Posted to commits@airavata.apache.org by ma...@apache.org on 2022/08/03 13:30:32 UTC

[airavata] branch master updated: AIRAVATA-3609 Additional SELinux updates for tusd role

This is an automated email from the ASF dual-hosted git repository.

machristie pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/airavata.git


The following commit(s) were added to refs/heads/master by this push:
     new 558d81bd43 AIRAVATA-3609 Additional SELinux updates for tusd role
558d81bd43 is described below

commit 558d81bd43e4ac5e234b37357b33a8961ee615ce
Author: Marcus Christie <ma...@apache.org>
AuthorDate: Wed Aug 3 09:30:19 2022 -0400

    AIRAVATA-3609 Additional SELinux updates for tusd role
---
 dev-tools/ansible/roles/tusd/files/my-tusd.te | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

diff --git a/dev-tools/ansible/roles/tusd/files/my-tusd.te b/dev-tools/ansible/roles/tusd/files/my-tusd.te
index 1c2cdbefd2..a593085b1b 100644
--- a/dev-tools/ansible/roles/tusd/files/my-tusd.te
+++ b/dev-tools/ansible/roles/tusd/files/my-tusd.te
@@ -20,13 +20,19 @@
 module my-tusd 1.0;
 
 require {
-        type init_t;
         type user_home_t;
-        class file { execute execute_no_trans open read };
+        type init_t;
+        type httpd_sys_rw_content_t;
+        class file { append create execute execute_no_trans link map open read unlink write };
+        class dir { add_name remove_name };
 }
 
 #============= init_t ==============
-allow init_t user_home_t:file execute_no_trans;
+allow init_t httpd_sys_rw_content_t:dir { add_name remove_name };
+allow init_t httpd_sys_rw_content_t:file { append create link open read unlink write };
+
+#!!!! This avc can be allowed using the boolean 'domain_can_mmap_files'
+allow init_t user_home_t:file map;
 
 #!!!! This avc is allowed in the current policy
-allow init_t user_home_t:file { execute open read };
+allow init_t user_home_t:file { execute execute_no_trans open read };
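Review bot: Every new allow rule in this hunk is granted to init_t itself, the domain systemd runs in, rather than to a tusd-specific domain, so the create/write/unlink/link rights on httpd_sys_rw_content_t (file and dir) and the map/execute rights on user_home_t are gained by anything else that stays in init_t, not just tusd. The `#!!!!` lines suggest this is audit2allow output for a tusd binary that never transitions out of init_t; I would expect the narrower fix to be labelling the tusd binary and its upload directory so a confined domain applies, which the commit message should say was considered and rejected if it was. The `map` + `execute` combination on user_home_t is the one to call out in particular, since it lets init_t execute mapped files from user home directories. At minimum the module should carry a header comment before `#============= init_t ==============` stating why tusd runs as init_t and which paths the httpd_sys_rw_content_t and user_home_t rules are meant to cover, so the next person rerunning audit2allow does not widen it further.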