authorSven Vermeulen <sven.vermeulen@siphos.be>2014-08-30 22:15:48 +0200
committerSven Vermeulen <sven.vermeulen@siphos.be>2014-08-30 22:15:48 +0200
commit02fa620d3ded0f4b2eeca78cb7c6bb13542c19af (patch)
treef568646ef4003c4d3e47fe47b9b10c419f79998f
parentAllow salt minions to shut down the system (diff)
downloadhardened-refpolicy-02fa620d3ded0f4b2eeca78cb7c6bb13542c19af.tar.gz
hardened-refpolicy-02fa620d3ded0f4b2eeca78cb7c6bb13542c19af.tar.bz2
hardened-refpolicy-02fa620d3ded0f4b2eeca78cb7c6bb13542c19af.zip
Updates on salt policy - interaction with postfix
-rw-r--r--policy/modules/contrib/salt.te11
1 files changed, 10 insertions, 1 deletions
diff --git a/policy/modules/contrib/salt.te b/policy/modules/contrib/salt.te
index 180305f06..279edfba5 100644
--- a/policy/modules/contrib/salt.te
+++ b/policy/modules/contrib/salt.te
@@ -200,7 +200,7 @@ tunable_policy(`salt_master_read_nfs',`
allow salt_minion_t self:capability { fsetid chown net_admin sys_admin sys_tty_config };
allow salt_minion_t self:capability2 block_suspend;
-allow salt_minion_t self:process { signull };
+allow salt_minion_t self:process { signal signull };
allow salt_minion_t self:tcp_socket create_stream_socket_perms;
allow salt_minion_t self:udp_socket create_socket_perms;
allow salt_minion_t self:unix_dgram_socket create_socket_perms;
@@ -277,8 +277,12 @@ fs_getattr_all_fs(salt_minion_t)
getty_use_fds(salt_minion_t)
+init_exec_rc(salt_minion_t)
+
miscfiles_read_localization(salt_minion_t)
+seutil_domtrans_setfiles(salt_minion_t)
+
sysnet_exec_ifconfig(salt_minion_t)
sysnet_read_config(salt_minion_t)
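Review bot: `seutil_domtrans_setfiles(salt_minion_t)` grants only the type transition, whereas the postfix block later in this commit uses the role-aware form `postfix_run_map(salt_minion_t, salt_minion_roles)`. If the minion can run under a role in `salt_minion_roles` that is not already authorized for setfiles_t, the transition would be denied; refpolicy provides `seutil_run_setfiles`, so `seutil_run_setfiles(salt_minion_t, salt_minion_roles)` would keep the two consistent. Both added calls also widen a domain that already holds `sys_admin` and `net_admin` (visible in the first hunk): the minion can now relabel files through setfiles and, judging by the interface name, execute rc without leaving salt_minion_t. A one-line comment above each call naming the Salt operation that needs it would help later audits, for example `# Salt states restore file contexts after managing files`, with the wording to be confirmed by the author.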
@@ -298,6 +302,11 @@ optional_policy(`
')
optional_policy(`
+ postfix_domtrans_master(salt_minion_t)
+ postfix_run_map(salt_minion_t, salt_minion_roles)
+')
+
+optional_policy(`
shutdown_domtrans(salt_minion_t)
')
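Review bot: The new `optional_policy` block carries no comment explaining why the minion needs `postfix_domtrans_master(salt_minion_t)`, which lets salt_minion_t launch the postfix master directly rather than through the init script. That is a notable grant to leave undocumented, and the commit title only says "interaction with postfix". A comment above the block such as `# Salt states rebuild postfix lookup tables and (re)start postfix` would record the intent; the wording is inferred from the interface names and should be confirmed. If the states only need postmap, keeping `postfix_run_map` and dropping the domtrans line would keep the grant minimal.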