Fix some names in passenger policy

policy/modules/apps/chrome.te

@@ -38,6 +38,9 @@ fs_tmpfs_filetrans(chrome_sandbox_t, chrome_sandbox_tmpfs_t, file)
 kernel_read_system_state(chrome_sandbox_t)
 kernel_read_kernel_sysctls(chrome_sandbox_t)
 
+fs_manage_cgroup_dirs(chrome_sandbox_t)
+fs_manage_cgroup_files(chrome_sandbox_t)
+
 corecmd_exec_bin(chrome_sandbox_t)
 
 domain_dontaudit_read_all_domains_state(chrome_sandbox_t)

policy/modules/apps/nsplugin.te

@@ -63,6 +63,8 @@ allow nsplugin_t self:msgq create_msgq_perms;
 allow nsplugin_t self:unix_stream_socket { connectto create_stream_socket_perms };
 allow nsplugin_t self:unix_dgram_socket create_socket_perms;
 allow nsplugin_t nsplugin_rw_t:dir list_dir_perms;
+read_lnk_files_pattern(nsplugin_config_t, nsplugin_rw_t, nsplugin_rw_t)
+read_files_pattern(nsplugin_config_t, nsplugin_rw_t, nsplugin_rw_t)
 
 tunable_policy(`allow_nsplugin_execmem',`
 	allow nsplugin_t self:process { execstack execmem };

policy/modules/services/apache.te

@@ -724,7 +724,7 @@ optional_policy(`
 
 optional_policy(`
         passenger_domtrans(httpd_t)
-        passenger_manage_state_content(httpd_t)
+        passenger_manage_pid_content(httpd_t)
         passenger_read_lib_files(httpd_t)
 ')
 

policy/modules/services/corosync.te

@@ -5,13 +5,6 @@ policy_module(corosync, 1.0.0)
 # Declarations
 #
 
-## <desc>
-## <p>
-## Allow corosync to read and write generic tmpfs files.
-## </p>
-## </desc>
-gen_tunable(allow_corosync_rw_tmpfs, false)
-
 type corosync_t;
 type corosync_exec_t;
 init_daemon_domain(corosync_t, corosync_exec_t)
@@ -98,8 +91,13 @@ miscfiles_read_localization(corosync_t)
 userdom_delete_user_tmpfs_files(corosync_t)
 userdom_rw_user_tmpfs_files(corosync_t)
 
-tunable_policy(`allow_corosync_rw_tmpfs',`
+optional_policy(`
-    fs_rw_tmpfs_files(corosync_t)
+	gen_require(`
+		attribute unconfined_services;
+	')	
+
+	fs_manage_tmpfs_files(corosync_t)
+	init_manage_script_status_files(corosync_t)
 ')
 
 optional_policy(`

policy/modules/services/gnomeclock.fc

@@ -1,2 +1,4 @@
 /usr/libexec/gnome-clock-applet-mechanism	--	gen_context(system_u:object_r:gnomeclock_exec_t,s0)
 
+/usr/libexec/gsd-datetime-mechanism		--	gen_context(system_u:object_r:gnomeclock_exec_t,s0)
+

policy/modules/services/passenger.if

@@ -13,6 +13,7 @@
 interface(`passenger_domtrans',`
         gen_require(`
                 type passenger_t;
+                type passenger_exec_t;
         ')
 
 	allow $1 self:capability { fowner fsetid };
@@ -26,7 +27,7 @@ interface(`passenger_domtrans',`
 
 ######################################
 ## <summary>
-##      Manage passenger state content.
+##      Manage passenger var_run content.
 ## </summary>
 ## <param name="domain">
 ##      <summary>
@@ -34,16 +35,16 @@ interface(`passenger_domtrans',`
 ##      </summary>
 ## </param>
 #
-interface(`passenger_manage_state_content',`
+interface(`passenger_manage_pid_content',`
         gen_require(`
-                type passenger_state_t;
+                type passenger_var_run_t;
         ')
 
         files_search_pids($1)
-	manage_dirs_pattern($1, passenger_state_t, passenger_state_t)
+	manage_dirs_pattern($1, passenger_var_run_t, passenger_var_run_t)
-        manage_files_pattern($1, passenger_state_t, passenger_state_t)
+        manage_files_pattern($1, passenger_var_run_t, passenger_var_run_t)
-	manage_fifo_files_pattern($1, passenger_state_t, passenger_state_t)
+	manage_fifo_files_pattern($1, passenger_var_run_t, passenger_var_run_t)
-	manage_sock_files_pattern($1, passenger_state_t, passenger_state_t)
+	manage_sock_files_pattern($1, passenger_var_run_t, passenger_var_run_t)
 ')
 
 ########################################

policy/modules/services/passenger.te

@@ -18,8 +18,8 @@ files_tmp_file(passenger_tmp_t)
 type passenger_var_lib_t;
 files_type(passenger_var_lib_t)
 
-type passenger_state_t;
+type passenger_var_run_t;
-files_pid_file(passenger_state_t)
+files_pid_file(passenger_var_run_t)
 
 permissive passenger_t;
 
@@ -34,15 +34,16 @@ allow passenger_t self:process signal;
 allow passenger_t self:fifo_file rw_fifo_file_perms;
 allow passenger_t self:unix_stream_socket { create_stream_socket_perms connectto };
 
-manage_dirs_pattern(passenger_t, passenger_state_t, passenger_state_t)
-manage_files_pattern(passenger_t, passenger_state_t, passenger_state_t)
-manage_fifo_files_pattern(passenger_t, passenger_state_t, passenger_state_t)
-manage_sock_files_pattern(passenger_t, passenger_state_t, passenger_state_t)
-
 files_search_var_lib(passenger_t)
 manage_dirs_pattern(passenger_t, passenger_var_lib_t, passenger_var_lib_t)
 manage_files_pattern(passenger_t, passenger_var_lib_t, passenger_var_lib_t)
 
+manage_dirs_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t)
+manage_files_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t)
+manage_fifo_files_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t)
+manage_sock_files_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t)
+files_pid_filetrans(passenger_t, passenger_var_run_t, { file dir sock_file })
+
 kernel_read_system_state(passenger_t)
 kernel_read_kernel_sysctls(passenger_t)
 

policy/modules/system/init.if

@@ -1539,6 +1539,25 @@ interface(`init_getattr_script_status_files',`
 	getattr_files_pattern($1, initrc_state_t, initrc_state_t)
 ')
 
+########################################
+## <summary>
+##	Manage init script
+##	status files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_manage_script_status_files',`
+	gen_require(`
+		type initrc_state_t;
+	')
+
+	manage_files_pattern($1, initrc_state_t, initrc_state_t)
+')
+
 ########################################
 ## <summary>
 ##	Do not audit attempts to read init script

policy/modules/system/mount.te

@@ -141,6 +141,8 @@ fs_read_tmpfs_symlinks(mount_t)
 fs_read_fusefs_files(mount_t)
 fs_manage_nfs_dirs(mount_t)
 fs_read_nfs_symlinks(mount_t)
+fs_manage_cgroup_dirs(mount_t)
+fs_manage_cgroup_files(mount_t)
 
 mls_file_read_all_levels(mount_t)
 mls_file_write_all_levels(mount_t)