pagure: expand the SELinux pagure policy

Signed-off-by: Pierre-Yves Chibon <pingou@pingoured.fr>
2020-11-17 15:24:35 +01:00 · 2020-11-17 15:24:35 +01:00 · c025a442eb
commit c025a442eb
parent a2dded035a
1 changed files with 5 additions and 5 deletions
--- a/roles/pagure/files/selinux/pagure.te
+++ b/roles/pagure/files/selinux/pagure.te
@ -1,4 +1,4 @@
-module pagure 1.1;
+module pagure 1.2;
 require {
    type gitosis_var_lib_t;
@ -13,14 +13,14 @@ require {
    type var_run_t;
    type var_t;
    class dir { add_name remove_name write };
-    class file { create link setattr write execute execute_no_trans getattr map open read rename unlink };
+    class file { create link setattr write execute execute_no_trans getattr map open read rename unlink ioctrl };
    class process execmem;
    class sock_file write;
    class tcp_socket name_connect;
 }
 allow httpd_t gitosis_var_lib_t:dir { add_name remove_name write };
-allow httpd_t gitosis_var_lib_t:file { create link setattr unlink write };
+allow httpd_t gitosis_var_lib_t:file { create link setattr unlink write rename };
 #============= httpd_t ==============
@ -30,11 +30,11 @@ allow httpd_t httpd_log_t:file { rename unlink };
 #!!!! This avc is allowed in the current policy
 allow httpd_t self:process execmem;
-allow httpd_t var_log_t:file { open rename };
+allow httpd_t var_log_t:file { open rename unlink };
 #!!!! This avc can be allowed using the boolean 'domain_can_mmap_files'
 allow httpd_t var_t:file map;
-allow httpd_t var_t:file { getattr open read };
+allow httpd_t var_t:file { getattr open read ioctl };
 #============= postfix_cleanup_t ==============
 allow postfix_cleanup_t var_run_t:sock_file write;