Updates for corosync to work in enforcing

Allow corosync to map its own shared memory

Sep 26 18:45:02 localhost audispd: node=virtual type=AVC msg=audit(1601145902.400:2972): avc:  denied  { map } for  pid=6903 comm="corosync" path="/dev/shm/qb-6903-7028-31-FGGoGv/qb-request-cmap-header" dev="tmpfs" ino=40759 scontext=system_u:system_r:corosync_t:s0 tcontext=system_u:object_r:corosync_tmpfs_t:s0 tclass=file permissive=1

Setup corosync lock file type

Sep 27 17:20:07 localhost audispd: node=virtual type=PATH msg=audit(1601227207.522:3421): item=1 name="/var/lock/subsys/corosync" inode=35029 dev=00:14 mode=0100640 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:var_lock_t:s0 objtype=DELETE cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
Sep 27 17:34:49 localhost audispd: node=virtual type=AVC msg=audit(1601228085.093:2862): avc:  denied  { read } for  pid=6748 comm="corosync" name="lock" dev="dm-0" ino=13082 scontext=system_u:system_r:corosync_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=lnk_file permissive=1
Sep 27 17:34:49 localhost audispd: node=virtual type=AVC msg=audit(1601228085.093:2862): avc:  denied  { search } for  pid=6748 comm="corosync" name="lock" dev="tmpfs" ino=10248 scontext=system_u:system_r:corosync_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=dir permissive=1
Sep 27 17:34:49 localhost audispd: node=virtual type=AVC msg=audit(1601228085.797:2882): avc:  denied  { add_name } for  pid=7066 comm="touch" name="corosync" scontext=system_u:system_r:corosync_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=dir permissive=1
Sep 27 17:34:49 localhost audispd: node=virtual type=AVC msg=audit(1601228085.797:2882): avc:  denied  { create } for  pid=7066 comm="touch" name="corosync" scontext=system_u:system_r:corosync_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file permissive=1
Sep 27 17:34:49 localhost audispd: node=virtual type=AVC msg=audit(1601228085.797:2882): avc:  denied  { write open } for pid=7066 comm="touch" path="/run/lock/subsys/corosync" dev="tmpfs" ino=35048 scontext=system_u:system_r:corosync_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file permissive=1

On RHEL7, systemd starts the service by executing '/usr/share/corosync/corosync start'; label these files accordingly.

Signed-off-by: Dave Sugar <dsugar@tresys.com>
This commit is contained in:
Dave Sugar 2020-09-26 14:55:35 -04:00
parent 14a45a594b
commit ea1e0e7a9b
2 changed files with 14 additions and 0 deletions


@ -6,8 +6,15 @@
/usr/sbin/corosync -- gen_context(system_u:object_r:corosync_exec_t,s0)
/usr/sbin/corosync-notifyd -- gen_context(system_u:object_r:corosync_exec_t,s0)
ifdef(`distro_redhat',`
/usr/share/corosync/corosync -- gen_context(system_u:object_r:corosync_exec_t,s0)
/usr/share/corosync/corosync-notifyd -- gen_context(system_u:object_r:corosync_exec_t,s0)
')
/var/lib/corosync(/.*)? gen_context(system_u:object_r:corosync_var_lib_t,s0)
/var/lock/subsys/corosync -- gen_context(system_u:object_r:corosync_lock_t,s0)
/var/log/cluster/corosync\.log.* -- gen_context(system_u:object_r:corosync_var_log_t,s0)
/run/cman_.* -s gen_context(system_u:object_r:corosync_runtime_t,s0)
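Review bot: The new lock-file context line matches `/var/lock/subsys/corosync`, but the denials quoted in the description record the object as `/run/lock/subsys/corosync` and a read of the `lock` symlink, so the label only lands on the real file if the policy build's path substitution maps /run/lock to /var/lock (refpolicy normally ships that entry in file_contexts.subs_dist, but it is worth confirming on the target build). A one-line comment above the entry would save the next reader the same check, e.g. `# /run/lock/subsys/corosync on systems where /var/lock is a symlink; relies on the subs_dist mapping`. The distro_redhat block is consistent with the description's note that systemd invokes the script under /usr/share/corosync.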


@ -13,6 +13,9 @@ domain_obj_id_change_exemption(corosync_t)
type corosync_initrc_exec_t;
init_script_file(corosync_initrc_exec_t)
type corosync_lock_t;
files_lock_file(corosync_lock_t)
type corosync_runtime_t alias corosync_var_run_t;
files_runtime_file(corosync_runtime_t)
@ -43,6 +46,9 @@ allow corosync_t self:shm create_shm_perms;
allow corosync_t self:unix_dgram_socket sendto;
allow corosync_t self:unix_stream_socket { accept connectto listen };
manage_files_pattern(corosync_t, corosync_lock_t, corosync_lock_t)
files_lock_filetrans(corosync_t, corosync_lock_t, file)
manage_dirs_pattern(corosync_t, corosync_tmp_t, corosync_tmp_t)
manage_files_pattern(corosync_t, corosync_tmp_t, corosync_tmp_t)
relabel_files_pattern(corosync_t, corosync_tmp_t, corosync_tmp_t)
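Review bot: The unnamed transition `files_lock_filetrans(corosync_t, corosync_lock_t, file)` labels every file corosync_t creates directly in var_lock_t as corosync_lock_t, while the audit trail in the description shows only one such file, named "corosync"; a name-based transition, `files_lock_filetrans(corosync_t, corosync_lock_t, file, "corosync")`, would confine the new label to that file if this policy's files_lock_filetrans accepts the optional name argument as refpolicy's does. The `read` on the var_lock_t lnk_file and `search` on the var_lock_t dir from the same denials are, as far as I recall, already granted inside files_lock_filetrans, so no separate files_search_locks call should be needed; confirm against files.if before relying on it. The hunk's enclosing block of corosync_t rules continues outside the hunk.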
@ -50,6 +56,7 @@ files_tmp_filetrans(corosync_t, corosync_tmp_t, { dir file })
manage_dirs_pattern(corosync_t, corosync_tmpfs_t, corosync_tmpfs_t)
manage_files_pattern(corosync_t, corosync_tmpfs_t, corosync_tmpfs_t)
mmap_read_files_pattern(corosync_t, corosync_tmpfs_t, corosync_tmpfs_t)
fs_tmpfs_filetrans(corosync_t, corosync_tmpfs_t, { dir file })
manage_files_pattern(corosync_t, corosync_var_lib_t, corosync_var_lib_t)