From 630e0e4e304c751127329009000dc0abcb5a62dc Mon Sep 17 00:00:00 2001
From: lingsheng
Date: Tue, 8 Jun 2021 10:39:37 +0800
Subject: [PATCH] Add pcp_domain selinux policy

---
 src/selinux/pcpupstream.te.in | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/src/selinux/pcpupstream.te.in b/src/selinux/pcpupstream.te.in
index 8a8cc22..77ede46 100644
--- a/src/selinux/pcpupstream.te.in
+++ b/src/selinux/pcpupstream.te.in
@@ -1,6 +1,9 @@
 module pcpupstream @PACKAGE_VERSION@;
 require {
+ attribute domain;
+ attribute pcp_domain;
+ type pcp_pmcd_t;
 type user_home_t;
 type user_home_dir_t; #RHBZ1488116
@@ -79,7 +82,7 @@ require {
 type system_cronjob_t;
 type xdm_t;
 type postgresql_t;
- class sem { unix_read associate getattr };
+ class sem { unix_read associate getattr read};
 class lnk_file { read getattr };
 class file { append create execute execute_no_trans getattr ioctl lock open read write @PCP_HOSTNAME_EXEC_MAP@ };
 class dir { add_name open read search write getattr };
@@ -93,7 +96,7 @@ require {
 @PCP_SOCK_FILE_GETATTR@
 @PCP_CLASS_STATUS@
 class tcp_socket { name_bind name_connect };
- class shm { unix_read associate getattr };
+ class shm { unix_read associate getattr read};
 class filesystem mount;
 class blk_file { ioctl open read };
 class msgq { unix_read };
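Review bot: The `type pcp_pmcd_t;` added to the require block is not used by anything this patch introduces — the new allow rules are written against the `pcp_domain` attribute — and the existing `allow pcp_pmcd_t ...` rules visible in the last hunk suggest the type is already required further down in this block (the require block continues past this hunk, so that cannot be confirmed here). Either drop the line, or scope the new rules to `pcp_pmcd_t`, in which case `attribute pcp_domain;` becomes the unused requirement instead. Both `domain` and `pcp_domain` must be supplied by the base/distribution policy or the module will fail to load, so a short comment on the new requirement would help packagers: `# pcp_domain is an attribute declared by the distribution's pcp policy module`.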
@@ -286,6 +289,10 @@ allow pcp_pmcd_t postgresql_t:shm { associate getattr unix_read };
 #type=AVC msg=audit(...): avc: denied { connectto } for pid=NNN comm="python" path="/run/postgresql/.s.PGSQL.5432" scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:postgresql_t:s0 tclass=unix_stream_socket
 allow pcp_pmcd_t postgresql_t:unix_stream_socket connectto;
+# allow pcp_pmcd_t domain to read shared memory and semaphores of all domain on system
+allow pcp_domain domain:shm r_sem_perms;
+allow pcp_domain domain:sem r_shm_perms;
+
 #============= pcp_pmlogger_t ==============
 allow pcp_pmlogger_t kmsg_device_t:chr_file { open write };
 allow pcp_pmlogger_t self:capability kill;
-- 
2.23.0
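Review bot: The two new allow rules have their permission sets crossed — the `shm` class is granted `r_sem_perms` and the `sem` class is granted `r_shm_perms`; they should read `allow pcp_domain domain:shm r_shm_perms;` and `allow pcp_domain domain:sem r_sem_perms;`. In refpolicy both macros currently expand to the same `{ associate getattr read unix_read }` set, so this compiles and the mistake is masked, but it will misbehave silently if the two sets ever diverge. The comment says the grant is for pcp_pmcd_t, yet the subject is the `pcp_domain` attribute, which extends read access to the SysV shared memory and semaphores of every domain on the system to all PCP domains (pmlogger, pmie, and any others carrying the attribute), not just pmcd; if only pmcd needs this, the subject should be `pcp_pmcd_t`, and in any case the comment should name the real subject and scope. The rest of this file pairs each rule with the `#type=AVC ...` denial that motivated it; these rules should carry that line too, so the breadth of `domain` as the target can be judged against an actual denial rather than assumed.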