Posted to commits@airavata.apache.org by ma...@apache.org on 2022/08/03 13:30:32 UTC
[airavata] branch master updated: AIRAVATA-3609 Additional SELinux updates for tusd role
This is an automated email from the ASF dual-hosted git repository.
machristie pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/airavata.git
The following commit(s) were added to refs/heads/master by this push:
new 558d81bd43 AIRAVATA-3609 Additional SELinux updates for tusd role
558d81bd43 is described below
commit 558d81bd43e4ac5e234b37357b33a8961ee615ce
Author: Marcus Christie <ma...@apache.org>
AuthorDate: Wed Aug 3 09:30:19 2022 -0400
AIRAVATA-3609 Additional SELinux updates for tusd role
---
dev-tools/ansible/roles/tusd/files/my-tusd.te | 14 ++++++++++----
1 file changed, 10 insertions(+), 4 deletions(-)
diff --git a/dev-tools/ansible/roles/tusd/files/my-tusd.te b/dev-tools/ansible/roles/tusd/files/my-tusd.te
index 1c2cdbefd2..a593085b1b 100644
--- a/dev-tools/ansible/roles/tusd/files/my-tusd.te
+++ b/dev-tools/ansible/roles/tusd/files/my-tusd.te
@@ -20,13 +20,19 @@
module my-tusd 1.0;
require {
- type init_t;
type user_home_t;
- class file { execute execute_no_trans open read };
+ type init_t;
+ type httpd_sys_rw_content_t;
+ class file { append create execute execute_no_trans link map open read unlink write };
+ class dir { add_name remove_name };
}
#============= init_t ==============
-allow init_t user_home_t:file execute_no_trans;
+allow init_t httpd_sys_rw_content_t:dir { add_name remove_name };
+allow init_t httpd_sys_rw_content_t:file { append create link open read unlink write };
+
+#!!!! This avc can be allowed using the boolean 'domain_can_mmap_files'
+allow init_t user_home_t:file map;
#!!!! This avc is allowed in the current policy
-allow init_t user_home_t:file { execute open read };
+allow init_t user_home_t:file { execute execute_no_trans open read };
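Review bot: The added rules `allow init_t httpd_sys_rw_content_t:file { append create link open read unlink write };` and `allow init_t user_home_t:file { execute execute_no_trans open read };` are attached to `init_t`, so they apply to every process that remains in that domain, not only to tusd. Together they allow any such process to execute a file labelled `user_home_t` without a domain transition and to create, modify or delete web-writable content, which is presumably wider than the upload service needs. If tusd is the only intended subject, consider labelling its binary with a dedicated executable type that transitions into its own domain (or at least moving it out of `user_home_t`), and granting the `httpd_sys_rw_content_t` rules to that domain instead. At minimum, record the intent above the rules, e.g. `# tusd is started by systemd from a home directory and stays in init_t; these rules widen init_t for all services in that domain`.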