diff options
author | Stefano Brivio <sbrivio@redhat.com> | 2023-03-10 17:00:31 +0000 |
---|---|---|
committer | Stefano Brivio <sbrivio@redhat.com> | 2023-03-10 20:01:41 +0100 |
commit | 93105ea06619d4c199f8140f4b75ae359757dc6d (patch) | |
tree | 77de1a7e1600ff452415fe539be3285e1b990dd1 | |
parent | dcdc50fc2251339d6e929f708fad114e61b60627 (diff) | |
download | passt-93105ea06619d4c199f8140f4b75ae359757dc6d.tar passt-93105ea06619d4c199f8140f4b75ae359757dc6d.tar.gz passt-93105ea06619d4c199f8140f4b75ae359757dc6d.tar.bz2 passt-93105ea06619d4c199f8140f4b75ae359757dc6d.tar.lz passt-93105ea06619d4c199f8140f4b75ae359757dc6d.tar.xz passt-93105ea06619d4c199f8140f4b75ae359757dc6d.tar.zst passt-93105ea06619d4c199f8140f4b75ae359757dc6d.zip |
contrib/selinux: Split interfaces into smaller bits
...to fit accepted Fedora practices.
Link: https://github.com/fedora-selinux/selinux-policy/pull/1613
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
-rw-r--r-- | contrib/selinux/passt.if | 71 |
1 files changed, 61 insertions, 10 deletions
diff --git a/contrib/selinux/passt.if b/contrib/selinux/passt.if index 3e37c5b..f7560a7 100644 --- a/contrib/selinux/passt.if +++ b/contrib/selinux/passt.if @@ -17,37 +17,88 @@ interface(`passt_domtrans',` domtrans_pattern($1, passt_exec_t, passt_t) ') -interface(`passt_socket',` +interface(`passt_socket_dir',` + gen_require(` + type passt_t; + ') + + allow passt_t $1:dir add_entry_dir_perms; +') + +interface(`passt_socket_create',` + gen_require(` + type passt_t; + ') + + allow passt_t $1:sock_file create; +') + +interface(`passt_socket_use',` gen_require(` type passt_t; ') - allow $1 $2:sock_file write; allow $1 passt_t:unix_stream_socket connectto; + allow $1 $2:sock_file { read write }; + allow passt_t $2:sock_file { read write }; +') + +interface(`passt_socket_delete',` + gen_require(` + type passt_t; + ') + + allow $1 $2:sock_file unlink; +') + +interface(`passt_logfile_dir',` + gen_require(` + type passt_t; + ') - allow passt_t $2:sock_file { create read write unlink }; + allow passt_t $1:dir add_entry_dir_perms; ') -interface(`passt_logfile',` +interface(`passt_logfile_use',` gen_require(` type passt_t; ') logging_log_file($1); - allow passt_t $1:dir { search write add_name }; allow passt_t $1:file { create open read write }; ') -interface(`passt_pidfile',` +interface(`passt_pidfile_dir',` + gen_require(` + type passt_t; + ') + + allow passt_t $1:dir add_entry_dir_perms; +') + +interface(`passt_pidfile_write',` + gen_require(` + type passt_t; + ') + + files_pid_file($1); + allow passt_t $1:file { create open write }; +') + +interface(`passt_pidfile_read',` gen_require(` type passt_t; ') - allow $1 $2:file { open read unlink }; + allow $1 $2:file { open read }; +') + +interface(`passt_pidfile_delete',` + gen_require(` + type passt_t; + ') - files_pid_file($2); - allow passt_t $2:dir { search write add_name }; - allow passt_t $2:file { create open write }; + allow $1 $2:file unlink; ') interface(`passt_kill',` |