FIDO Device Onboard DB support is missing some SELinux Policies
The new 0.5.0 version of fdo-device-onboard-rs comes with preliminary database support as Tech Preview. However, some of the downstream releases don’t work properly as they are missing some needed SELinux policies:
module fdo-db 1.0;
require {
type postgresql_port_t;
type fdo_conf_t;
type fdo_t;
type etc_t;
type krb5_keytab_t;
type sssd_var_run_t;
type fdo_var_lib_t;
type sssd_t;
class tcp_socket name_connect;
class dir { add_name remove_name search write };
class sock_file write;
class unix_stream_socket connectto;
class file { append create rename setattr unlink write };
}
#============= fdo_t ==============
allow fdo_t etc_t:file write;
allow fdo_t fdo_conf_t:file { append create rename setattr unlink write };
allow fdo_t fdo_var_lib_t:dir { add_name remove_name write };
allow fdo_t fdo_var_lib_t:file { create setattr unlink write };
allow fdo_t krb5_keytab_t:dir search;
allow fdo_t postgresql_port_t:tcp_socket name_connect;
allow fdo_t sssd_t:unix_stream_socket connectto;
allow fdo_t sssd_var_run_t:sock_file write;
To install them, save the content above as fdo-db.te and run the following commands:
[root@localhost:~]# dnf install -y policycoreutils
[root@localhost:~]# checkmodule -M -m -o fdo-db.mod fdo-db.te
[root@localhost:~]# semodule_package -o fdo-db.pp -m fdo-db.mod
[root@localhost:~]# semodule -i fdo-db.pp
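Once the module is loaded, the useful check is whether auditd still records AVC denials for fdo_t that the module does not grant. The following is an added example (not part of this post or of fdo-device-onboard-rs): it parses the allow rules of the fdo-db.te above and a few constructed AVC records in auditd's format, and reports the denials that fall outside the module, so that each remaining gap can be reviewed before the policy is widened.

```python
import re

# Allow rules copied from the fdo-db.te module above (the require block is not needed here).
FDO_DB_TE = """
allow fdo_t etc_t:file write;
allow fdo_t fdo_conf_t:file { append create rename setattr unlink write };
allow fdo_t fdo_var_lib_t:dir { add_name remove_name write };
allow fdo_t fdo_var_lib_t:file { create setattr unlink write };
allow fdo_t krb5_keytab_t:dir search;
allow fdo_t postgresql_port_t:tcp_socket name_connect;
allow fdo_t sssd_t:unix_stream_socket connectto;
allow fdo_t sssd_var_run_t:sock_file write;
"""

# Constructed AVC records in auditd's format; the last one asks for a permission
# (read on fdo_var_lib_t:file) that the module does not grant, so it gets reported.
SAMPLE_AVC = [
    'type=AVC msg=audit(1700000000.123:456): avc:  denied  { name_connect } for  pid=1234 comm="fdo-owner-onboar" '
    'dest=5432 scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=0',
    'type=AVC msg=audit(1700000000.124:457): avc:  denied  { write } for  pid=1234 comm="fdo-owner-onboar" name="owner-onboarding-server.yml" '
    'scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:object_r:fdo_conf_t:s0 tclass=file permissive=0',
    'type=AVC msg=audit(1700000000.125:458): avc:  denied  { read } for  pid=1234 comm="fdo-owner-onboar" name="ownership_vouchers" '
    'scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:object_r:fdo_var_lib_t:s0 tclass=file permissive=0',
]

ALLOW_RE = re.compile(r"allow\s+(\w+)\s+(\w+):(\w+)\s+(?:\{([^}]*)\}|(\w+))\s*;")
AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}.*?scontext=\w+:\w+:(\w+)"
                    r".*?tcontext=\w+:\w+:(\w+).*?tclass=(\w+)")

def parse_allow_rules(te_text):
    """Map (source type, target type, class) to the permission set the module grants."""
    rules = {}
    for src, tgt, cls, multi, single in ALLOW_RE.findall(te_text):
        rules.setdefault((src, tgt, cls), set()).update((multi or single).split())
    return rules

def parse_avc(line):
    """Return (permissions, source type, target type, class) for an AVC denial, else None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    perms, src, tgt, cls = m.groups()
    return set(perms.split()), src, tgt, cls

def uncovered_denials(te_text, audit_lines):
    """List denials the module does not grant as (source, target, class, missing perms)."""
    rules, missing = parse_allow_rules(te_text), []
    for perms, src, tgt, cls in filter(None, map(parse_avc, audit_lines)):
        gap = perms - rules.get((src, tgt, cls), set())
        if gap:  # a denial the module still leaves in place: review before widening the policy
            missing.append((src, tgt, cls, tuple(sorted(gap))))
    return missing
```

On a real host, feed it the output of `ausearch -m AVC -ts recent` instead of SAMPLE_AVC; an empty result means the loaded module covers everything fdo_t was denied.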