Vagrantfile: add a specific SELinux policy module
When using Vagrant to run virtual machines with SELinux enabled, several specific accesses need to be allowed. It does not make much sense to add the needed rules to the refpolicy, as they are very specific to the use of Vagrant to provision a virtual machine to test a policy. Therefore, create a dedicated module to allow the required accesses. Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
This commit is contained in:
parent
d1f92dae04
commit
7317bd64c0
|
@ -19,6 +19,9 @@ $install_refpolicy = <<-SHELL
|
||||||
make -C /vagrant install-headers
|
make -C /vagrant install-headers
|
||||||
semodule -s refpolicy -i /usr/share/selinux/refpolicy/*.pp
|
semodule -s refpolicy -i /usr/share/selinux/refpolicy/*.pp
|
||||||
|
|
||||||
|
# Load the module specific to Vagrant VM
|
||||||
|
semodule -s refpolicy -i /vagrant/support/vagrant-vm.cil
|
||||||
|
|
||||||
if ! (LANG=C sestatus -v | grep '^Loaded policy name:\s*refpolicy$' > /dev/null)
|
if ! (LANG=C sestatus -v | grep '^Loaded policy name:\s*refpolicy$' > /dev/null)
|
||||||
then
|
then
|
||||||
# Use the reference policy
|
# Use the reference policy
|
||||||
|
|
|
@ -0,0 +1,21 @@
|
||||||
|
; SELinux policy module for running virtual machines with Vagrant
|
||||||
|
|
||||||
|
; Vagrant performs "ssh sudo ..." without allocating a pseudo-terminal.
|
||||||
|
; This leads sudo to directly using sshd pipes, as well as other processes
|
||||||
|
; spawned from the provision scripts. Define an attribute for those processes.
|
||||||
|
(typeattribute vagrant_provisioning_cmd_type)
|
||||||
|
(typeattributeset vagrant_provisioning_cmd_type (
|
||||||
|
load_policy_t
|
||||||
|
semanage_t
|
||||||
|
setfiles_t
|
||||||
|
sudodomain
|
||||||
|
))
|
||||||
|
(allow vagrant_provisioning_cmd_type sshd_t (fifo_file (append getattr ioctl read write)))
|
||||||
|
|
||||||
|
; "vagrant rsync" makes Vagrant invoke "sudo rsync" without a shell which would
|
||||||
|
; make sudo transition out of sysadm_sudo_t.
|
||||||
|
; Therefore add a transition from sysadm_sudo_t to sysadm_t through rsync_exec_t
|
||||||
|
(optional sysadm_sudo_rsync_transition
|
||||||
|
(allow sysadm_t rsync_exec_t (file (entrypoint)))
|
||||||
|
(typetransition sysadm_sudo_t rsync_exec_t process sysadm_t)
|
||||||
|
)
|
Loading…
Reference in New Issue