Changeset: 75415562a428 for MonetDB URL: https://dev.monetdb.org/hg/MonetDB?cmd=changeset;node=75415562a428 Modified Files: buildtools/selinux/monetdb.te Branch: Nov2019 Log Message:
Add selinux policies suggested by setroubleshoot.
diffs (42 lines):
diff --git a/buildtools/selinux/monetdb.te b/buildtools/selinux/monetdb.te
--- a/buildtools/selinux/monetdb.te
+++ b/buildtools/selinux/monetdb.te
@@ -1,4 +1,4 @@
-policy_module(monetdb, 0.6)
+policy_module(monetdb, 0.7)
 # The above line declares that this file is a SELinux policy file. Its
 # name is monetdb, so the file should be saved as monetdb.te
@@ -8,8 +8,10 @@ require {
 type tmp_t;
 type var_t;
 type user_home_t;
+ type user_home_dir_t;
 type unconfined_service_t; # for EPEL 7
 type proc_t; # for EPEL 7
+ type cgroup_t;
 class dir { read };
 class fd { use };
 class fifo_file { getattr read write };
@@ -125,6 +127,7 @@ allow mserver5_t self:unix_stream_socket
 allow mserver5_t self:netlink_selinux_socket create_socket_perms;
 manage_dirs_pattern(mserver5_t, tmp_t, tmp_t)
 manage_sock_files_pattern(mserver5_t, tmp_t, tmp_t)
+allow mserver5_t tmp_t:file create;
 manage_sock_files_pattern(mserver5_t, mserver5_db_t, mserver5_db_t)
 allow mserver5_t monetdbd_t:fifo_file { read write getattr };
 allow mserver5_t monetdbd_t:unix_stream_socket { read write getopt shutdown };
@@ -132,10 +135,13 @@ allow mserver5_t var_t:dir { read };
 # we want to be able to read some cgroup files
 fs_search_cgroup_dirs(mserver5_t);
 fs_read_cgroup_files(mserver5_t);
+allow mserver5_t cgroup_t:dir search;
+allow mserver5_t self:process execmem;
 allow monetdbd_t var_t:dir { read };
 gen_tunable(mserver5_can_read_home, false)
 tunable_policy(`mserver5_can_read_home', `
 userdom_search_user_home_dirs(mserver5_t)
 allow mserver5_t user_home_t:file read_file_perms;
+ allow mserver5_t user_home_dir_t:dir search;
 ')
 allow monetdbd_t mserver5_t:unix_stream_socket { connectto };
_______________________________________________
checkin-list mailing list
checkin-list@monetdb.org
https://www.monetdb.org/mailman/listinfo/checkin-list
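Review bot: The new `allow mserver5_t tmp_t:file create;` grants only `create` on generic `tmp_t` files, so the server will create a temp file and then be denied `write`, `open` or `unlink` on it, and setroubleshoot will keep producing follow-up suggestions for the same code path. The neighbouring lines already use the reference-policy pattern macros, so if the server genuinely needs full lifecycle access the consistent form is `manage_files_pattern(mserver5_t, tmp_t, tmp_t)` rather than a bare allow rule. Creating files under the shared `tmp_t` label is also the weaker option: the usual approach is a private type declared with `files_tmp_file()` plus a `files_tmp_filetrans()` rule so the server's temporary files cannot be confused with, or pre-created by, other confined domains that write to /tmp. If the write is only incidental (a library falling back to TMPDIR), pointing it at the database directory avoids the rule altogether. The mserver5_t rules continue outside the hunk.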
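Review bot: `allow mserver5_t self:process execmem;` is the one rule here that should not be adopted straight from setroubleshoot: it permits anonymous memory that is both writable and executable, removing the W^X guarantee that keeps injected data from being run as code, and the commit gives no indication which component (a JIT, an embedded interpreter, a loaded extension) triggered the denial. If the need comes from an optional feature, gate it the way home-directory access already is, e.g. `gen_tunable(mserver5_can_execmem, false)` and `tunable_policy(`mserver5_can_execmem', ` allow mserver5_t self:process execmem; ')`, with a comment naming the denial that motivated it; if it comes from a mapping in the server itself, fixing that mapping is preferable to relaxing the policy. The added `allow mserver5_t cgroup_t:dir search;` also appears redundant next to `fs_search_cgroup_dirs(mserver5_t)` two lines above, which normally grants exactly that permission; if it was needed on a distribution whose interface differs, a `# for EPEL 7` style comment as used in the require block would record why. The enclosing policy continues outside the hunk.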