commit: 8fff7fea29cd303fb618520b0d792e6ee0cbf0a7 |
Author: Dave Sugar <dsugar <AT> tresys <DOT> com> |
AuthorDate: Sat Sep 26 19:07:30 2020 +0000 |
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> |
CommitDate: Mon Nov 16 09:03:43 2020 +0000 |
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=8fff7fea |
|
Allow pacemaker to map/read/write corosync shared memory files |
|
Sep 26 18:44:56 localhost audispd: node=virtual type=AVC msg=audit(1601145893.104:2915): avc: denied { read write } for pid=7173 comm="stonithd" name="qb-request-cmap-header" dev="tmpfs" ino=37263 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:corosync_tmpfs_t:s0 tclass=file permissive=1 |
Sep 26 18:44:56 localhost audispd: node=virtual type=AVC msg=audit(1601145893.104:2915): avc: denied { open } for pid=7173 comm="stonithd" path="/dev/shm/qb-7065-7173-28-i3gF6U/qb-request-cmap-header" dev="tmpfs" ino=37263 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:corosync_tmpfs_t:s0 tclass=file permissive=1 |
Sep 26 18:44:56 localhost audispd: node=virtual type=AVC msg=audit(1601145893.104:2916): avc: denied { map } for pid=7173 comm="stonithd" path="/dev/shm/qb-7065-7173-28-i3gF6U/qb-request-cmap-header" dev="tmpfs" ino=37263 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:corosync_tmpfs_t:s0 tclass=file permissive=1 |
|
Signed-off-by: Dave Sugar <dsugar <AT> tresys.com> |
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org> |
|
policy/modules/services/corosync.if | 19 +++++++++++++++++++ |
policy/modules/services/pacemaker.te | 1 + |
2 files changed, 20 insertions(+) |
|
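--- a/policy/modules/services/corosync.if
+++ b/policy/modules/services/corosync.if
@@ -97,6 +97,25 @@ interface(`corosync_stream_connect',`
 stream_connect_pattern($1, corosync_runtime_t, corosync_runtime_t, corosync_t)
 ')
 
+######################################
+## <summary>
+## Memmap, read and write corosync tmpfs files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corosync_mmap_rw_tmpfs',`
+ gen_require(`
+ type corosync_tmpfs_t;
+ ')
+
+ fs_search_tmpfs($1)
+ mmap_rw_files_pattern($1, corosync_tmpfs_t, corosync_tmpfs_t)
+')
+
 ######################################
 ## <summary>
 ## Read and write corosync tmpfs files.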
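Review bot: The added corosync_mmap_rw_tmpfs interface appears to grant the same access as the neighbouring corosync_rw_tmpfs interface plus the file `map` permission, leaving the policy with two near-identical entry points for the same corosync_tmpfs_t files; the body of corosync_rw_tmpfs is outside this hunk, so that is inferred from its summary only. Since the commit-message AVCs show these libqb buffers being mmapped, any remaining caller of corosync_rw_tmpfs will presumably hit the same `map` denial on a kernel that enforces it, so consider either adding `map` to corosync_rw_tmpfs and noting it as superseded, or having the new interface call it and add only `allow $1 corosync_tmpfs_t:file map;`. The interface summary would also be more useful if it said what is being mapped, e.g. `## Memmap, read and write corosync tmpfs files (libqb IPC shared-memory buffers under /dev/shm).`, which is the path the denials in the commit message refer to.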
diff --git a/policy/modules/services/pacemaker.te b/policy/modules/services/pacemaker.te |
53 |
index 70d976ea..69d619a1 100644 |
54 |
--- a/policy/modules/services/pacemaker.te |
55 |
+++ b/policy/modules/services/pacemaker.te |
56 |
@@ -121,6 +121,7 @@ tunable_policy(`pacemaker_startstop_all_services',` |
57 |
|
58 |
optional_policy(` |
59 |
corosync_read_log(pacemaker_t) |
60 |
+ corosync_mmap_rw_tmpfs(pacemaker_t) |
61 |
corosync_stream_connect(pacemaker_t) |
62 |
') |