Project

General

Profile

« Previous | Next » 

Revision e54934d3

Added by Lukas Zapletal about 8 years ago

Fixes #10443 - added OpenStack nova rules

This patch introduces new type for missing OpenStack port Compute
(Nova) on EL6, where no port type is provided.

View differences:

foreman-selinux-disable
if /usr/sbin/semodule -s $selinuxvariant -l >/dev/null; then
# Remove all user defined ports (including the default one)
/usr/sbin/semanage port -E | \
grep -E '(elasticsearch|docker)_port_t' | \
grep -E '(elasticsearch|docker|foreman_osapi_compute)_port_t' | \
sed s/-a/-d/g | \
/usr/sbin/semanage -S $selinuxvariant -i -
# Unload policy
foreman-selinux-enable
TMP=$(mktemp -t foreman-selinux-enable.XXXXXXXXXX)
trap "rm -rf '$TMP'" EXIT INT TERM
is_redhat_6() {
test x$(rpm -q --whatprovides redhat-release --qf '%{version}') = x6
}
# Load or upgrade foreman policy and set booleans.
#
# Dependant booleans must be managed in a separate transaction.
......
/usr/sbin/semanage port -E | grep -q docker_port_t || \
echo "port -a -t docker_port_t -p tcp 2375-2376" >> $TMP
if is_redhat_6; then
/usr/sbin/semanage port -E | grep -q foreman_osapi_compute_port_t || \
echo "port -a -t foreman_osapi_compute_port_t -p tcp 8774" >> $TMP
fi
/usr/sbin/semanage -S $selinuxvariant -i $TMP
fi
done
foreman.te
type foreman_proxy_port_t;
corenet_port(foreman_proxy_port_t)
type foreman_osapi_compute_port_t;
corenet_port(foreman_osapi_compute_port_t)
require{
type bin_t;
type httpd_t;
......
tunable_policy(`passenger_can_connect_openstack',`
ifdef(`distro_rhel6', `
# keystone (identity service)
corenet_tcp_connect_commplex_port(passenger_t)
# all other ports not yet defined on rhel6
allow passenger_t foreman_osapi_compute_port_t:tcp_socket name_connect;
',`
# keystone (identity service)
corenet_tcp_connect_commplex_main_port(passenger_t)
# nova (compute service)
corenet_tcp_connect_osapi_compute_port(passenger_t)
')
')

Also available in: Unified diff