Bug 989473

Summary: Need policy for OpenLMI-PowerManagement
Product: Red Hat Enterprise Linux 7 Reporter: Radek Novacek <rnovacek>
Component: selinux-policy Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED CURRENTRELEASE QA Contact: Milos Malik <mmalik>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 7.0 CC: dominick.grift, dwalsh, mgrepl, mmalik, ovasik
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: selinux-policy-3.12.1-68.el7 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 989472 Environment:
Last Closed: 2014-06-13 09:46:35 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 989472    
Bug Blocks:    

Description Radek Novacek 2013-07-29 10:38:27 UTC
+++ This bug was initially created as a clone of Bug #989472 +++

The OpenLMI-PowerManagement provider needs a policy. This is a similar request to bz979037, bz983422 and bz987951.

The PowerManagement provider uses D-Bus to talk to the upower D-Bus service.

Audit messages are attached.

Result of `ausearch -m avc -ts 12:16 | audit2allow`:
#============= pegasus_openlmi_powermanagement_t ==============
allow pegasus_openlmi_powermanagement_t passwd_file_t:file { read getattr open };
allow pegasus_openlmi_powermanagement_t pegasus_data_t:dir write;
allow pegasus_openlmi_powermanagement_t self:capability { setuid setgid };
allow pegasus_openlmi_powermanagement_t self:netlink_route_socket { bind create getattr nlmsg_read };
allow pegasus_openlmi_powermanagement_t self:udp_socket { create connect getattr };
allow pegasus_openlmi_powermanagement_t system_dbusd_t:unix_stream_socket connectto;
allow pegasus_openlmi_powermanagement_t system_dbusd_var_run_t:dir search;
allow pegasus_openlmi_powermanagement_t system_dbusd_var_run_t:sock_file write;
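
Added example, not part of the original report or of the selinux-policy project: a small Python review helper that parses the audit2allow rules quoted above and lists the grants a policy reviewer would want justified before merging them. The `SENSITIVE` table is an assumption made for this example, not a standard list.

```python
import re

# The audit2allow output from the report above, embedded so the script runs offline.
RULES = """\
#============= pegasus_openlmi_powermanagement_t ==============
allow pegasus_openlmi_powermanagement_t passwd_file_t:file { read getattr open };
allow pegasus_openlmi_powermanagement_t pegasus_data_t:dir write;
allow pegasus_openlmi_powermanagement_t self:capability { setuid setgid };
allow pegasus_openlmi_powermanagement_t self:netlink_route_socket { bind create getattr nlmsg_read };
allow pegasus_openlmi_powermanagement_t self:udp_socket { create connect getattr };
allow pegasus_openlmi_powermanagement_t system_dbusd_t:unix_stream_socket connectto;
allow pegasus_openlmi_powermanagement_t system_dbusd_var_run_t:dir search;
allow pegasus_openlmi_powermanagement_t system_dbusd_var_run_t:sock_file write;
"""

# allow <source> <target>:<class> <perm>;   or   ... { <perm> <perm> ... };
RULE_RE = re.compile(r"^allow\s+(\S+)\s+(\S+):(\S+)\s+(?:\{\s*([^}]*)\}|(\S+))\s*;$")

# Review heuristics assumed for this example: per object class, the
# permissions that should not be merged without a stated reason.
SENSITIVE = {
    "capability": {"setuid", "setgid", "sys_admin", "dac_override"},
    "dir": {"write", "add_name", "remove_name"},
    "unix_stream_socket": {"connectto"},
}

def parse_rules(text):
    """Return (source, target, tclass, perms) tuples for every allow rule."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # skip blank lines and audit2allow section headers
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised rule: {line!r}")
        src, tgt, cls, braced, single = m.groups()
        rules.append((src, tgt, cls, frozenset((braced or single).split())))
    return rules

def flag_for_review(rules):
    """Map (target, class) to the sorted sensitive permissions it grants."""
    flagged = {}
    for _src, tgt, cls, perms in rules:
        hits = perms & SENSITIVE.get(cls, set())
        if hits:
            flagged[(tgt, cls)] = sorted(hits)
    return flagged

if __name__ == "__main__":
    for (tgt, cls), perms in flag_for_review(parse_rules(RULES)).items():
        print(f"review: {tgt}:{cls} {' '.join(perms)}")
```

On this input the D-Bus `connectto` matches the behaviour the report describes, while the `setuid`/`setgid` capabilities and the write to `pegasus_data_t` directories are the grants the description does not explain.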

Comment 2 Miroslav Grepl 2013-07-29 12:29:13 UTC
Should probably be covered by

pegasus_openlmi_system_t

I am just thinking how to do it. We have

pegasus_openlmi_domain_template(account)
pegasus_openlmi_domain_template(logicalfile)
pegasus_openlmi_domain_template(networking)
pegasus_openlmi_domain_template(service)
pegasus_openlmi_domain_template(storage)
pegasus_openlmi_domain_template(system)
pegasus_openlmi_domain_template(unconfined)


I think I should merge "networking" into "system", and "service" should probably be "admin". We cannot add a new type for each provider.

Comment 3 Miroslav Grepl 2013-07-30 12:51:57 UTC
OK, I added fixes to F19, will backport.

Comment 6 Ludek Smid 2014-06-13 09:46:35 UTC
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.