From: dominick.grift@gmail.com (Dominick Grift)
Date: Fri, 19 Oct 2012 21:32:17 +0200
Subject: [refpolicy] [PATCH 6/7] Shorewall admins execute shorewall too
In-Reply-To: <1350672840-14590-7-git-send-email-sven.vermeulen@siphos.be>
References: <1350672840-14590-1-git-send-email-sven.vermeulen@siphos.be> <1350672840-14590-7-git-send-email-sven.vermeulen@siphos.be>
Message-ID: <1350675137.12496.26.camel@d30.localdomain>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Fri, 2012-10-19 at 20:53 +0200, Sven Vermeulen wrote:
> The shorewall binary, labeled shorewall_exec_t, is also executed by shorewall
> administrators (such as for validating the configuration file, showing
> capabilities, updating configurations, etc.)
>
> Add in this ability inside the shorewall_admin interface.
>
> Signed-off-by: Sven Vermeulen
> ---
> shorewall.if | 3 +++
> 1 files changed, 3 insertions(+), 0 deletions(-)
>
> diff --git a/shorewall.if b/shorewall.if
> index 781ad7e..9574bb5 100644
> --- a/shorewall.if
> +++ b/shorewall.if
> @@ -173,6 +173,7 @@ interface(`shorewall_admin',`
> gen_require(`
> type shorewall_t, shorewall_lock_t;
> type shorewall_log_t;
> + type shorewall_exec_t;
> type shorewall_initrc_exec_t, shorewall_var_lib_t;
> type shorewall_tmp_t, shorewall_etc_t;
> ')
> @@ -185,6 +186,8 @@ interface(`shorewall_admin',`
> role_transition $2 shorewall_initrc_exec_t system_r;
> allow $2 system_r;
>
> + can_exec($1, shorewall_exec_t)
> +
> files_list_etc($1)
> admin_pattern($1, shorewall_etc_t)
>

This was merged, thanks
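Review bot: in the first hunk the new `type shorewall_exec_t;` line in gen_require is correct but breaks the block's existing grouping, where related types share one line (`type shorewall_t, shorewall_lock_t;`, `type shorewall_initrc_exec_t, shorewall_var_lib_t;`); folding it into the neighbouring line, e.g. `type shorewall_exec_t, shorewall_initrc_exec_t, shorewall_var_lib_t;`, keeps the require block consistent with the rest of the interface.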
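Review bot: in the second hunk `can_exec($1, shorewall_exec_t)` runs the shorewall binary in the caller's own domain rather than transitioning to shorewall_t, so the admin domain itself must carry every access the binary performs for the operations the commit message names (reading shorewall_etc_t for validation, and whatever "updating configurations" writes under shorewall_var_lib_t or shorewall_tmp_t); the `admin_pattern($1, shorewall_etc_t)` line that follows covers the configuration files, but the deliberate choice of can_exec over a domain transition, alongside the existing `role_transition $2 shorewall_initrc_exec_t system_r;` for the init script, deserves one sentence in the commit message or the interface summary so a later reader does not read it as a missing domtrans.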