Alan Pevec
2009-Apr-02 10:55 UTC
[Ovirt-devel] [PATCH node] allow ovirt-firstboot to run unconfined
Signed-off-by: Alan Pevec <apevec at redhat.com>
---
 Makefile.am | 1 +
 ovirt-node-selinux.fc | 1 +
 ovirt-node-selinux.te | 25 ++++++++++++++++++++++---
 ovirt-node.spec.in | 3 ++-
 4 files changed, 26 insertions(+), 4 deletions(-)
 create mode 100644 ovirt-node-selinux.fc

diff --git a/Makefile.am b/Makefile.am
index af23ae4..d60abe9 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -23,6 +23,7 @@ EXTRA_DIST = \
 ovirt-node.spec \
 ovirt-node.spec.in \
 ovirt-node-selinux.te \
+ ovirt-node-selinux.fc \
 images/grub-splash.xpm.gz \
 images/syslinux-vesa-splash.jpg \
 scripts/collectd \
diff --git a/ovirt-node-selinux.fc b/ovirt-node-selinux.fc
new file mode 100644
index 0000000..cf1ea96
--- /dev/null
+++ b/ovirt-node-selinux.fc
@@ -0,0 +1 @@
+/etc/rc\.d/init\.d/ovirt-firstboot -- gen_context(system_u:object_r:ovirt_exec_t)
diff --git a/ovirt-node-selinux.te b/ovirt-node-selinux.te
index 327c231..c6da141 100644
--- a/ovirt-node-selinux.te
+++ b/ovirt-node-selinux.te
@@ -1,14 +1,33 @@
-module ovirt 1.0.0;
+module ovirt 1.0.1;
 require {
 type fixed_disk_device_t;
 attribute file_type;
 type mount_t;
 type qemu_t;
 class blk_file { ioctl getattr setattr read write };
- class file mounton;
+ class file { mounton getattr read write append entrypoint execute ioctl lock };
+ class chr_file { getattr read write append ioctl lock };
+ class fifo_file { getattr read write append lock ioctl };
+ class lnk_file { getattr read };
+ class sock_file { getattr write };
+ class fd { use };
+ class process { sigchld signull transition noatsecure siginh rlimitinh };
+ class filesystem { getattr };
+ class dir { getattr search read lock ioctl };
+ class unix_stream_socket { create { ioctl read getattr write setattr append bind connect getopt setopt shutdown } connectto };
+
+ type initrc_t;
+ type unconfined_t;
 }
 # Give qemu_t access to any block device
 allow qemu_t fixed_disk_device_t:blk_file { ioctl getattr setattr read write };
 # allow any file to be bindmounted (for /config)
 allow mount_t file_type:file mounton;
-
+# allow ovirt-firstboot to run unconfined
+# TODO restrict to ovirt_t
+#type ovirt_t;
+#domain_type(ovirt_t)
+#unconfined_domain_noaudit(ovirt_t)
+#domain_entry_file(ovirt_t,ovirt_exec_t)
+type ovirt_exec_t;
+init_daemon_domain(unconfined_t,ovirt_exec_t)
diff --git a/ovirt-node.spec.in b/ovirt-node.spec.in
index 02e90ce..75fb56f 100644
--- a/ovirt-node.spec.in
+++ b/ovirt-node.spec.in
@@ -13,6 +13,7 @@ Group: Applications/System
 %define selinux_policyver %(sed -n 's,.*selinux-policy-\([^/]*\)/.*,\1,p' /usr/share/selinux/devel/policyhelp)
 %define modulename %{name}-selinux
 Source1: %{modulename}.te
+Source2: %{modulename}.fc
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-buildroot
 URL: http://www.ovirt.org/
 
@@ -116,7 +117,7 @@ SELinux policy module supporting ovirt-node
 
 %setup -q
 mkdir SELinux
-cp -p %{SOURCE1} SELinux
+cp -p %{SOURCE1} %{SOURCE2} SELinux
 
 %build
 %configure
-- 
1.6.0.6
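Review bot: The new `type unconfined_t;` in the `require` block turns a stopgap into a hard dependency: `init_daemon_domain(unconfined_t,ovirt_exec_t)` at the end of the ovirt-node-selinux.te hunk makes the module fail to load on any policy where the unconfined module is absent or disabled, and until the commented-out ovirt_t block is finished every process started from ovirt-firstboot runs with no SELinux confinement at all. That trade-off belongs in the file, e.g. replace the first comment with `# ovirt-firstboot transitions to unconfined_t via init_daemon_domain(); this module will not load without the unconfined module installed` so the next maintainer sees both consequences before extending the policy. The long class/permission lists added to `require` (chr_file, fifo_file, unix_stream_socket, process, ...) are not used by any allow rule in this file and presumably exist only to satisfy the interface expansion; a one-line comment above them, `# permissions below are needed by the init_daemon_domain() expansion, not by local rules`, would stop readers from hunting for their use and from pruning them. The TODO should also name what ovirt_t needs before it can replace unconfined_t, otherwise the restriction is unlikely to land.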