forked from Normation/rudder
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
2 changed files
with
37 additions
and
12 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,6 +1,8 @@ | ||
| /var/rudder/inventories/accepted-nodes-updates gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) | ||
| /var/rudder/inventories/incoming gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) | ||
| /var/rudder/reports/incoming gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) | ||
| /var/log/rudder/apache2(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) | ||
| /opt/rudder/etc/uuid.hive gen_context(system_u:object_r:httpd_sys_content_t,s0) | ||
|
|
||
| /var/log/rudder/apache2(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) | ||
| /opt/rudder/etc/uuid.hive -- gen_context(system_u:object_r:httpd_sys_content_t,s0) | ||
| /opt/rudder/bin/rudder-relayd -- gen_context(system_u:object_r:rudder_relayd_exec_t,s0) | ||
| /opt/rudder/etc/relay(/.*)? gen_context(system_u:object_r:rudder_relayd_etc_t,s0) | ||
| /var/rudder/inventories(/.*)? gen_context(system_u:object_r:public_content_rw_t,s0) | ||
| /var/rudder/reports(/.*)? gen_context(system_u:object_r:public_content_rw_t,s0) | ||
| /var/rudder/lib/ssl/allnodescerts.pem -- gen_context(system_u:object_r:rudder_relayd_var_lib_t,s0) | ||
| /var/rudder/lib/relay/nodeslist.json -- gen_context(system_u:object_r:rudder_relayd_var_lib_t,s0) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,12 +1,35 @@ | ||
| # Source file for rudder-webapp.pp | ||
| # # Generate rudder-webapp.pp by running: | ||
| # # make -f /usr/share/selinux/devel/Makefile | ||
|
|
||
| module rudder-relay 1.0; | ||
| policy_module(rudder-relay, 1.0.0) | ||
|
|
||
| require { | ||
| type httpd_log_t; | ||
| type httpd_sys_rw_content_t; | ||
| type httpd_sys_content_t; | ||
| type public_content_rw_t; | ||
| } | ||
|
|
||
| type rudder_relayd_t; | ||
| type rudder_relayd_exec_t; | ||
|
|
||
| type rudder_relayd_port_t; | ||
| corenet_port(rudder_relayd_port_t) | ||
| allow rudder_relayd_t rudder_relayd_port_t:tcp_socket name_bind; | ||
|
|
||
| # Macro for standard service program | ||
| init_daemon_domain(rudder_relayd_t, rudder_relayd_exec_t) | ||
|
|
||
| # + droit d'exécuter le binaire sudo ? | ||
|
|
||
| # Allow access to files shared with apache httpd | ||
| miscfiles_manage_public_files(rudder_relayd_t) | ||
|
|
||
| # TODO out and in tcp port | ||
| # Allow to listen on tcp | ||
| allow rudder_relayd_t self:tcp_socket { accept listen }; | ||
|
|
||
| type rudder_relayd_var_lib_t; | ||
| files_config_file(rudder_relayd_var_lib_t) | ||
|
|
||
| type rudder_relayd_etc_t; | ||
| files_config_file(rudder_relayd_etc_t) | ||
|
|
||
| manage_dirs_pattern(rudder_relayd_t, public_content_rw_t, public_content_rw_t) | ||
| manage_files_pattern(rudder_relayd_t, public_content_rw_t, public_content_rw_t) |