From 8f0e096f6efe0147e740f98877b8af8c24f5e454 Mon Sep 17 00:00:00 2001 From: James Slagle Date: Thu, 31 Jul 2014 11:56:51 -0400 Subject: [PATCH] Custom policy for nova and ironic --- .../ironic-map-file.audit2allow | 7 +++ .../selinux-policy-updates/ironic-map-file.pp | Bin 0 -> 2273 bytes .../selinux-policy-updates/ironic-map-file.te | 45 ++++++++++++++++++ .../nova-rootwrap-dac.audit2allow | 2 + .../nova-rootwrap-dac.pp | Bin 0 -> 2136 bytes .../nova-rootwrap-dac.te | 32 +++++++++++++ 6 files changed, 86 insertions(+) create mode 100644 elements/selinux-policy-updates/ironic-map-file.audit2allow create mode 100644 elements/selinux-policy-updates/ironic-map-file.pp create mode 100644 elements/selinux-policy-updates/ironic-map-file.te create mode 100644 elements/selinux-policy-updates/nova-rootwrap-dac.audit2allow create mode 100644 elements/selinux-policy-updates/nova-rootwrap-dac.pp create mode 100644 elements/selinux-policy-updates/nova-rootwrap-dac.te diff --git a/elements/selinux-policy-updates/ironic-map-file.audit2allow b/elements/selinux-policy-updates/ironic-map-file.audit2allow new file mode 100644 index 000000000..8f138baba --- /dev/null +++ b/elements/selinux-policy-updates/ironic-map-file.audit2allow 
@@ -0,0 +1,7 @@
+type=AVC msg=audit(1406815389.458:128232): avc: denied { read } for pid=15291 comm="in.tftpd" name="map-file" dev="vda3" ino=1545220 scontext=system_u:system_r:tftpd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:default_t:s0 tclass=file
+type=AVC msg=audit(1406815586.318:128850): avc: denied { open } for pid=16162 comm="in.tftpd" path="/tftpboot/map-file" dev="vda3" ino=1545220 scontext=system_u:system_r:tftpd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:default_t:s0 tclass=file
+type=AVC msg=audit(1406815587.087:128851): avc: denied { open } for pid=16163 comm="in.tftpd" path="/tftpboot/map-file" dev="vda3" ino=1545220 scontext=system_u:system_r:tftpd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:default_t:s0 tclass=file
+type=AVC msg=audit(1406815645.923:129066): avc: denied { getattr } for pid=16430 comm="in.tftpd" path="/tftpboot/map-file" dev="vda3" ino=1545220 scontext=system_u:system_r:tftpd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:default_t:s0 tclass=file
+type=AVC msg=audit(1406815646.004:129067): avc: denied { read } for pid=16433 comm="in.tftpd" name="01-00-aa-57-ce-26-0b" dev="vda3" ino=1545223 scontext=system_u:system_r:tftpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=lnk_file
+type=AVC msg=audit(1406815711.453:129400): avc: denied { lock } for pid=16743 comm="in.tftpd" path="/tftpboot/237b3994-a853-4a74-b7a6-7e5944220003/config" dev="vda3" ino=1545222 scontext=system_u:system_r:tftpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=file
+
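Review bot: Every denial in this log carries `tcontext=...:object_r:default_t:s0` on paths under /tftpboot, which says the TFTP tree is unlabeled, not that tftpd_t is missing a legitimate permission; a module that answers these entries by allowing tftpd_t access to default_t (as the accompanying ironic-map-file.te, not visible in this view, presumably does) would let the TFTP daemon read any other mislabeled file on the host. The narrower fix is a file-context rule plus relabel, e.g. `semanage fcontext -a -t tftpdir_rw_t "/tftpboot(/.*)?"` followed by `restorecon -Rv /tftpboot`, after which the stock tftpd policy is expected to already permit read/getattr/lock on tftpdir_rw_t files and lnk_files, making a custom module for these six entries unnecessary. If the module is kept anyway, record in its .te header that it exists only because /tftpboot was left with the default label, so the next maintainer knows it can be dropped once the labeling is fixed.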
diff --git a/elements/selinux-policy-updates/ironic-map-file.pp b/elements/selinux-policy-updates/ironic-map-file.pp new file mode 100644 index 0000000000000000000000000000000000000000..0e2d6fc7a870ccf22d7b139d256f960b836a3649 GIT binary patch literal 2273 zcmcJQTaME(6oyN=U&Lhx-M}E&fnRt*@WcYFkhn}}npCMffP};f5bNa$&gb-RJb?}) zRUGL**Wc&3jT8U)_4VhC*=z=$8opcn#O%9Qi#K(<`@DGDRl6q4E%nR*?VbUFR`*?7 zmuKr@bGEFTaMMyRpTBTsrb0=ehEG?3RCRyX3qAlDBdn(_K;Ydm3rZu#aN9gqed_BNps{4X148z>9X3Q$paCpxx^hJhYPSik zHpgbQ!S4OXP)6T7%SoIZv$?Nyo})K-Y+#mVn0sk$-PX}x6us|vt&b0^%I1%;+wP+9 z#ikyZ^gqU2g)iIKwZX@S#^V1u#@uZ~@6WrnQ8`SaVG)<~pwjqlc^)`ky^m~wr=m5m z9BMCd88?-W_bt>T`&-*8EQ?(eebl;RR&&$@UjERW#Xxm@#3el{Vj!MQDY;yz>&%Pm zEC=$~!jopqZT+K3PdAAzJb6Yr>FKhVLyEYhM@0Zi#qFWB3yTq#^r(n|c>kL5I^(hqXzjv$#3el{ zVj$jCGvJ74?m^ta8+s9o$2*OctE{mr}=zF&Zh_Bk{;Cm z@U!+Ox$GC%UCB=s_~hskR1V8)$c2~Z@ZsxDnwzh>?wHH>h^kobl=0q}R>pfGuW)B% e_d;IcyiMf}RVl?sX0l`z zs#wpTnuWktV*I*VR%h*^O_$HN5j&LcHzCHh2~@@k=3=NCKO|!cP#GiApPh#~`RKAY zs6)0WWt?2#h2eogdzd+KsI9bJoBXDVKCU~TD2s9qvAJ(wEnA<+%kA9Ctov@&FT#*l z)u}>ft0iB;XJ^iBaZFyg;_+^X%X(DAIh!t?h}%MI@e!BxsPKV!|6`At?T5Im zN2NL#bsjiCK0iyuWj!i-bxAG3$icf=JQHc&n_Rpunl3?R;x*@(+} zP{-I)qrwBqRqj{L^E*Ra)`R*Nc9H&0CbdzEH8)BV=*#0@i)J;_2=sqJf^wcdz1!mz zWhC#|)5{3!hGwW9UPf6r_Utl3|K97-Wti`5zbBV*`g75P%Mktey62VwoBvDx0FiH? A_5c6? literal 0 HcmV?d00001 diff --git a/elements/selinux-policy-updates/nova-rootwrap-dac.te b/elements/selinux-policy-updates/nova-rootwrap-dac.te new file mode 100644 index 000000000..125580af2 --- /dev/null +++ b/elements/selinux-policy-updates/nova-rootwrap-dac.te 
@@ -0,0 +1,32 @@
+
+module nova-rootwrap-dac 1.0;
+
+require {
+ type nova_scheduler_t;
+ type nova_api_t;
+ type nova_console_t;
+ type init_var_run_t;
+ type user_home_dir_t;
+ type var_run_t;
+ type nova_cert_t;
+ type keystone_t;
+ class capability { dac_read_search dac_override };
+ class dir { write search getattr };
+}
+
+#============= keystone_t ==============
+allow keystone_t init_var_run_t:dir write;
+
+#============= nova_api_t ==============
+allow nova_api_t self:capability { dac_read_search dac_override };
+allow nova_api_t user_home_dir_t:dir { search getattr };
+
+#============= nova_cert_t ==============
+allow nova_cert_t user_home_dir_t:dir { search getattr };
+allow nova_cert_t var_run_t:dir write;
+
+#============= nova_console_t ==============
+allow nova_console_t user_home_dir_t:dir { search getattr };
+
+#============= nova_scheduler_t ==============
+allow nova_scheduler_t user_home_dir_t:dir { search getattr };
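Review bot: `allow nova_api_t self:capability { dac_read_search dac_override };` lets nova-api bypass every file-mode check it would otherwise be subject to, which is the broadest grant in this module and in practice usually indicates a file owned by the wrong uid (the service reaching into another account's files) rather than a capability nova-api needs. The file that produced that denial (in the nova-rootwrap-dac.audit2allow log this commit adds, not shown here) should be re-owned or re-moded first; if the access then proves unnecessary, `dontaudit nova_api_t self:capability { dac_read_search dac_override };` silences the log without widening the domain. The `user_home_dir_t:dir { search getattr }` rules for four nova domains and the `var_run_t` / `init_var_run_t:dir write` rules point the same way — a $HOME resolving to a user directory and a pid/lock directory left with the generic /run label instead of a service type such as nova_var_run_t — and are better fixed by environment and file-context corrections than by policy. The module also has no header comment; a line such as `# Rules generated by audit2allow from nova-rootwrap-dac.audit2allow; re-verify each one after relabeling` would tell maintainers where these came from and that they are provisional.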