-
Notifications
You must be signed in to change notification settings - Fork 30
/
Copy pathos-httpd.te
55 lines (49 loc) · 1.67 KB
/
os-httpd.te
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
policy_module(os-httpd,0.1)
gen_require(`
type httpd_t;
type var_log_t;
type nova_log_t;
type cinder_log_t;
type glance_log_t;
type neutron_log_t;
type keystone_log_t;
type nova_api_t;
type keystone_var_lib_t;
type container_file_t;
')
#
# XXX
# RH OpenStack Platform services are not all WSGI; some are
# still using eventlet or another WSGI server. Furthermore,
# not all daemons have log files which are covered in base
# SELinux policy. For now, with this boolean, allow access
# for httpd to use all known OpenStack log types and
# var_log_t until these are all more correctly covered.
#
# Bugzilla #1437684
# (... and many others ...)
#
gen_tunable(os_httpd_wsgi, false)
tunable_policy(`os_httpd_wsgi',`
# OpenStack services which have not gotten their own log type yet
manage_files_pattern(httpd_t, var_log_t, var_log_t)
# OpenStack services which have an assigned log type
manage_files_pattern(httpd_t, nova_log_t, nova_log_t)
manage_files_pattern(httpd_t, cinder_log_t, cinder_log_t)
manage_files_pattern(httpd_t, glance_log_t, glance_log_t)
manage_files_pattern(httpd_t, neutron_log_t, neutron_log_t)
manage_files_pattern(httpd_t, keystone_log_t, keystone_log_t)
# RHEL 7.4 keystone change
# Bugzilla #1478176
# Bugzilla #1478177
allow httpd_t keystone_var_lib_t:file read_file_perms;
# Strange issue where nis_enabled disappears
# Bugzilla #1315457
# Bugzilla #1489863
corenet_tcp_bind_all_ports(httpd_t)
# Allow read-only access to container_file_t
# This is due to image-server, and images being pulled via mistral container
# during an update/upgrade
read_files_pattern(httpd_t, container_file_t, container_file_t)
allow httpd_t container_file_t:dir read;
')