nnd/selinux-refpolicy
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
d48b57a5bd
selinux-refpolicy/policy/modules/admin/cloudinit.if
Chris PeBenito 0c41682fc4 cloudinit: Add permissions derived from sysadm. 
Allow a similar amount of admin capability to cloud-init as sysadm.  Also add
a tunable to allow non-security file management for fallback.

Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
2024-02-22 09:13:38 -05:00

204 lines
4.1 KiB
Plaintext
Raw Blame History

## <summary>Init scripts for cloud VMs</summary>
########################################
## <summary>
## Read and write inherited cloud-init pipes.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`cloudinit_rw_inherited_pipes',`
gen_require(`
type cloud_init_t;
')
allow $1 cloud_init_t:fifo_file rw_inherited_fifo_file_perms;
allow $1 cloud_init_t:fd use;
')
########################################
## <summary>
## Create cloud-init runtime directory.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`cloudinit_create_runtime_dirs',`
gen_require(`
type cloud_init_runtime_t;
')
files_search_runtime($1)
allow $1 cloud_init_runtime_t:dir create_dir_perms;
')
########################################
## <summary>
## Write cloud-init runtime files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`cloudinit_write_runtime_files',`
gen_require(`
type cloud_init_runtime_t;
')
files_search_runtime($1)
write_files_pattern($1, cloud_init_runtime_t, cloud_init_runtime_t)
')
########################################
## <summary>
## Read and write cloud-init runtime files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`cloudinit_rw_runtime_files',`
gen_require(`
type cloud_init_runtime_t;
')
files_search_runtime($1)
rw_files_pattern($1, cloud_init_runtime_t, cloud_init_runtime_t)
')
########################################
## <summary>
## Create cloud-init runtime files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`cloudinit_create_runtime_files',`
gen_require(`
type cloud_init_runtime_t;
')
files_search_runtime($1)
create_files_pattern($1, cloud_init_runtime_t, cloud_init_runtime_t)
')
#######################################
## <summary>
## Create files in /run with the type used for
## cloud-init runtime files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="object_class">
## <summary>
## The class of the object to be created.
## </summary>
## </param>
## <param name="name" optional="true">
## <summary>
## The name of the object being created.
## </summary>
## </param>
#
interface(`cloudinit_filetrans_runtime',`
gen_require(`
type cloud_init_runtime_t;
')
files_runtime_filetrans($1, cloud_init_runtime_t, $2, $3)
')
########################################
## <summary>
## Get the attribute of cloud-init state files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`cloudinit_getattr_state_files',`
gen_require(`
type cloud_init_state_t;
')
files_search_var_lib($1)
allow $1 cloud_init_state_t:dir list_dir_perms;
allow $1 cloud_init_state_t:lnk_file read_lnk_file_perms;
allow $1 cloud_init_state_t:file getattr;
')
########################################
## <summary>
## Write inherited cloud-init temporary files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`cloudinit_write_inherited_tmp_files',`
gen_require(`
type cloud_init_t, cloud_init_tmp_t;
')
allow $1 cloud_init_t:fd use;
allow $1 cloud_init_tmp_t:file write_inherited_file_perms;
')
########################################
## <summary>
## Read and write cloud-init temporary files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`cloudinit_rw_tmp_files',`
gen_require(`
type cloud_init_tmp_t;
')
files_search_tmp($1)
rw_files_pattern($1, cloud_init_tmp_t, cloud_init_tmp_t)
')
########################################
## <summary>
## Create cloud-init temporary files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`cloudinit_create_tmp_files',`
gen_require(`
type cloud_init_tmp_t;
')
files_search_tmp($1)
create_files_pattern($1, cloud_init_tmp_t, cloud_init_tmp_t)
')
Reference in New Issue View Git Blame Copy Permalink