Merge pull request #35 from jpichon/bz1738134

Sensu: Allow containers to connect to systemd sockets
jpichon committed Aug 13, 2019
2 parents 6504b81 + 66e8a6f commit 72046d32b2454cd1465c979be37aa0e1787c81e4
Showing with 14 additions and 1 deletion.
  1. +1 −1 Makefile
  2. +11 −0 os-sensu.te
  3. +2 −0 tests/bz1738134
@@ -1,4 +1,4 @@
TARGETS?=os-ovs os-swift os-nova os-neutron os-mysql os-glance os-rsync os-rabbitmq os-keepalived os-keystone os-haproxy os-mongodb os-ipxe os-redis os-cinder os-httpd os-gnocchi os-collectd os-virt os-dnsmasq os-octavia os-podman os-rsyslog os-pbis os-barbican
TARGETS?=os-ovs os-swift os-nova os-neutron os-mysql os-glance os-rsync os-rabbitmq os-keepalived os-keystone os-haproxy os-mongodb os-ipxe os-redis os-cinder os-httpd os-gnocchi os-collectd os-virt os-dnsmasq os-octavia os-podman os-rsyslog os-pbis os-barbican os-sensu
MODULES?=${TARGETS:=.pp.bz2}
DATADIR?=/usr/share
LOCALDIR?=/usr/share/openstack-selinux/master
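--- a/os-sensu.te
+++ b/os-sensu.te
@@ -0,0 +1,11 @@
+policy_module(os-sensu,0.1)
+
+gen_require(`
+type container_t;
+type init_t;
+type system_dbusd_t;
+')
+
+# Bugzilla 1738134
+allow container_t init_t:unix_stream_socket connectto;
+allow container_t system_dbusd_t:unix_stream_socket connectto;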
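Review bot: Both allow rules at the end of the hunk are keyed on the generic `container_t` domain, so they grant every container on the host — not only the Sensu one this module is named for — the right to connect to systemd's private control socket (`/run/systemd/private`, per the AVC in tests/bz1738134) and the system D-Bus socket, i.e. a direct channel to the host service manager. A container that also has those socket paths bind-mounted and runs as root can then drive host units, so this is effectively a container-to-host privilege path rather than a Sensu-specific fix. If a dedicated domain for the Sensu container is not practical, the rules should at least sit behind a boolean that defaults off so hosts that do not run Sensu keep the boundary, and the `# Bugzilla 1738134` comment should say what the rules enable rather than only citing the bug. Note also that the second AVC in tests/bz1738134 was captured with `permissive=1`, so further denials past `connectto` (for example `dbus send_msg` towards `init_t`) may surface once this is enforced — hedged, since only those two AVCs are visible here.
```selinux
# … unchanged: policy_module and gen_require block …

# Bugzilla 1738134: let a container talk to the host systemd over
# /run/systemd/private and the system bus.  Off by default because it
# applies to every container_t process, not only the Sensu container.
gen_tunable(os_sensu_container_connect_systemd, false)
tunable_policy(`os_sensu_container_connect_systemd',`
	allow container_t init_t:unix_stream_socket connectto;
	allow container_t system_dbusd_t:unix_stream_socket connectto;
')
```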
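--- a/tests/bz1738134
+++ b/tests/bz1738134
@@ -0,0 +1,2 @@
+type=AVC msg=audit(1565094042.901:130455): avc: denied { connectto } for pid=812858 comm="systemctl" path="/run/dbus/system_bus_socket" scontext=system_u:system_r:container_t:s0:c400,c976 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=0
+type=AVC msg=audit(1565098666.014:137948): avc: denied { connectto } for pid=219615 comm="systemctl" path="/run/systemd/private" scontext=system_u:system_r:container_t:s0:c104,c864 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=1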
