[selinux-policy: 2429/3172] Various afs fixes.
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 22:35:34 UTC 2010
commit 534e57b770aa8f20463a10866ecc79d2d9a6ab08
Author: Dominick Grift <domg472 at gmail.com>
Date: Wed Feb 24 12:34:09 2010 +0100
Various afs fixes.
Fix afs_initrc_domtrans.
Remove obsolete require in afs_admin.
Allow domains to search var to enable read write cache.
Allow domains to search bin to enable run afs executable.
Signed-off-by: Dominick Grift <domg472 at gmail.com>
Signed-off-by: Chris PeBenito <cpebenito at tresys.com>
policy/modules/services/afs.if | 8 +++++---
1 files changed, 5 insertions(+), 3 deletions(-)
---
diff --git a/policy/modules/services/afs.if b/policy/modules/services/afs.if
index 2a798ea..6f926f7 100644
--- a/policy/modules/services/afs.if
+++ b/policy/modules/services/afs.if
@@ -16,6 +16,7 @@ interface(`afs_domtrans',`
type afs_t, afs_exec_t;
')
+ corecmd_search_bin($1)
domtrans_pattern($1, afs_exec_t, afs_t)
')
@@ -52,6 +53,7 @@ interface(`afs_rw_cache',`
type afs_cache_t;
')
+ files_search_var($1)
allow $1 afs_cache_t:file { read write };
')
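Review bot: The added `files_search_var($1)` only lets the caller traverse var_t directories, while the rule under it still grants just `{ read write }` on afs_cache_t files, with no `open` and no search on a directory labelled afs_cache_t. If afs_rw_cache is meant for descriptors inherited from afs_t, the new search grant adds nothing and could be dropped to keep the interface minimal. If path-based access is intended, the rule would presumably need something like `rw_files_pattern($1, afs_cache_t, afs_cache_t)` instead. Either way, a comment such as `# cache files are only reached through inherited descriptors` (or its opposite) would make the intent auditable. The interface begins above the hunk, so its summary block is not visible here.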
@@ -70,7 +72,7 @@ interface(`afs_initrc_domtrans',`
type afs_initrc_exec_t;
')
- init_script_domtrans_spec($1, afs_initrc_exec_t)
+ init_labeled_script_domtrans($1, afs_initrc_exec_t)
')
########################################
@@ -92,13 +94,13 @@ interface(`afs_initrc_domtrans',`
#
interface(`afs_admin',`
gen_require(`
- type afs_t, afs_initrc_exec_t;
+ type afs_t;
')
allow $1 afs_t:process { ptrace signal_perms getattr };
read_files_pattern($1, afs_t, afs_t)
- # Allow afs_t to restart the apache service
+ # Allow afs_admin to restart the afs service
afs_initrc_domtrans($1)
domain_system_change_exemption($1)
role_transition $2 afs_initrc_exec_t system_r;
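Review bot: Dropping `afs_initrc_exec_t` from the `gen_require` looks wrong, because the last line of the hunk, `role_transition $2 afs_initrc_exec_t system_r;`, still names that type directly inside afs_admin. A caller that does not declare the type itself would then presumably fail to build with an unknown-type error, so the require should stay as `type afs_t, afs_initrc_exec_t;`. The interface body continues past the end of the hunk, so any other direct uses of the type are not visible here.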