Gentoo Archives: gentoo-commits

From:	Jason Zaman <perfinion@g.o>
To:	gentoo-commits@l.g.o
Subject:	[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
Date:	Sat, 28 Nov 2020 23:09:33
Message-Id:	`1605517423.8fff7fea29cd303fb618520b0d792e6ee0cbf0a7.perfinion@gentoo`

1	commit: 8fff7fea29cd303fb618520b0d792e6ee0cbf0a7
2	Author: Dave Sugar <dsugar <AT> tresys <DOT> com>
3	AuthorDate: Sat Sep 26 19:07:30 2020 +0000
4	Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
5	CommitDate: Mon Nov 16 09:03:43 2020 +0000
6	URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=8fff7fea
7
8	Allow pacemaker to map/read/write corosync shared memory files
9
10	Sep 26 18:44:56 localhost audispd: node=virtual type=AVC msg=audit(1601145893.104:2915): avc: denied { read write } for pid=7173 comm="stonithd" name="qb-request-cmap-header" dev="tmpfs" ino=37263 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:corosync_tmpfs_t:s0 tclass=file permissive=1
11	Sep 26 18:44:56 localhost audispd: node=virtual type=AVC msg=audit(1601145893.104:2915): avc: denied { open } for pid=7173 comm="stonithd" path="/dev/shm/qb-7065-7173-28-i3gF6U/qb-request-cmap-header" dev="tmpfs" ino=37263 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:corosync_tmpfs_t:s0 tclass=file permissive=1
12	Sep 26 18:44:56 localhost audispd: node=virtual type=AVC msg=audit(1601145893.104:2916): avc: denied { map } for pid=7173 comm="stonithd" path="/dev/shm/qb-7065-7173-28-i3gF6U/qb-request-cmap-header" dev="tmpfs" ino=37263 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:corosync_tmpfs_t:s0 tclass=file permissive=1
13
14	Signed-off-by: Dave Sugar <dsugar <AT> tresys.com>
15	Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>
16
17	policy/modules/services/corosync.if \| 19 +++++++++++++++++++
18	policy/modules/services/pacemaker.te \| 1 +
19	2 files changed, 20 insertions(+)
20
21	diff --git a/policy/modules/services/corosync.if b/policy/modules/services/corosync.if
22	index f86dbed3..ee54bc9a 100644
23	--- a/policy/modules/services/corosync.if
24	+++ b/policy/modules/services/corosync.if
25	@@ -97,6 +97,25 @@ interface(`corosync_stream_connect',`
26	stream_connect_pattern($1, corosync_runtime_t, corosync_runtime_t, corosync_t)
27	')
28
29	+######################################
30	+## <summary>
31	+## Memmap, read and write corosync tmpfs files.
32	+## </summary>
33	+## <param name="domain">
34	+## <summary>
35	+## Domain allowed access.
36	+## </summary>
37	+## </param>
38	+#
39	+interface(`corosync_mmap_rw_tmpfs',`
40	+ gen_require(`
41	+ type corosync_tmpfs_t;
42	+ ')
43	+
44	+ fs_search_tmpfs($1)
45	+ mmap_rw_files_pattern($1, corosync_tmpfs_t, corosync_tmpfs_t)
46	+')
47	+
48	######################################
49	## <summary>
50	## Read and write corosync tmpfs files.
51
52	diff --git a/policy/modules/services/pacemaker.te b/policy/modules/services/pacemaker.te
53	index 70d976ea..69d619a1 100644
54	--- a/policy/modules/services/pacemaker.te
55	+++ b/policy/modules/services/pacemaker.te
56	@@ -121,6 +121,7 @@ tunable_policy(`pacemaker_startstop_all_services',`
57
58	optional_policy(`
59	corosync_read_log(pacemaker_t)
60	+ corosync_mmap_rw_tmpfs(pacemaker_t)
61	corosync_stream_connect(pacemaker_t)
62	')

Report Message

Find on MARC Find on Google Groups