[selinux-policy] - More rules for gears and openshift

Miroslav Grepl mgrepl at fedoraproject.org
Wed May 7 19:48:43 UTC 2014


commit 6fbf46087c50dff534a27ff418c78fad8673796c
Author: Miroslav Grepl <mgrepl at redhat.com>
Date:   Wed May 7 21:48:58 2014 +0200

    - More rules for gears and openshift

 policy-rawhide-contrib.patch |   55 ++++++++++++++++++++++++++++++++----------
 selinux-policy.spec          |    5 +++-
 2 files changed, 46 insertions(+), 14 deletions(-)
---
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index c843a25..89479f4 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -27964,16 +27964,16 @@ index 2820368..88c98f4 100644
  userdom_dontaudit_use_unpriv_user_fds(gatekeeper_t)
 diff --git a/gear.fc b/gear.fc
 new file mode 100644
-index 0000000..5eabf35
+index 0000000..98c012c
 --- /dev/null
 +++ b/gear.fc
 @@ -0,0 +1,7 @@
 +/usr/bin/gear			--	gen_context(system_u:object_r:gear_exec_t,s0)
 +
-+/usr/lib/systemd/system/gear.service		--	gen_context(system_u:object_r:gear_unit_file_t,s0)
-+
-+/var/lib/containers/bin/gear	--	gen_context(system_u:object_r:gear_exec_t,s0)
++/usr/lib/systemd/system/gear.service	--	gen_context(system_u:object_r:gear_unit_file_t,s0)
 +
++/var/lib/containers(/.*)?			gen_context(system_u:object_r:gear_var_lib_t,s0)
++/var/lib/containers/units(/.*)?			gen_context(system_u:object_r:gear_unit_file_t,s0)
 +/var/lib/gear(/.*)?		gen_context(system_u:object_r:gear_var_lib_t,s0)
 diff --git a/gear.if b/gear.if
 new file mode 100644
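Review bot: The removed `/var/lib/containers/bin/gear -- gear_exec_t` entry has no replacement, so a gear binary still installed at that path would now match the new `/var/lib/containers(/.*)?` line and be labelled gear_var_lib_t, which is not an entrypoint, and no transition to gear_t would happen when it is executed. If that path is still shipped, re-add `/var/lib/containers/bin/gear -- gen_context(system_u:object_r:gear_exec_t,s0)` below the directory line; if it is gone, this is fine. The `/var/lib/containers/units(/.*)?` entry labels a tree under the daemon's own var_lib as gear_unit_file_t; that is presumably intentional (gear generates units there), but it deserves a one-line comment in gear.fc since unit-file types normally live under /usr/lib/systemd.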
@@ -28271,10 +28271,10 @@ index 0000000..04e159f
 +')
 diff --git a/gear.te b/gear.te
 new file mode 100644
-index 0000000..45141fc
+index 0000000..75d7bc3
 --- /dev/null
 +++ b/gear.te
-@@ -0,0 +1,115 @@
+@@ -0,0 +1,121 @@
 +policy_module(gear, 1.0.0)
 +
 +########################################
@@ -28360,6 +28360,7 @@ index 0000000..45141fc
 +
 +init_read_state(gear_t)
 +init_dbus_chat(gear_t)
++init_enable_services(gear_t)
 +
 +iptables_domtrans(gear_t)
 +
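Review bot: `init_enable_services(gear_t)` lets gear_t enable and disable system services through systemd, and together with the gear.fc change that labels /var/lib/containers/units as gear_unit_file_t it makes gear_t a unit-management domain; that is a broad grant and there is no comment saying why. Add a why-comment above it, e.g. `# gear presumably writes units to /var/lib/containers/units (gear_unit_file_t) and enables them via systemd`, confirming the path against the gear source. The surrounding gear.te block continues outside the hunk.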
@@ -28384,11 +28385,16 @@ index 0000000..45141fc
 +')
 +
 +optional_policy(`
++	dbus_system_bus_client(gear_t)
++')
++
++optional_policy(`
 +	docker_stream_connect(gear_t)
 +')
 +
 +optional_policy(`
 +	openshift_manage_lib_files(gear_t)
++	openshift_relabelfrom_lib(gear_t)
 +')
 diff --git a/geoclue.fc b/geoclue.fc
 new file mode 100644
@@ -56883,7 +56889,7 @@ index 0000000..a437f80
 +files_read_config_files(openshift_domain)
 diff --git a/openshift.fc b/openshift.fc
 new file mode 100644
-index 0000000..88c2186
+index 0000000..418db16
 --- /dev/null
 +++ b/openshift.fc
 @@ -0,0 +1,28 @@
@@ -56894,7 +56900,7 @@ index 0000000..88c2186
 +
 +/var/lib/stickshift(/.*)?            gen_context(system_u:object_r:openshift_var_lib_t,s0)
 +/var/lib/stickshift/.*/data(/.*)?	       gen_context(system_u:object_r:openshift_rw_file_t,s0)
-+/var/lib/containers(/.*)?            gen_context(system_u:object_r:openshift_var_lib_t,s0)
++/var/lib/containers/home(/.*)?            gen_context(system_u:object_r:openshift_var_lib_t,s0)
 +/var/lib/openshift(/.*)?            gen_context(system_u:object_r:openshift_var_lib_t,s0)
 +/var/lib/openshift/.*/data(/.*)?          gen_context(system_u:object_r:openshift_rw_file_t,s0)
 +
@@ -56917,10 +56923,10 @@ index 0000000..88c2186
 +/var/run/openshift(/.*)?               gen_context(system_u:object_r:openshift_var_run_t,s0)
 diff --git a/openshift.if b/openshift.if
 new file mode 100644
-index 0000000..cf03270
+index 0000000..a60155c
 --- /dev/null
 +++ b/openshift.if
-@@ -0,0 +1,702 @@
+@@ -0,0 +1,721 @@
 +
 +## <summary> policy for openshift </summary>
 +
@@ -57285,6 +57291,26 @@ index 0000000..cf03270
 +	manage_sock_files_pattern($1, openshift_file_type, openshift_file_type)
 +')
 +
++########################################
++## <summary>
++##	Relabel openshift library files 
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`openshift_relabelfrom_lib',`
++	gen_require(`
++		type openshift_var_lib_t;
++	')
++
++	files_search_var_lib($1)
++	relabel_dirs_pattern($1, openshift_var_lib_t, openshift_var_lib_t)
++	relabel_files_pattern($1, openshift_var_lib_t, openshift_var_lib_t)
++')
++
 +#######################################
 +## <summary>
 +##	Create private objects in the
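Review bot: The interface is named `openshift_relabelfrom_lib`, but `relabel_dirs_pattern`/`relabel_files_pattern` with openshift_var_lib_t in both type positions grant relabelfrom and relabelto on openshift_var_lib_t, so the name understates what it allows. If the caller (gear_t, in the gear.te hunk above) only needs to relabel files away from openshift_var_lib_t, use `relabelfrom_dirs_pattern($1, openshift_var_lib_t, openshift_var_lib_t)` and `relabelfrom_files_pattern($1, openshift_var_lib_t, openshift_var_lib_t)`; otherwise rename it to `openshift_relabel_lib` and say so in the summary. The summary line `##	Relabel openshift library files ` also carries trailing whitespace.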
@@ -57339,7 +57365,6 @@ index 0000000..cf03270
 +	allow $1 openshift_var_run_t:file read_file_perms;
 +')
 +
-+
 +########################################
 +## <summary>
 +##	All of the rules required to administrate
@@ -57625,10 +57650,10 @@ index 0000000..cf03270
 +')
 diff --git a/openshift.te b/openshift.te
 new file mode 100644
-index 0000000..db64c6a
+index 0000000..a2db55e
 --- /dev/null
 +++ b/openshift.te
-@@ -0,0 +1,576 @@
+@@ -0,0 +1,580 @@
 +policy_module(openshift,1.0.0)
 +
 +gen_require(`
@@ -57953,6 +57978,10 @@ index 0000000..db64c6a
 +')
 +
 +optional_policy(`
++	gear_search_lib(openshift_domain)
++')
++
++optional_policy(`
 +	gpg_entry_type(openshift_domain)
 +')
 +
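Review bot: `gear_search_lib(openshift_domain)` is added without a comment, and the reason is only visible in the other hunks of this commit (gear.fc now labels /var/lib/containers as gear_var_lib_t while openshift.fc keeps /var/lib/containers/home as openshift_var_lib_t). Add a why-comment inside the block, e.g. `# openshift homes live under /var/lib/containers/home, whose parent is gear_var_lib_t`, so the dependency on the gear module is understandable from openshift.te alone. The surrounding openshift.te block continues outside the hunk.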
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 173e757..6e5a903 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 51%{?dist}
+Release: 52%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -588,6 +588,9 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Wed May 7 2014 Miroslav Grepl<mgrepl at redhat.com> 3.13.1-52
+- More rules for gears and openshift
+
 * Wed May 7 2014 Miroslav Grepl<mgrepl at redhat.com> 3.13.1-51
 - Add gear fixes from dwalsh
 

