Merge "SELinux keepalived read denials"

This commit is contained in:
Jenkins 2015-04-24 14:47:03 +00:00 committed by Gerrit Code Review
commit 461c6bc1b8
1 changed files with 15 additions and 2 deletions


@ -4,10 +4,15 @@ module tripleo-selinux-keepalived 1.0;
gen_require(`
type haproxy_t;
type keepalived_t;
type var_log_t;
type cloud_var_lib_t;
type ifconfig_exec_t;
type init_var_lib_t;
type var_lib_t;
class process signull;
class capability kill;
class dir { getattr search open read lock ioctl };
class file { open { getattr read ioctl lock } };
class file { open getattr read ioctl lock execute execute_no_trans };
class lnk_file { getattr read };
')
@ -19,4 +24,12 @@ gen_require(`
domain_read_all_domains_state(keepalived_t)
allow keepalived_t haproxy_t:process signull;
allow keepalived_t self:capability kill;
allow keepalived_t self:capability kill;
# https://bugs.launchpad.net/tripleo/+bug/1416056
# https://bugzilla.redhat.com/show_bug.cgi?id=1187348
allow keepalived_t cloud_var_lib_t:file { read getattr open };
allow keepalived_t ifconfig_exec_t:file { read getattr open execute execute_no_trans };
allow keepalived_t init_var_lib_t:file { read getattr open };
allow keepalived_t var_lib_t:file { read getattr open };
allow keepalived_t var_log_t:file open;
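Review bot: The `execute_no_trans` permission on ifconfig_exec_t in the second hunk runs ifconfig inside keepalived_t rather than transitioning it into its own confined domain, so any rule later needed for ifconfig's own behaviour would have to be granted to keepalived_t; using the refpolicy transition interface instead, `sysnet_domtrans_ifconfig(keepalived_t)`, keeps the binary confined and removes the raw ifconfig_exec_t require, matching the interface style already used by `domain_read_all_domains_state` above. The `var_lib_t:file { read getattr open }` rule is broad, since var_lib_t is the generic label for anything under /var/lib without a more specific type; if the denial came from one known path, a specific type for that path would be tighter. The commit cites only the two bug links, so a one-line comment naming the denied path each rule answers, e.g. `# AVC: keepalived_t read on <PATH-PLACEHOLDER> (launchpad 1416056)`, would make the grants auditable later. `allow keepalived_t self:capability kill;` appears twice; if that is not a rendering artifact of a changed line, the duplicate should be dropped.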