[selinux-policy: 2086/3172] trunk: Drop write permission from fs_read_rpc_sockets().

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 22:05:05 UTC 2010


commit 156204a3853857c16591820f69ca34d9f1758919
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Tue Feb 24 20:00:15 2009 +0000

    trunk: Drop write permission from fs_read_rpc_sockets().

 Changelog                           |    1 +
 policy/modules/kernel/filesystem.if |   18 ++++++++++++++++++
 policy/modules/kernel/filesystem.te |    2 +-
 policy/modules/services/rpc.te      |    6 +++---
 4 files changed, 23 insertions(+), 4 deletions(-)
---
diff --git a/Changelog b/Changelog
index 95db6c1..6c85f15 100644
--- a/Changelog
+++ b/Changelog
@@ -1,3 +1,4 @@
+- Drop write permission from fs_read_rpc_sockets().
 - Remove unused udev_runtime_t type.
 - Patch for RadSec port from Glen Turner.
 - Enable network_peer_controls policy capability from Paul Moore.
diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
index 98607ab..16c72d7 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -1935,6 +1935,24 @@ interface(`fs_read_rpc_sockets',`
 		type rpc_pipefs_t;
 	')
 
+	allow $1 rpc_pipefs_t:sock_file read;
+')
+
+########################################
+## <summary>
+##	Read and write sockets of RPC file system pipes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_rw_rpc_sockets',`
+	gen_require(`
+		type rpc_pipefs_t;
+	')
+
 	allow $1 rpc_pipefs_t:sock_file { read write };
 ')
 
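Review bot: The new `fs_rw_rpc_sockets` body keeps the raw `allow $1 rpc_pipefs_t:sock_file { read write };`, so the commit moves the write grant into a separate interface without revisiting the permission set itself: neither interface grants `getattr` on the socket file, and if this policy version already defines the `read_sock_file_perms` / `rw_sock_file_perms` sets, `allow $1 rpc_pipefs_t:sock_file rw_sock_file_perms;` (and `read_sock_file_perms` in the read interface) would keep the two in step with the rest of the file rather than hand-listing permissions. Separately, the diffstat touches only rpc.te, so any other module that calls `fs_read_rpc_sockets` and actually writes to rpc_pipefs sockets will start seeing denials after this change; the tree should be grepped for other callers before merging. The `fs_read_rpc_sockets` interface whose body the first lines of the hunk narrow begins before the hunk, so its `<summary>` is not visible here; it should be confirmed to describe read-only access now that write has been dropped.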
diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
index a95ed4b..cf66fb4 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@@ -1,5 +1,5 @@
 
-policy_module(filesystem, 1.11.1)
+policy_module(filesystem, 1.11.2)
 
 ########################################
 #
diff --git a/policy/modules/services/rpc.te b/policy/modules/services/rpc.te
index 02c3fcd..012cb34 100644
--- a/policy/modules/services/rpc.te
+++ b/policy/modules/services/rpc.te
@@ -1,5 +1,5 @@
 
-policy_module(rpc, 1.10.2)
+policy_module(rpc, 1.10.3)
 
 ########################################
 #
@@ -76,7 +76,7 @@ files_manage_mounttab(rpcd_t)
 fs_list_rpc(rpcd_t)
 fs_read_rpc_files(rpcd_t)
 fs_read_rpc_symlinks(rpcd_t)
-fs_read_rpc_sockets(rpcd_t) 
+fs_rw_rpc_sockets(rpcd_t) 
 
 selinux_dontaudit_read_fs(rpcd_t)
 
@@ -163,7 +163,7 @@ kernel_search_network_sysctl(gssd_t)
 corecmd_exec_bin(gssd_t)
 
 fs_list_rpc(gssd_t) 
-fs_read_rpc_sockets(gssd_t) 
+fs_rw_rpc_sockets(gssd_t) 
 fs_read_rpc_files(gssd_t) 
 
 files_list_tmp(gssd_t) 

