From: pebenito@ieee.org (Chris PeBenito)
Date: Sat, 4 Nov 2017 14:10:05 -0400
Subject: [refpolicy] [PATCH 3/3] gssproxy: Allow others to stream connect
In-Reply-To: <20171102173047.21952-3-jason@perfinion.com>
References: <20171102173047.21952-1-jason@perfinion.com> <20171102173047.21952-3-jason@perfinion.com>
Message-ID: <22e51097-f099-d90e-3c77-22cdaf105012@ieee.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 11/02/2017 01:30 PM, Jason Zaman wrote:
> kernel AVC: > * Starting gssproxy ... > Failed to write to /proc/net/rpc/use-gss-proxy: 13 (Permission denied) > * start-stop-daemon: failed to start `gssproxy' > > type=AVC msg=audit(1490858215.578:386110): avc: denied { connectto } for pid=25447 comm="gssproxy" path="/run/gssproxy.sock" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:gssproxy_t:s0 tclass=unix_stream_socket permissive=0 > --- > policy/modules/kernel/kernel.te | 4 ++++ > policy/modules/roles/sysadm.te | 4 ++++ > policy/modules/system/userdomain.if | 4 ++++ > 3 files changed, 12 insertions(+) > > diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te > index 0fc74648..22d1ebaf 100644 > --- a/policy/modules/kernel/kernel.te > +++ b/policy/modules/kernel/kernel.te > @@ -423,6 +423,10 @@ optional_policy(` > rpc_tcp_rw_nfs_sockets(kernel_t) > rpc_udp_rw_nfs_sockets(kernel_t) > > + optional_policy(` > + gssproxy_stream_connect(kernel_t) > + ') > + > tunable_policy(`nfs_export_all_ro',` > fs_getattr_noxattr_fs(kernel_t) > fs_list_noxattr_fs(kernel_t) > diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te > index 93c9ee5f..d25dd34b 100644 > --- a/policy/modules/roles/sysadm.te > +++ b/policy/modules/roles/sysadm.te > @@ -455,6 +455,10 @@ optional_policy(` > ') > > optional_policy(` > + gssproxy_admin(sysadm_t) > +') > + > +optional_policy(` > hadoop_role(sysadm_r, sysadm_t) > ') 
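Review bot: In the sysadm.te hunk, gssproxy_admin(sysadm_t) is called with a domain argument only; please confirm that this matches the interface signature the gssproxy module earlier in this series defines, since refpolicy admin interfaces that grant service start/stop also take the role (compare the two-argument hadoop_role(sysadm_r, sysadm_t) call immediately below). The placement ahead of the hadoop block keeps the optional_policy blocks in alphabetical order. In the kernel.te hunk, the new optional_policy(` ... ') is nested inside the existing rpc block, so kernel_t gains connectto on the gssproxy socket only when both the rpc and gssproxy modules are present; that fits the /proc/net/rpc/use-gss-proxy failure in the commit message, but a one-line comment naming the kernel RPC code's use of gssproxy would make the nesting self-explanatory.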
> > diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if > index efb31d0a..49eff3a6 100644 > --- a/policy/modules/system/userdomain.if > +++ b/policy/modules/system/userdomain.if > @@ -664,6 +664,10 @@ template(`userdom_common_user_template',` > ') > > optional_policy(` > + gssproxy_stream_connect($1_t) > + ') > + > + optional_policy(` > hwloc_exec_dhwd($1_t) > hwloc_read_runtime_files($1_t) > ')

Merged.

-- 
Chris PeBenito
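Review bot: The userdomain.if hunk grants gssproxy_stream_connect($1_t) to every domain built from userdom_common_user_template, while the commit message documents only the kernel_t denial; add a sentence stating why unprivileged user domains need to connect to /run/gssproxy.sock so the wider grant is justified in the history. Otherwise the new block follows the existing optional_policy pattern in the template and keeps alphabetical order ahead of the hwloc block.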