Revision 4b2eac90
Added by Lukas Zapletal about 10 years ago
| foreman.fc | ||
|---|---|---|
|
|
||
|
/var/run/foreman(/.*)? gen_context(system_u:object_r:foreman_var_run_t,s0)
|
||
|
|
||
|
/usr/share/foreman/extras/noVNC/websockify\.py gen_context(system_u:object_r:websockify_exec_t,s0)
|
||
|
/usr/share/foreman/script(/.*)? gen_context(system_u:object_r:httpd_foreman_script_exec_t,s0)
|
||
|
|
||
|
# Passenger non-SCL file contexts
|
||
| foreman.te | ||
|---|---|---|
|
## </desc>
|
||
|
gen_tunable(httpd_run_foreman, true)
|
||
|
|
||
|
## <desc>
|
||
|
## <p>
|
||
|
## Determine whether passenger can connect to TCP ports
|
||
|
## other than specified in the policy.
|
||
|
## </p>
|
||
|
## </desc>
|
||
|
gen_tunable(passenger_can_connect_all, false)
|
||
|
|
||
|
# define types for foreman scripts
|
||
|
apache_content_template(foreman)
|
||
|
|
||
| ... | ... | |
|
|
||
|
miscfiles_read_localization(passenger_t)
|
||
|
|
||
|
# Allow Foreman to connect to PostgreSQL
|
||
|
corenet_tcp_connect_postgresql_port(passenger_t)
|
||
|
corenet_tcp_connect_ssh_port(passenger_t)
|
||
|
|
||
|
optional_policy(`
|
||
|
postgresql_stream_connect(passenger_t)
|
||
|
')
|
||
|
|
||
|
# Allow Foreman to connect anywhere when bool is set
|
||
|
tunable_policy(`passenger_can_connect_all',`
|
||
|
corenet_tcp_connect_all_ports(passenger_t)
|
||
|
')
|
||
|
|
||
|
# The read the code (and potentially modules) from /usr/share.
|
||
|
files_read_usr_files(passenger_t)
|
||
|
|
||
| ... | ... | |
|
manage_dirs_pattern(passenger_t, foreman_lib_t, foreman_lib_t)
|
||
|
manage_files_pattern(passenger_t, foreman_var_run_t, foreman_var_run_t)
|
||
|
manage_dirs_pattern(passenger_t, foreman_var_run_t, foreman_var_run_t)
|
||
|
|
||
|
# Allow Foreman to connect to hosts and guests
|
||
|
corenet_tcp_connect_virt_port(passenger_t)
|
||
|
corenet_tcp_connect_ssh_port(passenger_t)
|
||
|
|
||
|
# Allow Foreman to write to the SQlite databases
|
||
|
read_files_pattern(passenger_t, foreman_db_t, foreman_db_t)
|
||
|
write_files_pattern(passenger_t, foreman_db_t, foreman_db_t)
|
||
| ... | ... | |
|
corecmd_search_bin(passenger_t)
|
||
|
domtrans_pattern(passenger_t, puppetmaster_exec_t, puppetmaster_t)
|
||
|
')
|
||
|
|
||
|
#######################################
|
||
|
#
|
||
|
# Websockify
|
||
|
#
|
||
|
|
||
|
type websockify_t;
|
||
|
type websockify_exec_t;
|
||
|
role system_r types websockify_t;
|
||
|
|
||
|
application_domain(websockify_t, websockify_exec_t)
|
||
|
domtrans_pattern(passenger_t, websockify_exec_t, websockify_t)
|
||
|
|
||
|
require {
|
||
|
type vnc_port_t;
|
||
|
}
|
||
|
|
||
|
allow websockify_t self:netlink_route_socket { bind create getattr nlmsg_read };
|
||
|
allow websockify_t self:tcp_socket { setopt bind create listen accept connect shutdown };
|
||
|
allow websockify_t self:udp_socket { getattr ioctl create connect };
|
||
|
|
||
|
corenet_tcp_bind_generic_node(websockify_t)
|
||
|
corenet_tcp_connect_vnc_port(websockify_t)
|
||
|
corenet_tcp_bind_vnc_port(websockify_t)
|
||
|
dev_read_urand(websockify_t)
|
||
|
kernel_read_system_state(websockify_t)
|
||
|
logging_send_syslog_msg(websockify_t)
|
||
|
miscfiles_read_localization(websockify_t)
|
||
|
sysnet_read_config(websockify_t)
|
||
|
abrt_stream_connect(websockify_t)
|
||
Also available in: Unified diff
Fixes #4569 - websockify rules