[selinux-policy: 2358/3172] gpsd patch from Dan Walsh.

Thu Oct 7 22:29:21 UTC 2010

commit f37b7bd0cbde28c14dc84b443fb66f7d2579df97
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Thu Jan 7 08:59:38 2010 -0500

    gpsd patch from Dan Walsh.

 policy/modules/services/gpsd.fc |    7 ++++++-
 policy/modules/services/gpsd.if |    8 +-------
 policy/modules/services/gpsd.te |   16 +++++++++++++---
 3 files changed, 20 insertions(+), 11 deletions(-)
---

diff --git a/policy/modules/services/gpsd.fc b/policy/modules/services/gpsd.fc
index e7bbeb1..5e81e33 100644
--- a/policy/modules/services/gpsd.fc
+++ b/policy/modules/services/gpsd.fc
@@ -1 +1,6 @@
-/usr/sbin/gpsd	--	gen_context(system_u:object_r:gpsd_exec_t,s0)
+/etc/rc\.d/init\.d/gpsd	--	gen_context(system_u:object_r:gpsd_initrc_exec_t,s0)
+
+/usr/sbin/gpsd		--	gen_context(system_u:object_r:gpsd_exec_t,s0)
+
+/var/run/gpsd\.pid	--	gen_context(system_u:object_r:gpsd_var_run_t,s0)
+/var/run/gpsd\.sock	-s	gen_context(system_u:object_r:gpsd_var_run_t,s0)
diff --git a/policy/modules/services/gpsd.if b/policy/modules/services/gpsd.if
index 7597332..39fc12f 100644
--- a/policy/modules/services/gpsd.if
+++ b/policy/modules/services/gpsd.if
@@ -33,11 +33,6 @@ interface(`gpsd_domtrans',`
 ##	The role to be allowed the gpsd domain.
 ##	</summary>
 ## </param>
-## <param name="terminal">
-##	<summary>
-##	The type of the role's terminal.
-##	</summary>
-## </param>
 #
 interface(`gpsd_run',`
 	gen_require(`
@@ -46,11 +41,10 @@ interface(`gpsd_run',`
 
 	gpsd_domtrans($1)
 	role $2 types gpsd_t;
-	allow gpsd_t $3:chr_file rw_term_perms;
 ')
 
 ########################################
-## <summary>    
+## <summary>
 ##	Read and write gpsd shared memory.
 ## </summary>
 ## <param name="domain">
diff --git a/policy/modules/services/gpsd.te b/policy/modules/services/gpsd.te
index 9cdc1f1..d8c1654 100644
--- a/policy/modules/services/gpsd.te
+++ b/policy/modules/services/gpsd.te
@@ -1,5 +1,5 @@
 
-policy_module(gpsd, 1.0.0)
+policy_module(gpsd, 1.0.1)
 
 ########################################
 #
@@ -11,15 +11,21 @@ type gpsd_exec_t;
 application_domain(gpsd_t, gpsd_exec_t)
 init_daemon_domain(gpsd_t, gpsd_exec_t)
 
+type gpsd_initrc_exec_t;
+init_script_file(gpsd_initrc_exec_t)
+
 type gpsd_tmpfs_t;
 files_tmpfs_file(gpsd_tmpfs_t)
 
+type gpsd_var_run_t;
+files_pid_file(gpsd_var_run_t)
+
 ########################################
 #
 # gpsd local policy
 #
 
-allow gpsd_t self:capability { setuid sys_nice setgid fowner };
+allow gpsd_t self:capability { fsetid setuid sys_nice setgid fowner };
 allow gpsd_t self:process setsched;
 allow gpsd_t self:shm create_shm_perms;
 allow gpsd_t self:unix_dgram_socket { create_socket_perms sendto };
@@ -29,6 +35,10 @@ manage_dirs_pattern(gpsd_t, gpsd_tmpfs_t, gpsd_tmpfs_t)
 manage_files_pattern(gpsd_t, gpsd_tmpfs_t, gpsd_tmpfs_t)
 fs_tmpfs_filetrans(gpsd_t, gpsd_tmpfs_t, { dir file })
 
+manage_files_pattern(gpsd_t, gpsd_var_run_t, gpsd_var_run_t)
+manage_sock_files_pattern(gpsd_t, gpsd_var_run_t, gpsd_var_run_t)
+files_pid_filetrans(gpsd_t, gpsd_var_run_t, { file sock_file })
+
 corenet_all_recvfrom_unlabeled(gpsd_t)
 corenet_all_recvfrom_netlabel(gpsd_t)
 corenet_tcp_sendrecv_generic_if(gpsd_t)
@@ -51,5 +61,5 @@ optional_policy(`
 ')
 
 optional_policy(`
-	ntpd_rw_shm(gpsd_t)
+	ntp_rw_shm(gpsd_t)
 ')
