[refpolicy] [ apcupsd patch 1/1] Create apcupsd initrc domtrans. Call apcupsd initrc domtrans in apcupsd_admin. Remove obsolete require. Allow domains Various apcupsd fixes.
Christopher J. PeBenito
cpebenito at tresys.com
Thu Mar 4 08:25:17 CST 2010
On Wed, 2010-02-24 at 13:21 +0100, Dominick Grift wrote:
> Create apcupsd initrc domtrans.
> Call apcupsd initrc domtrans in apcupsd_admin.
> Remove obsolete require.
> Allow domains to search bin to enable run apcupsd executable file.
> Allow domains to search httpd system content to enable run apcupsd cgi script executables.
> Allow domains to search var to enable run apcupsd content in /var/www/upcupsd.

Merged. Put apcupsd_initrc_exec_t back into the apcupsd_admin()
require, since it is explicitly used in the interface.

> Signed-off-by: Dominick Grift <domg472 at gmail.com>
> ---
> :100644 100644 f30bf31... 21eb32c... M policy/modules/services/apcupsd.if
> policy/modules/services/apcupsd.if | 28 ++++++++++++++++++++++++++--
> 1 files changed, 26 insertions(+), 2 deletions(-)
>
> diff --git a/policy/modules/services/apcupsd.if b/policy/modules/services/apcupsd.if
> index f30bf31..21eb32c 100644
> --- a/policy/modules/services/apcupsd.if
> +++ b/policy/modules/services/apcupsd.if
> @@ -15,11 +15,30 @@ interface(`apcupsd_domtrans',`
> type apcupsd_t, apcupsd_exec_t;
> ')
>
> + corecmd_search_bin($1)
> domtrans_pattern($1, apcupsd_exec_t, apcupsd_t)
> ')
>
> ########################################
> ## <summary>
> +## Execute apcupsd server in the apcupsd domain.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## The type of the process performing this action.
> +## </summary>
> +## </param>
> +#
> +interface(`apcupsd_initrc_domtrans',`
> + gen_require(`
> + type apcupsd_initrc_exec_t;
> + ')
> +
> + init_labeled_script_domtrans($1, apcupsd_initrc_exec_t)
> +')
> +
> +########################################
> +## <summary>
> ## Read apcupsd PID files.
> ## </summary>
> ## <param name="domain">
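Review bot: The summary for the new apcupsd_initrc_domtrans interface says "Execute apcupsd server in the apcupsd domain.", but the body calls init_labeled_script_domtrans on apcupsd_initrc_exec_t, so what is being run is the init script rather than the daemon binary. Reword the summary to describe running the apcupsd init script, so the documentation does not read as a duplicate of apcupsd_domtrans and callers can tell which transition they are granting.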
> @@ -94,6 +113,11 @@ interface(`apcupsd_cgi_script_domtrans',`
> type httpd_apcupsd_cgi_script_t, httpd_apcupsd_cgi_script_exec_t;
> ')
>
> + optional_policy(`
> + apache_search_sys_content($1)
> + ')
> +
> + files_search_var($1)
> domtrans_pattern($1, httpd_apcupsd_cgi_script_exec_t, httpd_apcupsd_cgi_script_t)
> ')
>
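Review bot: In apcupsd_cgi_script_domtrans, files_search_var($1) is placed after the optional_policy block, although the commit message gives the target as a path under /var/www, so /var is the parent of the httpd content the optional call covers. Consider putting files_search_var($1) first and the optional apache_search_sys_content($1) after it, so the search permissions read in path order ahead of domtrans_pattern.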
> @@ -118,13 +142,13 @@ interface(`apcupsd_admin',`
> gen_require(`
> type apcupsd_t, apcupsd_tmp_t;
> type apcupsd_log_t, apcupsd_lock_t;
> - type apcupsd_var_run_t, apcupsd_initrc_exec_t;
> + type apcupsd_var_run_t;
> ')
>
> allow $1 apcupsd_t:process { ptrace signal_perms };
> ps_process_pattern($1, apcupsd_t)
>
> - init_labeled_script_domtrans($1, apcupsd_initrc_exec_t)
> + apcupsd_initrc_domtrans($1, apcupsd_initrc_exec_t)
> domain_system_change_exemption($1)
> role_transition $2 apcupsd_initrc_exec_t system_r;
> allow $2 system_r;
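Review bot: The replacement call apcupsd_initrc_domtrans($1, apcupsd_initrc_exec_t) in apcupsd_admin passes a second argument, but the interface added earlier in this patch only uses $1, so the call should be apcupsd_initrc_domtrans($1). The same hunk also drops apcupsd_initrc_exec_t from gen_require while role_transition $2 apcupsd_initrc_exec_t system_r; still names the type directly, so the type needs to stay in the require block.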
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150