From: Dan Walsh <dwalsh@redhat.com>
Date: Tue, 15 Nov 2011 18:34:20 +0000 (-0500)
Subject: Add interface to allow exec of mongod, add port definition for mongod port, 27017
X-Git-Tag: 000~112
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=26c1acc36e885945fed28d11a4440e07bca4d4bc;p=people%2Fstevee%2Fselinux-policy.git

Add interface to allow exec of mongod, add port definition for mongod port, 27017
---

diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
index 1541989c..9c48de6a 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -189,6 +189,7 @@ network_port(mail, tcp,2000,s0, tcp,3905,s0)
 network_port(matahari, tcp,49000,s0, udp,49000,s0)
 network_port(memcache, tcp,11211,s0, udp,11211,s0)
 network_port(mmcc, tcp,5050,s0, udp,5050,s0)
+network_port(mongod, tcp,27017,s0)
 network_port(monopd, tcp,1234,s0)
 network_port(movaz_ssc, tcp,5252,s0)
 network_port(mpd, tcp,6600,s0)
diff --git a/policy/modules/services/cloudform.if b/policy/modules/services/cloudform.if
index 917f8d4f..6451167c 100644
--- a/policy/modules/services/cloudform.if
+++ b/policy/modules/services/cloudform.if
@@ -19,5 +19,22 @@ template(`cloudform_domain_template',`
     type $1_t, cloudform_domain;
     type $1_exec_t;
     init_daemon_domain($1_t, $1_exec_t)
+')
+
+######################################
+## <summary>
+##	Execute mongod in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+template(`cloudform_exec_mongod',`
+    gen_require(`
+	type mogod_exec_t;
+    ')
 
+    can_exec($1, mogod_exec_t)
 ')
diff --git a/policy/modules/services/cloudform.te b/policy/modules/services/cloudform.te
index 83fc37d2..4f0bd8d4 100644
--- a/policy/modules/services/cloudform.te
+++ b/policy/modules/services/cloudform.te
@@ -167,7 +167,7 @@ manage_files_pattern(mongod_t, mongod_var_run_t, mongod_var_run_t)
 files_pid_filetrans(mongod_t, mongod_var_run_t, { file })
 
 corenet_tcp_bind_generic_node(mongod_t)
-corenet_tcp_bind_generic_port(mongod_t)
+corenet_tcp_bind_mongod_port(mongod_t)
 
 files_read_usr_files(mongod_t)