24 lines
940 B
Plaintext
24 lines
940 B
Plaintext
; SELinux policy module for running virtual machines with Vagrant
|
|
|
|
; Vagrant performs "ssh sudo ..." without allocating a pseudo-terminal.
|
|
; This leads sudo to directly using sshd pipes, as well as other processes
|
|
; spawned from the provision scripts. Define an attribute for those processes.
|
|
(typeattribute vagrant_provisioning_cmd_type)
|
|
(typeattributeset vagrant_provisioning_cmd_type (
|
|
dhcpc_t
|
|
ifconfig_t
|
|
load_policy_t
|
|
semanage_t
|
|
setfiles_t
|
|
sudodomain
|
|
))
|
|
(allow vagrant_provisioning_cmd_type sshd_t (fifo_file (append getattr ioctl read write)))
|
|
|
|
; "vagrant rsync" makes Vagrant invoke "sudo rsync" without a shell which would
|
|
; make sudo transition out of sysadm_sudo_t.
|
|
; Therefore add a transition from sysadm_sudo_t to sysadm_t through rsync_exec_t
|
|
(optional sysadm_sudo_rsync_transition
|
|
(allow sysadm_t rsync_exec_t (file (entrypoint)))
|
|
(typetransition sysadm_sudo_t rsync_exec_t process sysadm_t)
|
|
)
|