Revision 4b2eac90
Added by Lukas Zapletal about 10 years ago
foreman.fc | ||
---|---|---|
|
||
/var/run/foreman(/.*)? gen_context(system_u:object_r:foreman_var_run_t,s0)
|
||
|
||
/usr/share/foreman/extras/noVNC/websockify\.py gen_context(system_u:object_r:websockify_exec_t,s0)
|
||
/usr/share/foreman/script(/.*)? gen_context(system_u:object_r:httpd_foreman_script_exec_t,s0)
|
||
|
||
# Passenger non-SCL file contexts
|
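Review bot: The new `websockify\.py` context only takes effect on a direct execve of that file, so the passenger_t → websockify_t transition declared in foreman.te does not fire if Foreman launches it as `python websockify.py` — in that case the entry point is the interpreter and the process stays in passenger_t. The invocation path is not visible here, so worth confirming against the Foreman code that spawns it. I would record the assumption next to the entry: `# must be executed directly (not via the interpreter) for the websockify_t transition to apply`.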
foreman.te | ||
---|---|---|
## </desc>
|
||
gen_tunable(httpd_run_foreman, true)
|
||
|
||
## <desc>
|
||
## <p>
|
||
## Determine whether passenger can connect to TCP ports
|
||
## other than specified in the policy.
|
||
## </p>
|
||
## </desc>
|
||
gen_tunable(passenger_can_connect_all, false)
|
||
|
||
# define types for foreman scripts
|
||
apache_content_template(foreman)
|
||
|
||
... | ... | |
|
||
miscfiles_read_localization(passenger_t)
|
||
|
||
# Allow Foreman to connect to PostgreSQL
|
||
corenet_tcp_connect_postgresql_port(passenger_t)
|
||
corenet_tcp_connect_ssh_port(passenger_t)
|
||
|
||
optional_policy(`
|
||
postgresql_stream_connect(passenger_t)
|
||
')
|
||
|
||
# Allow Foreman to connect anywhere when bool is set
|
||
tunable_policy(`passenger_can_connect_all',`
|
||
corenet_tcp_connect_all_ports(passenger_t)
|
||
')
|
||
|
||
# The read the code (and potentially modules) from /usr/share.
|
||
files_read_usr_files(passenger_t)
|
||
|
||
... | ... | |
manage_dirs_pattern(passenger_t, foreman_lib_t, foreman_lib_t)
|
||
manage_files_pattern(passenger_t, foreman_var_run_t, foreman_var_run_t)
|
||
manage_dirs_pattern(passenger_t, foreman_var_run_t, foreman_var_run_t)
|
||
|
||
# Allow Foreman to connect to hosts and guests
|
||
corenet_tcp_connect_virt_port(passenger_t)
|
||
corenet_tcp_connect_ssh_port(passenger_t)
|
||
|
||
# Allow Foreman to write to the SQlite databases
|
||
read_files_pattern(passenger_t, foreman_db_t, foreman_db_t)
|
||
write_files_pattern(passenger_t, foreman_db_t, foreman_db_t)
|
||
... | ... | |
corecmd_search_bin(passenger_t)
|
||
domtrans_pattern(passenger_t, puppetmaster_exec_t, puppetmaster_t)
|
||
')
|
||
|
||
#######################################
|
||
#
|
||
# Websockify
|
||
#
|
||
|
||
type websockify_t;
|
||
type websockify_exec_t;
|
||
role system_r types websockify_t;
|
||
|
||
application_domain(websockify_t, websockify_exec_t)
|
||
domtrans_pattern(passenger_t, websockify_exec_t, websockify_t)
|
||
|
||
require {
|
||
type vnc_port_t;
|
||
}
|
||
|
||
allow websockify_t self:netlink_route_socket { bind create getattr nlmsg_read };
|
||
allow websockify_t self:tcp_socket { setopt bind create listen accept connect shutdown };
|
||
allow websockify_t self:udp_socket { getattr ioctl create connect };
|
||
|
||
corenet_tcp_bind_generic_node(websockify_t)
|
||
corenet_tcp_connect_vnc_port(websockify_t)
|
||
corenet_tcp_bind_vnc_port(websockify_t)
|
||
dev_read_urand(websockify_t)
|
||
kernel_read_system_state(websockify_t)
|
||
logging_send_syslog_msg(websockify_t)
|
||
miscfiles_read_localization(websockify_t)
|
||
sysnet_read_config(websockify_t)
|
||
abrt_stream_connect(websockify_t)
|
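Review bot: `abrt_stream_connect(websockify_t)` at the end of the Websockify block is called unconditionally, while the other cross-module interface in this file (the puppetmaster domtrans closed by the `')` just above the Websockify header) is wrapped in `optional_policy(`; on a host without the abrt module the foreman module will then fail to build or load, so it should read `optional_policy(`\n\tabrt_stream_connect(websockify_t)\n')`. The `require { type vnc_port_t; }` block is redundant in this hunk: vnc_port_t is never referenced directly, and corenet_tcp_connect_vnc_port/corenet_tcp_bind_vnc_port already pull the type in, so it can be dropped. The `self:tcp_socket` rule lists bind/listen/accept/connect/shutdown but no read, write or getattr; unless application_domain() supplies them (I cannot see that here), the proxy would be denied on actual data transfer, and the idiomatic spelling would be `allow websockify_t self:tcp_socket create_stream_socket_perms;` rather than a hand-listed set. The enclosing file section also includes earlier collapsed hunks (the `...` rows) that are not visible in full.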
Fixes #4569 - websockify rules