From: domg472@gmail.com (Dominick Grift) Date: Wed, 24 Feb 2010 13:21:15 +0100 Subject: [refpolicy] [ apcupsd patch 1/1] Create apcupsd initrc domtrans. Call apcupsd initrc domtrans in apcupsd_admin. Remove obsolete require. Allow domains Various apcupsd fixes. Message-ID: <20100224122111.GA5954@localhost.localdomain> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com Create apcupsd initrc domtrans. Call apcupsd initrc domtrans in apcupsd_admin. Remove obsolete require. Allow domains to search bin to enable run apcupsd executable file. Allow domains to search httpd system content to enable run apcupsd cgi script executables. Allow domains to search var to enable run apcupsd content in /var/www/upcupsd. Signed-off-by: Dominick Grift
---
:100644 100644 f30bf31... 21eb32c... M policy/modules/services/apcupsd.if policy/modules/services/apcupsd.if | 28 ++++++++++++++++++++++++++-- 1 files changed, 26 insertions(+), 2 deletions(-)
diff --git a/policy/modules/services/apcupsd.if b/policy/modules/services/apcupsd.if
index f30bf31..21eb32c 100644
--- a/policy/modules/services/apcupsd.if
+++ b/policy/modules/services/apcupsd.if
@@ -15,11 +15,30 @@ interface(`apcupsd_domtrans',`
 type apcupsd_t, apcupsd_exec_t;
 ')
+ corecmd_search_bin($1)
 domtrans_pattern($1, apcupsd_exec_t, apcupsd_t)
 ')
 ########################################
 ##
+## Execute apcupsd server in the apcupsd domain.
+##
+##
+##
+## The type of the process performing this action.
+##
+##
+#
+interface(`apcupsd_initrc_domtrans',`
+ gen_require(`
+ type apcupsd_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, apcupsd_initrc_exec_t)
+')
+
+########################################
+##
 ## Read apcupsd PID files.
 ##
 ##
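Review bot: The summary on the added `apcupsd_initrc_domtrans` interface repeats the wording of `apcupsd_domtrans` ("Execute apcupsd server in the apcupsd domain"), but its body calls `init_labeled_script_domtrans($1, apcupsd_initrc_exec_t)`, which runs the apcupsd init script in the init script domain rather than starting the daemon in apcupsd_t. Policy writers rely on these summaries to see which transition a caller is being granted, so the line should read `## Execute apcupsd init scripts in the initrc domain.` The trailing context lines of this hunk belong to the next interface, whose body lies outside the hunk.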
@@ -94,6 +113,11 @@ interface(`apcupsd_cgi_script_domtrans',`
 type httpd_apcupsd_cgi_script_t, httpd_apcupsd_cgi_script_exec_t;
 ')
+ optional_policy(`
+ apache_search_sys_content($1)
+ ')
+
+ files_search_var($1)
 domtrans_pattern($1, httpd_apcupsd_cgi_script_exec_t, httpd_apcupsd_cgi_script_t)
 ')
@@ -118,13 +142,13 @@ interface(`apcupsd_admin',`
 gen_require(`
 type apcupsd_t, apcupsd_tmp_t;
 type apcupsd_log_t, apcupsd_lock_t;
- type apcupsd_var_run_t, apcupsd_initrc_exec_t;
+ type apcupsd_var_run_t;
 ')
 allow $1 apcupsd_t:process { ptrace signal_perms };
 ps_process_pattern($1, apcupsd_t)
- init_labeled_script_domtrans($1, apcupsd_initrc_exec_t)
+ apcupsd_initrc_domtrans($1, apcupsd_initrc_exec_t)
 domain_system_change_exemption($1)
 role_transition $2 apcupsd_initrc_exec_t system_r;
 allow $2 system_r;
--
1.6.6.1
-------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 198 bytes Desc: not available Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20100224/5d04ec5e/attachment.bin
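Review bot: In the `apcupsd_admin` hunk the new call `apcupsd_initrc_domtrans($1, apcupsd_initrc_exec_t)` passes two arguments to an interface that this patch defines with only `$1`; it should read `apcupsd_initrc_domtrans($1)`. The dropped require is also not obsolete, because `role_transition $2 apcupsd_initrc_exec_t system_r;` still names the type directly in this interface. Keeping `type apcupsd_var_run_t, apcupsd_initrc_exec_t;` in the `gen_require` keeps the role transition's dependency explicit; as written it is presumably satisfied only indirectly through the nested interface's require. The body of `apcupsd_admin` continues past the end of the hunk.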