diff options
Diffstat (limited to 'qpid/cpp/etc/selinux/qpiddevel.te')
-rw-r--r-- | qpid/cpp/etc/selinux/qpiddevel.te | 54 |
1 files changed, 54 insertions, 0 deletions
diff --git a/qpid/cpp/etc/selinux/qpiddevel.te b/qpid/cpp/etc/selinux/qpiddevel.te new file mode 100644 index 0000000000..10c5dfc880 --- /dev/null +++ b/qpid/cpp/etc/selinux/qpiddevel.te @@ -0,0 +1,54 @@ +# +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. +# + +# selinux policy for qpid developers. +# If you have configured a qpid source tree with cluster support, you will need +# this policy to run the make check tests with with selinux in enforcing mode. +# +# To build the qpid.pp module in this directory do: +# sudo make -f /usr/share/selinux/devel/Makefile +# To install the compiled qpiddevel.pp +# sudo semodule -i qpiddevel.pp + +policy_module(qpiddevel, 1.1) + +gen_require(` + type unconfined_t; + type unconfined_execmem_t; + type ccs_t; + class capability sys_admin; + class sem { write unix_read unix_write associate read destroy }; + class shm { unix_read write unix_write associate read destroy }; +') + +allow ccs_t self:capability sys_admin; +allow ccs_t unconfined_t:sem { write unix_read unix_write associate read destroy }; +allow ccs_t unconfined_t:shm { unix_read write unix_write associate read destroy }; + +optional_policy(` + gen_require(` + type aisexec_t; + ') + allow aisexec_t self:capability sys_admin; + allow aisexec_t unconfined_t:sem { read write unix_read unix_write associate destroy }; + allow aisexec_t unconfined_t:shm { read write unix_read unix_write associate destroy }; + allow aisexec_t unconfined_execmem_t:sem { write unix_read unix_write associate read destroy }; + allow aisexec_t unconfined_execmem_t:shm { write unix_read unix_write associate read destroy }; + +') |