Add dev_read_watchdog
authorDan Walsh <dwalsh@redhat.com>
Tue, 15 Mar 2011 14:43:20 +0000 (10:43 -0400)
committerDan Walsh <dwalsh@redhat.com>
Tue, 15 Mar 2011 14:43:20 +0000 (10:43 -0400)
Need interfaces to kill svirt and signal it
Add port for matahari

policy/modules/kernel/corenetwork.te.in
policy/modules/kernel/devices.if
policy/modules/services/ssh.te
policy/modules/services/virt.if

index 6795999a54ecaed78492d91f59891c638835fee5..0e86190e37dada6071fa8d7ed88a0425a0c5c387 100644 (file)
@@ -162,6 +162,7 @@ network_port(luci, tcp,8084,s0)
 network_port(lmtp, tcp,24,s0, udp,24,s0)
 type lrrd_port_t, port_type; dnl network_port(lrrd_port_t) # no defined portcon
 network_port(mail, tcp,2000,s0, tcp,3905,s0)
+network_port(matahari, tcp,49000,s0, tcp,49000,s0)
 network_port(memcache, tcp,11211,s0, udp,11211,s0)
 network_port(mmcc, tcp,5050,s0, udp,5050,s0)
 network_port(monopd, tcp,1234,s0)
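Review bot: The added line declares tcp port 49000 twice, `network_port(matahari, tcp,49000,s0, tcp,49000,s0)`, whereas every neighbouring entry in this hunk pairs a tcp port with a udp port; a duplicate portcon for the same protocol and port is at best redundant and may be rejected when the policy is compiled. If matahari also listens on udp 49000 the line should read `network_port(matahari, tcp,49000,s0, udp,49000,s0)`; if it is tcp only, `network_port(matahari, tcp,49000,s0)`. Whichever is intended, please confirm it against the ports the daemon actually binds, since a missing udp label or an extra one both change what the port policy enforces.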
index 9814020a921b4d06d5b0c3748ec009f62662935a..0d86b0f2a0e539b1ee9a9972260bb558bd421540 100644 (file)
@@ -4584,6 +4584,24 @@ interface(`dev_rwx_vmware',`
        allow $1 vmware_device_t:chr_file execute;
 ')
 
+########################################
+## <summary>
+##     Read to watchdog devices.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`dev_read_watchdog',`
+       gen_require(`
+               type device_t, watchdog_device_t;
+       ')
+
+       read_chr_files_pattern($1, device_t, watchdog_device_t)
+')
+
 ########################################
 ## <summary>
 ##     Write to watchdog devices.
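Review bot: The summary of the new `dev_read_watchdog` interface reads `##     Read to watchdog devices.`, which is ungrammatical and does not parallel the `Write to watchdog devices.` summary of the interface that follows; `##     Read watchdog devices.` (or `##     Read from watchdog devices.`) is what the generated interface documentation should show. The body itself matches the file's conventions: it requires `device_t` and `watchdog_device_t` and grants only read access through `read_chr_files_pattern`, so it is a narrower grant than the write interface below for callers that only need to observe the device.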
index d060ae4546548f023289b8d7b76ae576d693a4a2..92e24a927785150c0638597549d2287aab692863 100644 (file)
@@ -367,6 +367,7 @@ ifdef(`TODO',`
 # ssh_keygen_t is the type of the ssh-keygen program when run at install time
 # and by sysadm_t
 
+allow ssh_keygen_t self:capability dac_override;
 dontaudit ssh_keygen_t self:capability sys_tty_config;
 allow ssh_keygen_t self:process { sigchld sigkill sigstop signull signal };
 allow ssh_keygen_t self:unix_stream_socket create_stream_socket_perms;
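Review bot: The new `allow ssh_keygen_t self:capability dac_override;` gives ssh-keygen a blanket bypass of discretionary file permission checks, and neither the hunk nor the commit message says which access motivated it; such grants usually trace back to a single AVC denial, and the same denial can often be resolved by fixing ownership or mode on the directory being written instead of widening the domain. At minimum the rule should carry a why-comment naming the triggering access, e.g. `# dac_override: needed when ssh-keygen writes host keys under <PATH-FROM-AVC> owned by another uid -- TODO confirm`, so a later reader can judge whether it is still required. The `dontaudit ssh_keygen_t self:capability sys_tty_config;` on the next line shows the file's habit of dontauditing non-essential capability requests, which makes an unexplained allow stand out. The `ifdef(`TODO',` in the hunk header is gitweb's nearest context line and may not enclose this rule; the surrounding block starts and ends outside the hunk.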
index 5e2f2644bf7e65f933dbb5e6fb4e99c414b7b9c8..508a48007d136b79c3e22b4d9b057d88d357b1a5 100644 (file)
@@ -637,3 +637,39 @@ interface(`virt_dontaudit_write_pipes',`
 
        dontaudit $1 virtd_t:fifo_file write_fifo_file_perms;
 ')
+
+########################################
+## <summary>
+##     Send a sigkill to virtual machines
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`virt_kill_svirt',`
+       gen_require(`
+               attribute virt_domain;
+       ')
+
+       allow $1 virt_domain:process sigkill;
+')
+
+########################################
+## <summary>
+##     Send a signal to virtual machines
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`virt_signal_svirt',`
+       gen_require(`
+               attribute virt_domain;
+       ')
+
+       allow $1 virt_domain:process signal;
+')
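Review bot: The summaries of the two new interfaces say `Send a sigkill to virtual machines` and `Send a signal to virtual machines`, but both rules target the `virt_domain` attribute, so the grant covers every domain carrying that attribute, which may be broader than the svirt guest domains the names `virt_kill_svirt` and `virt_signal_svirt` suggest; the summaries should state the actual scope, e.g. `##     Send a sigkill to all domains with the virt_domain attribute.`, so callers understand what they are being allowed. Because sigkill cannot be caught or ignored by the target, the kill interface is the more sensitive of the two and benefits most from that explicit scope statement. Both interfaces are otherwise consistent with the file's existing style: a `gen_require` of the attribute followed by a single allow rule.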