Switches SELinux netlink_route_socket to use a Refpol macro
The old statement whitelisted explicit permissions and was not
fully complete. It worked on most distributions but not all.
This Refpol version will use a superset which is maintained in
Refpol and is appropriate for use anywhere Refpol is available.

closes #1484
https://pulp.plan.io/issues/1484
Brian Bouterse committed Feb 10, 2016
1 parent 5622613 commit 23143fc
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion server/selinux/server/pulp-celery.te
Expand Up @@ -36,7 +36,7 @@ require {
# tcp_socket { shutdown } is needed for CentOS 6 `sudo service pulp_workers restart`
#

allow celery_t self:netlink_route_socket { bind create getattr nlmsg_read write read };
allow celery_t self:netlink_route_socket r_netlink_socket_perms;
allow celery_t self:process { signal signull };
allow celery_t self:udp_socket { ioctl getattr create connect write read };
allow celery_t self:unix_dgram_socket { create connect };
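
Review bot: The new `allow celery_t self:netlink_route_socket r_netlink_socket_perms;` rule has no entry in the comment block above it, which otherwise records why a permission is needed (as the `tcp_socket { shutdown }` line does for CentOS 6). The commit message describes the macro as a superset of the old explicit list, so celery_t now holds permissions beyond `bind create getattr nlmsg_read write read`, and the expansion is not visible in this file and follows whatever Refpol defines. Please add a comment naming the distribution or denial that the old list missed and stating that the permission set is inherited from the Refpol macro, so a later least-privilege audit of this domain can tell which access is actually required.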