
Update sponson selinux and add systemdmachine patch

tags/0.5.0
Sam Black 3 years ago
parent
commit
5650ba5548
Signed by: samwwwblack <samwwwblack@lapwing.org> GPG Key ID: 0FF0223994EA47D8
5 changed files with 48 additions and 3 deletions
  1. +4
    -1
      README.rst
  2. BIN
      selinux/sponson.pp
  3. +2
    -2
      selinux/sponson.te
  4. BIN
      selinux/systemdmachine.pp
  5. +42
    -0
      selinux/systemdmachine.te

+ 4
- 1
README.rst View File

@@ -62,10 +62,13 @@ you can build the module using

checkmodule -M -m -o {path to sponson}/selinux/sponson.mod {path to sponson}/selinux/sponson.te

semodule_package -o {path to sponson}/selinux/sponson.pp {path to sponson}/selinux/sponson.mod
semodule_package -o {path to sponson}/selinux/sponson.pp -m {path to sponson}/selinux/sponson.mod

sudo semodule -i {path to sponson}/selinux/sponson.pp

Fedora 25 also seems to have faults with `machinectl` accessing `/var/lib/machines`,
so you might want to also use the provided `systemdmachine.pp`.


Licence
=======


BIN
selinux/sponson.pp View File


+ 2
- 2
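--- a/selinux/sponson.te
+++ b/selinux/sponson.te
@@ -6,11 +6,11 @@ require {
 type firewalld_t;
 type systemd_machined_var_lib_t;
 class dbus send_msg;
-class dir { mounton read };
+class dir { getattr mounton read };
 }
 
 #============= firewalld_t ==============
 allow firewalld_t init_t:dbus send_msg;
 
 #============= init_t ==============
-allow init_t systemd_machined_var_lib_t:dir { mounton read };
+allow init_t systemd_machined_var_lib_t:dir { getattr mounton read };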
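Review bot: The widened `init_t` rule (now `{ getattr mounton read }` on `systemd_machined_var_lib_t`) carries no record of the AVC denial it was derived from, so the next Fedora policy update cannot tell whether the grant is still needed or has been absorbed upstream; add a comment above the rule such as `# Fedora 25: init_t denied getattr on systemd_machined_var_lib_t when machinectl starts a container (from audit2allow)`. The `module sponson ...` declaration sits outside the hunk, so whether the version was bumped alongside the rebuilt sponson.pp is not visible here. The binary sponson.pp committed with this change cannot be reviewed against the .te; the README build steps let users rebuild and `semodule -i` from source, which is worth stating as the recommended path rather than installing the shipped .pp.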

BIN
selinux/systemdmachine.pp View File


+ 42
- 0
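--- /dev/null
+++ b/selinux/systemdmachine.te
@@ -0,0 +1,42 @@
+
+module systemdmachine 1.0;
+
+require {
+type tmpfs_t;
+type devpts_t;
+type systemd_machined_t;
+type systemd_unit_file_t;
+type var_lib_t;
+type unconfined_service_t;
+class dir search;
+class process signal;
+class lnk_file read;
+class cap_userns { kill sys_admin sys_ptrace };
+class chr_file open;
+class file { getattr open read };
+class sock_file write;
+class service stop;
+}
+
+#============= systemd_machined_t ==============
+
+allow systemd_machined_t devpts_t:chr_file open;
+
+allow systemd_machined_t self:cap_userns { kill sys_admin sys_ptrace };
+
+allow systemd_machined_t tmpfs_t:lnk_file read;
+
+allow systemd_machined_t tmpfs_t:sock_file write;
+
+allow systemd_machined_t unconfined_service_t:dir search;
+
+allow systemd_machined_t unconfined_service_t:file { getattr open read };
+
+allow systemd_machined_t unconfined_service_t:lnk_file read;
+
+allow systemd_machined_t unconfined_service_t:process signal;
+
+allow systemd_machined_t var_lib_t:lnk_file read;
+
+allow systemd_machined_t systemd_unit_file_t:service stop;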
