-
Notifications
You must be signed in to change notification settings - Fork 30
/
Copy pathos-neutron.te
138 lines (111 loc) · 3.41 KB
/
os-neutron.te
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
policy_module(os-neutron, 0.1)
gen_require(`
type neutron_t;
type neutron_var_lib_t;
type neutron_tmp_t;
type neutron_exec_t;
type haproxy_exec_t;
type haproxy_t;
type httpd_config_t;
type ipsec_mgmt_exec_t;
type http_port_t;
type dnsmasq_t;
type proc_t;
type radvd_exec_t;
type modules_object_t;
type ipsec_key_file_t;
type keepalived_t;
type logrotate_t;
type nsfs_t;
type fs_t;
class capability setpcap;
class capability dac_override;
class key_socket { write read create };
class netlink_xfrm_socket { bind create nlmsg_write };
class process signal;
class netlink_socket { bind create getattr };
class file { read ioctl getattr execute open execute_no_trans };
class tcp_socket name_bind;
class unix_stream_socket connectto;
class dir search;
class netlink_selinux_socket create;
')
# Bugzilla 1357961
corenet_tcp_bind_openflow_port(neutron_t)
# Bugzilla 1180679
allow neutron_t keepalived_t:process signal;
# Bugzilla 1168526 & 1176830
allow neutron_t radvd_exec_t:file { read open execute execute_no_trans };
fs_getattr_all_fs(neutron_t)
# Bugzilla 1180679
neutron_domtrans(keepalived_t)
# Bugzilla 1169859 & 1171460 & 1171458
can_exec(neutron_t,neutron_var_lib_t)
can_exec(neutron_t,neutron_exec_t)
keepalived_domtrans(neutron_t)
allow neutron_t self:netlink_socket { bind create getattr };
# Bugzilla 1153656
allow haproxy_t proc_t:file read;
# Bugzilla 1135510
allow neutron_t ipsec_mgmt_exec_t:file exec_file_perms;
# Bugzilla 1144199
allow neutron_t http_port_t:tcp_socket name_bind;
# Bugzilla 1230900
manage_sock_files_pattern(neutron_t, neutron_tmp_t, neutron_tmp_t)
# Bugzilla 1245846
allow neutron_t ipsec_key_file_t:file { read ioctl open getattr };
allow neutron_t modules_object_t:file getattr;
allow neutron_t self:capability { setpcap };
allow neutron_t self:key_socket { write read create };
allow neutron_t self:netlink_xfrm_socket { bind create nlmsg_write };
ipsec_exec_mgmt(neutron_t)
ipsec_manage_key_file(neutron_t)
ipsec_read_config(neutron_t)
seutil_exec_setfiles(neutron_t)
# Bugzilla 1850973
gen_tunable(os_neutron_dac_override, false)
tunable_policy(`os_neutron_dac_override',`
allow neutron_t self:capability { dac_override };
')
# Bugzilla 1280083
allow neutron_t httpd_config_t:dir search;
# Bugzilla 1284268
corecmd_getattr_all_executables(neutron_t)
# Bugzilla 1294420
allow neutron_t radvd_exec_t:file getattr;
optional_policy(`
require {
type neutron_t;
type haproxy_t;
type haproxy_exec_t;
type proc_t;
type neutron_var_lib_t;
}
domtrans_pattern(neutron_t, haproxy_exec_t, haproxy_t)
# Bugzilla 1114254
manage_files_pattern(haproxy_t, neutron_var_lib_t, neutron_var_lib_t)
manage_sock_files_pattern(haproxy_t, neutron_var_lib_t, neutron_var_lib_t)
# Bugzilla 1115724 and 1962802
allow neutron_t haproxy_t:process { sigkill signal };
allow neutron_t proc_t:filesystem unmount;
')
# Bugzilla 1249685 (execmem)
gen_tunable(os_neutron_use_execmem, false)
tunable_policy(`os_neutron_use_execmem',`
allow neutron_t self:process execmem;
')
# Bugzilla 1419418 and 2053852
allow neutron_t nsfs_t:file { open read getattr };
# Bugzilla 1893132
allow neutron_t fs_t:filesystem unmount;
# Bugzilla 2053852
allow neutron_t nsfs_t:filesystem unmount;
# Bugzilla 1547197
allow neutron_t self:process setpgid;
# Bugzilla 1581729
corenet_udp_bind_dhcpc_port(neutron_t)
# Bugzilla 1676954
auth_use_pam(neutron_t)
init_rw_utmp(neutron_t)
# Bugzilla 2254886
fs_manage_tmpfs_files(neutron_t)