[selinux-policy: 2574/3172] Afs needs sys_admin, sends signals, and resolves hostnames from Dan Walsh

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 22:48:45 UTC 2010


commit 1d348bd253cac56a79a59639e54d401b4c99a0f6
Author: Jeremy Solt <jsolt at tresys.com>
Date:   Mon Mar 22 13:25:07 2010 -0400

    Afs needs sys_admin, sends signals, and resolves hostnames from Dan Walsh

 policy/modules/services/afs.if |    2 +-
 policy/modules/services/afs.te |    6 ++++--
 2 files changed, 5 insertions(+), 3 deletions(-)
---
diff --git a/policy/modules/services/afs.if b/policy/modules/services/afs.if
index 6f926f7..28ad29c 100644
--- a/policy/modules/services/afs.if
+++ b/policy/modules/services/afs.if
@@ -94,7 +94,7 @@ interface(`afs_initrc_domtrans',`
 #
 interface(`afs_admin',`
 	gen_require(`
-		type afs_t;
+		type afs_t, afs_initrc_exec_t;
 	')
 
 	allow $1 afs_t:process { ptrace signal_perms getattr };
diff --git a/policy/modules/services/afs.te b/policy/modules/services/afs.te
index 1bb54b6..60cc0d4 100644
--- a/policy/modules/services/afs.te
+++ b/policy/modules/services/afs.te
@@ -71,8 +71,8 @@ role system_r types afs_vlserver_t;
 # afs client local policy
 #
 
-allow afs_t self:capability { sys_nice sys_tty_config };
-allow afs_t self:process setsched;
+allow afs_t self:capability { sys_admin sys_nice sys_tty_config };
+allow afs_t self:process { setsched signal };
 allow afs_t self:udp_socket create_socket_perms;
 allow afs_t self:fifo_file rw_file_perms;
 allow afs_t self:unix_stream_socket create_stream_socket_perms;
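Review bot: The `sys_admin` added to `allow afs_t self:capability { sys_admin sys_nice sys_tty_config };` is the broadest Linux capability, and neither the commit message nor the policy records which AFS client operation was denied without it. I would add a comment above the rule naming that operation, for example `# sys_admin: required for <operation from the AVC denial>`, so a later audit can tell whether the grant is still needed. It is also worth confirming from the denial that no narrower capability covers it, since a compromise of an afs_t process would inherit everything sys_admin permits. The `signal` added to `self:process` is narrow by comparison and only needs the same one-line justification.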
@@ -105,6 +105,8 @@ logging_send_syslog_msg(afs_t)
 
 miscfiles_read_localization(afs_t)
 
+sysnet_dns_name_resolve(afs_t)
+
 ########################################
 #
 # AFS bossserver local policy

