110 строки
3.4 KiB
Diff
110 строки
3.4 KiB
Diff
From 0e834c0829623cfe53e1aa3a3cd387c3ac13b6a8 Mon Sep 17 00:00:00 2001
|
|
From: Chris PeBenito <Christopher.PeBenito@microsoft.com>
|
|
Date: Wed, 8 Feb 2023 18:57:16 +0000
|
|
Subject: [PATCH 22/35] cloudinit: Add support for installing RPMs and setting
|
|
passwords.
|
|
|
|
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
|
|
---
|
|
policy/modules/admin/cloudinit.if | 19 +++++++++++++++++++
|
|
policy/modules/admin/cloudinit.te | 12 ++++++++++++
|
|
policy/modules/admin/rpm.te | 4 ++++
|
|
3 files changed, 35 insertions(+)
|
|
|
|
MSFT_TAG: pending
|
|
|
|
diff --git a/policy/modules/admin/cloudinit.if b/policy/modules/admin/cloudinit.if
|
|
index 4469d7b17..604f56dc4 100644
|
|
--- a/policy/modules/admin/cloudinit.if
|
|
+++ b/policy/modules/admin/cloudinit.if
|
|
@@ -1,5 +1,24 @@
|
|
## <summary>Init scripts for cloud VMs</summary>
|
|
|
|
+########################################
|
|
+## <summary>
|
|
+## Read and write inherited cloud-init pipes.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`cloudinit_rw_inherited_pipes',`
|
|
+ gen_require(`
|
|
+ type cloud_init_t;
|
|
+ ')
|
|
+
|
|
+ allow $1 cloud_init_t:fifo_file rw_inherited_fifo_file_perms;
|
|
+ allow $1 cloud_init_t:fd use;
|
|
+')
|
|
+
|
|
########################################
|
|
## <summary>
|
|
## Create cloud-init runtime directory.
|
|
diff --git a/policy/modules/admin/cloudinit.te b/policy/modules/admin/cloudinit.te
|
|
index 0a82d4436..377891941 100644
|
|
--- a/policy/modules/admin/cloudinit.te
|
|
+++ b/policy/modules/admin/cloudinit.te
|
|
@@ -1,5 +1,9 @@
|
|
policy_module(cloudinit)
|
|
|
|
+gen_require(`
|
|
+ class passwd passwd;
|
|
+')
|
|
+
|
|
########################################
|
|
#
|
|
# Declarations
|
|
@@ -28,6 +32,7 @@ allow cloud_init_t self:capability { chown dac_override dac_read_search fowner f
|
|
dontaudit cloud_init_t self:capability { net_admin sys_tty_config };
|
|
allow cloud_init_t self:fifo_file rw_fifo_file_perms;
|
|
allow cloud_init_t self:unix_dgram_socket create_socket_perms;
|
|
+allow cloud_init_t self:passwd passwd;
|
|
|
|
allow cloud_init_t cloud_init_log_t:file { create_file_perms append_file_perms setattr };
|
|
logging_log_filetrans(cloud_init_t, cloud_init_log_t, file)
|
|
@@ -37,6 +42,7 @@ manage_lnk_files_pattern(cloud_init_t, cloud_init_runtime_t, cloud_init_runtime_
|
|
manage_dirs_pattern(cloud_init_t, cloud_init_runtime_t, cloud_init_runtime_t)
|
|
files_runtime_filetrans(cloud_init_t, cloud_init_runtime_t, { dir file lnk_file })
|
|
|
|
+can_exec(cloud_init_t, cloud_init_state_t)
|
|
manage_files_pattern(cloud_init_t, cloud_init_state_t, cloud_init_state_t)
|
|
manage_lnk_files_pattern(cloud_init_t, cloud_init_state_t, cloud_init_state_t)
|
|
manage_dirs_pattern(cloud_init_t, cloud_init_state_t, cloud_init_state_t)
|
|
@@ -98,10 +104,16 @@ sysnet_domtrans_ifconfig(cloud_init_t)
|
|
|
|
term_write_console(cloud_init_t)
|
|
|
|
+udev_read_runtime_files(cloud_init_t)
|
|
+
|
|
usermanage_domtrans_useradd(cloud_init_t)
|
|
usermanage_domtrans_groupadd(cloud_init_t)
|
|
usermanage_domtrans_passwd(cloud_init_t)
|
|
|
|
+optional_policy(`
|
|
+ rpm_domtrans(cloud_init_t)
|
|
+')
|
|
+
|
|
optional_policy(`
|
|
systemd_dbus_chat_hostnamed(cloud_init_t)
|
|
')
|
|
diff --git a/policy/modules/admin/rpm.te b/policy/modules/admin/rpm.te
|
|
index 14d65ae13..d43e62bd0 100644
|
|
--- a/policy/modules/admin/rpm.te
|
|
+++ b/policy/modules/admin/rpm.te
|
|
@@ -369,6 +369,10 @@ optional_policy(`
|
|
bootloader_run(rpm_script_t, rpm_roles)
|
|
')
|
|
|
|
+optional_policy(`
|
|
+ cloudinit_rw_inherited_pipes(rpm_script_t)
|
|
+')
|
|
+
|
|
optional_policy(`
|
|
dbus_system_bus_client(rpm_script_t)
|
|
|
|
--
|
|
2.34.1
|
|
|