From: cpebenito@tresys.com (Christopher J. PeBenito) Date: Wed, 24 Feb 2010 10:10:13 -0500 Subject: [refpolicy] [ afs patch 1/1] Various afs fixes. In-Reply-To: <20100224113407.GA4406@localhost.localdomain> References: <20100224113407.GA4406@localhost.localdomain> Message-ID: <1267024213.9127.67.camel@gorn> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On Wed, 2010-02-24 at 12:34 +0100, Dominick Grift wrote: > Fix afs_initrc_domtrans. > Remove obsolete require in afs_admin. > Allow domains to search var to enable read write cache. > Allow domains to search bin to enable run afs executable. Merged. > Signed-off-by: Dominick Grift > --- > :100644 100644 2a798ea... 6f926f7... M policy/modules/services/afs.if > policy/modules/services/afs.if | 8 +++++--- > 1 files changed, 5 insertions(+), 3 deletions(-) > > diff --git a/policy/modules/services/afs.if b/policy/modules/services/afs.if > index 2a798ea..6f926f7 100644 > --- a/policy/modules/services/afs.if > +++ b/policy/modules/services/afs.if > @@ -16,6 +16,7 @@ interface(`afs_domtrans',` > type afs_t, afs_exec_t; > ') > > + corecmd_search_bin($1) > domtrans_pattern($1, afs_exec_t, afs_t) > ') > > @@ -52,6 +53,7 @@ interface(`afs_rw_cache',` > type afs_cache_t; > ') > > + files_search_var($1) > allow $1 afs_cache_t:file { read write }; > ') > > @@ -70,7 +72,7 @@ interface(`afs_initrc_domtrans',` > type afs_initrc_exec_t; > ') > > - init_script_domtrans_spec($1, afs_initrc_exec_t) > + init_labeled_script_domtrans($1, afs_initrc_exec_t) > ') > > ######################################## 
> @@ -92,13 +94,13 @@ interface(`afs_initrc_domtrans',` > # > interface(`afs_admin',` > gen_require(` > - type afs_t, afs_initrc_exec_t; > + type afs_t; > ') > > allow $1 afs_t:process { ptrace signal_perms getattr }; > read_files_pattern($1, afs_t, afs_t) > > - # Allow afs_t to restart the apache service > + # Allow afs_admin to restart the afs service > afs_initrc_domtrans($1) > domain_system_change_exemption($1) > role_transition $2 afs_initrc_exec_t system_r; > _______________________________________________ > refpolicy mailing list > refpolicy at oss.tresys.com > http://oss.tresys.com/mailman/listinfo/refpolicy -- Chris PeBenito Tresys Technology, LLC (410) 290-1411 x150
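Review bot: In the afs_admin hunk, the gen_require block drops afs_initrc_exec_t, yet the unchanged line `role_transition $2 afs_initrc_exec_t system_r;` at the end of the interface still names that type directly. After this change the interface depends on the require inside afs_initrc_domtrans to declare a type it uses in its own body, so the require is not obsolete while the role_transition stays. Suggest keeping `type afs_t, afs_initrc_exec_t;` here, or dropping the role_transition in the same change if it is no longer wanted. The reworded comment could also read "Allow $1 to restart the afs service", since the grant goes to the caller rather than to something called afs_admin.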
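Review bot: In the afs_rw_cache hunk, files_search_var($1) is added ahead of a rule that still grants only `allow $1 afs_cache_t:file { read write };`, and nothing in the hunk grants search on the cache directory itself. If callers are meant to reach cache files by path, search on var alone may not get them to the file, and the interface should also cover the directory that holds the cache. If callers only use descriptors they inherit, a short comment saying so would explain why the file rule stays this narrow and why the var search is needed at all.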