[selinux-policy/f17] * Fri Mar 9 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-98 - Add policy for nove-cert - Add label
Miroslav Grepl
mgrepl at fedoraproject.org
Fri Mar 9 12:51:17 UTC 2012
commit 223840eba7ef294bda69320195da85ebe2e3840a
Author: Miroslav Grepl <mgrepl at redhat.com>
Date: Fri Mar 9 13:51:04 2012 +0100
* Fri Mar 9 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-98
- Add policy for nova-cert
- Add labeling for openstack-nova systemd unit files
- Add policy for keystone
policy-F16.patch | 726 +++++++++++++++++++++++++++++++++++++++++++++++++--
selinux-policy.spec | 7 +-
2 files changed, 707 insertions(+), 26 deletions(-)
---
diff --git a/policy-F16.patch b/policy-F16.patch
index 37fd949..d765251 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
@@ -58251,10 +58251,10 @@ index 0000000..bd83148
+## <summary>No Interfaces</summary>
diff --git a/policy/modules/admin/permissivedomains.te b/policy/modules/admin/permissivedomains.te
new file mode 100644
-index 0000000..984c8ac
+index 0000000..ef49e10
--- /dev/null
+++ b/policy/modules/admin/permissivedomains.te
-@@ -0,0 +1,66 @@
+@@ -0,0 +1,88 @@
+policy_module(permissivedomains,17)
+
+
@@ -58321,6 +58321,28 @@ index 0000000..984c8ac
+ permissive matahari_rpcd_t;
+
+')
++
++optional_policy(`
++ gen_require(`
++ type keystone_t;
++ ')
++
++ permissive keystone_t;
++')
++
++optional_policy(`
++ gen_require(`
++ type pacemaker_t;
++ ')
++
++ permissive pacemaker_t;
++')
++
++optional_policy(`
++ gen_require(`
++ type nova_cert_t;
++ ')
++')
diff --git a/policy/modules/admin/portage.fc b/policy/modules/admin/portage.fc
index db46387..b665b08 100644
--- a/policy/modules/admin/portage.fc
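Review bot: The last optional_policy block, which gen_requires `type nova_cert_t;` and then contains no rule, is a no-op: the two sibling blocks added just above it end with `permissive keystone_t;` and `permissive pacemaker_t;`, so either a `permissive nova_cert_t;` line was dropped or the empty block should be removed. As written, nova_cert_t is the only domain introduced by this commit that enforces from the first boot, with only the small rule set in nova.te behind it. The head of permissivedomains.te is outside this hunk.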
@@ -64486,7 +64508,7 @@ index fbb5c5a..094d03b 100644
+')
+
diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te
-index 2e9318b..6c983e1 100644
+index 2e9318b..859b089 100644
--- a/policy/modules/apps/mozilla.te
+++ b/policy/modules/apps/mozilla.te
@@ -25,6 +25,7 @@ files_config_file(mozilla_conf_t)
@@ -64670,8 +64692,11 @@ index 2e9318b..6c983e1 100644
dev_read_rand(mozilla_plugin_t)
dev_read_urand(mozilla_plugin_t)
-@@ -385,33 +405,30 @@ term_getattr_all_ttys(mozilla_plugin_t)
+@@ -383,35 +403,33 @@ sysnet_dns_name_resolve(mozilla_plugin_t)
+
+ term_getattr_all_ttys(mozilla_plugin_t)
term_getattr_all_ptys(mozilla_plugin_t)
++term_getattr_ptmx(mozilla_plugin_t)
userdom_rw_user_tmpfs_files(mozilla_plugin_t)
+userdom_delete_user_tmpfs_files(mozilla_plugin_t)
@@ -64716,7 +64741,7 @@ index 2e9318b..6c983e1 100644
optional_policy(`
alsa_read_rw_config(mozilla_plugin_t)
-@@ -425,7 +442,13 @@ optional_policy(`
+@@ -425,7 +443,13 @@ optional_policy(`
')
optional_policy(`
@@ -64730,7 +64755,7 @@ index 2e9318b..6c983e1 100644
')
optional_policy(`
-@@ -438,18 +461,98 @@ optional_policy(`
+@@ -438,18 +462,98 @@ optional_policy(`
')
optional_policy(`
@@ -70930,7 +70955,7 @@ index 4f3b542..1552f90 100644
+ dev_filetrans($1, ppp_device_t, chr_file, "ppp")
+')
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
-index 99b71cb..a0d3b16 100644
+index 99b71cb..9456824 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -11,11 +11,15 @@ attribute netif_type;
@@ -71033,13 +71058,14 @@ index 99b71cb..a0d3b16 100644
network_port(cvs, tcp,2401,s0, udp,2401,s0)
network_port(cyphesis, tcp,6767,s0, tcp,6769,s0, tcp,6780-6799,s0, udp,32771,s0)
network_port(daap, tcp,3689,s0, udp,3689,s0)
-@@ -99,14 +134,22 @@ network_port(dhcpc, udp,68,s0, tcp,68,s0, udp,546,s0, tcp, 546,s0)
+@@ -99,14 +134,23 @@ network_port(dhcpc, udp,68,s0, tcp,68,s0, udp,546,s0, tcp, 546,s0)
network_port(dhcpd, udp,67,s0, udp,547,s0, tcp, 547,s0, udp,548,s0, tcp, 548,s0, tcp,647,s0, udp,647,s0, tcp,847,s0, udp,847,s0, tcp,7911,s0)
network_port(dict, tcp,2628,s0)
network_port(distccd, tcp,3632,s0)
+network_port(dogtag, tcp,7390,s0)
network_port(dns, udp,53,s0, tcp,53,s0)
+network_port(dnssec, tcp,8955,s0)
++network_port(echo, tcp,7,s0, udp,7,s0)
network_port(epmap, tcp,135,s0, udp,135,s0)
+network_port(epmd, tcp,4369,s0, udp,4369,s0)
+network_port(festival, tcp,1314,s0)
@@ -71056,7 +71082,7 @@ index 99b71cb..a0d3b16 100644
network_port(gopher, tcp,70,s0, udp,70,s0)
network_port(gpsd, tcp,2947,s0)
network_port(hadoop_datanode, tcp,50010,s0)
-@@ -115,11 +158,13 @@ network_port(hddtemp, tcp,7634,s0)
+@@ -115,11 +159,13 @@ network_port(hddtemp, tcp,7634,s0)
network_port(howl, tcp,5335,s0, udp,5353,s0)
network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0, tcp,9292,s0)
network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0, tcp,8443,s0) #8443 is mod_nss default port
@@ -71064,14 +71090,15 @@ index 99b71cb..a0d3b16 100644
+network_port(http_cache, udp,3130,s0, tcp,8080,s0, tcp,8118,s0, tcp,8123,s0, tcp,10001-10010,s0) # 8118 is for privoxy
network_port(i18n_input, tcp,9010,s0)
network_port(imaze, tcp,5323,s0, udp,5323,s0)
- network_port(inetd_child, tcp,1,s0, udp,1,s0, tcp,7,s0, udp,7,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,37,s0, udp,37,s0, tcp,512,s0, tcp,543,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,2105,s0, tcp,5666,s0)
+-network_port(inetd_child, tcp,1,s0, udp,1,s0, tcp,7,s0, udp,7,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,37,s0, udp,37,s0, tcp,512,s0, tcp,543,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,2105,s0, tcp,5666,s0)
++network_port(inetd_child, tcp,1,s0, udp,1,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,37,s0, udp,37,s0, tcp,512,s0, tcp,543,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,2105,s0, tcp,5666,s0)
network_port(innd, tcp,119,s0)
+network_port(interwise, tcp,7778,s0, udp,7778,s0)
+network_port(ionixnetmon, tcp,7410,s0, udp,7410,s0)
network_port(ipmi, udp,623,s0, udp,664,s0)
network_port(ipp, tcp,631,s0, udp,631,s0, tcp,8610-8614,s0, udp,8610-8614,s0)
network_port(ipsecnat, tcp,4500,s0, udp,4500,s0)
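Review bot: Removing tcp/udp 7 from inetd_child_port_t and giving it its own echo_port_t (added in the preceding hunk) silently revokes port 7 from every domain that reached it through the `corenet_*_inetd_child_port` interfaces; the inetd.te hunk re-grants it to inetd_t, but any other caller of those interfaces is outside this view and should be checked with `grep inetd_child_port policy/modules`. Since port 7 sits below 512, the explicit portcon still takes precedence over the reserved_port_t default (per the comment further down), so nothing else in this file needs to change.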
-@@ -129,20 +174,27 @@ network_port(iscsi, tcp,3260,s0)
+@@ -129,20 +175,27 @@ network_port(iscsi, tcp,3260,s0)
network_port(isns, tcp,3205,s0, udp,3205,s0)
network_port(jabber_client, tcp,5222,s0, tcp,5223,s0)
network_port(jabber_interserver, tcp,5269,s0)
@@ -71102,7 +71129,7 @@ index 99b71cb..a0d3b16 100644
network_port(mpd, tcp,6600,s0)
network_port(msnp, tcp,1863,s0, udp,1863,s0)
network_port(mssql, tcp,1433-1434,s0, udp,1433-1434,s0)
-@@ -152,21 +204,31 @@ network_port(mysqlmanagerd, tcp,2273,s0)
+@@ -152,21 +205,31 @@ network_port(mysqlmanagerd, tcp,2273,s0)
network_port(nessus, tcp,1241,s0)
network_port(netport, tcp,3129,s0, udp,3129,s0)
network_port(netsupport, tcp,5404,s0, udp,5404,s0, tcp,5405,s0, udp,5405,s0)
@@ -71135,7 +71162,7 @@ index 99b71cb..a0d3b16 100644
network_port(prelude, tcp,4690,s0, udp,4690,s0)
network_port(presence, tcp,5298-5299,s0, udp,5298-5299,s0)
network_port(printer, tcp,515,s0)
-@@ -179,34 +241,40 @@ network_port(radacct, udp,1646,s0, udp,1813,s0)
+@@ -179,34 +242,40 @@ network_port(radacct, udp,1646,s0, udp,1813,s0)
network_port(radius, udp,1645,s0, udp,1812,s0)
network_port(radsec, tcp,2083,s0)
network_port(razor, tcp,2703,s0)
@@ -71182,7 +71209,7 @@ index 99b71cb..a0d3b16 100644
network_port(traceroute, udp,64000-64010,s0)
network_port(transproxy, tcp,8081,s0)
network_port(ups, tcp,3493,s0)
-@@ -215,9 +283,12 @@ network_port(uucpd, tcp,540,s0)
+@@ -215,9 +284,12 @@ network_port(uucpd, tcp,540,s0)
network_port(varnishd, tcp,6081-6082,s0)
network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0)
network_port(virt_migration, tcp,49152-49216,s0)
@@ -71196,7 +71223,7 @@ index 99b71cb..a0d3b16 100644
network_port(xdmcp, udp,177,s0, tcp,177,s0)
network_port(xen, tcp,8002,s0)
network_port(xfs, tcp,7100,s0)
-@@ -229,6 +300,7 @@ network_port(zookeeper_client, tcp,2181,s0)
+@@ -229,6 +301,7 @@ network_port(zookeeper_client, tcp,2181,s0)
network_port(zookeeper_election, tcp,3888,s0)
network_port(zookeeper_leader, tcp,2888,s0)
network_port(zebra, tcp,2600-2604,s0, tcp,2606,s0, udp,2600-2604,s0, udp,2606,s0)
@@ -71204,7 +71231,7 @@ index 99b71cb..a0d3b16 100644
network_port(zope, tcp,8021,s0)
# Defaults for reserved ports. Earlier portcon entries take precedence;
-@@ -238,6 +310,12 @@ portcon tcp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
+@@ -238,6 +311,12 @@ portcon tcp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
portcon udp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
portcon tcp 1-511 gen_context(system_u:object_r:reserved_port_t, s0)
portcon udp 1-511 gen_context(system_u:object_r:reserved_port_t, s0)
@@ -71217,7 +71244,7 @@ index 99b71cb..a0d3b16 100644
########################################
#
-@@ -282,9 +360,10 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
+@@ -282,9 +361,10 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
allow corenet_unconfined_type node_type:node *;
allow corenet_unconfined_type netif_type:netif *;
allow corenet_unconfined_type packet_type:packet *;
@@ -99226,10 +99253,19 @@ index df48e5e..878d9df 100644
type inetd_t;
')
diff --git a/policy/modules/services/inetd.te b/policy/modules/services/inetd.te
-index c51a7b2..5f71f35 100644
+index c51a7b2..75a08f9 100644
--- a/policy/modules/services/inetd.te
+++ b/policy/modules/services/inetd.te
-@@ -149,7 +149,10 @@ miscfiles_read_localization(inetd_t)
+@@ -89,6 +89,8 @@ corenet_tcp_bind_ftp_port(inetd_t)
+ corenet_udp_bind_ftp_port(inetd_t)
+ corenet_tcp_bind_inetd_child_port(inetd_t)
+ corenet_udp_bind_inetd_child_port(inetd_t)
++corenet_tcp_bind_echo_port(inetd_t)
++corenet_udp_bind_echo_port(inetd_t)
+ corenet_tcp_bind_ircd_port(inetd_t)
+ corenet_udp_bind_ktalkd_port(inetd_t)
+ corenet_tcp_bind_printer_port(inetd_t)
+@@ -149,7 +151,10 @@ miscfiles_read_localization(inetd_t)
mls_fd_share_all_levels(inetd_t)
mls_socket_read_to_clearance(inetd_t)
mls_socket_write_to_clearance(inetd_t)
@@ -100414,6 +100450,318 @@ index 0000000..21e49e3
+files_read_etc_files(keyboardd_t)
+
+miscfiles_read_localization(keyboardd_t)
+diff --git a/policy/modules/services/keystone.fc b/policy/modules/services/keystone.fc
+new file mode 100644
+index 0000000..4917088
+--- /dev/null
++++ b/policy/modules/services/keystone.fc
+@@ -0,0 +1,7 @@
++/usr/bin/keystone-all -- gen_context(system_u:object_r:keystone_exec_t,s0)
++
++/usr/lib/systemd/system/openstack-keystone.service -- gen_context(system_u:object_r:keystone_unit_file_t,s0)
++
++/var/lib/keystone(/.*)? gen_context(system_u:object_r:keystone_var_lib_t,s0)
++
++/var/log/keystone(/.*)? gen_context(system_u:object_r:keystone_log_t,s0)
+diff --git a/policy/modules/services/keystone.if b/policy/modules/services/keystone.if
+new file mode 100644
+index 0000000..f4686e5
+--- /dev/null
++++ b/policy/modules/services/keystone.if
+@@ -0,0 +1,222 @@
++
++## <summary>policy for keystone</summary>
++
++########################################
++## <summary>
++## Transition to keystone.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`keystone_domtrans',`
++ gen_require(`
++ type keystone_t, keystone_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ domtrans_pattern($1, keystone_exec_t, keystone_t)
++')
++########################################
++## <summary>
++## Read keystone's log files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++## <rolecap/>
++#
++interface(`keystone_read_log',`
++ gen_require(`
++ type keystone_log_t;
++ ')
++
++ logging_search_logs($1)
++ read_files_pattern($1, keystone_log_t, keystone_log_t)
++')
++
++########################################
++## <summary>
++## Append to keystone log files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`keystone_append_log',`
++ gen_require(`
++ type keystone_log_t;
++ ')
++
++ logging_search_logs($1)
++ append_files_pattern($1, keystone_log_t, keystone_log_t)
++')
++
++########################################
++## <summary>
++## Manage keystone log files
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`keystone_manage_log',`
++ gen_require(`
++ type keystone_log_t;
++ ')
++
++ logging_search_logs($1)
++ manage_dirs_pattern($1, keystone_log_t, keystone_log_t)
++ manage_files_pattern($1, keystone_log_t, keystone_log_t)
++ manage_lnk_files_pattern($1, keystone_log_t, keystone_log_t)
++')
++
++########################################
++## <summary>
++## Search keystone lib directories.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`keystone_search_lib',`
++ gen_require(`
++ type keystone_var_lib_t;
++ ')
++
++ allow $1 keystone_var_lib_t:dir search_dir_perms;
++ files_search_var_lib($1)
++')
++
++########################################
++## <summary>
++## Read keystone lib files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`keystone_read_lib_files',`
++ gen_require(`
++ type keystone_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ read_files_pattern($1, keystone_var_lib_t, keystone_var_lib_t)
++')
++
++########################################
++## <summary>
++## Manage keystone lib files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`keystone_manage_lib_files',`
++ gen_require(`
++ type keystone_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ manage_files_pattern($1, keystone_var_lib_t, keystone_var_lib_t)
++')
++
++########################################
++## <summary>
++## Manage keystone lib directories.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`keystone_manage_lib_dirs',`
++ gen_require(`
++ type keystone_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ manage_dirs_pattern($1, keystone_var_lib_t, keystone_var_lib_t)
++')
++
++########################################
++## <summary>
++## Execute keystone server in the keystone domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`keystone_systemctl',`
++ gen_require(`
++ type keystone_t;
++ type keystone_unit_file_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ systemd_read_fifo_file_password_run($1)
++ allow $1 keystone_unit_file_t:file read_file_perms;
++ allow $1 keystone_unit_file_t:service all_service_perms;
++
++ ps_process_pattern($1, keystone_t)
++')
++
++
++########################################
++## <summary>
++## All of the rules required to administrate
++## an keystone environment
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++## <param name="role">
++## <summary>
++## Role allowed access.
++## </summary>
++## </param>
++## <rolecap/>
++#
++interface(`keystone_admin',`
++ gen_require(`
++ type keystone_t;
++ type keystone_log_t;
++ type keystone_var_lib_t;
++ type keystone_unit_file_t;
++ ')
++
++ allow $1 keystone_t:process { ptrace signal_perms };
++ ps_process_pattern($1, keystone_t)
++
++ logging_search_logs($1)
++ admin_pattern($1, keystone_log_t)
++
++ files_search_var_lib($1)
++ admin_pattern($1, keystone_var_lib_t)
++
++ keystone_systemctl($1)
++ optional_policy(`
++ systemd_passwd_agent_exec($1)
++ systemd_read_fifo_file_passwd_run($1)
++ ')
++')
+diff --git a/policy/modules/services/keystone.te b/policy/modules/services/keystone.te
+new file mode 100644
+index 0000000..bd47cdc
+--- /dev/null
++++ b/policy/modules/services/keystone.te
+@@ -0,0 +1,65 @@
++policy_module(keystone, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type keystone_t;
++type keystone_exec_t;
++init_daemon_domain(keystone_t, keystone_exec_t)
++
++type keystone_log_t;
++logging_log_file(keystone_log_t)
++
++type keystone_var_lib_t;
++files_type(keystone_var_lib_t)
++
++type keystone_tmp_t;
++files_tmp_file(keystone_tmp_t)
++
++type keystone_unit_file_t;
++systemd_unit_file(keystone_unit_file_t)
++
++########################################
++#
++# keystone local policy
++#
++allow keystone_t self:fifo_file rw_fifo_file_perms;
++allow keystone_t self:unix_stream_socket create_stream_socket_perms;
++allow keystone_t self:tcp_socket create_stream_socket_perms;
++
++manage_dirs_pattern(keystone_t, keystone_log_t, keystone_log_t)
++manage_files_pattern(keystone_t, keystone_log_t, keystone_log_t)
++logging_log_filetrans(keystone_t, keystone_log_t, { dir file })
++
++manage_dirs_pattern(keystone_t, keystone_tmp_t, keystone_tmp_t)
++manage_files_pattern(keystone_t, keystone_tmp_t, keystone_tmp_t)
++manage_lnk_files_pattern(keystone_t, keystone_tmp_t, keystone_tmp_t)
++files_tmp_filetrans(keystone_t, keystone_tmp_t, { file dir lnk_file })
++can_exec(keystone_t, keystone_tmp_t)
++
++manage_dirs_pattern(keystone_t, keystone_var_lib_t, keystone_var_lib_t)
++manage_files_pattern(keystone_t, keystone_var_lib_t, keystone_var_lib_t)
++files_var_lib_filetrans(keystone_t, keystone_var_lib_t, { dir file })
++
++kernel_read_system_state(keystone_t)
++
++corecmd_exec_bin(keystone_t)
++corecmd_exec_shell(keystone_t)
++
++corenet_tcp_bind_commplex_port(keystone_t)
++corenet_tcp_bind_generic_node(keystone_t)
++
++dev_read_urand(keystone_t)
++
++domain_use_interactive_fds(keystone_t)
++
++files_read_etc_files(keystone_t)
++files_read_usr_files(keystone_t)
++
++auth_use_pam(keystone_t)
++
++libs_exec_ldconfig(keystone_t)
++
++miscfiles_read_localization(keystone_t)
diff --git a/policy/modules/services/ksmtuned.fc b/policy/modules/services/ksmtuned.fc
index 9c0c835..8360166 100644
--- a/policy/modules/services/ksmtuned.fc
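Review bot: `can_exec(keystone_t, keystone_tmp_t)` in keystone.te lets the daemon execute files it has itself created under /tmp, which combined with `corecmd_exec_shell` hands a code-execution path to anything that can write as keystone_t; since the domain is permissive in this same commit, drop the rule and let an AVC from a real run justify it. `keystone_systemctl` calls `systemd_read_fifo_file_password_run($1)` while `keystone_admin` calls `systemd_read_fifo_file_passwd_run($1)`; the names differ by one token, so one of them presumably does not exist, and only the admin call is wrapped in optional_policy. `keystone_admin` documents a role parameter but never uses $2. In keystone.fc the `.` in `openstack-keystone.service` is an unescaped regex metacharacter; write `openstack-keystone\.service` as nova.fc does. If keystone-all also listens on a separate admin port, nothing here labels it beyond `corenet_tcp_bind_commplex_port` — confirm against the shipped configuration.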
@@ -106424,22 +106772,45 @@ index 4876cae..e29f5d6 100644
diff --git a/policy/modules/services/nova.fc b/policy/modules/services/nova.fc
new file mode 100644
-index 0000000..4af11e2
+index 0000000..a2bc7ca
--- /dev/null
+++ b/policy/modules/services/nova.fc
-@@ -0,0 +1,17 @@
+@@ -0,0 +1,40 @@
+
+
+/usr/bin/nova-ajax-console-proxy -- gen_context(system_u:object_r:nova_ajax_exec_t,s0)
+#/usr/bin/nova-compute -- gen_context(system_u:object_r:nova_compute_exec_t,s0)
+/usr/bin/nova-direct-api -- gen_context(system_u:object_r:nova_direct_exec_t,s0)
+/usr/bin/nova-api -- gen_context(system_u:object_r:nova_api_exec_t,s0)
++/usr/bin/nova-cert -- gen_context(system_u:object_r:nova_cert_exec_t,s0)
+/usr/bin/nova-network -- gen_context(system_u:object_r:nova_network_exec_t,s0)
+/usr/bin/nova-objectstore -- gen_context(system_u:object_r:nova_objectstore_exec_t,s0)
+/usr/bin/nova-scheduler -- gen_context(system_u:object_r:nova_scheduler_exec_t,s0)
+/usr/bin/nova-vncproxy -- gen_context(system_u:object_r:nova_vncproxy_exec_t,s0)
+/usr/bin/nova-volume -- gen_context(system_u:object_r:nova_volume_exec_t,s0)
+
++/lib/systemd/system/openstack-nova-ajax-console-proxy\.service -- gen_context(system_u:object_r:nova_direct_unit_file_t,s0)
++/lib/systemd/system/openstack-nova-api\.service -- gen_context(system_u:object_r:nova_api_unit_file_t,s0)
++/lib/systemd/system/openstack-nova-cert\.service -- gen_context(system_u:object_r:nova_cert_unit_file_t,s0)
++#/lib/systemd/system/openstack-nova-compute.service
++/lib/systemd/system/openstack-nova-direct-api\.service -- gen_context(system_u:object_r:nova_direct_unit_file_t,s0)
++/lib/systemd/system/openstack-nova-network\.service -- gen_context(system_u:object_r:nova_network_unit_file_t,s0)
++/lib/systemd/system/openstack-nova-objectstore\.service -- gen_context(system_u:object_r:nova_objectstore_unit_file_t,s0)
++/lib/systemd/system/openstack-nova-scheduler\.service -- gen_context(system_u:object_r:nova_scheduler_unit_file_t,s0)
++/lib/systemd/system/openstack-nova-vncproxy\.service -- gen_context(system_u:object_r:nova_vncproxy_unit_file_t,s0)
++/lib/systemd/system/openstack-nova-volume\.service -- gen_context(system_u:object_r:nova_volume_unit_file_t,s0)
++
++/usr/lib/systemd/system/openstack-nova-ajax-console-proxy\.service -- gen_context(system_u:object_r:nova_direct_unit_file_t,s0)
++/usr/lib/systemd/system/openstack-nova-api\.service -- gen_context(system_u:object_r:nova_api_unit_file_t,s0)
++/usr/lib/systemd/system/openstack-nova-cert\.service -- gen_context(system_u:object_r:nova_cert_unit_file_t,s0)
++#/lib/systemd/system/openstack-nova-compute.service
++/usr/lib/systemd/system/openstack-nova-direct-api\.service -- gen_context(system_u:object_r:nova_direct_unit_file_t,s0)
++/usr/lib/systemd/system/openstack-nova-network\.service -- gen_context(system_u:object_r:nova_network_unit_file_t,s0)
++/usr/lib/systemd/system/openstack-nova-objectstore\.service -- gen_context(system_u:object_r:nova_objectstore_unit_file_t,s0)
++/usr/lib/systemd/system/openstack-nova-scheduler\.service -- gen_context(system_u:object_r:nova_scheduler_unit_file_t,s0)
++/usr/lib/systemd/system/openstack-nova-vncproxy\.service -- gen_context(system_u:object_r:nova_vncproxy_unit_file_t,s0)
++/usr/lib/systemd/system/openstack-nova-volume\.service -- gen_context(system_u:object_r:nova_volume_unit_file_t,s0)
++
+/var/lib/nova(/.*)? gen_context(system_u:object_r:nova_var_lib_t,s0)
+
+/var/log/nova(/.*)? gen_context(system_u:object_r:nova_log_t,s0)
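Review bot: Both entries for openstack-nova-ajax-console-proxy.service are labeled `nova_direct_unit_file_t`, but the proxy's binary is `nova_ajax_exec_t` and `nova_domain_template(ajax)` now yields `nova_ajax_unit_file_t`, so the unit would be administered under the direct-api's type; the two lines should read `/lib/systemd/system/openstack-nova-ajax-console-proxy\.service -- gen_context(system_u:object_r:nova_ajax_unit_file_t,s0)` and the same path under /usr/lib. The commented-out compute line is also copy-pasted with the `/lib/` path into the `/usr/lib/` group; harmless today, but worth correcting before compute is enabled.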
@@ -106447,10 +106818,10 @@ index 0000000..4af11e2
+/var/run/nova(/.*)? gen_context(system_u:object_r:nova_var_run_t,s0)
diff --git a/policy/modules/services/nova.if b/policy/modules/services/nova.if
new file mode 100644
-index 0000000..ac0e1e6
+index 0000000..0d11800
--- /dev/null
+++ b/policy/modules/services/nova.if
-@@ -0,0 +1,30 @@
+@@ -0,0 +1,33 @@
+## <summary>openstack-nova</summary>
+
+#######################################
@@ -106473,6 +106844,9 @@ index 0000000..ac0e1e6
+ type nova_$1_exec_t;
+ init_daemon_domain(nova_$1_t, nova_$1_exec_t)
+
++ type nova_$1_unit_file_t;
++ systemd_unit_file(nova_$1_unit_file_t)
++
+ type nova_$1_tmp_t;
+ files_tmp_file(nova_$1_tmp_t)
+
@@ -106483,10 +106857,10 @@ index 0000000..ac0e1e6
+')
diff --git a/policy/modules/services/nova.te b/policy/modules/services/nova.te
new file mode 100644
-index 0000000..49acffa
+index 0000000..9dd1d72
--- /dev/null
+++ b/policy/modules/services/nova.te
-@@ -0,0 +1,297 @@
+@@ -0,0 +1,315 @@
+policy_module(nova, 1.0.0)
+
+########################################
@@ -106503,6 +106877,7 @@ index 0000000..49acffa
+
+nova_domain_template(ajax)
+nova_domain_template(api)
++nova_domain_template(cert)
+nova_domain_template(compute)
+nova_domain_template(direct)
+nova_domain_template(network)
@@ -106615,6 +106990,23 @@ index 0000000..49acffa
+ unconfined_domain(nova_api_t)
+')
+
++######################################
++#
++# nova cert local policy
++#
++
++allow nova_cert_t self:process setfscreate;
++
++allow nova_cert_t self:udp_socket create_socket_perms;
++
++auth_read_passwd(nova_cert_t)
++
++miscfiles_read_certs(nova_cert_t)
++
++optional_policy(`
++ mysql_stream_connect(nova_cert_t)
++')
++
+#######################################
+#
+# nova compute local policy
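Review bot: `allow nova_cert_t self:process setfscreate;` lets the daemon choose the SELinux label of files it creates, which is a labeling privilege rather than a file permission; if it is only there because a library calls setfscreatecon(), a named file transition on the nova lib type would keep label choice in policy, so either add a comment saying why it is required or drop it. The udp_socket rule has no accompanying corenet rules; if the socket is for name resolution, `sysnet_dns_name_resolve(nova_cert_t)` is the conventional grant — confirm from the AVCs. `auth_read_passwd` is the narrow form; if the daemon also does group or host lookups, `auth_use_nsswitch` (as pacemaker.te uses) will be needed instead. The rest of nova.te, including the template-provided rules this domain inherits, is outside this hunk.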
@@ -108095,6 +108487,290 @@ index 8b550f4..117a7ac 100644
+optional_policy(`
+ unconfined_attach_tun_iface(openvpn_t)
+')
+diff --git a/policy/modules/services/pacemaker.fc b/policy/modules/services/pacemaker.fc
+new file mode 100644
+index 0000000..a8693fc
+--- /dev/null
++++ b/policy/modules/services/pacemaker.fc
+@@ -0,0 +1,11 @@
++/etc/rc\.d/init\.d/pacemaker -- gen_context(system_u:object_r:pacemaker_initrc_exec_t,s0)
++
++/usr/lib/systemd/system/pacemaker.service -- gen_context(system_u:object_r:pacemaker_unit_file_t,s0)
++
++/usr/sbin/pacemakerd -- gen_context(system_u:object_r:pacemaker_exec_t,s0)
++
++/var/lib/heartbeat/crm(/.*)? gen_context(system_u:object_r:pacemaker_var_lib_t,s0)
++
++/var/lib/pengine(/.*)? gen_context(system_u:object_r:pacemaker_var_lib_t,s0)
++
++/var/run/crm(/.*)? gen_context(system_u:object_r:pacemaker_var_run_t,s0)
+diff --git a/policy/modules/services/pacemaker.if b/policy/modules/services/pacemaker.if
+new file mode 100644
+index 0000000..7dfb85a
+--- /dev/null
++++ b/policy/modules/services/pacemaker.if
+@@ -0,0 +1,206 @@
++
++## <summary>policy for pacemaker</summary>
++
++########################################
++## <summary>
++## Transition to pacemaker.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`pacemaker_domtrans',`
++ gen_require(`
++ type pacemaker_t, pacemaker_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ domtrans_pattern($1, pacemaker_exec_t, pacemaker_t)
++')
++
++########################################
++## <summary>
++## Execute pacemaker server in the pacemaker domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`pacemaker_initrc_domtrans',`
++ gen_require(`
++ type pacemaker_initrc_exec_t;
++ ')
++
++ init_labeled_script_domtrans($1, pacemaker_initrc_exec_t)
++')
++
++########################################
++## <summary>
++## Search pacemaker lib directories.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`pacemaker_search_lib',`
++ gen_require(`
++ type pacemaker_var_lib_t;
++ ')
++
++ allow $1 pacemaker_var_lib_t:dir search_dir_perms;
++ files_search_var_lib($1)
++')
++
++########################################
++## <summary>
++## Read pacemaker lib files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`pacemaker_read_lib_files',`
++ gen_require(`
++ type pacemaker_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ read_files_pattern($1, pacemaker_var_lib_t, pacemaker_var_lib_t)
++')
++
++########################################
++## <summary>
++## Manage pacemaker lib files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`pacemaker_manage_lib_files',`
++ gen_require(`
++ type pacemaker_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ manage_files_pattern($1, pacemaker_var_lib_t, pacemaker_var_lib_t)
++')
++
++########################################
++## <summary>
++## Manage pacemaker lib directories.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`pacemaker_manage_lib_dirs',`
++ gen_require(`
++ type pacemaker_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ manage_dirs_pattern($1, pacemaker_var_lib_t, pacemaker_var_lib_t)
++')
++
++########################################
++## <summary>
++## Read pacemaker PID files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`pacemaker_read_pid_files',`
++ gen_require(`
++ type pacemaker_var_run_t;
++ ')
++
++ files_search_pids($1)
++ allow $1 pacemaker_var_run_t:file read_file_perms;
++')
++
++########################################
++## <summary>
++## Execute pacemaker server in the pacemaker domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`pacemaker_systemctl',`
++ gen_require(`
++ type pacemaker_t;
++ type pacemaker_unit_file_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ systemd_read_fifo_file_password_run($1)
++ allow $1 pacemaker_unit_file_t:file read_file_perms;
++ allow $1 pacemaker_unit_file_t:service all_service_perms;
++
++ ps_process_pattern($1, pacemaker_t)
++')
++
++
++########################################
++## <summary>
++## All of the rules required to administrate
++## an pacemaker environment
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++## <param name="role">
++## <summary>
++## Role allowed access.
++## </summary>
++## </param>
++## <rolecap/>
++#
++interface(`pacemaker_admin',`
++ gen_require(`
++ type pacemaker_t;
++ type pacemaker_initrc_exec_t;
++ type pacemaker_var_lib_t;
++ type pacemaker_var_run_t;
++ type pacemaker_unit_file_t;
++ ')
++
++ allow $1 pacemaker_t:process { ptrace signal_perms };
++ ps_process_pattern($1, pacemaker_t)
++
++ pacemaker_initrc_domtrans($1)
++ domain_system_change_exemption($1)
++ role_transition $2 pacemaker_initrc_exec_t system_r;
++ allow $2 system_r;
++
++ files_search_var_lib($1)
++ admin_pattern($1, pacemaker_var_lib_t)
++
++ files_search_pids($1)
++ admin_pattern($1, pacemaker_var_run_t)
++
++ pacemaker_systemctl($1)
++ optional_policy(`
++ systemd_passwd_agent_exec($1)
++ systemd_read_fifo_file_passwd_run($1)
++ ')
++')
+diff --git a/policy/modules/services/pacemaker.te b/policy/modules/services/pacemaker.te
+new file mode 100644
+index 0000000..99ab306
+--- /dev/null
++++ b/policy/modules/services/pacemaker.te
+@@ -0,0 +1,49 @@
++policy_module(pacemaker, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type pacemaker_t;
++type pacemaker_exec_t;
++init_daemon_domain(pacemaker_t, pacemaker_exec_t)
++
++type pacemaker_initrc_exec_t;
++init_script_file(pacemaker_initrc_exec_t)
++
++type pacemaker_var_lib_t;
++files_type(pacemaker_var_lib_t)
++
++type pacemaker_var_run_t;
++files_pid_file(pacemaker_var_run_t)
++
++type pacemaker_unit_file_t;
++systemd_unit_file(pacemaker_unit_file_t)
++
++########################################
++#
++# pacemaker local policy
++#
++allow pacemaker_t self:capability { chown dac_override setuid };
++allow pacemaker_t self:process { fork setrlimit signal };
++allow pacemaker_t self:fifo_file rw_fifo_file_perms;
++allow pacemaker_t self:unix_stream_socket create_stream_socket_perms;
++
++manage_dirs_pattern(pacemaker_t, pacemaker_var_lib_t, pacemaker_var_lib_t)
++manage_files_pattern(pacemaker_t, pacemaker_var_lib_t, pacemaker_var_lib_t)
++files_var_lib_filetrans(pacemaker_t, pacemaker_var_lib_t, { dir file })
++
++manage_dirs_pattern(pacemaker_t, pacemaker_var_run_t, pacemaker_var_run_t)
++manage_files_pattern(pacemaker_t, pacemaker_var_run_t, pacemaker_var_run_t)
++files_pid_filetrans(pacemaker_t, pacemaker_var_run_t, { dir file })
++
++domain_use_interactive_fds(pacemaker_t)
++
++files_read_etc_files(pacemaker_t)
++
++auth_use_nsswitch(pacemaker_t)
++
++logging_send_syslog_msg(pacemaker_t)
++
++miscfiles_read_localization(pacemaker_t)
diff --git a/policy/modules/services/pads.fc b/policy/modules/services/pads.fc
index 0870c56..6d5fb1d 100644
--- a/policy/modules/services/pads.fc
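Review bot: `allow pacemaker_t self:capability { chown dac_override setuid };` grants dac_override, which bypasses every DAC check on the host, to a brand-new domain that this same commit makes permissive; a permissive domain logs exactly the capability it needs, so hold dac_override until an AVC shows it and add a why-comment if it stays. `pacemaker_systemctl` calls `systemd_read_fifo_file_password_run($1)` but `pacemaker_admin` calls `systemd_read_fifo_file_passwd_run($1)`, so one of the two names is presumably wrong, and only the admin call is protected by optional_policy. In pacemaker.fc the unescaped `.` in `pacemaker.service` should be `pacemaker\.service`. The domain has no exec or transition rules for the helper daemons pacemakerd spawns; if they live outside /usr/sbin/pacemakerd they would run as pacemaker_t without a transition — worth confirming once AVCs come in.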
diff --git a/selinux-policy.spec b/selinux-policy.spec
index aa85f0d..2b937ca 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.10.0
-Release: 97%{?dist}
+Release: 98%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -478,6 +478,11 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Fri Mar 9 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-98
+- Add policy for nove-cert
+- Add labeling for nova-openstack systemd unit files
+- Add policy for keystoke
+
* Thu Mar 8 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-97
- Fix man pages fro domains
- Add man pages for SELinux users and roles