2010-02-24 11:34:09

by domg472

Subject: [refpolicy] [ afs patch 1/1] Various afs fixes.

Fix afs_initrc_domtrans.
Remove obsolete require in afs_admin.
Allow domains to search var to enable reading and writing the cache.
Allow domains to search bin to enable running the afs executable.

Signed-off-by: Dominick Grift <[email protected]>
---
:100644 100644 2a798ea... 6f926f7... M policy/modules/services/afs.if
policy/modules/services/afs.if | 8 +++++---
1 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/policy/modules/services/afs.if b/policy/modules/services/afs.if
index 2a798ea..6f926f7 100644
--- a/policy/modules/services/afs.if
+++ b/policy/modules/services/afs.if
@@ -16,6 +16,7 @@ interface(`afs_domtrans',`
type afs_t, afs_exec_t;
')

+ corecmd_search_bin($1)
domtrans_pattern($1, afs_exec_t, afs_t)
')

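Review bot: corecmd_search_bin($1) only gets the caller to the binary if afs_exec_t is assigned to a path under a bin_t directory; if afs.fc labels the AFS executables under some other prefix (an /usr/afs or /usr/vice style layout, for instance), the caller would still lack search on the intervening directories, so please confirm against afs.fc which path carries afs_exec_t. The placement ahead of domtrans_pattern($1, afs_exec_t, afs_t) matches the convention used by the other domtrans interfaces.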
@@ -52,6 +53,7 @@ interface(`afs_rw_cache',`
type afs_cache_t;
')

+ files_search_var($1)
allow $1 afs_cache_t:file { read write };
')

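Review bot: files_search_var($1) gets the caller as far as /var, but the rule beneath it, allow $1 afs_cache_t:file { read write }, grants nothing on afs_cache_t directories, so if the cache directory itself is labeled afs_cache_t the caller still cannot traverse it to reach the files inside. Consider rw_files_pattern($1, afs_cache_t, afs_cache_t), which adds the directory search alongside the file permissions, or an explicit allow $1 afs_cache_t:dir search_dir_perms; next to the file rule.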
@@ -70,7 +72,7 @@ interface(`afs_initrc_domtrans',`
type afs_initrc_exec_t;
')

- init_script_domtrans_spec($1, afs_initrc_exec_t)
+ init_labeled_script_domtrans($1, afs_initrc_exec_t)
')

########################################
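Review bot: the commit message says only "Fix afs_initrc_domtrans" and nothing in the hunk says what was broken; a one-line reason for replacing init_script_domtrans_spec with init_labeled_script_domtrans (for example that the former no longer exists or was renamed in init.if) would let readers of the log judge the change without opening init.if.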
@@ -92,13 +94,13 @@ interface(`afs_initrc_domtrans',`
#
interface(`afs_admin',`
gen_require(`
- type afs_t, afs_initrc_exec_t;
+ type afs_t;
')

allow $1 afs_t:process { ptrace signal_perms getattr };
read_files_pattern($1, afs_t, afs_t)

- # Allow afs_t to restart the apache service
+ # Allow afs_admin to restart the afs service
afs_initrc_domtrans($1)
domain_system_change_exemption($1)
role_transition $2 afs_initrc_exec_t system_r;
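Review bot: afs_initrc_exec_t is not actually obsolete in this interface: the role_transition $2 afs_initrc_exec_t system_r; at the end of the hunk still references it. Dropping it from gen_require only builds because afs_initrc_domtrans($1) is expanded inline a few lines earlier and carries its own gen_require for the type; if that call is ever removed or moved below the role_transition, the interface will fail to compile. Either keep type afs_t, afs_initrc_exec_t; in the require or state in the commit message that the nested interface's require is being relied on, so the dependency is explicit. The comment correction from apache to afs is right.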
--
1.6.6.1



2010-02-24 15:10:13

by cpebenito

Subject: [refpolicy] [ afs patch 1/1] Various afs fixes.

On Wed, 2010-02-24 at 12:34 +0100, Dominick Grift wrote:
> Fix afs_initrc_domtrans.
> Remove obsolete require in afs_admin.
> Allow domains to search var to enable reading and writing the cache.
> Allow domains to search bin to enable running the afs executable.

Merged.

> Signed-off-by: Dominick Grift <[email protected]>
> ---
> :100644 100644 2a798ea... 6f926f7... M policy/modules/services/afs.if
> policy/modules/services/afs.if | 8 +++++---
> 1 files changed, 5 insertions(+), 3 deletions(-)
>
> diff --git a/policy/modules/services/afs.if b/policy/modules/services/afs.if
> index 2a798ea..6f926f7 100644
> --- a/policy/modules/services/afs.if
> +++ b/policy/modules/services/afs.if
> @@ -16,6 +16,7 @@ interface(`afs_domtrans',`
> type afs_t, afs_exec_t;
> ')
>
> + corecmd_search_bin($1)
> domtrans_pattern($1, afs_exec_t, afs_t)
> ')
>
> @@ -52,6 +53,7 @@ interface(`afs_rw_cache',`
> type afs_cache_t;
> ')
>
> + files_search_var($1)
> allow $1 afs_cache_t:file { read write };
> ')
>
> @@ -70,7 +72,7 @@ interface(`afs_initrc_domtrans',`
> type afs_initrc_exec_t;
> ')
>
> - init_script_domtrans_spec($1, afs_initrc_exec_t)
> + init_labeled_script_domtrans($1, afs_initrc_exec_t)
> ')
>
> ########################################
> @@ -92,13 +94,13 @@ interface(`afs_initrc_domtrans',`
> #
> interface(`afs_admin',`
> gen_require(`
> - type afs_t, afs_initrc_exec_t;
> + type afs_t;
> ')
>
> allow $1 afs_t:process { ptrace signal_perms getattr };
> read_files_pattern($1, afs_t, afs_t)
>
> - # Allow afs_t to restart the apache service
> + # Allow afs_admin to restart the afs service
> afs_initrc_domtrans($1)
> domain_system_change_exemption($1)
> role_transition $2 afs_initrc_exec_t system_r;
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy

--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150