trunk: cvs update from dan.

policy/modules/services/cvs.if

@@ -36,3 +36,37 @@ interface(`cvs_exec',`
 
 	can_exec($1, cvs_exec_t)
 ')
+
+########################################
+## <summary>
+##	All of the rules required to administrate 
+##	an cvs environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed to manage the cvs domain.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`cvs_admin',`
+	gen_require(`
+		type cvs_t, cvs_tmp_t;
+		type cvs_data_t, cvs_var_run_t;
+		type cvs_initrc_exec_t;
+	')
+
+	allow $1 cvs_t:process { ptrace signal_perms };
+	ps_process_pattern($1, cvs_t)
+	        
+	# Allow cvs_t to restart the apache service
+	init_labeled_script_domtrans($1, cvs_initrc_exec_t)
+	domain_system_change_exemption($1)
+	role_transition $2 cvs_initrc_exec_t system_r;
+	allow $2 system_r;
+')

policy/modules/services/cvs.te

@@ -1,5 +1,5 @@
 
-policy_module(cvs, 1.6.0)
+policy_module(cvs, 1.6.1)
 
 ########################################
 #
@@ -22,6 +22,9 @@ role system_r types cvs_t;
 type cvs_data_t; # customizable
 files_type(cvs_data_t)
 
+type cvs_initrc_exec_t;
+init_script_file(cvs_initrc_exec_t)
+
 type cvs_tmp_t;
 files_tmp_file(cvs_tmp_t)
 
@@ -69,6 +72,7 @@ dev_read_urand(cvs_t)
 fs_getattr_xattr_fs(cvs_t)
 
 auth_domtrans_chk_passwd(cvs_t)
+auth_use_nsswitch(cvs_t)
 
 corecmd_exec_bin(cvs_t)
 corecmd_exec_shell(cvs_t)
@@ -86,8 +90,6 @@ logging_send_audit_msgs(cvs_t)
 
 miscfiles_read_localization(cvs_t)
 
-sysnet_read_config(cvs_t)
-
 mta_send_mail(cvs_t)
 
 # cjp: typeattribute doesnt work in conditionals yet
@@ -97,16 +99,7 @@ tunable_policy(`allow_cvs_read_shadow',`
 ')
 
 optional_policy(`
-	kerberos_use(cvs_t)
 	kerberos_read_keytab(cvs_t)
 	kerberos_read_config(cvs_t)
 	kerberos_dontaudit_write_config(cvs_t)
 ')
-
-optional_policy(`
-	nis_use_ypbind(cvs_t)
-')
-
-optional_policy(`
-	nscd_socket_use(cvs_t)
-')