diff --git a/certmonger.te b/certmonger.te
index 0803529e4..0585431e1 100644
--- a/certmonger.te
+++ b/certmonger.te
@@ -144,6 +144,7 @@ optional_policy(`
 optional_policy(`
 	pki_rw_tomcat_cert(certmonger_t)
 	pki_read_tomcat_lib_files(certmonger_t)
+    pki_tomcat_systemctl(certmonger_t)
 ')
 
 optional_policy(`
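Review bot: The added line `pki_tomcat_systemctl(certmonger_t)` is indented with four spaces while the other two lines in this optional_policy block use a tab; the same space-indented line appears in pki.if at `systemd_read_fifo_file_passwd_run($1)`. Both should be changed to tab indentation to match their blocks. This single call also grants certmonger the full `manage_service_perms` set on the pki-tomcat unit as defined in pki.if, so a one-line comment above it stating why certmonger needs that (presumably restarting pki-tomcat after a certificate renewal, to be confirmed) would help the next auditor of this block.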
diff --git a/lldpad.te b/lldpad.te
index 42e5578f2..3399d597a 100644
--- a/lldpad.te
+++ b/lldpad.te
@@ -64,3 +64,7 @@ optional_policy(`
 optional_policy(`
     networkmanager_dgram_send(lldpad_t)
 ')
+
+optional_policy(`
+    virt_dgram_send(lldpad_t)
+')
diff --git a/pki.if b/pki.if
index f18fcc68f..f69ae0298 100644
--- a/pki.if
+++ b/pki.if
@@ -477,3 +477,27 @@ interface(`pki_stream_connect',`
 	files_search_pids($1)
 	stream_connect_pattern($1, pki_common_t, pki_common_t, pki_tomcat_t)
 ')
+
+########################################
+## <summary>
+##	Execute pki in the pkit_tomcat_t domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`pki_tomcat_systemctl',`
+	gen_require(`
+		type pki_tomcat_t;
+		type pki_tomcat_unit_file_t;
+	')
+
+	systemd_exec_systemctl($1)
+    systemd_read_fifo_file_passwd_run($1)
+	allow $1 pki_tomcat_unit_file_t:file read_file_perms;
+	allow $1 pki_tomcat_unit_file_t:service manage_service_perms;
+
+	ps_process_pattern($1, pki_tomcat_t)
+')
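Review bot: The summary `##	Execute pki in the pkit_tomcat_t domain.` does not describe what the interface does and contains a typo (`pkit_tomcat_t`): the body performs no domain transition; it lets the caller run systemctl, read and manage the pki_tomcat_unit_file_t unit, and read pki_tomcat_t process state. Suggest `##	Manage the pki-tomcat systemd unit via systemctl and read pki_tomcat_t process state.` for the summary and `##	Domain allowed access.` for the parameter. On least privilege, `manage_service_perms` is the broadest service permission set (in refpolicy it covers start, stop, status and reload and, depending on the policy version, enable/disable as well); if callers only need to restart the unit, `allow $1 pki_tomcat_unit_file_t:service { start stop status reload };` would be narrower, which is worth confirming against the actual certmonger denials before merging.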
diff --git a/tomcat.te b/tomcat.te
index 97bdd60c9..386c4b7ac 100644
--- a/tomcat.te
+++ b/tomcat.te
@@ -51,6 +51,9 @@ optional_policy(`
 # tomcat domain policy
 #
 
+allow tomcat_t self:capability { dac_override setuid kill };
+
+allow tomcat_t self:process { setcap signal signull };
 allow tomcat_domain self:fifo_file rw_fifo_file_perms;
 allow tomcat_domain self:unix_stream_socket create_stream_socket_perms;
 
diff --git a/virt.if b/virt.if
index 1d17889f3..c6792a5a3 100644
--- a/virt.if
+++ b/virt.if
@@ -1618,4 +1618,23 @@ interface(`virt_dontaudit_read_state',`
 	dontaudit $1 virtd_t:dir search_dir_perms;
 	dontaudit $1 virtd_t:file read_file_perms;
 	dontaudit $1 virtd_t:lnk_file read_lnk_file_perms;
+')
+
+#######################################
+## <summary>
+##	Send to libvirt with a unix dgram socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`virt_dgram_send',`
+	gen_require(`
+		type virtd_t, virt_var_run_t;
+	')
+
+	files_search_pids($1)
+	dgram_send_pattern($1, virt_var_run_t, virt_var_run_t, virtd_t)
 ')
\ No newline at end of file
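Review bot: The new interface still leaves virt.if without a trailing newline, as the `\ No newline at end of file` marker shows; adding one after the closing `')` keeps future diffs against this file clean. Stylistically, `type virtd_t, virt_var_run_t;` declares both types on one gen_require line whereas the sibling pki.if interface in this commit lists one type per line; refpolicy accepts either form, but the series should pick one. The access pattern itself looks right: `files_search_pids($1)` plus `dgram_send_pattern($1, virt_var_run_t, virt_var_run_t, virtd_t)` is the standard shape for sending to a daemon's run-directory socket without granting anything beyond sendto on that socket file.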