ccbd 100644
 +')
 diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
 new file mode 100644
-index 0000000..9eaa38e
+index 0000000..db57bc7
 --- /dev/null
 +++ b/policy/modules/system/systemd.fc
 @@ -0,0 +1,19 @@
@@ -71522,8 +72085,8 @@ index 0000000..9eaa38e
 +/var/run/systemd/seats(/.*)?	gen_context(system_u:object_r:systemd_logind_var_run_t,s0)
 +/var/run/systemd/sessions(/.*)?	gen_context(system_u:object_r:systemd_logind_sessions_t,s0)
 +/var/run/systemd/users(/.*)?	gen_context(system_u:object_r:systemd_logind_var_run_t,s0)
-+/var/run/systemd/ask-password-block/[^/]*		-p	gen_context(system_u:object_r:systemd_device_t,s0)
-+/dev/\.systemd/ask-password-block/[^/]*		-p	gen_context(system_u:object_r:systemd_device_t,s0)
++/var/run/systemd/ask-password-block(/.*)?	gen_context(system_u:object_r:systemd_passwd_var_run_t,s0)
++/var/run/systemd/ask-password(/.*)?	gen_context(system_u:object_r:systemd_passwd_var_run_t,s0)
 +/var/run/initramfs(/.*)?	<<none>>
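Review bot: The removed `/dev/\.systemd/ask-password-block/[^/]*` entry gets no replacement, so if this systemd version still creates ask-password fifos under /dev/.systemd they will fall back to the generic device label and the passwd agent rules added in systemd.te will not apply to them; presumably that path is obsolete on F16, but it is worth confirming before dropping it. The two new entries label the directories and their contents, which matches the manage_dirs_pattern introduced for systemd_passwd_var_run_t in systemd.te.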
 diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
 new file mode 100644
@@ -72011,10 +72574,10 @@ index 0000000..f642930
 +
 diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
 new file mode 100644
-index 0000000..5c36a9d
+index 0000000..a906f40
 --- /dev/null
 +++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,373 @@
+@@ -0,0 +1,369 @@
 +policy_module(systemd, 1.0.0)
 +
 +#######################################
@@ -72049,6 +72612,9 @@ index 0000000..5c36a9d
 +type systemd_passwd_agent_exec_t;
 +init_daemon_domain(systemd_passwd_agent_t, systemd_passwd_agent_exec_t)
 +
++type systemd_passwd_var_run_t alias systemd_device_t;
++files_pid_file(systemd_passwd_var_run_t)
++
 +# domain for systemd-tmpfiles component
 +type systemd_tmpfiles_t;
 +type systemd_tmpfiles_exec_t;
@@ -72066,13 +72632,6 @@ index 0000000..5c36a9d
 +type systemd_systemctl_exec_t;
 +corecmd_executable_file(systemd_systemctl_exec_t)
 +
-+#
-+# Type for systemd pipes in /dev/.systemd/ directory
-+#
-+type systemd_device_t;
-+files_type(systemd_device_t)
-+dev_associate(systemd_device_t)
-+
 +#######################################
 +#
 +# Systemd_logind local policy
@@ -72170,9 +72729,9 @@ index 0000000..5c36a9d
 +allow systemd_passwd_agent_t self:process { setfscreate setsockcreate signal };
 +allow systemd_passwd_agent_t self:unix_dgram_socket create_socket_perms;
 +
-+allow systemd_passwd_agent_t systemd_device_t:fifo_file manage_fifo_file_perms;
-+dev_filetrans(systemd_passwd_agent_t, systemd_device_t, fifo_file)
-+init_pid_filetrans(systemd_passwd_agent_t, systemd_device_t, fifo_file)
++manage_dirs_pattern(systemd_passwd_agent_t, systemd_passwd_var_run_t, systemd_passwd_var_run_t);
++manage_fifo_files_pattern(systemd_passwd_agent_t, systemd_passwd_var_run_t, systemd_passwd_var_run_t);
++init_pid_filetrans(systemd_passwd_agent_t, systemd_passwd_var_run_t, { dir fifo_file })
 +
 +kernel_stream_connect(systemd_passwd_agent_t)
 +
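Review bot: The two new pattern calls end with a stray `;` (`manage_dirs_pattern(...);` and `manage_fifo_files_pattern(...);`) while the init_pid_filetrans call on the next line and the rest of the file do not; refpolicy macros expand to complete statements, so the extra semicolon is at best inconsistent and, depending on the policy compiler, may be rejected as a syntax error. Drop the trailing semicolons on both lines. The enclosing systemd_passwd_agent_t policy block continues outside the hunk.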
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 19b507e..c949e76 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.10.0
-Release: 42%{?dist}
+Release: 43%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -466,6 +466,9 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Wed Oct 19 2011 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-43
+- Add policies for nova openstack
+
 * Mon Oct 18 2011 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-42
 - Add fixes for nova-stack policy
 

