[selinux-policy: 2858/3172] Allow certmaster to read usr_t files. All python apps are going to need this. clvmd creates tmpfs f

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 23:14:27 UTC 2010


commit a668127367f5520f538b7f42ae4431aa19b05cef
Author: Dan Walsh <dwalsh at redhat.com>
Date:   Thu Sep 2 13:38:00 2010 -0400

    Allow certmaster to read usr_t files.  All python apps are going to need this.
    clvmd creates tmpfs files that corosync needs in order to communicate with it
    Allow dbus system services to search the cgroup_t directory

 policy/modules/services/certmaster.te |    1 +
 policy/modules/services/corosync.te   |    4 ++++
 policy/modules/services/dbus.if       |    2 ++
 policy/modules/services/rlogin.te     |    1 +
 policy/modules/system/lvm.if          |   18 ++++++++++++++++++
 policy/modules/system/lvm.te          |    7 +++++++
 6 files changed, 33 insertions(+), 0 deletions(-)
---
diff --git a/policy/modules/services/certmaster.te b/policy/modules/services/certmaster.te
index 1573914..6e32117 100644
--- a/policy/modules/services/certmaster.te
+++ b/policy/modules/services/certmaster.te
@@ -60,6 +60,7 @@ corenet_tcp_bind_generic_node(certmaster_t)
 corenet_tcp_bind_certmaster_port(certmaster_t)
 
 files_search_etc(certmaster_t)
+files_read_usr_files(certmaster_t)
 files_list_var(certmaster_t)
 files_search_var_lib(certmaster_t)
 
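Review bot: `files_read_usr_files(certmaster_t)` is added with no comment, so the reason given in the commit message (python applications need to read files under /usr) lives only in the history and not next to the rule. A one-line why-comment above it would keep the rationale with the grant, e.g. `# certmaster is a python app; python needs read access to usr_t files`. Note that this gives read on all of usr_t rather than just the python tree, which is the normal refpolicy granularity but worth stating so a later reviewer does not try to narrow it without context.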
diff --git a/policy/modules/services/corosync.te b/policy/modules/services/corosync.te
index 317b025..9d97456 100644
--- a/policy/modules/services/corosync.te
+++ b/policy/modules/services/corosync.te
@@ -111,6 +111,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	lvm_rw_clvmd_tmpfs_files(corosync_t)
+')
+
+optional_policy(`
 	# to communication with RHCS
 	rhcs_rw_cluster_shm(corosync_t)
 	rhcs_rw_cluster_semaphores(corosync_t)
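Review bot: The new `optional_policy` block calling `lvm_rw_clvmd_tmpfs_files(corosync_t)` has no comment, whereas the neighbouring RHCS block explains itself with `# to communication with RHCS`; a matching line such as `# clvmd shares state with corosync through tmpfs files` would make the grant self-explanatory. The called interface (as added in lvm.if in this same commit) only grants read/write on files of the clvmd tmpfs type; if clvmd places those files in a directory it creates on tmpfs, corosync_t will additionally need search on that directory and on tmpfs itself, which nothing in this block provides — worth confirming against a denial log rather than assuming. The second `optional_policy` block that begins at the end of the hunk continues outside it.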
diff --git a/policy/modules/services/dbus.if b/policy/modules/services/dbus.if
index a93e5ca..4ab36ba 100644
--- a/policy/modules/services/dbus.if
+++ b/policy/modules/services/dbus.if
@@ -442,6 +442,8 @@ interface(`dbus_system_domain',`
 
 	domtrans_pattern(system_dbusd_t, $2, $1)
 
+	fs_search_cgroup_dirs($1)
+
 	dbus_system_bus_client($1)
 	dbus_connect_system_bus($1)
 
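Review bot: `fs_search_cgroup_dirs($1)` is dropped into `dbus_system_domain` between purely dbus-related calls with no comment, so every domain created through this shared interface now gets search on cgroup_t directories without the reader knowing which service needed it or why. A hedged why-comment would help, e.g. `# dbus-started system services search cgroup dirs (confirm which caller triggers this)`, and if only one service hits the denial, placing the rule in that service's .te would be the more targeted fix. The `dbus_system_domain` interface starts before this hunk and continues after it.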
diff --git a/policy/modules/services/rlogin.te b/policy/modules/services/rlogin.te
index a142c36..29a5d0d 100644
--- a/policy/modules/services/rlogin.te
+++ b/policy/modules/services/rlogin.te
@@ -70,6 +70,7 @@ fs_search_auto_mountpoints(rlogind_t)
 auth_domtrans_chk_passwd(rlogind_t)
 auth_rw_login_records(rlogind_t)
 auth_use_nsswitch(rlogind_t)
+auth_login_pgm_domain(rlogind_t)
 
 files_read_etc_files(rlogind_t)
 files_read_etc_runtime_files(rlogind_t)
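Review bot: `auth_login_pgm_domain(rlogind_t)` is a broad grant (in refpolicy it marks the domain as a login program and exempts it from the subject/role/object id-change constraints) and is added without a comment explaining the need; suggest `# rlogind logs users in, presumably needs login_pgm rights to set the user context -- confirm`. If the `auth_login_pgm_domain` in this tree already pulls in `auth_domtrans_chk_passwd`, `auth_rw_login_records` and `auth_use_nsswitch` — as the upstream refpolicy interface does, but verify here — the three preceding calls in this hunk become redundant and could be dropped so the policy reads as one grant rather than four.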
diff --git a/policy/modules/system/lvm.if b/policy/modules/system/lvm.if
index 58bc27f..b4f0663 100644
--- a/policy/modules/system/lvm.if
+++ b/policy/modules/system/lvm.if
@@ -123,3 +123,21 @@ interface(`lvm_domtrans_clvmd',`
 	corecmd_search_bin($1)
 	domtrans_pattern($1, clvmd_exec_t, clvmd_t)
 ')
+
+########################################
+## <summary>
+##	Read and write to lvm temporary file system.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`lvm_rw_clvmd_tmpfs_files',`
+	gen_require(`
+		type clvmd_tmpfs_t;
+	')
+
+	allow $1 clvmd_tmpfs_t:file rw_file_perms;
+')
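Review bot: The interface grants only `allow $1 clvmd_tmpfs_t:file rw_file_perms;` and no directory access, yet lvm.te in this same commit lets clvmd_t create directories of this type on tmpfs via `fs_tmpfs_filetrans(..., { dir file })`, so a caller could not reach a file placed inside such a directory, nor search tmpfs itself. The usual refpolicy shape is `fs_search_tmpfs($1)` followed by `rw_files_pattern($1, clvmd_tmpfs_t, clvmd_tmpfs_t)`, which also covers search on the type's own directories. Separately, `gen_require` names `clvmd_tmpfs_t` while the declaration added to lvm.te spells it `clmvd_tmpfs_t`, so this interface will not resolve until one side is corrected (the lvm.te spelling is the odd one out). The summary could also name the type it covers: `## Read and write clvmd tmpfs files.`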
diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
index 4eef596..7eb67d1 100644
--- a/policy/modules/system/lvm.te
+++ b/policy/modules/system/lvm.te
@@ -12,6 +12,9 @@ init_daemon_domain(clvmd_t, clvmd_exec_t)
 type clvmd_initrc_exec_t;
 init_script_file(clvmd_initrc_exec_t)
 
+type clmvd_tmpfs_t;
+files_tmpfs_file(clmvd_tmpfs_t)
+
 type clvmd_var_run_t;
 files_pid_file(clvmd_var_run_t)
 
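Review bot: The new type is spelled `clmvd_tmpfs_t` on both the `type` and the `files_tmpfs_file` lines, while every other type in this file uses the `clvmd_` prefix and the `lvm_rw_clvmd_tmpfs_files` interface added to lvm.if in this commit requires `clvmd_tmpfs_t`; the declaration should read `type clvmd_tmpfs_t;` and `files_tmpfs_file(clvmd_tmpfs_t)`, with the rules later in the file that reference the misspelled name updated to match. A short comment on the declaration would also help, e.g. `# tmpfs files clvmd shares with corosync`.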
@@ -56,6 +59,10 @@ allow clvmd_t self:unix_stream_socket { connectto create_stream_socket_perms };
 allow clvmd_t self:tcp_socket create_stream_socket_perms;
 allow clvmd_t self:udp_socket create_socket_perms;
 
+manage_dirs_pattern(clvmd_t, clmvd_tmpfs_t, clmvd_tmpfs_t)
+manage_files_pattern(clvmd_t, clmvd_tmpfs_t,clmvd_tmpfs_t)
+fs_tmpfs_filetrans(clvmd_t, clmvd_tmpfs_t, { dir file })
+
 manage_files_pattern(clvmd_t, clvmd_var_run_t, clvmd_var_run_t)
 files_pid_filetrans(clvmd_t, clvmd_var_run_t, file)
 
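Review bot: The three new rules use the misspelled `clmvd_tmpfs_t`, which is inconsistent with the `clvmd_` prefix of the other types in this hunk and with the `clvmd_tmpfs_t` the lvm.if interface requires; they should be `manage_dirs_pattern(clvmd_t, clvmd_tmpfs_t, clvmd_tmpfs_t)`, `manage_files_pattern(clvmd_t, clvmd_tmpfs_t, clvmd_tmpfs_t)` and `fs_tmpfs_filetrans(clvmd_t, clvmd_tmpfs_t, { dir file })`. The second line also lacks the space after the comma that the surrounding pattern calls use.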

