From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Thu, 04 Mar 2010 09:25:17 -0500
Subject: [refpolicy] [ apcupsd patch 1/1] Create apcupsd initrc domtrans. Call apcupsd initrc domtrans in apcupsd_admin. Remove obsolete require. Allow domains Various apcupsd fixes.
In-Reply-To: <20100224122111.GA5954@localhost.localdomain>
References: <20100224122111.GA5954@localhost.localdomain>
Message-ID: <1267712717.11679.7.camel@gorn.columbia.tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Wed, 2010-02-24 at 13:21 +0100, Dominick Grift wrote:
> Create apcupsd initrc domtrans.
> Call apcupsd initrc domtrans in apcupsd_admin.
> Remove obsolete require.
> Allow domains to search bin to enable run apcupsd executable file.
> Allow domains to search httpd system content to enable run apcupsd cgi script executables.
> Allow domains to search var to enable run apcupsd content in /var/www/upcupsd.

Merged. Put apcupsd_initrc_exec_t back into the apcupsd_admin() require, since it is explicitly used in the interface.

> Signed-off-by: Dominick Grift
> --- > :100644 100644 f30bf31... 21eb32c... M policy/modules/services/apcupsd.if > policy/modules/services/apcupsd.if | 28 ++++++++++++++++++++++++++-- > 1 files changed, 26 insertions(+), 2 deletions(-) > > diff --git a/policy/modules/services/apcupsd.if b/policy/modules/services/apcupsd.if > index f30bf31..21eb32c 100644 > --- a/policy/modules/services/apcupsd.if > +++ b/policy/modules/services/apcupsd.if 
> @@ -15,11 +15,30 @@ interface(`apcupsd_domtrans',` > type apcupsd_t, apcupsd_exec_t; > ') > > + corecmd_search_bin($1) > domtrans_pattern($1, apcupsd_exec_t, apcupsd_t) > ') > > ######################################## > ## > +## Execute apcupsd server in the apcupsd domain. > +## > +## > +## > +## The type of the process performing this action. > +## > +## > +# > +interface(`apcupsd_initrc_domtrans',` > + gen_require(` > + type apcupsd_initrc_exec_t; > + ') > + > + init_labeled_script_domtrans($1, apcupsd_initrc_exec_t) > +') > + > +######################################## > +## > ## Read apcupsd PID files. > ## > ## > @@ -94,6 +113,11 @@ interface(`apcupsd_cgi_script_domtrans',` > type httpd_apcupsd_cgi_script_t, httpd_apcupsd_cgi_script_exec_t; > ') > > + optional_policy(` > + apache_search_sys_content($1) > + ') > + > + files_search_var($1) > domtrans_pattern($1, httpd_apcupsd_cgi_script_exec_t, httpd_apcupsd_cgi_script_t) > ') > > @@ -118,13 +142,13 @@ interface(`apcupsd_admin',` > gen_require(` > type apcupsd_t, apcupsd_tmp_t; > type apcupsd_log_t, apcupsd_lock_t; > - type apcupsd_var_run_t, apcupsd_initrc_exec_t; > + type apcupsd_var_run_t; > ') > > allow $1 apcupsd_t:process { ptrace signal_perms }; > ps_process_pattern($1, apcupsd_t) > > - init_labeled_script_domtrans($1, apcupsd_initrc_exec_t) > + apcupsd_initrc_domtrans($1, apcupsd_initrc_exec_t) > domain_system_change_exemption($1) > role_transition $2 apcupsd_initrc_exec_t system_r; > allow $2 system_r; > _______________________________________________ > refpolicy mailing list > refpolicy at oss.tresys.com > http://oss.tresys.com/mailman/listinfo/refpolicy -- Chris PeBenito Tresys Technology, LLC (410) 290-1411 x150
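
Review bot: In the first hunk (@@ -15,11 +15,30 @@), the summary added for apcupsd_initrc_domtrans, "Execute apcupsd server in the apcupsd domain.", describes a transition into apcupsd_t, which is what apcupsd_domtrans just above it does with domtrans_pattern($1, apcupsd_exec_t, apcupsd_t). The new interface body instead calls init_labeled_script_domtrans($1, apcupsd_initrc_exec_t), so the summary should say that it runs the apcupsd init script with a transition to the init script domain. Otherwise the two interfaces are indistinguishable in the generated documentation.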
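
Review bot: In the apcupsd_admin hunk (@@ -118,13 +142,13 @@), apcupsd_initrc_exec_t is removed from gen_require even though the unchanged line role_transition $2 apcupsd_initrc_exec_t system_r; still names that type directly, so the require should keep it. The replacement call apcupsd_initrc_domtrans($1, apcupsd_initrc_exec_t) also passes a second argument, while the interface added in the first hunk only uses $1. Call it as apcupsd_initrc_domtrans($1) so the call matches the interface definition.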