/
os-glance.te
55 lines (45 loc) · 1.36 KB
/
os-glance.te
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
policy_module(os-glance,0.1)
gen_require(`
type glance_api_t;
type glance_registry_t;
type glance_var_lib_t;
type glance_tmp_t;
type var_lib_t;
type nfs_t;
class dir { write getattr remove_name create add_name };
class file { write getattr unlink open create };
class lnk_file read;
type sudo_exec_t;
class file { execute };
')
# Bugzilla 1362609
corenet_tcp_connect_memcache_port(glance_registry_t)
# Bugzilla 1219406
allow glance_api_t nfs_t:dir { search getattr write remove_name create add_name };
allow glance_api_t nfs_t:file { write getattr unlink open create };
allow glance_registry_t nfs_t:dir search;
# Bugzilla 1210271
allow glance_registry_t glance_var_lib_t:lnk_file read;
allow glance_api_t glance_var_lib_t:lnk_file read;
allow glance_api_t var_lib_t:lnk_file read;
allow glance_registry_t var_lib_t:lnk_file read;
# Bugzilla 1145802
allow glance_api_t nfs_t:dir getattr;
# Bugzilla 1306525
corenet_tcp_connect_commplex_main_port(glance_registry_t)
# Bugzilla 1313617
fs_getattr_tmpfs(glance_api_t)
# Bugzilla 1395240
manage_sock_files_pattern(glance_api_t, glance_tmp_t, glance_tmp_t)
allow glance_api_t sudo_exec_t:file { execute };
optional_policy(`
gen_require(`
type elasticsearch_port_t;
')
# bugzilla 1192644
allow glance_api_t elasticsearch_port_t:tcp_socket name_bind;
')
# Bug 1430402
optional_policy(`
mysql_read_config(glance_api_t)
')