
Merge pull request #34 from jpichon/bz1732578

Allow Barbican containers to read files labelled pki_common_t
lhh committed Aug 12, 2019
2 parents 06faac7 + 022ddee commit 4004d291d86e5b75be72a1e0e775e0ee3a410bda
Showing with 17 additions and 1 deletion.
  1. +1 −1 Makefile
  2. +10 −0 os-barbican.te
  3. +6 −0 tests/bz1732578
@@ -1,4 +1,4 @@
TARGETS?=os-ovs os-swift os-nova os-neutron os-mysql os-glance os-rsync os-rabbitmq os-keepalived os-keystone os-haproxy os-mongodb os-ipxe os-redis os-cinder os-httpd os-gnocchi os-collectd os-virt os-dnsmasq os-octavia os-podman os-rsyslog os-pbis
TARGETS?=os-ovs os-swift os-nova os-neutron os-mysql os-glance os-rsync os-rabbitmq os-keepalived os-keystone os-haproxy os-mongodb os-ipxe os-redis os-cinder os-httpd os-gnocchi os-collectd os-virt os-dnsmasq os-octavia os-podman os-rsyslog os-pbis os-barbican
MODULES?=${TARGETS:=.pp.bz2}
DATADIR?=/usr/share
LOCALDIR?=/usr/share/openstack-selinux/master
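--- /dev/null
+++ b/os-barbican.te
@@ -0,0 +1,10 @@
+policy_module(os-barbican,0.1)
+
+gen_require(`
+type container_t;
+type pki_common_t;
+')
+
+# Bugzilla 1732578
+allow container_t pki_common_t:dir read;
+exec_files_pattern(container_t, pki_common_t, pki_common_t);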
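Review bot: The allow rule and the exec_files_pattern on the last two lines are keyed on container_t, the generic container domain, so they grant every container on the host — not only Barbican — read of pki_common_t directories and read/open/execute of pki_common_t files, and because the target label in the test file carries no MCS categories (tcontext ...:pki_common_t:s0) the MCS separation between containers will not narrow this. The module should state that scope next to the Bugzilla reference, e.g. `# NOTE: container_t is shared by all containers; this opens pki_common_t content (the PKCS#11 library under /opt/nfast in tests/bz1732578) to every container, not just Barbican.` If a narrower grant is wanted, a dedicated domain for the Barbican containers or a policy boolean gating these two rules would keep the exposure limited to the service that needs the HSM library. Separately, the dir rule grants only `read`; the matching AVC was logged with permissive=0, which records just the first denied permission, so getattr/open on the directory may surface once read is allowed — `list_dir_perms` is the usual set, with exec_files_pattern already covering search.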
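--- /dev/null
+++ b/tests/bz1732578
@@ -0,0 +1,6 @@
+type=AVC msg=audit(1563895304.208:14480): avc: denied { read } for pid=81224 comm="barbican-manage" name="libcknfast.so" dev="vda2" ino=35936420 scontext=system_u:system_r:container_t:s0:c194,c638 tcontext=unconfined_u:object_r:pki_common_t:s0 tclass=file permissive=0
+type=AVC msg=audit(1563895442.774:14719): avc: denied { read } for pid=94348 comm="httpd" name="libcknfast.so" dev="vda2" ino=35936420 scontext=system_u:system_r:container_t:s0:c111,c895 tcontext=unconfined_u:object_r:pki_common_t:s0 tclass=file permissive=0
+type=AVC msg=audit(1563899396.472:17769): avc: denied { read } for pid=382136 comm="barbican-manage" name="libcknfast.so" dev="vda2" ino=35936420 scontext=system_u:system_r:container_t:s0:c194,c638 tcontext=unconfined_u:object_r:pki_common_t:s0 tclass=file permissive=1
+type=AVC msg=audit(1563899396.472:17769): avc: denied { open } for pid=382136 comm="barbican-manage" path="/opt/nfast/toolkits/pkcs11/libcknfast.so" dev="vda2" ino=35936420 scontext=system_u:system_r:container_t:s0:c194,c638 tcontext=unconfined_u:object_r:pki_common_t:s0 tclass=file permissive=1
+type=AVC msg=audit(1563899396.472:17770): avc: denied { execute } for pid=382136 comm="barbican-manage" path="/opt/nfast/toolkits/pkcs11/libcknfast.so" dev="vda2" ino=35936420 scontext=system_u:system_r:container_t:s0:c194,c638 tcontext=unconfined_u:object_r:pki_common_t:s0 tclass=file permissive=1
+type=AVC msg=audit(1563907351.675:23726): avc: denied { read } for pid=960024 comm="ls" name="nfast" dev="vda2" ino=33555398 scontext=system_u:system_r:container_t:s0:c353,c747 tcontext=system_u:object_r:pki_common_t:s0 tclass=dir permissive=0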
