devops
/
sponson
1
0
Fork 0
Code Issues 6 Pull Requests Releases Activity
Browse Source

Update sponson selinux and add systemdmachine patch

develop
Sam Black 5 years ago
parent
9d535dfaaf
commit
5650ba5548
Signed by: samwwwblack GPG Key ID: 0FF0223994EA47D8
5 changed files with 48 additions and 3 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 5
      README.rst
  2. BIN
      selinux/sponson.pp
  3. 4
      selinux/sponson.te
  4. BIN
      selinux/systemdmachine.pp
  5. 42
      selinux/systemdmachine.te

5
README.rst
View File

@ -62,10 +62,13 @@ you can build the module using
checkmodule -M -m -o {path to sponson}/selinux/sponson.mod {path to sponson}/selinux/sponson.te
semodule_package -o {path to sponson}/selinux/sponson.pp {path to sponson}/selinux/sponson.mod
semodule_package -o {path to sponson}/selinux/sponson.pp -m {path to sponson}/selinux/sponson.mod
sudo semodule -i {path to sponson}/selinux/sponson.pp
Fedora 25 also seems to have faults with `machinectl` accessing `/var/lib/machines`,
so you might want to also use the provided `systemdmachine.pp`.
Licence
=======

BIN
selinux/sponson.pp
View File

Binary file not shown.

4
selinux/sponson.te
View File

@ -6,11 +6,11 @@ require {
type firewalld_t;
type systemd_machined_var_lib_t;
class dbus send_msg;
class dir { mounton read };
class dir { getattr mounton read };
}
#============= firewalld_t ==============
allow firewalld_t init_t:dbus send_msg;
#============= init_t ==============
allow init_t systemd_machined_var_lib_t:dir { mounton read };
allow init_t systemd_machined_var_lib_t:dir { getattr mounton read };

BIN
selinux/systemdmachine.pp
View File

Binary file not shown.

42
selinux/systemdmachine.te
View File

@ -0,0 +1,42 @@
module systemdmachine 1.0;
require {
type tmpfs_t;
type devpts_t;
type systemd_machined_t;
type systemd_unit_file_t;
type var_lib_t;
type unconfined_service_t;
class dir search;
class process signal;
class lnk_file read;
class cap_userns { kill sys_admin sys_ptrace };
class chr_file open;
class file { getattr open read };
class sock_file write;
class service stop;
}
#============= systemd_machined_t ==============
allow systemd_machined_t devpts_t:chr_file open;
allow systemd_machined_t self:cap_userns { kill sys_admin sys_ptrace };
allow systemd_machined_t tmpfs_t:lnk_file read;
allow systemd_machined_t tmpfs_t:sock_file write;
allow systemd_machined_t unconfined_service_t:dir search;
allow systemd_machined_t unconfined_service_t:file { getattr open read };
allow systemd_machined_t unconfined_service_t:lnk_file read;
allow systemd_machined_t unconfined_service_t:process signal;
allow systemd_machined_t var_lib_t:lnk_file read;
allow systemd_machined_t systemd_unit_file_t:service stop;
Write Preview
Loading…
Cancel
Save