diff --git a/policy/modules/services/ccs.fc b/policy/modules/services/ccs.fc index 0ec5ba1..8a7177d 100644 --- a/policy/modules/services/ccs.fc +++ b/policy/modules/services/ccs.fc @@ -2,9 +2,5 @@ /sbin/ccsd -- gen_context(system_u:object_r:ccs_exec_t,s0) -/usr/sbin/aisexec -- gen_context(system_u:object_r:ccs_exec_t,s0) - -/var/lib/openais(/.*)? gen_context(system_u:object_r:ccs_var_lib_t,s0) - -/var/run/cluster(/.*)? gen_context(system_u:object_r:ccs_var_run_t,s0) -/var/run/cman_.* -s gen_context(system_u:object_r:ccs_var_run_t,s0) +/var/run/cluster/ccsd\.pid -- gen_context(system_u:object_r:ccs_var_run_t,s0) +/var/run/cluster/ccsd\.sock -s gen_context(system_u:object_r:ccs_var_run_t,s0) diff --git a/policy/modules/services/ccs.te b/policy/modules/services/ccs.te index 1e0ecd1..b7e76be 100644 --- a/policy/modules/services/ccs.te +++ b/policy/modules/services/ccs.te @@ -1,5 +1,5 @@ -policy_module(ccs, 1.4.0) +policy_module(ccs, 1.4.1) ######################################## # @@ -10,23 +10,21 @@ type ccs_t; type ccs_exec_t; init_daemon_domain(ccs_t, ccs_exec_t) -# conf files type cluster_conf_t; files_type(cluster_conf_t) -# tmp files type ccs_tmp_t; files_tmp_file(ccs_tmp_t) -# log files -type ccs_var_log_t; -logging_log_file(ccs_var_log_t) +type ccs_tmpfs_t; +files_tmpfs_file(ccs_tmpfs_t) -# var lib files type ccs_var_lib_t; logging_log_file(ccs_var_lib_t) -# pid files +type ccs_var_log_t; +logging_log_file(ccs_var_log_t) + type ccs_var_run_t; files_pid_file(ccs_var_run_t) @@ -35,7 +33,7 @@ files_pid_file(ccs_var_run_t) # ccs local policy # -allow ccs_t self:capability { ipc_lock sys_nice sys_resource sys_admin }; +allow ccs_t self:capability { ipc_owner ipc_lock sys_nice sys_resource sys_admin }; allow ccs_t self:process { signal setrlimit setsched }; dontaudit ccs_t self:process ptrace; allow ccs_t self:fifo_file rw_fifo_file_perms; @@ -55,17 +53,20 @@ manage_dirs_pattern(ccs_t, ccs_tmp_t, ccs_tmp_t) manage_files_pattern(ccs_t, ccs_tmp_t, ccs_tmp_t) files_tmp_filetrans(ccs_t, ccs_tmp_t, { file dir }) -# log files -manage_files_pattern(ccs_t, ccs_var_log_t, ccs_var_log_t) -manage_sock_files_pattern(ccs_t, ccs_var_log_t, ccs_var_log_t) -allow ccs_t ccs_var_log_t:dir setattr; -logging_log_filetrans(ccs_t, ccs_var_log_t, { sock_file file dir }) +manage_dirs_pattern(ccs_t, ccs_tmpfs_t, ccs_tmpfs_t) +manage_files_pattern(ccs_t, ccs_tmpfs_t, ccs_tmpfs_t) +fs_tmpfs_filetrans(ccs_t, ccs_tmpfs_t, { dir file }) # var lib files manage_dirs_pattern(ccs_t, ccs_var_lib_t, ccs_var_lib_t) manage_files_pattern(ccs_t, ccs_var_lib_t, ccs_var_lib_t) files_var_lib_filetrans(ccs_t, ccs_var_lib_t, { file dir }) +allow ccs_t ccs_var_log_t:dir setattr; +manage_files_pattern(ccs_t, ccs_var_log_t, ccs_var_log_t) +manage_sock_files_pattern(ccs_t, ccs_var_log_t, ccs_var_log_t) +logging_log_filetrans(ccs_t, ccs_var_log_t, { sock_file file dir }) + # pid file manage_dirs_pattern(ccs_t, ccs_var_run_t, ccs_var_run_t) manage_files_pattern(ccs_t, ccs_var_run_t, ccs_var_run_t) @@ -104,6 +105,9 @@ miscfiles_read_localization(ccs_t) sysnet_dns_name_resolve(ccs_t) +userdom_manage_unpriv_user_shared_mem(ccs_t) +userdom_manage_unpriv_user_semaphores(ccs_t) + ifdef(`hide_broken_symptoms', ` corecmd_dontaudit_write_bin_dirs(ccs_t) files_manage_isid_type_files(ccs_t)