authorPatrick Uiterwijk <puiterwijk@redhat.com>2015-06-05 09:02:09 +0000
committerPatrick Uiterwijk <puiterwijk@redhat.com>2015-06-05 09:02:28 +0000
commit4b22cd9f2a7fa0a740a0defa2f3b2cdb62dc1cd3 (patch)
treeff5b962595ef175ecb932d3c693e0e7752651cb4
parent37a27645fc3535ae31d46a001b214eba80e9cbf2 (diff)
Update upload_cgi and add cgi-nfs for pkgs
Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
-rw-r--r--roles/distgit/files/cgi-nfs.ppbin0 -> 62147 bytes
-rw-r--r--roles/distgit/files/cgi-nfs.te23
-rw-r--r--roles/distgit/files/upload_cgi.ppbin65065 -> 64965 bytes
-rw-r--r--roles/distgit/files/upload_cgi.te9
-rw-r--r--roles/distgit/tasks/main.yml7
5 files changed, 33 insertions, 6 deletions
diff --git a/roles/distgit/files/cgi-nfs.pp b/roles/distgit/files/cgi-nfs.pp
new file mode 100644
index 000000000..a0df2cccc
--- /dev/null
+++ b/roles/distgit/files/cgi-nfs.pp
Binary files differ
diff --git a/roles/distgit/files/cgi-nfs.te b/roles/distgit/files/cgi-nfs.te
new file mode 100644
index 000000000..5ba0dfe4f
--- /dev/null
+++ b/roles/distgit/files/cgi-nfs.te
@@ -0,0 +1,23 @@
+policy_module(nfscgi, 1.0.0)
+
+require {
+ type httpd_git_script_t;
+ type git_script_t;
+ type git_system_t;
+ type httpd_git_content_t;
+ type nfs_t;
+ class dir { create write search add_name remove_name getattr open };
+ class file { create write rename setattr read open };
+}
+
+
+allow git_system_t httpd_git_content_t:dir { getattr read open };
+allow git_system_t httpd_git_content_t:file { read open getattr };
+
+
+
+allow httpd_git_script_t nfs_t:dir { write };
+allow git_system_t httpd_git_content_t:dir { search };
+allow httpd_git_script_t nfs_t:dir { create write add_name remove_name };
+allow httpd_git_script_t nfs_t:file { create write rename setattr };
+allow git_script_t nfs_t:file { unlink link };
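Review bot: Lines 49-53 grant the web-facing httpd_git_script_t domain create/write/rename/setattr on every file and directory labelled nfs_t, which is the default label of any NFS mount on the host, not only the share this module is meant to serve; if more than one NFS filesystem is mounted, a compromised CGI can modify all of them. Narrowing this normally means mounting that share with a dedicated context= label (or a distinct type set up by the role) and allowing only that type here, which the "for pkgs" wording of the commit suggests is the actual intent. Line 49 is fully contained in line 51 and can be dropped. The `unlink link` rule moved here from upload_cgi.te lost its explanatory comment; restore it above line 53 as `# Allow upload.cgi to make link on nfs`. The require block's `class file` and `class dir` permission lists also omit `unlink`, `link` and `read`, which the rules below use; since the .pp built, the list is evidently not enforced, but keeping it accurate helps the next reader.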
diff --git a/roles/distgit/files/upload_cgi.pp b/roles/distgit/files/upload_cgi.pp
index cec221582..9091f9266 100644
--- a/roles/distgit/files/upload_cgi.pp
+++ b/roles/distgit/files/upload_cgi.pp
Binary files differ
diff --git a/roles/distgit/files/upload_cgi.te b/roles/distgit/files/upload_cgi.te
index ea41d8063..f9ba1f339 100644
--- a/roles/distgit/files/upload_cgi.te
+++ b/roles/distgit/files/upload_cgi.te
@@ -1,11 +1,11 @@
-policy_module(upload_cgi,1.1.0)
+policy_module(upload_cgi,1.2.0)
require {
type httpd_git_script_t;
type git_script_tmp_t;
- type git_script_t;
- type nfs_t;
+ type git_script_t;
+ type nfs_t;
}
files_tmp_file(git_script_tmp_t)
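Review bot: The require block still declares `type git_script_t;` and `type nfs_t;` (lines 71-72) although the only rule that referenced them, the nfs link/unlink allow, is removed by the second hunk of this file; if nothing in the unseen middle of the file uses them, drop both so the module no longer depends on NFS types it no longer needs. Lines 69-72 appear to differ only in whitespace, so that part of the hunk is presumably an indentation change rather than a content change.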
@@ -27,6 +27,3 @@ term_getattr_all_ptys(httpd_git_script_t);
term_getattr_all_ttys(httpd_git_script_t);
# Do not audit attempts to get the attributes of generic pty devices.
term_dontaudit_getattr_generic_ptys(httpd_git_script_t);
-
-# Allow upload.cgi to make link on nfs
-allow git_script_t nfs_t:file { unlink link };
diff --git a/roles/distgit/tasks/main.yml b/roles/distgit/tasks/main.yml
index 8a213060a..bc5b6fc5e 100644
--- a/roles/distgit/tasks/main.yml
+++ b/roles/distgit/tasks/main.yml
@@ -328,3 +328,10 @@
command: semodule -i /usr/local/share/selinux/upload_cgi.pp
when: selinux_module|changed
+- name: copy over our custom nfs selinux policy
+ copy: src=cgi-nfs.pp dest=/usr/local/share/selinux/cgi-nfs.pp
+ register: nfs_selinux_module
+
+- name: install our custom nfs selinux policy
+ command: semodule -i /usr/local/share/selinux/cgi-nfs.pp
+ when: nfs_selinux_module|changed
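Review bot: Only the prebuilt cgi-nfs.pp is deployed (line 90); nothing ties it to the cgi-nfs.te committed alongside, so a later edit to the .te that forgets to rebuild and commit the .pp silently deploys stale policy, and a reviewer cannot check an opaque binary against its source. Either build the module on the target from the .te (checkmodule and semodule_package) or at least add a comment above line 89: `# cgi-nfs.pp is prebuilt from files/cgi-nfs.te; rebuild and commit both whenever the .te changes`. The same applies to the existing upload_cgi pair at lines 87-88, which this commit also updates as a binary.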