Custom policy for nova and ironic

2014-07-31 11:56:51 -04:00 · 2014-07-31 11:56:51 -04:00 · 8f0e096f6e
commit 8f0e096f6e
parent 02ddb69878
6 changed files with 86 additions and 0 deletions
--- a/elements/selinux-policy-updates/ironic-map-file.audit2allow
+++ b/elements/selinux-policy-updates/ironic-map-file.audit2allow
@ -0,0 +1,7 @@
+type=AVC msg=audit(1406815389.458:128232): avc:  denied  { read } for  pid=15291 comm="in.tftpd" name="map-file" dev="vda3" ino=1545220 scontext=system_u:system_r:tftpd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:default_t:s0 tclass=file
+type=AVC msg=audit(1406815586.318:128850): avc:  denied  { open } for  pid=16162 comm="in.tftpd" path="/tftpboot/map-file" dev="vda3" ino=1545220 scontext=system_u:system_r:tftpd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:default_t:s0 tclass=file
+type=AVC msg=audit(1406815587.087:128851): avc:  denied  { open } for  pid=16163 comm="in.tftpd" path="/tftpboot/map-file" dev="vda3" ino=1545220 scontext=system_u:system_r:tftpd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:default_t:s0 tclass=file
+type=AVC msg=audit(1406815645.923:129066): avc:  denied  { getattr } for  pid=16430 comm="in.tftpd" path="/tftpboot/map-file" dev="vda3" ino=1545220 scontext=system_u:system_r:tftpd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:default_t:s0 tclass=file
+type=AVC msg=audit(1406815646.004:129067): avc:  denied  { read } for  pid=16433 comm="in.tftpd" name="01-00-aa-57-ce-26-0b" dev="vda3" ino=1545223 scontext=system_u:system_r:tftpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=lnk_file
+type=AVC msg=audit(1406815711.453:129400): avc:  denied  { lock } for  pid=16743 comm="in.tftpd" path="/tftpboot/237b3994-a853-4a74-b7a6-7e5944220003/config" dev="vda3" ino=1545222 scontext=system_u:system_r:tftpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=file
+
--- a/elements/selinux-policy-updates/ironic-map-file.pp
+++ b/elements/selinux-policy-updates/ironic-map-file.pp
--- a/elements/selinux-policy-updates/ironic-map-file.te
+++ b/elements/selinux-policy-updates/ironic-map-file.te
@ -0,0 +1,45 @@
+
+module ironic-map-file 1.0;
+
+require {
+	type nova_scheduler_t;
+	type user_home_t;
+	type nova_api_t;
+	type init_var_run_t;
+	type default_t;
+	type tftpd_t;
+	type keystone_t;
+	class lnk_file read;
+	class file { write getattr setattr read lock create open };
+	class dir { getattr add_name };
+}
+
+#============= keystone_t ==============
+
+#!!!! This avc is allowed in the current policy
+allow keystone_t init_var_run_t:dir add_name;
+allow keystone_t init_var_run_t:file { read setattr };
+
+#!!!! This avc is allowed in the current policy
+allow keystone_t init_var_run_t:file { write create open getattr };
+
+#============= nova_api_t ==============
+
+#!!!! This avc is allowed in the current policy
+allow nova_api_t user_home_t:dir getattr;
+
+#============= nova_scheduler_t ==============
+
+#!!!! This avc is allowed in the current policy
+allow nova_scheduler_t user_home_t:dir getattr;
+
+#============= tftpd_t ==============
+
+#!!!! This avc can be allowed using the boolean 'tftp_home_dir'
+allow tftpd_t default_t:file lock;
+
+#!!!! This avc is allowed in the current policy
+allow tftpd_t default_t:file { read getattr open };
+
+#!!!! This avc is allowed in the current policy
+allow tftpd_t default_t:lnk_file read;
--- a/elements/selinux-policy-updates/nova-rootwrap-dac.audit2allow
+++ b/elements/selinux-policy-updates/nova-rootwrap-dac.audit2allow
@ -0,0 +1,2 @@
+type=AVC msg=audit(1406754843.602:9981): avc:  denied  { dac_override } for  pid=21038 comm="nova-rootwrap" capability=1  scontext=system_u:system_r:nova_api_t:s0 tcontext=system_u:system_r:nova_api_t:s0 tclass=capability
+type=AVC msg=audit(1406754843.602:9981): avc:  denied  { dac_read_search } for  pid=21038 comm="nova-rootwrap" capability=2  scontext=system_u:system_r:nova_api_t:s0 tcontext=system_u:system_r:nova_api_t:s0 tclass=capability
--- a/elements/selinux-policy-updates/nova-rootwrap-dac.pp
+++ b/elements/selinux-policy-updates/nova-rootwrap-dac.pp
--- a/elements/selinux-policy-updates/nova-rootwrap-dac.te
+++ b/elements/selinux-policy-updates/nova-rootwrap-dac.te
@ -0,0 +1,32 @@
+
+module nova-rootwrap-dac 1.0;
+
+require {
+	type nova_scheduler_t;
+	type nova_api_t;
+	type nova_console_t;
+	type init_var_run_t;
+	type user_home_dir_t;
+	type var_run_t;
+	type nova_cert_t;
+	type keystone_t;
+	class capability { dac_read_search dac_override };
+	class dir { write search getattr };
+}
+
+#============= keystone_t ==============
+allow keystone_t init_var_run_t:dir write;
+
+#============= nova_api_t ==============
+allow nova_api_t self:capability { dac_read_search dac_override };
+allow nova_api_t user_home_dir_t:dir { search getattr };
+
+#============= nova_cert_t ==============
+allow nova_cert_t user_home_dir_t:dir { search getattr };
+allow nova_cert_t var_run_t:dir write;
+
+#============= nova_console_t ==============
+allow nova_console_t user_home_dir_t:dir { search getattr };
+
+#============= nova_scheduler_t ==============
+allow nova_scheduler_t user_home_dir_t:dir { search getattr };