From: sven.vermeulen@siphos.be (Sven Vermeulen) Date: Fri, 19 Oct 2012 20:53:59 +0200 Subject: [refpolicy] [PATCH 6/7] Shorewall admins execute shorewall too In-Reply-To: <1350672840-14590-1-git-send-email-sven.vermeulen@siphos.be> References: <1350672840-14590-1-git-send-email-sven.vermeulen@siphos.be> Message-ID: <1350672840-14590-7-git-send-email-sven.vermeulen@siphos.be> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com The shorewall binary, labeled shorewall_exec_t, is also executed by shorewall administrators (such as for validating the configuration file, showing capabilities, updating configurations, etc.) Add in this ability inside the shorewall_admin interface. Signed-off-by: Sven Vermeulen --- shorewall.if | 3 +++ 1 files changed, 3 insertions(+), 0 deletions(-) diff --git a/shorewall.if b/shorewall.if index 781ad7e..9574bb5 100644 --- a/shorewall.if +++ b/shorewall.if @@ -173,6 +173,7 @@ interface(`shorewall_admin',` gen_require(` type shorewall_t, shorewall_lock_t; type shorewall_log_t; + type shorewall_exec_t; type shorewall_initrc_exec_t, shorewall_var_lib_t; type shorewall_tmp_t, shorewall_etc_t; ') @@ -185,6 +186,8 @@ interface(`shorewall_admin',` role_transition $2 shorewall_initrc_exec_t system_r; allow $2 system_r; + can_exec($1, shorewall_exec_t) + files_list_etc($1) admin_pattern($1, shorewall_etc_t) -- 1.7.8.6
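Review bot: in the second hunk, `can_exec($1, shorewall_exec_t)` lets the admin domain run the shorewall binary without a domain transition, so shorewall executes as $1 rather than as shorewall_t, and everything the binary does during the uses named in the commit message (validating, showing capabilities, updating) is checked against the admin domain's own policy, not shorewall_t's; operations the admin domain is not already allowed (for example whatever shorewall invokes to inspect or alter the firewall) will be denied in that domain. If running in the caller's domain is the intent, a one-line comment above the call saying so would prevent a later reader from replacing it with a transition; if the intent is for the binary to run with shorewall_t's permissions, a domain transition (via the module's domtrans interface, if it provides one) should be used instead of `can_exec`. A minor placement point: the new line is inserted between `allow $2 system_r;`, which belongs to the `$2` role block above it, and `files_list_etc($1)`; grouping it with the other `$1` permissions (for example next to `admin_pattern($1, shorewall_etc_t)`) keeps the role statements and the domain permissions separated as they are in the rest of the interface.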