Revision 3129deef
Added by Sam Kottler about 11 years ago
rpms/selinux/.gitignore | ||
---|---|---|
*.pp
|
||
tmp
|
rpms/selinux/foreman.fc | ||
---|---|---|
foreman -- gen_context(system_u:object_r:httpd_foreman_script_exec_t,s0)
|
||
/var/log/foreman(/.*)? gen_context(system_u:object_r:httpd_foreman_script_log_t,s0)
|
||
/var/lib/foreman/db/(.*.sqlite3)? gen_context(system_u:object_r:foreman_db_t,s0)
|
||
/usr/share/foreman(/.*)? gen_context(system_u:object_r:httpd_foreman_script_exec_t,s0)
|
||
/etc/foreman(/.*)? gen_context(system_u:object_r:foreman_config_t,s0)
|
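Review bot: The `/var/lib/foreman/db/(.*.sqlite3)?` pattern leaves the dot before `sqlite3` unescaped, so it acts as a wildcard and the entry also matches names like `foo_sqlite3`; it should read `/var/lib/foreman/db/(.*\.sqlite3)?`. The first entry, `foreman -- gen_context(...)`, is a relative path, and file-context specifications are matched against absolute paths, so as written it presumably never labels anything — if it is meant for an installed executable, give its full path. Labelling all of `/usr/share/foreman(/.*)?` as `httpd_foreman_script_exec_t` marks every file in the tree, not only scripts, as executable content; if the layout allows, confine the exec type to the script directories and give the rest a read-only content type.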
rpms/selinux/foreman.if | ||
---|---|---|
interface(`httpd_foreman_script_domtrans',`
|
||
gen_require(`
|
||
type httpd_foreman_script_t, httpd_foreman_script_exec_t;
|
||
')
|
||
|
||
corecmd_search_bin($1)
|
||
domtrans_pattern($1, httpd_foreman_script_exec_t, httpd_foreman_script_t)
|
||
')
|
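Review bot: `httpd_foreman_script_domtrans` lacks the `## <summary>` / `## <param>` documentation block that refpolicy interface files carry above each `interface(` and that the policy tooling extracts, so the interface is undocumented to its consumers. Add above the definition a block along the lines of `## <summary>Execute Foreman content in the httpd_foreman_script_t domain.</summary>` followed by `## <param name="domain">` describing the calling domain that is allowed to transition. The `httpd_foreman_script_t` and `httpd_foreman_script_exec_t` types required here are created in foreman.te by `apache_content_template(foreman)`, which is worth stating in the summary so the dependency is visible.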
rpms/selinux/foreman.sh | ||
---|---|---|
#!/bin/sh -e
|
||
|
||
DIRNAME=`dirname $0`
|
||
cd $DIRNAME
|
||
USAGE="$0 [ --update ]"
|
||
if [ `id -u` != 0 ]; then
|
||
echo 'You must be root to run this script'
|
||
exit 1
|
||
fi
|
||
|
||
if [ $# -eq 1 ]; then
|
||
if [ "$1" = "--update" ] ; then
|
||
time=`ls -l --time-style="+%x %X" foreman.te | awk '{ printf "%s %s", $6, $7 }'`
|
||
rules=`ausearch --start $time -m avc --raw -se foreman`
|
||
if [ x"$rules" != "x" ] ; then
|
||
echo "Found avc's to update policy with"
|
||
echo -e "$rules" | audit2allow -R
|
||
echo "Do you want these changes added to policy [y/n]?"
|
||
read ANS
|
||
if [ "$ANS" = "y" -o "$ANS" = "Y" ] ; then
|
||
echo "Updating policy"
|
||
echo -e "$rules" | audit2allow -R >> foreman.te
|
||
# Fall though and rebuild policy
|
||
else
|
||
exit 0
|
||
fi
|
||
else
|
||
echo "No new avcs found"
|
||
exit 0
|
||
fi
|
||
else
|
||
echo -e $USAGE
|
||
exit 1
|
||
fi
|
||
elif [ $# -ge 2 ] ; then
|
||
echo -e $USAGE
|
||
exit 1
|
||
fi
|
||
|
||
echo "Building and Loading Policy"
|
||
set -x
|
||
make -f /usr/share/selinux/devel/Makefile || exit
|
||
/usr/sbin/semodule -i foreman.pp
|
||
|
||
# Fixing the file context on foreman
|
||
/sbin/restorecon -F -R -v foreman
|
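Review bot: The closing `/sbin/restorecon -F -R -v foreman` runs from the script's own directory against a relative path, and this commit adds no `foreman` entry there, so it presumably relabels nothing; the paths the new file contexts cover are what need relabelling, e.g. `/sbin/restorecon -F -R -v /usr/share/foreman /var/log/foreman /etc/foreman /var/lib/foreman/db`. `cd $DIRNAME` is unquoted and breaks on a path containing whitespace; use `cd "$DIRNAME"`. The `$time` expansion on the `ausearch` line appears deliberately unquoted because `--start` takes date and time as two separate arguments — that deserves a comment, since it reads like a quoting bug, and deriving the value by parsing `ls -l` output is fragile compared with `date -r foreman.te '+%x %X'`. In the `--update` path the rules appended to foreman.te are whatever `audit2allow -R` derives from recent denials, including denials caused by misbehaving or hostile requests, and the y/n prompt is the only review gate; the prompt text should say the generated rules must be checked for over-broad grants before answering y.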
rpms/selinux/foreman.te | ||
---|---|---|
policy_module(foreman, 1.0.0)
|
||
|
||
require {
|
||
type setfiles_t;
|
||
type passenger_t;
|
||
type passenger_tmp_t;
|
||
type passenger_log_t;
|
||
type unconfined_t;
|
||
type httpd_t;
|
||
type devpts_t;
|
||
type exim_exec_t;
|
||
type hostname_exec_t;
|
||
type puppetmaster_exec_t;
|
||
type var_log_t;
|
||
type mysqld_var_run_t;
|
||
type mysqld_safe_t;
|
||
type mysqld_t;
|
||
type mysqld_db_t;
|
||
type postfix_exec_t;
|
||
type sendmail_exec_t;
|
||
type syslogd_t;
|
||
type sshd_t;
|
||
type ssh_port_t;
|
||
}
|
||
|
||
apache_content_template(foreman)
|
||
|
||
files_read_etc_files(httpd_foreman_script_t)
|
||
miscfiles_read_localization(httpd_foreman_script_t)
|
||
|
||
# Some basic aliases for different aspects of the filesystem to make things
|
||
# more clear.
|
||
typealias etc_t alias foreman_config_t;
|
||
|
||
type foreman_db_t;
|
||
files_type(foreman_db_t)
|
||
|
||
logging_send_syslog_msg(httpd_foreman_script_t)
|
||
type httpd_foreman_script_log_t;
|
||
logging_log_file(httpd_foreman_script_log_t)
|
||
|
||
# Allow Foreman to write to the SQlite databases
|
||
allow passenger_t foreman_db_t:dir { search append };
|
||
allow passenger_t foreman_db_t:file { write read open getattr create };
|
||
|
||
# httpd needs to write to local sockets
|
||
allow httpd_t passenger_tmp_t:sock_file write;
|
||
|
||
# Allow access to pseudo terminal devices to connect to local virt.
|
||
allow passenger_t devpts_t:dir search;
|
||
|
||
# Allow sending of email reports.
|
||
allow passenger_t exim_exec_t:file { getattr execute };
|
||
allow passenger_t sendmail_exec_t:file { getattr execute };
|
||
allow passenger_t postfix_exec_t:file { getattr execute };
|
||
|
||
# This is required for local MTA's to send mail from the machine.
|
||
allow passenger_t hostname_exec_t:file { read getattr open execute execute_no_trans };
|
||
|
||
allow passenger_t passenger_tmp_t:sock_file { write create unlink getattr setattr };
|
||
|
||
# Allow passenger to interact with the master.
|
||
allow passenger_t puppetmaster_exec_t:file { read getattr open execute execute_no_trans };
|
||
|
||
allow passenger_t self:capability sys_resource;
|
||
|
||
# The read the code (and potentially modules) from /usr/share.
|
||
allow passenger_t usr_t:dir { open read getattr };
|
||
allow passenger_t usr_t:file { open read getattr };
|
||
|
||
# Allow Foreman to write to /var/log
|
||
allow passenger_t var_log_t:file { open append getattr };
|
||
|
||
allow passenger_t mysqld_db_t:dir search;
|
||
allow passenger_t mysqld_safe_t:dir { getattr search };
|
||
allow passenger_t mysqld_safe_t:file { read open };
|
||
allow passenger_t mysqld_t:dir { getattr search };
|
||
allow passenger_t mysqld_t:file { read open };
|
||
allow passenger_t mysqld_var_run_t:sock_file write;
|
||
allow passenger_t mysqld_t:unix_stream_socket connectto;
|
||
|
||
allow passenger_t httpd_foreman_script_exec_t:dir { read search open getattr };
|
||
allow passenger_t httpd_foreman_script_exec_t:file { read getattr open };
|
||
allow passenger_t httpd_foreman_script_exec_t:lnk_file read;
|
||
|
||
allow passenger_t syslogd_t:dir { getattr search };
|
||
|
||
allow passenger_t sshd_t:file { read open };
|
||
allow passenger_t ssh_port_t:tcp_socket name_connect;
|
||
|
||
allow passenger_t self:tcp_socket listen;
|
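Review bot: `typealias etc_t alias foreman_config_t;` makes `foreman_config_t` merely another name for `etc_t`, so `/etc/foreman` (labelled with it in foreman.fc) stays readable by every domain granted `files_read_etc_files`, including any database or service credentials kept there; a dedicated type limits that to Foreman's own domain — `type foreman_config_t;`, `files_config_file(foreman_config_t)` and `read_files_pattern(passenger_t, foreman_config_t, foreman_config_t)`. The `foreman_db_t` rules grant `file { ... create }` but only `dir { search append }`, and creating a file in a directory needs `add_name` and `write` on that directory, so creating a fresh sqlite database would presumably still be denied. `execute_no_trans` on `puppetmaster_exec_t` runs the puppet master binary inside `passenger_t` rather than transitioning to its own domain, which deserves a comment if intentional. The `require` block lists `setfiles_t`, `unconfined_t` and `passenger_log_t`, which no rule below uses, while `usr_t` and `etc_t` are referenced directly without being required — unless the devel Makefile build resolves them, the latter will fail to compile; drop the unused entries and require the missing ones.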
Fixes #2125: add support for running Foreman with SELinux enabled