This repository was archived by the owner on Aug 29, 2018. It is now read-only.
The following policy addition makes OpenShift nodes work for me. I've never attempted to write SELinux policies before; this policy was created with audit2allow as described in the forum post. It Works For Me, but I'd appreciate an expert review and help integrating into the RPM sources.
```
require {
	type cgroup_t;
	type sshd_t;
	type openshift_t;
	type devpts_t;
	type ssh_home_t;
	class tcp_socket { read write getattr setopt getopt };
	class dir { getattr search };
	class file { write getattr open };
	class netlink_audit_socket { nlmsg_relay write create };
}

#============= openshift_t ==============
allow openshift_t cgroup_t:dir { getattr search };
#!!!! The source type 'openshift_t' can write to a 'file' of the following types:
# anon_inodefs_t, openshift_rw_file_t, openshift_tmp_t, hugetlbfs_t, postfix_spool_maildrop_t, openshift_file_type, security_t
allow openshift_t cgroup_t:file { write getattr open };
allow openshift_t devpts_t:dir search;
allow openshift_t self:netlink_audit_socket { nlmsg_relay write create };
allow openshift_t ssh_home_t:dir search;
allow openshift_t sshd_t:tcp_socket { read write getattr setopt getopt };
```
Original forum post.
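An added example (not part of the original issue or the OpenShift sources): a small Python check a reviewer could run over the module posted above before compiling it. It confirms that every type, class and permission used in an `allow` rule is declared in the `require` block, and lists the rules that audit2allow annotated with `#!!!!`; the `review` function and the regex names are this example's own.

```python
import re
# Module text copied from the issue above.
POLICY = """\
require {
type cgroup_t;
type sshd_t;
type openshift_t;
type devpts_t;
type ssh_home_t;
class tcp_socket { read write getattr setopt getopt };
class dir { getattr search };
class file { write getattr open };
class netlink_audit_socket { nlmsg_relay write create };
}
#============= openshift_t ==============
allow openshift_t cgroup_t:dir { getattr search };
#!!!! The source type 'openshift_t' can write to a 'file' of the following types:
# anon_inodefs_t, openshift_rw_file_t, openshift_tmp_t, hugetlbfs_t, postfix_spool_maildrop_t, openshift_file_type, security_t
allow openshift_t cgroup_t:file { write getattr open };
allow openshift_t devpts_t:dir search;
allow openshift_t self:netlink_audit_socket { nlmsg_relay write create };
allow openshift_t ssh_home_t:dir search;
allow openshift_t sshd_t:tcp_socket { read write getattr setopt getopt };
"""

TYPE = re.compile(r"\s*type\s+(\w+);")
CLASS = re.compile(r"\s*class\s+(\w+)\s+\{?([^};]*)\}?;")
ALLOW = re.compile(r"\s*allow\s+(\w+)\s+(\w+):(\w+)\s+\{?([^};]*)\}?;")

def review(policy):
    """Return (names used but not declared, rules annotated with '#!!!!')."""
    types, classes, undeclared, annotated, warned = set(), {}, [], [], False
    for line in policy.splitlines():
        if line.startswith("#!!!!"):
            warned = True  # the annotation applies to the next allow rule
        elif m := TYPE.match(line):
            types.add(m[1])
        elif m := CLASS.match(line):
            classes.setdefault(m[1], set()).update(m[2].split())
        elif m := ALLOW.match(line):
            names = {t for t in (m[1], m[2]) if t != "self" and t not in types}
            perms = set(m[4].split()) - classes.get(m[3], set())
            undeclared += sorted(names) + [f"{m[3]}:{p}" for p in sorted(perms)]
            if warned:
                annotated.append(line.strip())
            warned = False
    return undeclared, annotated

print(review(POLICY))
```

For the posted module the first list is empty and the second holds the single `cgroup_t:file` rule, which is the one to read most closely in a manual review.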