diff --git a/policy/modules/services/corosync.if b/policy/modules/services/corosync.if index 5220c9d..05f7296 100644 --- a/policy/modules/services/corosync.if +++ b/policy/modules/services/corosync.if @@ -18,6 +18,25 @@ interface(`corosync_domtrans',` domtrans_pattern($1, corosync_exec_t, corosync_t) ') +###################################### +## +## Execute corosync in the caller domain. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`corosync_exec',` + gen_require(` + type corosync_exec_t; + ') + + corecmd_search_bin($1) + can_exec($1, corosync_exec_t) +') + ####################################### ## ## Allow the specified domain to read corosync's log files. diff --git a/policy/modules/services/corosync.te b/policy/modules/services/corosync.te index fdb0dcb..ed9dd2f 100644 --- a/policy/modules/services/corosync.te +++ b/policy/modules/services/corosync.te @@ -117,6 +117,7 @@ optional_policy(` rhcs_rw_cluster_shm(corosync_t) rhcs_rw_cluster_semaphores(corosync_t) rhcs_stream_connect_cluster(corosync_t) + rhcs_read_cluster_lib_files(corosync_t) ') optional_policy(` diff --git a/policy/modules/services/rhcs.fc b/policy/modules/services/rhcs.fc index b19961e..a8676c7 100644 --- a/policy/modules/services/rhcs.fc +++ b/policy/modules/services/rhcs.fc @@ -10,6 +10,7 @@ /var/lib/qdiskd(/.*)? gen_context(system_u:object_r:qdiskd_var_lib_t,s0) +/var/log/cluster/.*\.*log <> /var/log/cluster/dlm_controld\.log.* -- gen_context(system_u:object_r:dlm_controld_var_log_t,s0) /var/log/cluster/fenced\.log.* -- gen_context(system_u:object_r:fenced_var_log_t,s0) /var/log/cluster/gfs_controld\.log.* -- gen_context(system_u:object_r:gfs_controld_var_log_t,s0) diff --git a/policy/modules/services/rhcs.if b/policy/modules/services/rhcs.if index 6928301..d8b97c2 100644 --- a/policy/modules/services/rhcs.if +++ b/policy/modules/services/rhcs.if @@ -434,3 +434,22 @@ interface(`rhcs_read_qdiskd_tmpfs_files',` allow $1 qdiskd_tmpfs_t:file read_file_perms; ') + +###################################### +## +## Allow domain to read cluster lib files +## +## +## +## Domain allowed access. +## +## +# +interface(`rhcs_read_cluster_lib_files',` + gen_require(` + type cluster_var_lib_t; + ') + + files_search_var_lib($1) + read_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t) +') diff --git a/policy/modules/services/rhcs.te b/policy/modules/services/rhcs.te index 68f2b99..1ebc84d 100644 --- a/policy/modules/services/rhcs.te +++ b/policy/modules/services/rhcs.te @@ -35,6 +35,10 @@ rhcs_domain_template(qdiskd) type qdiskd_var_lib_t; files_type(qdiskd_var_lib_t) +# type for cluster lib files +type cluster_var_lib_t; +files_type(cluster_var_lib_t) + ##################################### # # dlm_controld local policy @@ -105,6 +109,11 @@ tunable_policy(`fenced_can_network_connect',` corenet_tcp_connect_all_ports(fenced_t) ') +# needed by fence_scsi +optional_policy(` + corosync_exec(fenced_t) +') + optional_policy(` ccs_read_config(fenced_t) ') @@ -223,6 +232,9 @@ allow cluster_domain self:fifo_file rw_fifo_file_perms; allow cluster_domain self:unix_stream_socket create_stream_socket_perms; allow cluster_domain self:unix_dgram_socket create_socket_perms; +manage_files_pattern(cluster_domain, cluster_var_lib_t, cluster_var_lib_t) +manage_dirs_pattern(cluster_domain, cluster_var_lib_t, cluster_var_lib_t) + logging_send_syslog_msg(cluster_domain) miscfiles_read_localization(cluster_domain)