Various afs fixes.

Fix afs_initrc_domtrans.
Remove obsolete require in afs_admin.
Allow domains to search var to enable read write cache.
Allow domains to search bin to enable run afs executable.

Signed-off-by: Dominick Grift <domg472@gmail.com>
Signed-off-by: Chris PeBenito <cpebenito@tresys.com>

policy/modules/services/afs.if

@@ -16,6 +16,7 @@ interface(`afs_domtrans',`
 		type afs_t, afs_exec_t;
 	')
 
+	corecmd_search_bin($1)
 	domtrans_pattern($1, afs_exec_t, afs_t)
 ')
 
@@ -52,6 +53,7 @@ interface(`afs_rw_cache',`
 		type afs_cache_t;
 	')
 
+	files_search_var($1)
 	allow $1 afs_cache_t:file { read write };
 ')
 
@@ -70,7 +72,7 @@ interface(`afs_initrc_domtrans',`
 		type afs_initrc_exec_t;
 	')
 
-	init_script_domtrans_spec($1, afs_initrc_exec_t)
+	init_labeled_script_domtrans($1, afs_initrc_exec_t)
 ')
 
 ########################################
@@ -92,13 +94,13 @@ interface(`afs_initrc_domtrans',`
 #
 interface(`afs_admin',`
 	gen_require(`
-		type afs_t, afs_initrc_exec_t;
+		type afs_t;
 	')
 
 	allow $1 afs_t:process { ptrace signal_perms getattr };
 	read_files_pattern($1, afs_t, afs_t)
 
-	# Allow afs_t to restart the apache service
+	# Allow afs_admin to restart the afs service
 	afs_initrc_domtrans($1)
 	domain_system_change_exemption($1)
 	role_transition $2 afs_initrc_exec_t system_r;