From: domg472@gmail.com (Dominick Grift)
Date: Wed, 24 Feb 2010 12:34:09 +0100
Subject: [refpolicy] [ afs patch 1/1] Various afs fixes.
Message-ID: <20100224113407.GA4406@localhost.localdomain>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Fix afs_initrc_domtrans. Remove obsolete require in afs_admin. Allow domains to search var to enable read write cache. Allow domains to search bin to enable run afs executable.
Signed-off-by: Dominick Grift
---
:100644 100644 2a798ea... 6f926f7... M policy/modules/services/afs.if
 policy/modules/services/afs.if | 8 +++++---
 1 files changed, 5 insertions(+), 3 deletions(-)
diff --git a/policy/modules/services/afs.if b/policy/modules/services/afs.if
index 2a798ea..6f926f7 100644
--- a/policy/modules/services/afs.if
+++ b/policy/modules/services/afs.if
@@ -16,6 +16,7 @@ interface(`afs_domtrans',`
 type afs_t, afs_exec_t;
 ')

+ corecmd_search_bin($1)
 domtrans_pattern($1, afs_exec_t, afs_t)
 ')

@@ -52,6 +53,7 @@ interface(`afs_rw_cache',`
 type afs_cache_t;
 ')

+ files_search_var($1)
 allow $1 afs_cache_t:file { read write };
 ')

@@ -70,7 +72,7 @@ interface(`afs_initrc_domtrans',`
 type afs_initrc_exec_t;
 ')

- init_script_domtrans_spec($1, afs_initrc_exec_t)
+ init_labeled_script_domtrans($1, afs_initrc_exec_t)
 ')

 ########################################
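Review bot: In the afs_rw_cache hunk, the added `files_search_var($1)` does not by itself let a caller reach cache files by path, because the allow rule after it grants only `{ read write }` on afs_cache_t files, with no `open` and no search on any directory labeled afs_cache_t. If the interface is meant for descriptors inherited from another domain, the extra directory search is not needed and a comment such as `# inherited descriptors only; open is deliberately not granted` would keep the grant minimal and explain it. If path-based access is the intent stated in the commit message, `rw_files_pattern($1, afs_cache_t, afs_cache_t)` would express it completely. Whether the cache directory itself carries afs_cache_t is not visible in this patch, and the interface's gen_require opens outside the hunk.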
@@ -92,13 +94,13 @@ interface(`afs_initrc_domtrans',`
 #
 interface(`afs_admin',`
 gen_require(`
- type afs_t, afs_initrc_exec_t;
+ type afs_t;
 ')

 allow $1 afs_t:process { ptrace signal_perms getattr };
 read_files_pattern($1, afs_t, afs_t)

- # Allow afs_t to restart the apache service
+ # Allow afs_admin to restart the afs service
 afs_initrc_domtrans($1)
 domain_system_change_exemption($1)
 role_transition $2 afs_initrc_exec_t system_r;
-- 
1.6.6.1
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20100224/0cdeb101/attachment.bin
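Review bot: In the afs_admin hunk, the new gen_require drops `afs_initrc_exec_t`, but the last context line of the same hunk still names that type directly in `role_transition $2 afs_initrc_exec_t system_r;`. The call to afs_initrc_domtrans($1) brings its own require for the type, but the role_transition statement sits in afs_admin itself, so the require is not obsolete. A module calling this interface would likely fail to resolve the type when built as a loadable module. The require line should stay as `type afs_t, afs_initrc_exec_t;`. The interface body closes outside the hunk.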