Create apcupsd initrc domtrans. Call apcupsd initrc domtrans in apcupsd_admin. Remove obsolete require. Allow domains Various apcupsd fixes.

Create apcupsd initrc domtrans. Call apcupsd initrc domtrans in apcupsd_admin. Remove obsolete require. Allow domains to search bin to enable run apcupsd executable file. Allow domains to search httpd system content to enable run apcupsd cgi script executables. Allow domains to search var to enable run apcupsd content in /var/www/upcupsd. Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-02-24 13:21:15 +01:00 · 2010-02-24 13:21:15 +01:00 · eda6417669
commit eda6417669
parent 3b814894c7
1 changed files with 26 additions and 2 deletions
--- a/policy/modules/services/apcupsd.if
+++ b/policy/modules/services/apcupsd.if
@ -15,9 +15,28 @@ interface(`apcupsd_domtrans',`
 		type apcupsd_t, apcupsd_exec_t;
 	')

+	corecmd_search_bin($1)
 	domtrans_pattern($1, apcupsd_exec_t, apcupsd_t)
 ')

+########################################
+## <summary>
+##	Execute apcupsd server in the apcupsd domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`apcupsd_initrc_domtrans',`
+	gen_require(`
+		type apcupsd_initrc_exec_t;
+	')
+
+	init_labeled_script_domtrans($1, apcupsd_initrc_exec_t)
+')
+
 ########################################
 ## <summary>
 ##	Read apcupsd PID files.
@ -94,6 +113,11 @@ interface(`apcupsd_cgi_script_domtrans',`
 		type httpd_apcupsd_cgi_script_t, httpd_apcupsd_cgi_script_exec_t;
 	')

+	optional_policy(`
+		apache_search_sys_content($1)
+	')
+
+	files_search_var($1)
 	domtrans_pattern($1, httpd_apcupsd_cgi_script_exec_t, httpd_apcupsd_cgi_script_t)
 ')

@ -118,13 +142,13 @@ interface(`apcupsd_admin',`
 	gen_require(`
 		type apcupsd_t, apcupsd_tmp_t;
 		type apcupsd_log_t, apcupsd_lock_t;
-		type apcupsd_var_run_t, apcupsd_initrc_exec_t;
+		type apcupsd_var_run_t;
 	')

 	allow $1 apcupsd_t:process { ptrace signal_perms };
 	ps_process_pattern($1, apcupsd_t)

-	init_labeled_script_domtrans($1, apcupsd_initrc_exec_t)
+	apcupsd_initrc_domtrans($1, apcupsd_initrc_exec_t)
 	domain_system_change_exemption($1)
 	role_transition $2 apcupsd_initrc_exec_t system_r;
 	allow $2 system_r;