From: dominick.grift@gmail.com (Dominick Grift)
Date: Tue,  7 Aug 2012 20:55:57 +0200
Subject: [refpolicy] [PATCH] oidentd fixes
Message-ID: <1344365757-12896-1-git-send-email-dominick.grift@gmail.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com


oident init script in debian is in /etc/init.d
~/.oidentd.conf is a single file
remove oidentd_read_user_content because interfaces aren' for internal
usage

Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
diff --git a/oident.fc b/oident.fc
index 5840ea8..5a99b3d 100644
--- a/oident.fc
+++ b/oident.fc
@@ -1,8 +1,9 @@
-HOME_DIR/\.oidentd.conf			gen_context(system_u:object_r:oidentd_home_t, s0)
+HOME_DIR/\.oidentd.conf	--	gen_context(system_u:object_r:oidentd_home_t, s0)
 
 /etc/oidentd\.conf		--	gen_context(system_u:object_r:oidentd_config_t, s0)
 /etc/oidentd_masq\.conf		--	gen_context(system_u:object_r:oidentd_config_t, s0)
 
 /etc/rc\.d/init\.d/oidentd	--	gen_context(system_u:object_r:oidentd_initrc_exec_t, s0)
+/etc/init\.d/oidentd	--	gen_context(system_u:object_r:oidentd_initrc_exec_t, s0)
 
 /usr/sbin/oidentd		--	gen_context(system_u:object_r:oidentd_exec_t, s0)
diff --git a/oident.if b/oident.if
index bb4fae5..bfdcce2 100644
--- a/oident.if
+++ b/oident.if
@@ -9,26 +9,6 @@
 
 ########################################
 ## <summary>
-##	Allow the specified domain to read
-##	Oidentd personal configuration files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`oident_read_user_content', `
-	gen_require(`
-		type oidentd_home_t;
-	')
-
-	allow $1 oidentd_home_t:file read_file_perms;
-	userdom_search_user_home_dirs($1)
-')
-
-########################################
-## <summary>
 ##	Allow the specified domain to create, read, write, and delete
 ##	Oidentd personal configuration files.
 ## </summary>
diff --git a/oident.te b/oident.te
index 8845174..6e5be53 100644
--- a/oident.te
+++ b/oident.te
@@ -34,6 +34,8 @@
 
 allow oidentd_t oidentd_config_t:file read_file_perms;
 
+allow oidentd_t oidentd_home_t:file read_file_perms;
+
 corenet_all_recvfrom_unlabeled(oidentd_t)
 corenet_all_recvfrom_netlabel(oidentd_t)
 corenet_tcp_sendrecv_generic_if(oidentd_t)
@@ -58,7 +60,7 @@
 
 sysnet_read_config(oidentd_t)
 
-oident_read_user_content(oidentd_t)
+userdom_search_user_home_dirs(oidentd_t)
 
 optional_policy(`
 	nis_use_ypbind(oidentd_t)