Add label rshim_var_run_t for /run/rshim.pid

Add SELinux label into rshim policy so rshim_t process domain can manage pidfiles stored in /run/rshim.pid Signed-off-by: Lukas Vrabec <[email protected]>
fedora-selinux · Nov 22, 2024 · 6b64dd0 · 6b64dd0
1 parent a123037
commit 6b64dd0
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 0 deletions.
diff --git a/policy/modules/contrib/rshim.fc b/policy/modules/contrib/rshim.fc
@@ -1,3 +1,5 @@
 /usr/bin/rshim				--	gen_context(system_u:object_r:rshim_exec_t,s0)
 
+/run/rshim\.pid	--	gen_context(system_u:object_r:rshim_var_run_t,s0)
+
 /usr/lib/systemd/system/rshim.*		--	gen_context(system_u:object_r:rshim_unit_file_t,s0)
diff --git a/policy/modules/contrib/rshim.te b/policy/modules/contrib/rshim.te
@@ -9,6 +9,9 @@ type rshim_t;
 type rshim_exec_t;
 init_daemon_domain(rshim_t, rshim_exec_t)
 
+type rshim_var_run_t;
+files_pid_file(rshim_var_run_t)
+
 type rshim_unit_file_t;
 systemd_unit_file(rshim_unit_file_t)
 
@@ -24,6 +27,9 @@ allow rshim_t self:system module_load;
 allow rshim_t self:unix_stream_socket create_stream_socket_perms;
 allow rshim_t self:netlink_kobject_uevent_socket getopt;
 
+manage_files_pattern(rshim_t, rshim_var_run_t, rshim_var_run_t)
+files_pid_filetrans(rshim_t, rshim_var_run_t, file)
+
 kernel_read_proc_files(rshim_t)
 
 corecmd_exec_shell(rshim_t)