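--- a/ctdb.if
+++ b/ctdb.if
@@ -55,6 +55,23 @@ interface(`ctdbd_signal',`
 allow $1 ctdbd_t:process signal;
 ')
 
+#######################################
+## <summary>
+## Allow domain to sigchld ctdbd.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ctdbd_sigchld',`
+ gen_require(`
+ type ctdbd_t;
+ ')
+ allow $1 ctdbd_t:process sigchld;
+')
+
 ########################################
 ## <summary>
 ## Read ctdbd's log files.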
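--- a/glusterd.fc
+++ b/glusterd.fc
@@ -6,13 +6,17 @@
 /usr/sbin/glusterd -- gen_context(system_u:object_r:glusterd_initrc_exec_t,s0)
 /usr/sbin/glusterfsd -- gen_context(system_u:object_r:glusterd_exec_t,s0)
 
+/usr/bin/ganesha.nfsd -- gen_context(system_u:object_r:glusterd_exec_t,s0)
+
 /opt/glusterfs/[^/]+/sbin/glusterfsd -- gen_context(system_u:object_r:glusterd_exec_t,s0)
 
 /var/lib/glusterd(/.*)? gen_context(system_u:object_r:glusterd_var_lib_t,s0)
 
 /var/log/glusterfs(/.*)? gen_context(system_u:object_r:glusterd_log_t,s0)
+/var/log/ganesha.log -- gen_context(system_u:object_r:glusterd_log_t,s0)
 
 /var/run/gluster(/.*)? gen_context(system_u:object_r:glusterd_var_run_t,s0)
 /var/run/glusterd(/.*)? gen_context(system_u:object_r:glusterd_var_run_t,s0)
 /var/run/glusterd.* -- gen_context(system_u:object_r:glusterd_var_run_t,s0)
 /var/run/glusterd.* -s gen_context(system_u:object_r:glusterd_var_run_t,s0)
+/var/run/ganesha.* -- gen_context(system_u:object_r:glusterd_var_run_t,s0)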
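--- a/glusterd.te
+++ b/glusterd.te
@@ -62,7 +62,7 @@ files_type(glusterd_brick_t)
 allow glusterd_t self:capability { sys_admin sys_resource sys_ptrace dac_override chown dac_read_search fowner fsetid kill setgid setuid net_admin mknod net_raw };
 
 allow glusterd_t self:capability2 block_suspend;
-allow glusterd_t self:process { getcap setcap setrlimit signal_perms setsched getsched };
+allow glusterd_t self:process { getcap setcap setrlimit signal_perms setsched getsched setfscreate};
 allow glusterd_t self:sem create_sem_perms;
 allow glusterd_t self:fifo_file rw_fifo_file_perms;
 allow glusterd_t self:tcp_socket { accept listen };
@@ -81,10 +81,8 @@ files_tmp_filetrans(glusterd_t, glusterd_tmp_t, { dir file sock_file })
 allow glusterd_t glusterd_tmp_t:dir mounton;
 
 manage_dirs_pattern(glusterd_t, glusterd_log_t, glusterd_log_t)
-append_files_pattern(glusterd_t, glusterd_log_t, glusterd_log_t)
-create_files_pattern(glusterd_t, glusterd_log_t, glusterd_log_t)
-setattr_files_pattern(glusterd_t, glusterd_log_t, glusterd_log_t)
-logging_log_filetrans(glusterd_t, glusterd_log_t, dir)
+manage_files_pattern(glusterd_t, glusterd_log_t, glusterd_log_t)
+logging_log_filetrans(glusterd_t, glusterd_log_t, { file dir })
 
 manage_dirs_pattern(glusterd_t, glusterd_var_run_t, glusterd_var_run_t)
 manage_files_pattern(glusterd_t, glusterd_var_run_t, glusterd_var_run_t)
@@ -240,12 +238,21 @@ optional_policy(`
 optional_policy(`
 policykit_dbus_chat(glusterd_t)
 ')
+
+ optional_policy(`
+ unconfined_dbus_chat(glusterd_t)
+ ')
 ')
 
 optional_policy(`
 hostname_exec(glusterd_t)
 ')
 
+
+optional_policy(`
+ kerberos_read_keytab(glusterd_t)
+')
+
 optional_policy(`
 lvm_domtrans(glusterd_t)
 ')
@@ -281,6 +288,7 @@ optional_policy(`
 rpc_domtrans_nfsd(glusterd_t)
 rpc_domtrans_rpcd(glusterd_t)
 rpc_manage_nfs_state_data(glusterd_t)
+ rpcbind_stream_connect(glusterd_t)
 ')
 
 optional_policy(`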
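--- a/openvswitch.te
+++ b/openvswitch.te
@@ -32,7 +32,7 @@ systemd_unit_file(openvswitch_unit_file_t)
 # openvswitch local policy
 #
 
-allow openvswitch_t self:capability { net_admin ipc_lock sys_module sys_nice sys_resource };
+allow openvswitch_t self:capability { net_admin ipc_lock sys_module sys_nice sys_rawio sys_resource };
 allow openvswitch_t self:capability2 block_suspend;
 allow openvswitch_t self:process { fork setsched setrlimit signal };
 allow openvswitch_t self:fifo_file rw_fifo_file_perms;
@@ -92,6 +92,8 @@ files_read_kernel_modules(openvswitch_t)
 
 fs_getattr_all_fs(openvswitch_t)
 fs_search_cgroup_dirs(openvswitch_t)
+fs_manage_hugetlbfs_files(openvswitch_t)
+fs_manage_hugetlbfs_dirs(openvswitch_t)
 
 auth_use_nsswitch(openvswitch_t)
 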
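--- a/rhcs.te
+++ b/rhcs.te
@@ -319,6 +319,7 @@ optional_policy(`
 rpc_domtrans_nfsd(cluster_t)
 rpc_domtrans_rpcd(cluster_t)
 rpc_manage_nfs_state_data(cluster_t)
+ rpc_filetrans_var_lib_nfs_content(cluster_t)
 ')
 
 optional_policy(`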
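--- a/rpc.if
+++ b/rpc.if
@@ -424,6 +424,24 @@ interface(`rpc_rw_gssd_keys',`
 allow $1 gssd_t:key { read search setattr view write };
 ')
 
+########################################
+## <summary>
+## Transition to alsa named content
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rpc_filetrans_var_lib_nfs_content',`
+ gen_require(`
+ type var_lib_nfs_t;
+ ')
+
+ files_var_lib_filetrans($1, var_lib_nfs_t, lnk_file, "nfs")
+')
+
 #######################################
 ## <summary>
 ## All of the rules required to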
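--- a/rpc.te
+++ b/rpc.te
@@ -21,6 +21,13 @@ gen_tunable(gssd_read_tmp, true)
 ## </desc>
 gen_tunable(nfsd_anon_write, false)
 
+## <desc>
+##
+## Allow rpcd_t to manage fuse files
+##
+## </desc>
+gen_tunable(rpcd_use_fusefs, false)
+
 attribute rpc_domain;
 
 type exports_t;
@@ -135,6 +142,8 @@ manage_dirs_pattern(rpcd_t, rpcd_var_run_t, rpcd_var_run_t)
 manage_files_pattern(rpcd_t, rpcd_var_run_t, rpcd_var_run_t)
 files_pid_filetrans(rpcd_t, rpcd_var_run_t, { file dir })
 
+read_lnk_files_pattern(rpcd_t, var_lib_nfs_t, var_lib_nfs_t)
+
 # rpc.statd executes sm-notify
 can_exec(rpcd_t, rpcd_exec_t)
 
@@ -171,6 +180,13 @@ miscfiles_read_generic_certs(rpcd_t)
 userdom_signal_unpriv_users(rpcd_t)
 userdom_read_user_home_content_files(rpcd_t)
 
+tunable_policy(`rpcd_use_fusefs',`
+ fs_manage_fusefs_dirs(rpcd_t)
+ fs_manage_fusefs_files(rpcd_t)
+ fs_read_fusefs_symlinks(rpcd_t)
+ fs_getattr_fusefs(rpcd_t)
+')
+
 ifdef(`distro_debian',`
 term_dontaudit_use_unallocated_ttys(rpcd_t)
 ')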
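--- a/samba.te
+++ b/samba.te
@@ -726,6 +726,7 @@ userdom_use_inherited_user_terminals(smbcontrol_t)
 
 optional_policy(`
 ctdbd_stream_connect(smbcontrol_t)
+ ctdbd_sigchld(smbcontrol_t)
 ')
 
 ########################################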