[Ovirt-devel] [PATCH node] allow ovirt-firstboot to run unconfined
Alan Pevec
apevec at redhat.com
Thu Apr 2 10:55:40 UTC 2009
Signed-off-by: Alan Pevec <apevec at redhat.com>
---
Makefile.am | 1 +
ovirt-node-selinux.fc | 1 +
ovirt-node-selinux.te | 25 ++++++++++++++++++++++---
ovirt-node.spec.in | 3 ++-
4 files changed, 26 insertions(+), 4 deletions(-)
create mode 100644 ovirt-node-selinux.fc
diff --git a/Makefile.am b/Makefile.am
index af23ae4..d60abe9 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -23,6 +23,7 @@ EXTRA_DIST = \
ovirt-node.spec \
ovirt-node.spec.in \
ovirt-node-selinux.te \
+ ovirt-node-selinux.fc \
images/grub-splash.xpm.gz \
images/syslinux-vesa-splash.jpg \
scripts/collectd \
diff --git a/ovirt-node-selinux.fc b/ovirt-node-selinux.fc
new file mode 100644
index 0000000..cf1ea96
--- /dev/null
+++ b/ovirt-node-selinux.fc
@@ -0,0 +1 @@
+/etc/rc\.d/init\.d/ovirt-firstboot -- gen_context(system_u:object_r:ovirt_exec_t)
diff --git a/ovirt-node-selinux.te b/ovirt-node-selinux.te
index 327c231..c6da141 100644
--- a/ovirt-node-selinux.te
+++ b/ovirt-node-selinux.te
@@ -1,14 +1,33 @@
-module ovirt 1.0.0;
+module ovirt 1.0.1;
require {
type fixed_disk_device_t;
attribute file_type;
type mount_t;
type qemu_t;
class blk_file { ioctl getattr setattr read write };
- class file mounton;
+ class file { mounton getattr read write append entrypoint execute ioctl lock };
+ class chr_file { getattr read write append ioctl lock };
+ class fifo_file { getattr read write append lock ioctl };
+ class lnk_file { getattr read };
+ class sock_file { getattr write };
+ class fd { use };
+ class process { sigchld signull transition noatsecure siginh rlimitinh };
+ class filesystem { getattr };
+ class dir { getattr search read lock ioctl };
+ class unix_stream_socket { create { ioctl read getattr write setattr append bind connect getopt setopt shutdown } connectto };
+
+ type initrc_t;
+ type unconfined_t;
}
# Give qemu_t access to any block device
allow qemu_t fixed_disk_device_t:blk_file { ioctl getattr setattr read write };
# allow any file to be bindmounted (for /config)
allow mount_t file_type:file mounton;
-
+# allow ovirt-firstboot to run unconfined
+# TODO restrict to ovirt_t
+#type ovirt_t;
+#domain_type(ovirt_t)
+#unconfined_domain_noaudit(ovirt_t)
+#domain_entry_file(ovirt_t,ovirt_exec_t)
+type ovirt_exec_t;
+init_daemon_domain(unconfined_t,ovirt_exec_t)
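Review bot: The enlarged `require` block declares classes and permissions (file, chr_file, fifo_file, lnk_file, sock_file, fd, process, filesystem, dir, unix_stream_socket) that no rule in this module uses; the only new rule is the `init_daemon_domain(unconfined_t,ovirt_exec_t)` call, whose own requirements are satisfied by the interface, so these look like leftover audit2allow output and should be dropped to keep the module readable. The requires that do matter, `type initrc_t;` and `type unconfined_t;`, make insertion of the whole module conditional on the init and unconfined policy modules being present, and since the qemu_t and mount_t rules ship in the same module, a host without an unconfined domain would lose those as well. That trade-off deserves a comment next to the TODO: `# NOTE: module fails to insert if unconfined_t is absent; the confined ovirt_t sketched above would remove that dependency.` Because the transition target is unconfined_t, every process ovirt-firstboot spawns inherits an unconfined context, so the ovirt_exec_t label in the .fc file should stay pinned to that single init script path.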
diff --git a/ovirt-node.spec.in b/ovirt-node.spec.in
index 02e90ce..75fb56f 100644
--- a/ovirt-node.spec.in
+++ b/ovirt-node.spec.in
@@ -13,6 +13,7 @@ Group: Applications/System
%define selinux_policyver %(sed -n 's,.*selinux-policy-\([^/]*\)/.*,\1,p' /usr/share/selinux/devel/policyhelp)
%define modulename %{name}-selinux
Source1: %{modulename}.te
+Source2: %{modulename}.fc
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-buildroot
URL: http://www.ovirt.org/
@@ -116,7 +117,7 @@ SELinux policy module supporting ovirt-node
%setup -q
mkdir SELinux
-cp -p %{SOURCE1} SELinux
+cp -p %{SOURCE1} %{SOURCE2} SELinux
%build
%configure
--
1.6.0.6