authorChris PeBenito <Christopher.PeBenito@microsoft.com>2023-02-08 18:57:16 +0000
committerKenton Groombridge <concord@gentoo.org>2024-03-01 12:05:13 -0500
commitea62325b1abe7fffe396517894f87cfa1c97d602 (patch)
tree23c81667ec4b5d68c2f36dd1468e0d85ad270c18
parentfiles: Handle symlinks for /media and /srv. (diff)
cloudinit: Add support for installing RPMs and setting passwords.
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
-rw-r--r--policy/modules/admin/cloudinit.if19
-rw-r--r--policy/modules/admin/cloudinit.te12
-rw-r--r--policy/modules/admin/rpm.te4
3 files changed, 35 insertions, 0 deletions
diff --git a/policy/modules/admin/cloudinit.if b/policy/modules/admin/cloudinit.if
index 4469d7b1..604f56dc 100644
--- a/policy/modules/admin/cloudinit.if
+++ b/policy/modules/admin/cloudinit.if
@@ -2,6 +2,25 @@
########################################
## <summary>
+## Read and write inherited cloud-init pipes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cloudinit_rw_inherited_pipes',`
+ gen_require(`
+ type cloud_init_t;
+ ')
+
+ allow $1 cloud_init_t:fifo_file rw_inherited_fifo_file_perms;
+ allow $1 cloud_init_t:fd use;
+')
+
+########################################
+## <summary>
## Create cloud-init runtime directory.
## </summary>
## <param name="domain">
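Review bot: The summary of the new cloudinit_rw_inherited_pipes interface describes only the pipe access, while the body also grants `fd use` on cloud_init_t's descriptors, so a reader scanning interface summaries will miss half of what a caller receives. Suggest `## Read and write inherited cloud-init pipes and use its inherited file descriptors.` It is worth saying in the summary that the grant is rw_inherited_fifo_file_perms, i.e. the caller cannot open new cloud_init_t pipes, only reuse ones handed down at exec time, which is the intended least-privilege shape for a child that inherits stdout/stderr.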
diff --git a/policy/modules/admin/cloudinit.te b/policy/modules/admin/cloudinit.te
index 0a82d443..37789194 100644
--- a/policy/modules/admin/cloudinit.te
+++ b/policy/modules/admin/cloudinit.te
@@ -1,5 +1,9 @@
policy_module(cloudinit)
+gen_require(`
+ class passwd passwd;
+')
+
########################################
#
# Declarations
@@ -28,6 +32,7 @@ allow cloud_init_t self:capability { chown dac_override dac_read_search fowner f
dontaudit cloud_init_t self:capability { net_admin sys_tty_config };
allow cloud_init_t self:fifo_file rw_fifo_file_perms;
allow cloud_init_t self:unix_dgram_socket create_socket_perms;
+allow cloud_init_t self:passwd passwd;
allow cloud_init_t cloud_init_log_t:file { create_file_perms append_file_perms setattr };
logging_log_filetrans(cloud_init_t, cloud_init_log_t, file)
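Review bot: The new `allow cloud_init_t self:passwd passwd;` has no comment explaining which code path performs the userspace passwd-class check in cloud_init_t itself, even though the module already transitions to passwd_t for password changes (usermanage_domtrans_passwd is present later in this file). That rule matters for least privilege because it lets the cloud-init domain pass the password-change access check directly rather than only via the confined passwd_t domain; if it is needed because some password-setting tool is not labelled passwd_exec_t and so runs in cloud_init_t, that is the fact to record. Suggest a comment above the rule such as `# presumably a password tool runs without transition to passwd_t — confirm which one` so the next maintainer can re-check whether the rule is still required once the tool is labelled. The matching `gen_require` for `class passwd passwd` at the top of the file is the usual way to pull in a userspace class and needs no change.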
@@ -37,6 +42,7 @@ manage_lnk_files_pattern(cloud_init_t, cloud_init_runtime_t, cloud_init_runtime_
manage_dirs_pattern(cloud_init_t, cloud_init_runtime_t, cloud_init_runtime_t)
files_runtime_filetrans(cloud_init_t, cloud_init_runtime_t, { dir file lnk_file })
+can_exec(cloud_init_t, cloud_init_state_t)
manage_files_pattern(cloud_init_t, cloud_init_state_t, cloud_init_state_t)
manage_lnk_files_pattern(cloud_init_t, cloud_init_state_t, cloud_init_state_t)
manage_dirs_pattern(cloud_init_t, cloud_init_state_t, cloud_init_state_t)
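Review bot: `can_exec(cloud_init_t, cloud_init_state_t)` gives the domain execute on a type it already fully manages (the manage_*_pattern rules on the following lines), so cloud_init_t can now write a file under its state tree and then run it in its own domain, which carries the capability set declared earlier in this file. That is presumably required because cloud-init materialises user-data and per-boot scripts under its state directory and executes them, but the policy should say so and make the trust assumption explicit. Suggest a comment on the new line, `# run scripts cloud-init writes under its state dir (instance metadata is trusted input)`. If only a subset of that tree must be executable, a dedicated script type with a file transition would be the tighter shape; that is a larger change than this commit and can be a follow-up.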
@@ -98,10 +104,16 @@ sysnet_domtrans_ifconfig(cloud_init_t)
term_write_console(cloud_init_t)
+udev_read_runtime_files(cloud_init_t)
+
usermanage_domtrans_useradd(cloud_init_t)
usermanage_domtrans_groupadd(cloud_init_t)
usermanage_domtrans_passwd(cloud_init_t)
optional_policy(`
+ rpm_domtrans(cloud_init_t)
+')
+
+optional_policy(`
systemd_dbus_chat_hostnamed(cloud_init_t)
')
diff --git a/policy/modules/admin/rpm.te b/policy/modules/admin/rpm.te
index 1eb82cda..8223fd54 100644
--- a/policy/modules/admin/rpm.te
+++ b/policy/modules/admin/rpm.te
@@ -375,6 +375,10 @@ optional_policy(`
')
optional_policy(`
+ cloudinit_rw_inherited_pipes(rpm_script_t)
+')
+
+optional_policy(`
dbus_system_bus_client(rpm_script_t)
optional_policy(`
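Review bot: The new `cloudinit_rw_inherited_pipes(rpm_script_t)` call has no comment tying it to the cloud_init_t → rpm_t transition added in cloudinit.te, so a reader of rpm.te alone cannot tell why rpm scriptlets need cloud-init's pipes. The likely reason is that the rpm_domtrans pattern covers inherited descriptors only for rpm_t, while scriptlets run in rpm_script_t after a second transition and still hold the stdout/stderr pipes cloud-init set up; if that is the case, record it, e.g. `# scriptlets run for installs started by cloud-init inherit its output pipes`. Because the interface is limited to inherited fifo permissions and fd use, rpm_script_t gains no ability to open cloud_init_t pipes on its own, which is the right scope. The optional_policy block opened on the last line of the hunk closes outside it.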