packages/pcp
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
pcp/Add-pcp_domain-selinux-policy.patch
lingsheng 639da1255a Add pcp_domain selinux policy
2021-11-02 14:43:15 +08:00

56 lines
2.1 KiB
Diff
Raw Blame History

From 630e0e4e304c751127329009000dc0abcb5a62dc Mon Sep 17 00:00:00 2001
From: lingsheng <lingsheng@huawei.com>
Date: Tue, 8 Jun 2021 10:39:37 +0800
Subject: [PATCH] Add pcp_domain selinux policy
---
src/selinux/pcpupstream.te.in | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/src/selinux/pcpupstream.te.in b/src/selinux/pcpupstream.te.in
index 8a8cc22..77ede46 100644
--- a/src/selinux/pcpupstream.te.in
+++ b/src/selinux/pcpupstream.te.in
@@ -1,6 +1,9 @@
module pcpupstream @PACKAGE_VERSION@;
require {
+ attribute domain;
+ attribute pcp_domain;
+
type pcp_pmcd_t;
type user_home_t;
type user_home_dir_t; #RHBZ1488116
@@ -79,7 +82,7 @@ require {
type system_cronjob_t;
type xdm_t;
type postgresql_t;
- class sem { unix_read associate getattr };
+ class sem { unix_read associate getattr read};
class lnk_file { read getattr };
class file { append create execute execute_no_trans getattr ioctl lock open read write @PCP_HOSTNAME_EXEC_MAP@ };
class dir { add_name open read search write getattr };
@@ -93,7 +96,7 @@ require {
@PCP_SOCK_FILE_GETATTR@
@PCP_CLASS_STATUS@
class tcp_socket { name_bind name_connect };
- class shm { unix_read associate getattr };
+ class shm { unix_read associate getattr read};
class filesystem mount;
class blk_file { ioctl open read };
class msgq { unix_read };
@@ -286,6 +289,10 @@ allow pcp_pmcd_t postgresql_t:shm { associate getattr unix_read };
#type=AVC msg=audit(...): avc: denied { connectto } for pid=NNN comm="python" path="/run/postgresql/.s.PGSQL.5432" scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:postgresql_t:s0 tclass=unix_stream_socket
allow pcp_pmcd_t postgresql_t:unix_stream_socket connectto;
+# allow pcp_pmcd_t domain to read shared memory and semaphores of all domain on system
+allow pcp_domain domain:shm r_sem_perms;
+allow pcp_domain domain:sem r_shm_perms;
+
#============= pcp_pmlogger_t ==============
allow pcp_pmlogger_t kmsg_device_t:chr_file { open write };
allow pcp_pmlogger_t self:capability kill;
--
2.23.0
Reference in New Issue View Git Blame Copy Permalink