debian-forge/selinux/osbuild.te
Christian Kellner 65e1b35102 selinux: Allow unconfined_service_t → osbuild_t
When osbuild is invoked via the osbuild composer worker, the latter
is run in the unconfined_service_t domain, so add a rule that
allows that transition.
2020-06-10 01:35:05 +02:00


# SELinux type-enforcement policy for osbuild.
#
# Defines the osbuild_t domain (entered via osbuild_exec_t), lets it be
# reached from the sysadm, unconfined and unconfined_service domains, and
# lets it transition onward into the setfiles_mac and anaconda install
# domains. Note that osbuild_t itself is made an unconfined domain below,
# so the confinement this module provides is mostly about *who may enter*
# osbuild_t and about the onward transitions, not about what osbuild_t
# can do once entered.
policy_module(osbuild, 1.0.0)

########################################
#
# Declarations
#

# Role attribute collecting every role allowed to run osbuild_t;
# system_r is a member so system services (see the unconfined_service_t
# block below) can enter the domain.
attribute_role osbuild_roles;
roleattribute system_r osbuild_roles;

# osbuild_t is the process domain, osbuild_exec_t labels the entrypoint
# executable; application_domain() ties the two together as an
# application domain with osbuild_exec_t as its entrypoint.
type osbuild_t;
type osbuild_exec_t;
application_domain(osbuild_t, osbuild_exec_t)
role osbuild_roles types osbuild_t;

########################################
#
# osbuild local policy
#

# Self access for the pipes and unix stream sockets osbuild uses.
# NOTE(review): while unconfined_domain(osbuild_t) below is in effect
# these two rules are subsumed by it; they only become load-bearing if
# the unconfined macro is ever removed.
allow osbuild_t self:fifo_file manage_fifo_file_perms;
allow osbuild_t self:unix_stream_socket create_stream_socket_perms;

########################################
#
# Customization
#

# make an osbuild_t unconfined domain
# This grants osbuild_t the full unconfined permission set, i.e. the
# policy does not restrict what the osbuild process itself may do; the
# remaining rules govern entry into and exit from the domain.
unconfined_domain(osbuild_t)

# execute setfiles in the setfiles_mac domain
# when in the osbuild_t domain
# (setfiles_mac is the variant that can relabel against an alternate
# policy root — presumably used to label the files of the image being
# built; verify against osbuild's setfiles invocation.)
seutil_domtrans_setfiles_mac(osbuild_t)

# Allow sysadm and unconfined to run osbuild
# osbuild_run() is expected to come from the companion osbuild.if (not
# on this page); it presumably grants the exec transition on
# osbuild_exec_t and the role change for the given caller.
optional_policy(`
	gen_require(`
		type sysadm_t;
		role sysadm_r;
	')

	osbuild_run(sysadm_t, sysadm_r)
')

optional_policy(`
	gen_require(`
		type unconfined_t;
		role unconfined_r;
	')

	osbuild_run(unconfined_t, unconfined_r)
')

# The osbuild-composer worker runs as a system service in
# unconfined_service_t, so it must be able to enter osbuild_t too
# (added in commit 65e1b35102).
optional_policy(`
	gen_require(`
		type unconfined_service_t;
		role system_r;
	')

	osbuild_run(unconfined_service_t, system_r)
')

# allow transitioning to install_t (for ostree)
# Wrapped in optional_policy so the module still loads on systems
# without the anaconda policy module.
optional_policy(`
	anaconda_domtrans_install(osbuild_t)
')