trunk: Drop write permission from fs_read_rpc_sockets().

Changelog

@@ -1,3 +1,4 @@
+- Drop write permission from fs_read_rpc_sockets().
 - Remove unused udev_runtime_t type.
 - Patch for RadSec port from Glen Turner.
 - Enable network_peer_controls policy capability from Paul Moore.

policy/modules/kernel/filesystem.if

@@ -1935,6 +1935,24 @@ interface(`fs_read_rpc_sockets',`
 		type rpc_pipefs_t;
 	')
 
+	allow $1 rpc_pipefs_t:sock_file read;
+')
+
+########################################
+## <summary>
+##	Read and write sockets of RPC file system pipes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_rw_rpc_sockets',`
+	gen_require(`
+		type rpc_pipefs_t;
+	')
+
 	allow $1 rpc_pipefs_t:sock_file { read write };
 ')
 

policy/modules/kernel/filesystem.te

@@ -1,5 +1,5 @@
 
-policy_module(filesystem, 1.11.1)
+policy_module(filesystem, 1.11.2)
 
 ########################################
 #

policy/modules/services/rpc.te

@@ -1,5 +1,5 @@
 
-policy_module(rpc, 1.10.2)
+policy_module(rpc, 1.10.3)
 
 ########################################
 #
@@ -76,7 +76,7 @@ files_manage_mounttab(rpcd_t)
 fs_list_rpc(rpcd_t)
 fs_read_rpc_files(rpcd_t)
 fs_read_rpc_symlinks(rpcd_t)
-fs_read_rpc_sockets(rpcd_t) 
+fs_rw_rpc_sockets(rpcd_t) 
 
 selinux_dontaudit_read_fs(rpcd_t)
 
@@ -163,7 +163,7 @@ kernel_search_network_sysctl(gssd_t)
 corecmd_exec_bin(gssd_t)
 
 fs_list_rpc(gssd_t) 
-fs_read_rpc_sockets(gssd_t) 
+fs_rw_rpc_sockets(gssd_t) 
 fs_read_rpc_files(gssd_t) 
 
 files_list_tmp(gssd_t)