From b88ea955f6d293c8471de57f80e3dbe86d8f354a Mon Sep 17 00:00:00 2001
From: Alan Conway
Date: Wed, 21 Jul 2010 16:37:04 +0000
Subject: Added selinux policy so developers can run cluster tests with enforcing=1

git-svn-id: https://svn.apache.org/repos/asf/qpid/trunk/qpid@966302 13f79535-47bb-0310-9956-ffa450edef68
---
 cpp/etc/selinux/qpidd.te | 10 +++++++---
 cpp/etc/selinux/qpiddevel.te | 23 +++++++++++++++++++++++
 2 files changed, 30 insertions(+), 3 deletions(-)
 create mode 100644 cpp/etc/selinux/qpiddevel.te

(limited to 'cpp')

diff --git a/cpp/etc/selinux/qpidd.te b/cpp/etc/selinux/qpidd.te
index 92ff3043bd..322645531e 100644
--- a/cpp/etc/selinux/qpidd.te
+++ b/cpp/etc/selinux/qpidd.te
@@ -1,6 +1,10 @@
-# selinux policy needed to run a qpid cluster with selinux in enforcing mode.
-# To build the compiled .pp file in this directory do:
-# make -f /usr/share/selinux/devel/Makefile
+# selinux policy needed to run the qpidd service with clustering
+# enabled and selinux in enforcing mode.
+#
+# To build the qpid.pp module in this directory do:
+# sudo make -f /usr/share/selinux/devel/Makefile
+# To install the compiled qpidd.pp
+# sudo semodule -i qpidd.pp
 policy_module(qpidd, 1.1)
 
 require {
diff --git a/cpp/etc/selinux/qpiddevel.te b/cpp/etc/selinux/qpiddevel.te
new file mode 100644
index 0000000000..092b9fc203
--- /dev/null
+++ b/cpp/etc/selinux/qpiddevel.te
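Review bot: The build comment names the wrong module: `+# To build the qpid.pp module in this directory do:` sits in qpidd.te, whose Makefile output is qpidd.pp, which is also what the install line two lines further down refers to. Changing it to `# To build the qpidd.pp module in this directory do:` keeps the two comments consistent. The same slip appears in the new qpiddevel.te hunk, where the line should read `qpiddevel.pp` to match its own semodule install line.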
@@ -0,0 +1,23 @@
+# selinux policy for qpid developers.
+# If you have configured a qpid source tree with cluster support, you will need
+# this policy to run the make check tests with with selinux in enforcing mode.
+#
+# To build the qpid.pp module in this directory do:
+# sudo make -f /usr/share/selinux/devel/Makefile
+# To install the compiled qpiddevel.pp
+# sudo semodule -i qpiddevel.pp
+
+module qpiddevel 1.0;
+
+require {
+ type unconfined_t;
+ type aisexec_t;
+ class capability sys_admin;
+ class sem { write unix_read unix_write associate read destroy };
+ class shm { unix_read write unix_write associate read destroy };
+}
+
+#============= aisexec_t ==============
+allow aisexec_t self:capability sys_admin;
+allow aisexec_t unconfined_t:sem { write unix_read unix_write associate read destroy };
+allow aisexec_t unconfined_t:shm { unix_read write unix_write associate read destroy };
--
cgit v1.2.1
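Review bot: The allow rules are broad for a module with no rationale recorded: `allow aisexec_t self:capability sys_admin;` grants the aisexec domain CAP_SYS_ADMIN, and the two rules below let it `destroy` unconfined_t's semaphores and shared memory, yet the header only says the module is for running make check. A one-line comment above each rule naming the test-time denial it resolves, plus a header line such as `# Development-only module: install on build/test hosts, not on production brokers.`, would let a later reviewer judge whether a narrower permission set suffices. The file also opens with a bare `module qpiddevel 1.0;` and `require` block while the sibling qpidd.te uses `policy_module(qpidd, 1.1)`; picking one form for both keeps the two modules built the same way. Finally, the third comment line has a doubled word, `with with selinux`.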