diff --git a/ctdb.if b/ctdb.if index 6b7d687..06895f3 100644 --- a/ctdb.if +++ b/ctdb.if @@ -55,6 +55,23 @@ interface(`ctdbd_signal',` allow $1 ctdbd_t:process signal; ') +####################################### +## +## Allow domain to sigchld ctdbd. +## +## +## +## Domain allowed access. +## +## +# +interface(`ctdbd_sigchld',` + gen_require(` + type ctdbd_t; + ') + allow $1 ctdbd_t:process sigchld; +') + ######################################## ## ## Read ctdbd's log files. diff --git a/glusterd.fc b/glusterd.fc index 8c8c6c9..52b4110 100644 --- a/glusterd.fc +++ b/glusterd.fc @@ -6,13 +6,17 @@ /usr/sbin/glusterd -- gen_context(system_u:object_r:glusterd_initrc_exec_t,s0) /usr/sbin/glusterfsd -- gen_context(system_u:object_r:glusterd_exec_t,s0) +/usr/bin/ganesha.nfsd -- gen_context(system_u:object_r:glusterd_exec_t,s0) + /opt/glusterfs/[^/]+/sbin/glusterfsd -- gen_context(system_u:object_r:glusterd_exec_t,s0) /var/lib/glusterd(/.*)? gen_context(system_u:object_r:glusterd_var_lib_t,s0) /var/log/glusterfs(/.*)? gen_context(system_u:object_r:glusterd_log_t,s0) +/var/log/ganesha.log -- gen_context(system_u:object_r:glusterd_log_t,s0) /var/run/gluster(/.*)? gen_context(system_u:object_r:glusterd_var_run_t,s0) /var/run/glusterd(/.*)? gen_context(system_u:object_r:glusterd_var_run_t,s0) /var/run/glusterd.* -- gen_context(system_u:object_r:glusterd_var_run_t,s0) /var/run/glusterd.* -s gen_context(system_u:object_r:glusterd_var_run_t,s0) +/var/run/ganesha.* -- gen_context(system_u:object_r:glusterd_var_run_t,s0) diff --git a/glusterd.if b/glusterd.if index fc9bf19..764ae00 100644 --- a/glusterd.if +++ b/glusterd.if 
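Review bot: Labelling `/usr/bin/ganesha.nfsd` as glusterd_exec_t makes the NFS-Ganesha server run in glusterd_t, a domain whose capability set (per the glusterd.te hunk in this same commit: sys_admin, sys_ptrace, dac_override, net_admin, setuid, setgid, kill, mknod, net_raw, …) is far broader than a network-facing NFS server needs. A dedicated ganesha domain would be the least-privilege answer; failing that, a comment above the new line recording that the sharing is intentional, e.g. `# nfs-ganesha is deliberately confined as glusterd_t (shares its caps, logs and pid files)`, keeps the decision auditable. The same applies to the `/var/log/ganesha.log` and `/var/run/ganesha.*` entries, which reuse glusterd's log and pid types.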
@@ -158,6 +158,24 @@ interface(`glusterd_read_conf',` ###################################### ## +## Dontaudit Read /var/lib/glusterd files. +## +## +## +## Domain allowed access. +## +## +# +interface(`glusterd_dontaudit_read_lib_dirs',` + gen_require(` + type glusterd_var_lib_t; + ') + + dontaudit $1 glusterd_var_lib_t:dir list_dir_perms; +') + +###################################### +## ## Read and write /var/lib/glusterd files. ## ## diff --git a/glusterd.te b/glusterd.te index b974353..5c9d08d 100644 --- a/glusterd.te +++ b/glusterd.te @@ -62,7 +62,7 @@ files_type(glusterd_brick_t) allow glusterd_t self:capability { sys_admin sys_resource sys_ptrace dac_override chown dac_read_search fowner fsetid kill setgid setuid net_admin mknod net_raw }; allow glusterd_t self:capability2 block_suspend; -allow glusterd_t self:process { getcap setcap setrlimit signal_perms setsched getsched }; +allow glusterd_t self:process { getcap setcap setrlimit signal_perms setsched getsched setfscreate}; allow glusterd_t self:sem create_sem_perms; allow glusterd_t self:fifo_file rw_fifo_file_perms; allow glusterd_t self:tcp_socket { accept listen }; @@ -81,10 +81,8 @@ files_tmp_filetrans(glusterd_t, glusterd_tmp_t, { dir file sock_file }) allow glusterd_t glusterd_tmp_t:dir mounton; manage_dirs_pattern(glusterd_t, glusterd_log_t, glusterd_log_t) -append_files_pattern(glusterd_t, glusterd_log_t, glusterd_log_t) -create_files_pattern(glusterd_t, glusterd_log_t, glusterd_log_t) -setattr_files_pattern(glusterd_t, glusterd_log_t, glusterd_log_t) -logging_log_filetrans(glusterd_t, glusterd_log_t, dir) +manage_files_pattern(glusterd_t, glusterd_log_t, glusterd_log_t) +logging_log_filetrans(glusterd_t, glusterd_log_t, { file dir }) manage_dirs_pattern(glusterd_t, glusterd_var_run_t, glusterd_var_run_t) manage_files_pattern(glusterd_t, glusterd_var_run_t, glusterd_var_run_t) 
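Review bot: The summary of `glusterd_dontaudit_read_lib_dirs` says "Dontaudit Read /var/lib/glusterd files", but the only rule it carries is `dontaudit $1 glusterd_var_lib_t:dir list_dir_perms;`, which silences directory listing, not file reads. Suggested summary line: `## Do not audit attempts to list /var/lib/glusterd directories.` A caller reading the current wording would expect file-read denials to be suppressed as well and be surprised by the AVC messages.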
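Review bot: `setfscreate` is appended without a space before the closing brace (`getsched setfscreate}`), while every other permission set in the file is written `{ ... }` with spaces on both sides. Because setfscreate lets glusterd_t choose the label of objects it creates (setfscreatecon), it is worth a one-line comment above the rule naming the operation that needs it, so the grant can be re-checked later; the reason is not visible in this hunk.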
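Review bot: Replacing the append/create/setattr rules with `manage_files_pattern(glusterd_t, glusterd_log_t, glusterd_log_t)` additionally grants read, non-append write, unlink and rename on glusterd_log_t, so glusterd_t can now truncate or delete its own log files. If the widening is needed only so that ganesha (labelled glusterd_exec_t elsewhere in this commit) can open `/var/log/ganesha.log`, a comment such as `# manage (not append-only): nfs-ganesha reopens and rotates ganesha.log itself — confirm` would record the trade-off; otherwise keeping the append-only rules for the existing glusterd logs preserves log integrity. The `{ file dir }` filetrans change is consistent with the new `/var/log/ganesha.log` entry in glusterd.fc.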
@@ -103,6 +101,7 @@ manage_fifo_files_pattern(glusterd_t, glusterd_brick_t, glusterd_brick_t) manage_lnk_files_pattern(glusterd_t, glusterd_brick_t, glusterd_brick_t) manage_blk_files_pattern(glusterd_t, glusterd_brick_t, glusterd_brick_t) manage_chr_files_pattern(glusterd_t, glusterd_brick_t, glusterd_brick_t) +manage_sock_files_pattern(glusterd_t, glusterd_brick_t, glusterd_brick_t) relabel_files_pattern(glusterd_t, glusterd_brick_t, glusterd_brick_t) relabel_lnk_files_pattern(glusterd_t, glusterd_brick_t, glusterd_brick_t) relabel_dirs_pattern(glusterd_t, glusterd_brick_t, glusterd_brick_t) @@ -240,12 +239,21 @@ optional_policy(` optional_policy(` policykit_dbus_chat(glusterd_t) ') + + optional_policy(` + unconfined_dbus_chat(glusterd_t) + ') ') optional_policy(` hostname_exec(glusterd_t) ') + +optional_policy(` + kerberos_read_keytab(glusterd_t) +') + optional_policy(` lvm_domtrans(glusterd_t) ') @@ -281,6 +289,7 @@ optional_policy(` rpc_domtrans_nfsd(glusterd_t) rpc_domtrans_rpcd(glusterd_t) rpc_manage_nfs_state_data(glusterd_t) + rpcbind_stream_connect(glusterd_t) ') optional_policy(` diff --git a/logrotate.te b/logrotate.te index 08c168f..71025ab 100644 --- a/logrotate.te +++ b/logrotate.te @@ -146,6 +146,8 @@ init_stream_connect(logrotate_t) miscfiles_read_hwdata(logrotate_t) +term_dontaudit_use_unallocated_ttys(logrotate_t) + userdom_use_inherited_user_terminals(logrotate_t) userdom_list_user_home_dirs(logrotate_t) userdom_use_unpriv_users_fds(logrotate_t) diff --git a/openvswitch.te b/openvswitch.te index 1b606d8..2d00be4 100644 --- a/openvswitch.te +++ b/openvswitch.te 
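Review bot: `unconfined_dbus_chat(glusterd_t)` allows D-Bus message exchange in both directions with the unconfined domain, a much broader grant than the sibling `policykit_dbus_chat(glusterd_t)`, and nothing in the hunk says which service glusterd_t needs to reach. A line above it naming the peer, e.g. `# glusterd exchanges D-Bus messages with <service> running unconfined — confirm`, would let the grant be narrowed to that service's interface later. The new `kerberos_read_keytab(glusterd_t)` block deserves the same treatment, since it exposes keytab contents to the domain.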
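Review bot: `term_dontaudit_use_unallocated_ttys(logrotate_t)` is added unconditionally, whereas the same call for rpcd_t in rpc.te (visible later in this diff) is wrapped in `ifdef(`distro_debian',` … `)`. If the logrotate denial is likewise distro-specific, the same guard keeps the dontaudit scoped; if it is not, a short comment noting what triggers the tty access would avoid the question at the next review.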
@@ -32,7 +32,7 @@ systemd_unit_file(openvswitch_unit_file_t) # openvswitch local policy # -allow openvswitch_t self:capability { net_admin ipc_lock sys_module sys_nice sys_resource }; +allow openvswitch_t self:capability { net_admin ipc_lock sys_module sys_nice sys_rawio sys_resource }; allow openvswitch_t self:capability2 block_suspend; allow openvswitch_t self:process { fork setsched setrlimit signal }; allow openvswitch_t self:fifo_file rw_fifo_file_perms; @@ -92,6 +92,8 @@ files_read_kernel_modules(openvswitch_t) fs_getattr_all_fs(openvswitch_t) fs_search_cgroup_dirs(openvswitch_t) +fs_manage_hugetlbfs_files(openvswitch_t) +fs_manage_hugetlbfs_dirs(openvswitch_t) auth_use_nsswitch(openvswitch_t) diff --git a/rhcs.te b/rhcs.te index 2c7b543..e55c17b 100644 --- a/rhcs.te +++ b/rhcs.te @@ -319,6 +319,7 @@ optional_policy(` rpc_domtrans_nfsd(cluster_t) rpc_domtrans_rpcd(cluster_t) rpc_manage_nfs_state_data(cluster_t) + rpc_filetrans_var_lib_nfs_content(cluster_t) ') optional_policy(` diff --git a/rpc.if b/rpc.if index 50f25de..4f3c2b9 100644 --- a/rpc.if +++ b/rpc.if @@ -424,6 +424,24 @@ interface(`rpc_rw_gssd_keys',` allow $1 gssd_t:key { read search setattr view write }; ') +######################################## +## +## Transition to alsa named content +## +## +## +## Domain allowed access. +## +## +# +interface(`rpc_filetrans_var_lib_nfs_content',` + gen_require(` + type var_lib_nfs_t; + ') + + files_var_lib_filetrans($1, var_lib_nfs_t, lnk_file, "nfs") +') + ####################################### ## ## All of the rules required to diff --git a/rpc.te b/rpc.te index 876a4e7..7f491b0 100644 --- a/rpc.te +++ b/rpc.te @@ -21,6 +21,13 @@ gen_tunable(gssd_read_tmp, true) ## gen_tunable(nfsd_anon_write, false) +## +##
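Review bot: `sys_rawio` is added to openvswitch_t's capability set without a comment; the hugetlbfs rules in the second hunk of this file suggest DPDK/userspace-datapath support, but that is an inference. sys_rawio permits raw I/O port and raw block-device access, which is far beyond what a switch daemon normally needs, so the line should carry a justification, e.g. `# sys_rawio: needed by the DPDK userspace datapath (hugepage-backed device access) — confirm`. Consider gating it behind a boolean, as this commit does for `rpcd_use_fusefs` in rpc.te, so deployments without DPDK do not carry the capability.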
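Review bot: The summary of `rpc_filetrans_var_lib_nfs_content` reads "Transition to alsa named content", which does not describe the rule `files_var_lib_filetrans($1, var_lib_nfs_t, lnk_file, "nfs")` and looks copied from another interface. Suggested summary: `## Label the "nfs" symlink created in /var/lib as var_lib_nfs_t.` It is also worth stating in the description that the transition covers only `lnk_file`, so a caller creating a directory or regular file named nfs would not receive the type.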

+## Allow rpcd_t to manage fuse files +##

+##
+gen_tunable(rpcd_use_fusefs, false) + attribute rpc_domain; type exports_t; @@ -135,6 +142,8 @@ manage_dirs_pattern(rpcd_t, rpcd_var_run_t, rpcd_var_run_t) manage_files_pattern(rpcd_t, rpcd_var_run_t, rpcd_var_run_t) files_pid_filetrans(rpcd_t, rpcd_var_run_t, { file dir }) +read_lnk_files_pattern(rpcd_t, var_lib_nfs_t, var_lib_nfs_t) + # rpc.statd executes sm-notify can_exec(rpcd_t, rpcd_exec_t) @@ -171,6 +180,13 @@ miscfiles_read_generic_certs(rpcd_t) userdom_signal_unpriv_users(rpcd_t) userdom_read_user_home_content_files(rpcd_t) +tunable_policy(`rpcd_use_fusefs',` + fs_manage_fusefs_dirs(rpcd_t) + fs_manage_fusefs_files(rpcd_t) + fs_read_fusefs_symlinks(rpcd_t) + fs_getattr_fusefs(rpcd_t) +') + ifdef(`distro_debian',` term_dontaudit_use_unallocated_ttys(rpcd_t) ') diff --git a/samba.te b/samba.te index bf7a710..aac4015 100644 --- a/samba.te +++ b/samba.te @@ -726,6 +726,7 @@ userdom_use_inherited_user_terminals(smbcontrol_t) optional_policy(` ctdbd_stream_connect(smbcontrol_t) + ctdbd_sigchld(smbcontrol_t) ') ######################################## diff --git a/sanlock.te b/sanlock.te index 2059657..423ad5e 100644 --- a/sanlock.te +++ b/sanlock.te @@ -81,6 +81,8 @@ domain_use_interactive_fds(sanlock_t) files_read_mnt_symlinks(sanlock_t) +fs_rw_cephfs_files(sanlock_t) + storage_raw_rw_fixed_disk(sanlock_t) dev_read_rand(sanlock_t)