2010-02-24 12:21:15

by domg472

Subject: [refpolicy] [ apcupsd patch 1/1] Create apcupsd initrc domtrans. Call apcupsd initrc domtrans in apcupsd_admin. Remove obsolete require. Allow domains Various apcupsd fixes.

Create apcupsd initrc domtrans.
Call apcupsd initrc domtrans in apcupsd_admin.
Remove obsolete require.
Allow domains to search bin so they can run the apcupsd executable file.
Allow domains to search httpd system content so they can run the apcupsd cgi script executables.
Allow domains to search var so they can run the apcupsd content in /var/www/upcupsd.

Signed-off-by: Dominick Grift <[email protected]>
---
:100644 100644 f30bf31... 21eb32c... M policy/modules/services/apcupsd.if
policy/modules/services/apcupsd.if | 28 ++++++++++++++++++++++++++--
1 files changed, 26 insertions(+), 2 deletions(-)

diff --git a/policy/modules/services/apcupsd.if b/policy/modules/services/apcupsd.if
index f30bf31..21eb32c 100644
--- a/policy/modules/services/apcupsd.if
+++ b/policy/modules/services/apcupsd.if
@@ -15,11 +15,30 @@ interface(`apcupsd_domtrans',`
type apcupsd_t, apcupsd_exec_t;
')

+ corecmd_search_bin($1)
domtrans_pattern($1, apcupsd_exec_t, apcupsd_t)
')

########################################
## <summary>
+## Execute apcupsd server in the apcupsd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+#
+interface(`apcupsd_initrc_domtrans',`
+ gen_require(`
+ type apcupsd_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, apcupsd_initrc_exec_t)
+')
+
+########################################
+## <summary>
## Read apcupsd PID files.
## </summary>
## <param name="domain">
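Review bot: The summary written for the new apcupsd_initrc_domtrans interface, `## Execute apcupsd server in the apcupsd domain.`, describes apcupsd_domtrans rather than this interface; the body calls init_labeled_script_domtrans with apcupsd_initrc_exec_t, so what is being granted is a transition through the init script, not execution of the server. The line should read `## Execute apcupsd init scripts in the init script domain.` so the generated interface docs do not present the two entry points as equivalent. The same text appears again in the quoted copy of this hunk further down the page.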
@@ -94,6 +113,11 @@ interface(`apcupsd_cgi_script_domtrans',`
type httpd_apcupsd_cgi_script_t, httpd_apcupsd_cgi_script_exec_t;
')

+ optional_policy(`
+ apache_search_sys_content($1)
+ ')
+
+ files_search_var($1)
domtrans_pattern($1, httpd_apcupsd_cgi_script_exec_t, httpd_apcupsd_cgi_script_t)
')

@@ -118,13 +142,13 @@ interface(`apcupsd_admin',`
gen_require(`
type apcupsd_t, apcupsd_tmp_t;
type apcupsd_log_t, apcupsd_lock_t;
- type apcupsd_var_run_t, apcupsd_initrc_exec_t;
+ type apcupsd_var_run_t;
')

allow $1 apcupsd_t:process { ptrace signal_perms };
ps_process_pattern($1, apcupsd_t)

- init_labeled_script_domtrans($1, apcupsd_initrc_exec_t)
+ apcupsd_initrc_domtrans($1, apcupsd_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 apcupsd_initrc_exec_t system_r;
allow $2 system_r;
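Review bot: The replacement call `apcupsd_initrc_domtrans($1, apcupsd_initrc_exec_t)` passes a second argument that the interface introduced earlier in this patch never declares (its body only uses $1), so the extra argument is silently discarded by m4 and reads as if the caller were choosing the script type. The line should be `apcupsd_initrc_domtrans($1)`, matching how apcupsd_cgi_script_domtrans and apcupsd_domtrans are invoked with the caller domain alone. The body of apcupsd_admin continues past the end of this hunk.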
--
1.6.6.1



2010-03-04 14:25:17

by cpebenito

Subject: [refpolicy] [ apcupsd patch 1/1] Create apcupsd initrc domtrans. Call apcupsd initrc domtrans in apcupsd_admin. Remove obsolete require. Allow domains Various apcupsd fixes.

On Wed, 2010-02-24 at 13:21 +0100, Dominick Grift wrote:
> Create apcupsd initrc domtrans.
> Call apcupsd initrc domtrans in apcupsd_admin.
> Remove obsolete require.
> Allow domains to search bin to enable run apcupsd executable file.
> Allow domains to search httpd system content to enable run apcupsd cgi script executables.
> Allow domains to search var to enable run apcupsd content in /var/www/upcupsd.

Merged. Put apcupsd_initrc_exec_t back into the apcupsd_admin()
require, since it is explicitly used in the interface.

> Signed-off-by: Dominick Grift <[email protected]>
> ---
> :100644 100644 f30bf31... 21eb32c... M policy/modules/services/apcupsd.if
> policy/modules/services/apcupsd.if | 28 ++++++++++++++++++++++++++--
> 1 files changed, 26 insertions(+), 2 deletions(-)
>
> diff --git a/policy/modules/services/apcupsd.if b/policy/modules/services/apcupsd.if
> index f30bf31..21eb32c 100644
> --- a/policy/modules/services/apcupsd.if
> +++ b/policy/modules/services/apcupsd.if
> @@ -15,11 +15,30 @@ interface(`apcupsd_domtrans',`
> type apcupsd_t, apcupsd_exec_t;
> ')
>
> + corecmd_search_bin($1)
> domtrans_pattern($1, apcupsd_exec_t, apcupsd_t)
> ')
>
> ########################################
> ## <summary>
> +## Execute apcupsd server in the apcupsd domain.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## The type of the process performing this action.
> +## </summary>
> +## </param>
> +#
> +interface(`apcupsd_initrc_domtrans',`
> + gen_require(`
> + type apcupsd_initrc_exec_t;
> + ')
> +
> + init_labeled_script_domtrans($1, apcupsd_initrc_exec_t)
> +')
> +
> +########################################
> +## <summary>
> ## Read apcupsd PID files.
> ## </summary>
> ## <param name="domain">
> @@ -94,6 +113,11 @@ interface(`apcupsd_cgi_script_domtrans',`
> type httpd_apcupsd_cgi_script_t, httpd_apcupsd_cgi_script_exec_t;
> ')
>
> + optional_policy(`
> + apache_search_sys_content($1)
> + ')
> +
> + files_search_var($1)
> domtrans_pattern($1, httpd_apcupsd_cgi_script_exec_t, httpd_apcupsd_cgi_script_t)
> ')
>
> @@ -118,13 +142,13 @@ interface(`apcupsd_admin',`
> gen_require(`
> type apcupsd_t, apcupsd_tmp_t;
> type apcupsd_log_t, apcupsd_lock_t;
> - type apcupsd_var_run_t, apcupsd_initrc_exec_t;
> + type apcupsd_var_run_t;
> ')
>
> allow $1 apcupsd_t:process { ptrace signal_perms };
> ps_process_pattern($1, apcupsd_t)
>
> - init_labeled_script_domtrans($1, apcupsd_initrc_exec_t)
> + apcupsd_initrc_domtrans($1, apcupsd_initrc_exec_t)
> domain_system_change_exemption($1)
> role_transition $2 apcupsd_initrc_exec_t system_r;
> allow $2 system_r;

--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150