-
Notifications
You must be signed in to change notification settings - Fork 30
/
Copy pathos-keepalived.te
69 lines (59 loc) · 2.11 KB
/
os-keepalived.te
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
policy_module(os-keepalived,0.1)
gen_require(`
type keepalived_t;
type neutron_var_lib_t;
type var_log_t;
type cloud_var_lib_t;
type var_lib_t;
type init_var_lib_t;
type neutron_t;
type sysfs_t;
type NetworkManager_t;
type systemd_systemctl_exec_t;
type ifconfig_exec_t;
type ifconfig_t;
class filesystem { setattr getattr };
class process { signull sigkill setpgid setcap };
class capability { net_admin net_raw kill dac_override sys_admin };
class file { execute read create ioctl unlink execute_no_trans write getattr open entrypoint };
')
# Bugzilla 1351336
allow keepalived_t NetworkManager_t:process signull;
# Some files are being created on the fly.
# Therefore, we will have to allow these rules.
# Bugzilla 1180679 and Bugzilla 1180881
neutron_manage_lib_dirs(keepalived_t)
sysnet_exec_ifconfig(keepalived_t)
# Bugzilla 1969325 for setattr below.
allow keepalived_t neutron_var_lib_t:file { execute read create setattr getattr execute_no_trans write ioctl open };
allow keepalived_t cloud_var_lib_t:file { read getattr open };
allow keepalived_t init_var_lib_t:file { read getattr open };
allow keepalived_t var_lib_t:file { read getattr open };
allow keepalived_t var_log_t:file open;
# bz1434826 - sys_admin
allow keepalived_t self:capability { sys_admin };
allow keepalived_t neutron_t:process sigkill;
gen_tunable(os_keepalived_dac_override, false)
tunable_policy(`os_keepalived_dac_override',`
allow keepalived_t self:capability dac_override;
')
# Bugzilla 1206148
allow keepalived_t sysfs_t:filesystem getattr;
allow keepalived_t neutron_var_lib_t:file unlink;
# Bugzilla 1278430
allow keepalived_t systemd_systemctl_exec_t:file getattr;
# Bugzilla 1243039
# Allow keepalived to monitor haproxy via 'systemctl status haproxy.service'
# by default
optional_policy(`
systemd_systemctl_domain(keepalived)
unconfined_domain(keepalived_systemctl_t)
')
# Bugzilla 1469823
allow keepalived_t self:process setpgid;
# Bugzilla #1434826
allow keepalived_t ifconfig_exec_t:file entrypoint;
sysnet_domtrans_ifconfig(keepalived_t)
# Bugzilla 1789068
netutils_exec_ping(keepalived_t)
allow keepalived_t self:process setcap;