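# rhsmcertd_additions -- SELinux policy module giving the Red Hat
# Subscription Manager daemon domain (rhsmcertd_t) the access it needs on
# top of the base policy: certificate storage, redhat.repo updates, syslog,
# hardware facts collection and the HTTPS connection to candlepin.
#
# to use:
# make -f /usr/share/selinux/devel/Makefile
# semodule -i rhsmcertd_additions.pp
#
# Review note: the earlier version of this module granted rhsmcertd_t
# CAP_SYS_RAWIO and read/open on memory_device_t (/dev/mem) so that dmidecode
# could run inside the daemon domain via execute_no_trans.  That hands the
# whole subscription daemon raw physical-memory access.  dmidecode is now
# executed through a domain transition into dmidecode_t (which is expected to
# already hold sys_rawio and raw memory read in the base policy -- confirm
# with `sesearch -A -s dmidecode_t -c capability` and
# `sesearch -A -s dmidecode_t -t memory_device_t`), and the rawio/memory
# rules are dropped from rhsmcertd_t.
#
# NOTE(review): this module predates the `map` file permission.  On kernels
# that enforce it, the execute/read rules on shell_exec_t and
# dmidecode_exec_t may additionally need `map`; adding it to the require
# block would make the module fail to load on older policies, so it is left
# out here deliberately.

module rhsmcertd_additions 1.0;

require {
	type devlog_t;
	type cert_t;
	type shell_exec_t;
	type syslogd_t;
	type rhsmcertd_t;
	type dmidecode_t;
	type dmidecode_exec_t;
	type http_port_t;
	type sysfs_t;
	type etc_t;
	class process { setsched transition sigchld noatsecure siginh rlimitinh };
	class capability sys_nice;
	class fd use;
	class fifo_file { getattr read write append ioctl lock };
	class sock_file write;
	class tcp_socket name_connect;
	class unix_dgram_socket { create connect sendto ioctl };
	class dir { write read add_name };
	class file { write getattr setattr read create open execute execute_no_trans };
}

# for storing consumer id certs, product certs, and entitlement certs
# NOTE(review): cert_t is the generic certificate label, so this allows
# writing/creating under every cert_t directory, not only the
# subscription-manager ones under /etc/pki.  A dedicated type would narrow
# it but needs file contexts the base policy does not ship.
allow rhsmcertd_t cert_t:dir { write add_name };
allow rhsmcertd_t cert_t:file { write create setattr };

# syslogging entitlement validity status
allow rhsmcertd_t syslogd_t:unix_dgram_socket sendto;

# reading hardware details for facts population
allow rhsmcertd_t sysfs_t:dir read;
allow rhsmcertd_t sysfs_t:file { read getattr open };

# allow updating /etc/yum.repos.d/redhat.repo
# NOTE(review): etc_t is the generic /etc label, so this permits creating or
# writing any etc_t file, not just redhat.repo.  Kept as-is until a
# dedicated type and file context exist for the repo file.
allow rhsmcertd_t etc_t:dir { write add_name };
allow rhsmcertd_t etc_t:file { write create };

# communicate with candlepin on 443 or 8443
allow rhsmcertd_t http_port_t:tcp_socket name_connect;

# daemon nicing
allow rhsmcertd_t self:process setsched;
allow rhsmcertd_t self:capability sys_nice;

# logging
allow rhsmcertd_t self:unix_dgram_socket { create connect ioctl };
allow rhsmcertd_t devlog_t:sock_file write;

# for running virt-what, a shell script, in the daemon domain
# NOTE(review): execute_no_trans on shell_exec_t means any shell the daemon
# is made to exec runs with rhsmcertd_t's full access.
allow rhsmcertd_t shell_exec_t:file { read execute open getattr execute_no_trans };

# virt-what calls dmidecode: run it in dmidecode_t rather than granting
# rhsmcertd_t sys_rawio and /dev/mem.  This is the refpolicy domtrans
# pattern written out, since this module does not use the interface macros.
allow rhsmcertd_t dmidecode_exec_t:file { read execute open getattr };
allow rhsmcertd_t dmidecode_t:process transition;
type_transition rhsmcertd_t dmidecode_exec_t:process dmidecode_t;
# the child inherits the caller's descriptors and pipes and must report exit
allow dmidecode_t rhsmcertd_t:fd use;
allow dmidecode_t rhsmcertd_t:fifo_file { getattr read write append ioctl lock };
allow dmidecode_t rhsmcertd_t:process sigchld;
# silence the usual exec-time checks that do not matter for this transition
dontaudit rhsmcertd_t dmidecode_t:process { noatsecure siginh rlimitinh };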