author: Stefano Brivio <sbrivio@redhat.com> 2023-03-06 23:19:18 +0000
committer: Stefano Brivio <sbrivio@redhat.com> 2023-03-09 00:36:08 +0100
commit: d361fe6e809bdf3539d764cfa5058f46ce51bcbf (patch)
tree: 0283a21b5160dd2d9fdcca35585460c7043aa632
parent: de9b0cb5fee2ea00ed7e7877ef9be8c446bca134 (diff)
contrib/selinux: Let interface users set paths for log, PID, socket files
Even libvirt itself will configure passt to write log, PID and socket files to different locations depending on whether the domain is started as root (/var/log/libvirt/...) or as a regular user (/var/log/<PID>/libvirt/...), and user_tmp_t would only cover the latter.

Create interfaces for log and PID files, so that callers can specify different file contexts for those, and modify the interface for the UNIX socket file to allow different paths as well.

Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Tested-by: Laine Stump <laine@redhat.com>
Reviewed-by: Laine Stump <laine@redhat.com>
-rw-r--r--  contrib/selinux/passt.if  26
1 files changed, 25 insertions, 1 deletions
diff --git a/contrib/selinux/passt.if b/contrib/selinux/passt.if
index 893395b..6a6105c 100644
--- a/contrib/selinux/passt.if
+++ b/contrib/selinux/passt.if
@@ -30,8 +30,32 @@ interface(`passt_socket',`
type passt_t;
')
- allow $1 user_tmp_t:sock_file write;
+ allow $1 $2:sock_file write;
allow $1 passt_t:unix_stream_socket connectto;
+
+ allow passt_t $2:sock_file { create read write unlink };
+')
+
+interface(`passt_logfile',`
+ gen_require(`
+ type passt_t;
+ ')
+
+ logging_log_file($1);
+ allow passt_t $1:dir { search write add_name };
+ allow passt_t $1:file { create open read write };
+')
+
+interface(`passt_pidfile',`
+ gen_require(`
+ type passt_t;
+ ')
+
+ allow $1 $2:file { open read unlink };
+
+ files_pid_file($2);
+ allow passt_t $2:dir { search write add_name };
+ allow passt_t $2:file { create open write };
')
interface(`passt_kill',`
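Review bot: the `unlink` permissions added in this hunk have no matching directory permission. In `passt_socket`, `allow passt_t $2:sock_file { create read write unlink };` is not accompanied by any `$2:dir` rule, and in `passt_pidfile` the caller gets `allow $1 $2:file { open read unlink };` with no `$2:dir` rule at all, while `allow passt_t $2:dir { search write add_name };` grants `add_name` but never `remove_name`. Unlinking a file requires `remove_name` on its directory, so removing the socket or PID file will be denied by the directory check unless a rule outside this diff (e.g. in passt.te) already covers it; consider adding `allow passt_t $2:dir { search write add_name remove_name };` to `passt_socket` and `remove_name` to the `dir` rules in `passt_pidfile`. Two smaller points: the new `$2` parameter of `passt_socket` and the two new interfaces carry no `## <summary>`/`## <param>` doc comments in the hunk, and the argument conventions differ (`passt_logfile` takes only the file type as `$1`, whereas `passt_socket` and `passt_pidfile` take the caller domain as `$1` and the file type as `$2`), which invites argument-order mistakes in callers such as libvirt's policy.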