[Ovirt-devel] [PATCH node] allow ovirt-firstboot to run unconfined

Alan Pevec apevec at redhat.com
Thu Apr 2 10:55:40 UTC 2009 

Signed-off-by: Alan Pevec <apevec at redhat.com>
---
 Makefile.am           |    1 +
 ovirt-node-selinux.fc |    1 +
 ovirt-node-selinux.te |   25 ++++++++++++++++++++++---
 ovirt-node.spec.in    |    3 ++-
 4 files changed, 26 insertions(+), 4 deletions(-)
 create mode 100644 ovirt-node-selinux.fc

diff --git a/Makefile.am b/Makefile.am
index af23ae4..d60abe9 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -23,6 +23,7 @@ EXTRA_DIST =			\
   ovirt-node.spec		\
   ovirt-node.spec.in		\
   ovirt-node-selinux.te		\
+  ovirt-node-selinux.fc		\
   images/grub-splash.xpm.gz	\
   images/syslinux-vesa-splash.jpg	\
   scripts/collectd		\
diff --git a/ovirt-node-selinux.fc b/ovirt-node-selinux.fc
new file mode 100644
index 0000000..cf1ea96
--- /dev/null
+++ b/ovirt-node-selinux.fc
@@ -0,0 +1 @@
+/etc/rc\.d/init\.d/ovirt-firstboot             -- gen_context(system_u:object_r:ovirt_exec_t)
diff --git a/ovirt-node-selinux.te b/ovirt-node-selinux.te
index 327c231..c6da141 100644
--- a/ovirt-node-selinux.te
+++ b/ovirt-node-selinux.te
@@ -1,14 +1,33 @@
-module ovirt 1.0.0;
+module ovirt 1.0.1;
 require {
     type fixed_disk_device_t;
     attribute file_type;
     type mount_t;
     type qemu_t;
     class blk_file { ioctl getattr setattr read write };
-    class file mounton;
+    class file { mounton getattr read write append entrypoint execute ioctl lock };
+    class chr_file { getattr read write append ioctl lock };
+    class fifo_file { getattr read  write append lock ioctl };
+    class lnk_file { getattr read };
+    class sock_file { getattr write };
+    class fd { use };
+    class process { sigchld signull transition noatsecure siginh rlimitinh };
+    class filesystem { getattr };
+    class dir { getattr search read lock ioctl };
+    class unix_stream_socket { create { ioctl read getattr write setattr append bind connect getopt setopt shutdown } connectto };
+
+    type initrc_t;
+    type unconfined_t;
 }
 # Give qemu_t access to any block device
 allow qemu_t fixed_disk_device_t:blk_file { ioctl getattr setattr read write };
 # allow any file to be bindmounted (for /config)
 allow mount_t file_type:file mounton;
-
+# allow ovirt-firstboot to run unconfined
+# TODO restrict to ovirt_t
+#type ovirt_t;
+#domain_type(ovirt_t)
+#unconfined_domain_noaudit(ovirt_t)
+#domain_entry_file(ovirt_t,ovirt_exec_t)
+type ovirt_exec_t;
+init_daemon_domain(unconfined_t,ovirt_exec_t)
diff --git a/ovirt-node.spec.in b/ovirt-node.spec.in
index 02e90ce..75fb56f 100644
--- a/ovirt-node.spec.in
+++ b/ovirt-node.spec.in
@@ -13,6 +13,7 @@ Group:          Applications/System
 %define selinux_policyver %(sed -n 's,.*selinux-policy-\([^/]*\)/.*,\1,p' /usr/share/selinux/devel/policyhelp)
 %define modulename %{name}-selinux
 Source1:        %{modulename}.te
+Source2:        %{modulename}.fc
 
 BuildRoot:      %{_tmppath}/%{name}-%{version}-%{release}-buildroot
 URL:            http://www.ovirt.org/
@@ -116,7 +117,7 @@ SELinux policy module supporting ovirt-node
 %setup -q
 
 mkdir SELinux
-cp -p %{SOURCE1} SELinux
+cp -p %{SOURCE1} %{SOURCE2} SELinux
 
 %build
 %configure
-- 
1.6.0.6

More information about the ovirt-devel mailing list