|
 |
4e9cfe |
diff --git a/certmonger.te b/certmonger.te
|
|
|
4e9cfe |
index 0803529e4..0585431e1 100644
|
|
|
4e9cfe |
--- a/certmonger.te
|
|
|
4e9cfe |
+++ b/certmonger.te
|
|
|
4e9cfe |
@@ -144,6 +144,7 @@ optional_policy(`
|
|
|
4e9cfe |
optional_policy(`
|
|
|
4e9cfe |
pki_rw_tomcat_cert(certmonger_t)
|
|
|
4e9cfe |
pki_read_tomcat_lib_files(certmonger_t)
|
|
|
4e9cfe |
+ pki_tomcat_systemctl(certmonger_t)
|
|
|
4e9cfe |
')
|
|
|
4e9cfe |
|
|
|
4e9cfe |
optional_policy(`
|
|
|
a3dbbd |
diff --git a/lldpad.te b/lldpad.te
|
|
|
a3dbbd |
index 42e5578f2..3399d597a 100644
|
|
|
a3dbbd |
--- a/lldpad.te
|
|
|
a3dbbd |
+++ b/lldpad.te
|
|
|
a3dbbd |
@@ -64,3 +64,7 @@ optional_policy(`
|
|
|
a3dbbd |
optional_policy(`
|
|
|
a3dbbd |
networkmanager_dgram_send(lldpad_t)
|
|
|
a3dbbd |
')
|
|
|
a3dbbd |
+
|
|
|
a3dbbd |
+optional_policy(`
|
|
|
a3dbbd |
+ virt_dgram_send(lldpad_t)
|
|
|
a3dbbd |
+')
|
|
|
4e9cfe |
diff --git a/pki.if b/pki.if
|
|
|
4e9cfe |
index f18fcc68f..f69ae0298 100644
|
|
|
4e9cfe |
--- a/pki.if
|
|
|
4e9cfe |
+++ b/pki.if
|
|
|
4e9cfe |
@@ -477,3 +477,27 @@ interface(`pki_stream_connect',`
|
|
|
4e9cfe |
files_search_pids($1)
|
|
|
4e9cfe |
stream_connect_pattern($1, pki_common_t, pki_common_t, pki_tomcat_t)
|
|
|
4e9cfe |
')
|
|
|
4e9cfe |
+
|
|
|
4e9cfe |
+########################################
|
|
|
4e9cfe |
+## <summary>
|
|
|
4e9cfe |
+## Execute pki in the pkit_tomcat_t domain.
|
|
|
4e9cfe |
+## </summary>
|
|
|
4e9cfe |
+## <param name="domain">
|
|
|
4e9cfe |
+## <summary>
|
|
|
4e9cfe |
+## Domain allowed to transition.
|
|
|
4e9cfe |
+## </summary>
|
|
|
4e9cfe |
+## </param>
|
|
|
4e9cfe |
+#
|
|
|
4e9cfe |
+interface(`pki_tomcat_systemctl',`
|
|
|
4e9cfe |
+ gen_require(`
|
|
|
4e9cfe |
+ type pki_tomcat_t;
|
|
|
4e9cfe |
+ type pki_tomcat_unit_file_t;
|
|
|
4e9cfe |
+ ')
|
|
|
4e9cfe |
+
|
|
|
4e9cfe |
+ systemd_exec_systemctl($1)
|
|
|
4e9cfe |
+ systemd_read_fifo_file_passwd_run($1)
|
|
|
4e9cfe |
+ allow $1 pki_tomcat_unit_file_t:file read_file_perms;
|
|
|
4e9cfe |
+ allow $1 pki_tomcat_unit_file_t:service manage_service_perms;
|
|
|
4e9cfe |
+
|
|
|
4e9cfe |
+ ps_process_pattern($1, pki_tomcat_t)
|
|
|
4e9cfe |
+')
|
|
|
a3dbbd |
diff --git a/tomcat.te b/tomcat.te
|
|
|
a3dbbd |
index 97bdd60c9..386c4b7ac 100644
|
|
|
a3dbbd |
--- a/tomcat.te
|
|
|
a3dbbd |
+++ b/tomcat.te
|
|
|
a3dbbd |
@@ -51,6 +51,9 @@ optional_policy(`
|
|
|
a3dbbd |
# tomcat domain policy
|
|
|
a3dbbd |
#
|
|
|
a3dbbd |
|
|
|
a3dbbd |
+allow tomcat_t self:capability { dac_override setuid kill };
|
|
|
a3dbbd |
+
|
|
|
a3dbbd |
+allow tomcat_t self:process { setcap signal signull };
|
|
|
a3dbbd |
allow tomcat_domain self:fifo_file rw_fifo_file_perms;
|
|
|
a3dbbd |
allow tomcat_domain self:unix_stream_socket create_stream_socket_perms;
|
|
|
a3dbbd |
|
|
|
a3dbbd |
diff --git a/virt.if b/virt.if
|
|
|
a3dbbd |
index 1d17889f3..c6792a5a3 100644
|
|
|
a3dbbd |
--- a/virt.if
|
|
|
a3dbbd |
+++ b/virt.if
|
|
|
a3dbbd |
@@ -1618,4 +1618,23 @@ interface(`virt_dontaudit_read_state',`
|
|
|
a3dbbd |
dontaudit $1 virtd_t:dir search_dir_perms;
|
|
|
a3dbbd |
dontaudit $1 virtd_t:file read_file_perms;
|
|
|
a3dbbd |
dontaudit $1 virtd_t:lnk_file read_lnk_file_perms;
|
|
|
a3dbbd |
+')
|
|
|
a3dbbd |
+
|
|
|
a3dbbd |
+#######################################
|
|
|
a3dbbd |
+## <summary>
|
|
|
a3dbbd |
+## Send to libvirt with a unix dgram socket.
|
|
|
a3dbbd |
+## </summary>
|
|
|
a3dbbd |
+## <param name="domain">
|
|
|
a3dbbd |
+## <summary>
|
|
|
a3dbbd |
+## Domain allowed access.
|
|
|
a3dbbd |
+## </summary>
|
|
|
a3dbbd |
+## </param>
|
|
|
a3dbbd |
+#
|
|
|
a3dbbd |
+interface(`virt_dgram_send',`
|
|
|
a3dbbd |
+ gen_require(`
|
|
|
a3dbbd |
+ type virtd_t, virt_var_run_t;
|
|
|
a3dbbd |
+ ')
|
|
|
a3dbbd |
+
|
|
|
a3dbbd |
+ files_search_pids($1)
|
|
|
a3dbbd |
+ dgram_send_pattern($1, virt_var_run_t, virt_var_run_t, virtd_t)
|
|
|
a3dbbd |
')
|
|
|
a3dbbd |
\ No newline at end of file
|