commit: 9ce367ee6624a28ea34fc54f71f5490aef71dccf
Author: Grant Ridder <shortdudey123 <AT> gmail <DOT> com>
AuthorDate: Mon Feb 1 18:42:36 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Fri Feb 12 02:54:52 2016 +0000
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=9ce367ee
Add read/write perms for redis-sentinel
Fixes
```
type=AVC msg=audit(1454110519.451:77): avc: denied { read } for pid=2863
comm="redis-sentinel" name="redis-sentinel.conf" dev="dm-0" ino=69275142
scontext=system_u:system_r:redis_t:s0 tcontext=system_u:object_r:unlabeled_t:s0
tclass=file
type=AVC msg=audit(1454110519.451:77): avc: denied { open } for pid=2863
comm="redis-sentinel" path="/etc/redis-sentinel.conf" dev="dm-0" ino=69275142
scontext=system_u:system_r:redis_t:s0 tcontext=system_u:object_r:unlabeled_t:s0
tclass=file
type=AVC msg=audit(1454110519.451:78): avc: denied { getattr } for pid=2863
comm="redis-sentinel" path="/etc/redis-sentinel.conf" dev="dm-0" ino=69275142
scontext=system_u:system_r:redis_t:s0 tcontext=system_u:object_r:unlabeled_t:s0
tclass=file
type=AVC msg=audit(1454110519.457:80): avc: denied { write } for pid=2863
comm="redis-sentinel" name="redis-sentinel.conf" dev="dm-0" ino=69275142
scontext=system_u:system_r:redis_t:s0 tcontext=system_u:object_r:unlabeled_t:s0
tclass=file
```
policy/modules/contrib/redis.fc | 2 ++
policy/modules/contrib/redis.if | 5 ++++-
policy/modules/contrib/redis.te | 5 +++++
3 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/policy/modules/contrib/redis.fc b/policy/modules/contrib/redis.fc
index e240ac9..9f9c0c4 100644
--- a/policy/modules/contrib/redis.fc
+++ b/policy/modules/contrib/redis.fc
@@ -1,5 +1,7 @@
/etc/rc\.d/init\.d/redis --
gen_context(system_u:object_r:redis_initrc_exec_t,s0)
+/etc/redis.*\.conf -- gen_context(system_u:object_r:redis_conf_t,s0)
+
/usr/sbin/redis-server -- gen_context(system_u:object_r:redis_exec_t,s0)
/var/lib/redis(/.*)? gen_context(system_u:object_r:redis_var_lib_t,s0)
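Review bot: The new file-context regex `/etc/redis.*\.conf` is broader than the two files the commit is labelling, because `.` also matches `/`, so a path such as `/etc/redis-extra/something.conf` (constructed example) would also be typed redis_conf_t and inherit the write access redis.te now grants the daemon. `/etc/redis[^/]*\.conf` restricts the match to entries directly under /etc while still covering `/etc/redis.conf` and `/etc/redis-sentinel.conf`. The quoted AVCs show the file currently labelled unlabeled_t, so the new entry only takes effect once /etc is relabelled; that is worth noting alongside the context line.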
diff --git a/policy/modules/contrib/redis.if b/policy/modules/contrib/redis.if
index 6d86dbf..276309a 100644
--- a/policy/modules/contrib/redis.if
+++ b/policy/modules/contrib/redis.if
@@ -20,7 +20,7 @@
interface(`redis_admin',`
gen_require(`
type redis_t, redis_initrc_exec_t, redis_var_lib_t;
- type redis_log_t, redis_var_run_t;
+ type redis_log_t, redis_var_run_t, redis_conf_t;
')
allow $1 redis_t:process { ptrace signal_perms };
@@ -28,6 +28,9 @@ interface(`redis_admin',`
init_startstop_service($1, $2, redis_t, redis_initrc_exec_t)
+ files_search_etc($1)
+ admin_pattern($1, redis_conf_t)
+
logging_search_logs($1)
admin_pattern($1, redis_log_t)
diff --git a/policy/modules/contrib/redis.te b/policy/modules/contrib/redis.te
index c116691..83a78ce 100644
--- a/policy/modules/contrib/redis.te
+++ b/policy/modules/contrib/redis.te
@@ -21,6 +21,9 @@ files_type(redis_var_lib_t)
type redis_var_run_t;
files_pid_file(redis_var_run_t)
+type redis_conf_t;
+files_config_file(redis_conf_t)
+
########################################
#
# Local policy
@@ -31,6 +34,8 @@ allow redis_t self:fifo_file rw_fifo_file_perms;
allow redis_t self:unix_stream_socket create_stream_socket_perms;
allow redis_t self:tcp_socket create_stream_socket_perms;
+allow redis_t redis_conf_t:file rw_file_perms;
+
manage_dirs_pattern(redis_t, redis_log_t, redis_log_t)
manage_files_pattern(redis_t, redis_log_t, redis_log_t)
manage_lnk_files_pattern(redis_t, redis_log_t, redis_log_t)
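Review bot: `allow redis_t redis_conf_t:file rw_file_perms;` gives the daemon write access to every redis_conf_t file, including `/etc/redis.conf` matched by the new fc entry, whereas the quoted AVCs only show redis-sentinel writing `redis-sentinel.conf`; a compromised redis_t process could therefore rewrite the server's own configuration as well. If the write is intended (the AVC suggests the sentinel rewrites its config at runtime), a comment above the rule saying so, e.g. `# redis-sentinel rewrites its own configuration file`, would stop a later reviewer from narrowing it back to `read_files_pattern(redis_t, redis_conf_t, redis_conf_t)`. The denials were all on the file class, so redis_t presumably already has search on etc_t from elsewhere in the module; if it does not, `files_search_etc(redis_t)` is also needed, which cannot be confirmed from this hunk.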