Fix policy style
Fix policy according to the Reference Policy Style Guideline
https://github.com/SELinuxProject/refpolicy/wiki/StyleGuide

Alphabetically sort rules and permissions.

Macros: fstools_domtrans, mount_domtrans,
systemd_config_systemd_services, systemd_signal_passwd_agent,
move to optional policy blocks.

Remove duplicated macros.

Remove whitespaces.

Add '\' before .py in fc file.

Add local policy for ssh_keygen to optional policy block
5umm3r15 committed May 5, 2021
1 parent 0ca18b2 commit 7ad6816
Showing 3 changed files with 124 additions and 130 deletions.
15 changes: 7 additions & 8 deletions glusterd.fc
Expand Up @@ -6,21 +6,20 @@
/usr/sbin/glusterd -- gen_context(system_u:object_r:glusterd_initrc_exec_t,s0)
/usr/sbin/glusterfsd -- gen_context(system_u:object_r:glusterd_exec_t,s0)

/usr/sbin/glustereventsd -- gen_context(system_u:object_r:glusterd_exec_t,s0)
/usr/sbin/gluster-eventsapi -- gen_context(system_u:object_r:glusterd_exec_t,s0)
/usr/sbin/glustereventsd -- gen_context(system_u:object_r:glusterd_exec_t,s0)
/usr/sbin/gluster-eventsapi -- gen_context(system_u:object_r:glusterd_exec_t,s0)


/usr/libexec/glusterfs/peer_eventsapi.py -- gen_context(system_u:object_r:glusterd_exec_t,s0)
/usr/libexec/glusterfs/events/glustereventsd.py -- gen_context(system_u:object_r:glusterd_exec_t,s0)
/usr/libexec/glusterfs/gfevents/glustereventsd.py -- gen_context(system_u:object_r:glusterd_exec_t,s0)
/usr/libexec/glusterfs/peer_eventsapi\.py -- gen_context(system_u:object_r:glusterd_exec_t,s0)
/usr/libexec/glusterfs/events/glustereventsd\.py -- gen_context(system_u:object_r:glusterd_exec_t,s0)
/usr/libexec/glusterfs/gfevents/glustereventsd\.py -- gen_context(system_u:object_r:glusterd_exec_t,s0)

/opt/glusterfs/[^/]+/sbin/glusterfsd -- gen_context(system_u:object_r:glusterd_exec_t,s0)

/var/lib/glusterd(/.*)? gen_context(system_u:object_r:glusterd_var_lib_t,s0)

/var/log/glusterfs(/.*)? gen_context(system_u:object_r:glusterd_log_t,s0)

/var/run/gluster(/.*)? gen_context(system_u:object_r:glusterd_var_run_t,s0)
/var/run/glusterd(/.*)? gen_context(system_u:object_r:glusterd_var_run_t,s0)
/var/run/gluster(/.*)? gen_context(system_u:object_r:glusterd_var_run_t,s0)
/var/run/glusterd(/.*)? gen_context(system_u:object_r:glusterd_var_run_t,s0)
/var/run/glusterd.* -- gen_context(system_u:object_r:glusterd_var_run_t,s0)
/var/run/glusterd.* -s gen_context(system_u:object_r:glusterd_var_run_t,s0)
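Review bot: The two `/var/run/glusterd.*` entries closing the hunk differ in object class (`--` regular file versus `-s` socket file), and this difference is not among the style items listed in the commit message; if the `-s` line replaces the `--` line rather than both surviving, the commit changes which class the spec labels and that should be stated in the description or split into its own change. The `-s` form does agree with the `files_pid_filetrans($1, glusterd_var_run_t, sock_file, "glusterd.socket")` rule in glusterd.if, so the socket spec looks intended rather than accidental. Note also that `.*` in `/var/run/glusterd.*` is an unescaped wildcard, so the spec overlaps `/var/run/glusterd(/.*)?` above; this is harmless here because both map to glusterd_var_run_t, but a one-line comment in the fc file saying the overlap is deliberate would save the next reader from treating it as a missing `\.` like the `.py` fixes earlier in the hunk.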
126 changes: 63 additions & 63 deletions glusterd.if
Expand Up @@ -90,10 +90,10 @@ interface(`glusterd_append_log',`
## </param>
#
interface(`glusterd_filetrans_named_pid',`
gen_require(`
type glusterd_var_run_t;
')
files_pid_filetrans($1, glusterd_var_run_t , sock_file, "glusterd.socket")
gen_require(`
type glusterd_var_run_t;
')
files_pid_filetrans($1, glusterd_var_run_t , sock_file, "glusterd.socket")
')

########################################
Expand Down Expand Up @@ -139,118 +139,118 @@ interface(`glusterd_manage_log',`

######################################
## <summary>
## Allow the specified domain to execute gluster's lib files.
## Allow the specified domain to execute gluster's lib files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`gluster_execute_lib',`
gen_require(`
type glusterd_var_lib_t;
')
gen_require(`
type glusterd_var_lib_t;
')

files_list_var_lib($1)
allow $1 glusterd_var_lib_t:dir search_dir_perms;
can_exec($1, glusterd_var_lib_t)
files_list_var_lib($1)
allow $1 glusterd_var_lib_t:dir search_dir_perms;
can_exec($1, glusterd_var_lib_t)
')

######################################
## <summary>
## Read glusterd's config files.
## Read glusterd's config files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`glusterd_read_conf',`
gen_require(`
type glusterd_conf_t;
')
gen_require(`
type glusterd_conf_t;
')

files_search_etc($1)
read_files_pattern($1, glusterd_conf_t, glusterd_conf_t)
files_search_etc($1)
read_files_pattern($1, glusterd_conf_t, glusterd_conf_t)
')

######################################
## <summary>
## Dontaudit Read /var/lib/glusterd files.
## Dontaudit Read /var/lib/glusterd files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`glusterd_dontaudit_read_lib_dirs',`
gen_require(`
type glusterd_var_lib_t;
')
gen_require(`
type glusterd_var_lib_t;
')

dontaudit $1 glusterd_var_lib_t:dir list_dir_perms;
dontaudit $1 glusterd_var_lib_t:dir list_dir_perms;
')

######################################
## <summary>
## Read and write /var/lib/glusterd files.
## Read and write /var/lib/glusterd files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`glusterd_rw_lib',`
gen_require(`
type glusterd_var_lib_t;
')
gen_require(`
type glusterd_var_lib_t;
')

files_search_var_lib($1)
rw_files_pattern($1, glusterd_var_lib_t, glusterd_var_lib_t)
files_search_var_lib($1)
rw_files_pattern($1, glusterd_var_lib_t, glusterd_var_lib_t)
')

######################################
## <summary>
## Read /var/lib/glusterd files.
## Read /var/lib/glusterd files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`glusterd_read_lib_files',`
gen_require(`
type glusterd_var_lib_t;
')
gen_require(`
type glusterd_var_lib_t;
')

files_search_var_lib($1)
files_search_var_lib($1)
allow $1 glusterd_var_lib_t:dir search_dir_perms;
read_files_pattern($1, glusterd_var_lib_t, glusterd_var_lib_t)
read_files_pattern($1, glusterd_var_lib_t, glusterd_var_lib_t)
')

######################################
## <summary>
## Read and write /var/lib/glusterd files.
## Read and write /var/lib/glusterd files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`glusterd_manage_lib_files',`
gen_require(`
type glusterd_var_lib_t;
')
gen_require(`
type glusterd_var_lib_t;
')

files_search_var_lib($1)
files_search_var_lib($1)
allow $1 glusterd_var_lib_t:dir search_dir_perms;
manage_files_pattern($1, glusterd_var_lib_t, glusterd_var_lib_t)
manage_files_pattern($1, glusterd_var_lib_t, glusterd_var_lib_t)
')

######################################
Expand Down Expand Up @@ -282,9 +282,9 @@ interface(`glusterd_admin',`
allow $1 glusterd_t:process { signal_perms };
ps_process_pattern($1, glusterd_t)

tunable_policy(`deny_ptrace',`',`
allow $1 glusterd_t:process ptrace;
')
tunable_policy(`deny_ptrace',`',`
allow $1 glusterd_t:process ptrace;
')

glusterd_initrc_domtrans($1)
domain_system_change_exemption($1)
Expand Down Expand Up @@ -321,8 +321,8 @@ interface(`glusterd_admin',`
#
ifndef(`rsync_rw_unix_stream_sockets',`
interface(`rsync_rw_unix_stream_sockets',`
gen_require(`
type rsync_t;
gen_require(`
type rsync_t;
')

allow $1 rsync_t:unix_stream_socket rw_socket_perms;
