Commit c5897e7c by Czémán Arnold

fwdriwer: clean firewall-init selinux module. New order in salt/allinone.sls

parent f2b8bdf0
include: include:
- manager
- agentdriver - agentdriver
- graphite - graphite
- manager
- monitor-client - monitor-client
- storagedriver - storagedriver
- vmdriver - vmdriver
......
...@@ -89,7 +89,20 @@ openvswitch2: ...@@ -89,7 +89,20 @@ openvswitch2:
- required_in: - required_in:
- cmd: ovs-bridge - cmd: ovs-bridge
salt://fwdriver/files/install_selinux_module.sh: /root/firewall-init.te:
cmd.script file.managed:
- source: salt://fwdriver/files/firewall-init.te
- template: jinja
- mode: 644
firewall-init_semodule:
cmd.run:
- cwd: /root
- user: root
- name: checkmodule -M -m -o firewall-init.mod firewall-init.te; semodule_package -o firewall-init.pp -m firewall-init.mod; semodule -i firewall-init.pp
- unless: semodule -l |grep -qs ^vmdriver
- require:
- file: /root/firewall-init.te
{% endif %} {% endif %}
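Review bot: The `unless` guard on `firewall-init_semodule` tests for a module called `vmdriver` (`semodule -l |grep -qs ^vmdriver`), but the module this state compiles and loads is `firewall-init`, so the guard never tracks the state's own result: the build/install re-runs on every highstate while no `vmdriver` module exists, and is silently skipped if one does exist while `firewall-init` is missing; it should read `- unless: semodule -l | grep -qs '^firewall-init'`. The three commands are also joined with `;`, so a failing `checkmodule` still lets `semodule -i` load whatever stale `firewall-init.pp` is left in /root — `checkmodule -M -m -o firewall-init.mod firewall-init.te && semodule_package -o firewall-init.pp -m firewall-init.mod && semodule -i firewall-init.pp` makes the state fail visibly instead. Because the `.te` is rendered with `template: jinja`, an edited policy would not be re-applied either, since the guard only asks whether some module of that name is loaded, not which version; bumping the `module firewall-init 1.x;` version and matching it in the guard, or having the cmd.run `watch` the `file: /root/firewall-init.te` state, would cover that. The `{% if %}` closed on the last line opens outside the hunk.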
module firewall-init 1.0;
require {
type ifconfig_t;
type ifconfig_var_run_t;
type virtio_device_t;
type root_t;
class dir mounton;
class chr_file { read write };
}
#============= ifconfig_t ==============
#!!!! This avc is allowed in the current policy
allow ifconfig_t ifconfig_var_run_t:dir mounton;
#!!!! This avc is allowed in the current policy
allow ifconfig_t root_t:dir mounton;
#!!!! This avc is allowed in the current policy
allow ifconfig_t virtio_device_t:chr_file { read write };
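Review bot: The file carries only audit2allow's generated `#!!!! This avc is allowed in the current policy` markers, which say each rule was already permitted on the host that generated it, and nothing states what the module is for or why a policy shipped to every fwdriver host needs it. Two of the rules are broad for what the name suggests: `allow ifconfig_t root_t:dir mounton` lets anything running in `ifconfig_t` mount over `/`, and `allow ifconfig_t virtio_device_t:chr_file { read write }` gives it raw read/write on virtio device nodes. The `ifconfig_var_run_t` and `root_t` mounton pair looks like the denials `ip netns exec` produces (it bind-mounts under /var/run/netns and remounts `/` as a slave), but that is inferred from the types alone and should be confirmed from the audit log that motivated the change. I would replace the three generated markers with a header comment along the lines of `# Local policy for fwdriver: lets ip(8) (ifconfig_t) set up network namespaces and touch virtio NICs. Generated with audit2allow from denials on <host>; re-check each rule before widening.`, filling in the actual command and host from the audit record.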
#!/bin/bash
semodule -i firewall-init.pp
exit 0
...@@ -26,6 +26,9 @@ firewall2: ...@@ -26,6 +26,9 @@ firewall2:
- require: - require:
- network: vm - network: vm
salt://network/files/fix_dhcp.sh:
cmd.script
salt://network/files/reload_firewall.sh: salt://network/files/reload_firewall.sh:
cmd.script: cmd.script:
- template: jinja - template: jinja
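Review bot: The `salt://network/files/fix_dhcp.sh` state moved ahead of `reload_firewall.sh` has no requisites at all, so its new position in the file is the only thing ordering it relative to `firewall2`, `reload_firewall.sh` and `isc-dhcp-server`, and the next reorder of this file will silently change that. If it must run before the DHCP server starts, say so explicitly, e.g. `- require_in:` / `- service: isc-dhcp-server` under `cmd.script`, and `- require:` / `- network: vm` if it depends on the VM bridge the way `firewall2` does in this hunk. With no `unless`/`onlyif` and no `stateful: True` the script also reruns (and reports a change) on every highstate, though whether that matters depends on what `fix_dhcp.sh` does, which is not visible here. The `reload_firewall.sh` state that starts on the last lines continues outside the hunk.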
...@@ -33,9 +36,6 @@ salt://network/files/reload_firewall.sh: ...@@ -33,9 +36,6 @@ salt://network/files/reload_firewall.sh:
- require: - require:
- service: firewall2 - service: firewall2
salt://network/files/fix_dhcp.sh:
cmd.script
isc-dhcp-server: isc-dhcp-server:
service: service:
- running - running
......