[selinux-policy: 3069/3172] Search parent directory to be able to interact with targets content.

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 23:33:02 UTC 2010


commit ddbd71a506260384a083bcfdd84993907c6e33ba
Author: Dominick Grift <domg472 at gmail.com>
Date:   Mon Sep 20 19:48:08 2010 +0200

    Search parent directory to be able to interact with the target's content.
    
    Search parent directory to be able to interact with targets content.
    
    Search parent directory to be able to interact with targets content.
    
    Search parent directory to be able to interact with targets content.
    
    Search parent directory to be able to interact with targets content.
    
    Search parent directory to be able to interact with targets content.
    
    Search parent directory to be able to interact with targets content.
    
    Search parent directory to be able to interact with targets content.

 policy/modules/services/postgresql.if |    2 ++
 policy/modules/services/postgrey.if   |    5 +++--
 policy/modules/services/ppp.if        |    3 +++
 policy/modules/services/qpidd.if      |    2 ++
 policy/modules/services/rhcs.if       |    1 +
 policy/modules/services/rhgb.if       |    1 +
 policy/modules/services/ricci.if      |    1 +
 policy/modules/services/rtkit.if      |    1 +
 8 files changed, 14 insertions(+), 2 deletions(-)
---
diff --git a/policy/modules/services/postgresql.if b/policy/modules/services/postgresql.if
index 9284534..846518b 100644
--- a/policy/modules/services/postgresql.if
+++ b/policy/modules/services/postgresql.if
@@ -433,6 +433,7 @@ interface(`postgresql_admin',`
 	role_transition $2 postgresql_initrc_exec_t system_r;
 	allow $2 system_r;
 
+	files_list_pids($1)
 	admin_pattern($1, postgresql_var_run_t)
 
 	files_list_var_lib($1)
@@ -444,6 +445,7 @@ interface(`postgresql_admin',`
 	logging_list_logs($1)
 	admin_pattern($1, postgresql_log_t)
 
+	files_list_tmp($1)
 	admin_pattern($1, postgresql_tmp_t)
 
 	postgresql_tcp_connect($1)
diff --git a/policy/modules/services/postgrey.if b/policy/modules/services/postgrey.if
index 70f9768..6f55445 100644
--- a/policy/modules/services/postgrey.if
+++ b/policy/modules/services/postgrey.if
@@ -15,9 +15,9 @@ interface(`postgrey_stream_connect',`
 		type postgrey_var_run_t, postgrey_t, postgrey_spool_t;
 	')
 
-	stream_connect_pattern($1, postgrey_var_run_t, postgrey_var_run_t, postgrey_t)
-	stream_connect_pattern($1, postgrey_spool_t, postgrey_spool_t, postgrey_t)
+	stream_connect_pattern($1, { postgrey_spool_t postgrey_var_run_t }, { postgrey_spool_t postgrey_var_run_t }, postgrey_t)
 	files_search_pids($1)
+	files_search_spool($1)
 ')
 
 ########################################
@@ -35,6 +35,7 @@ interface(`postgrey_search_spool',`
 		type postgrey_spool_t;
 	')
 
+	files_search_spool($1)
 	allow $1 postgrey_spool_t:dir search_dir_perms;
 ')
 
diff --git a/policy/modules/services/ppp.if b/policy/modules/services/ppp.if
index 19d9b59..f88387a 100644
--- a/policy/modules/services/ppp.if
+++ b/policy/modules/services/ppp.if
@@ -281,6 +281,7 @@ interface(`ppp_read_pid_files',`
 		type pppd_var_run_t;
 	')
 
+	files_search_pids($1)
 	allow $1 pppd_var_run_t:file read_file_perms;
 ')
 
@@ -299,6 +300,7 @@ interface(`ppp_manage_pid_files',`
 		type pppd_var_run_t;
 	')
 
+	files_search_pids($1)
 	allow $1 pppd_var_run_t:file manage_file_perms;
 ')
 
@@ -375,6 +377,7 @@ interface(`ppp_admin',`
 	logging_list_logs($1)
 	admin_pattern($1, pppd_log_t)
 
+	files_list_locks($1)
 	admin_pattern($1, pppd_lock_t)
 
 	files_list_etc($1)
diff --git a/policy/modules/services/qpidd.if b/policy/modules/services/qpidd.if
index 3102e24..c403abc 100644
--- a/policy/modules/services/qpidd.if
+++ b/policy/modules/services/qpidd.if
@@ -70,6 +70,7 @@ interface(`qpidd_manage_var_run',`
 		type qpidd_var_run_t;
 	')
 
+	files_search_pids($1)
 	manage_dirs_pattern($1, qpidd_var_run_t, qpidd_var_run_t)
 	manage_files_pattern($1, qpidd_var_run_t, qpidd_var_run_t)
 	manage_lnk_files_pattern($1, qpidd_var_run_t, qpidd_var_run_t)
@@ -148,6 +149,7 @@ interface(`qpidd_manage_var_lib',`
 		type qpidd_var_lib_t;
 	')
 
+	files_search_var_lib($1)
 	manage_dirs_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t)
 	manage_files_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t)
 	manage_lnk_files_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t)
diff --git a/policy/modules/services/rhcs.if b/policy/modules/services/rhcs.if
index b506c5b..229a3c7 100644
--- a/policy/modules/services/rhcs.if
+++ b/policy/modules/services/rhcs.if
@@ -426,6 +426,7 @@ interface(`rhcs_read_qdiskd_tmpfs_files',`
 		type qdiskd_tmpfs_t;
 	')
 
+	fs_search_tmpfs($1)
 	allow $1 qdiskd_tmpfs_t:file read_file_perms;
 ')
 
diff --git a/policy/modules/services/rhgb.if b/policy/modules/services/rhgb.if
index 96efae7..793a29f 100644
--- a/policy/modules/services/rhgb.if
+++ b/policy/modules/services/rhgb.if
@@ -194,5 +194,6 @@ interface(`rhgb_rw_tmpfs_files',`
 		type rhgb_tmpfs_t;
 	')
 
+	fs_search_tmpfs($1)
 	allow $1 rhgb_tmpfs_t:file rw_file_perms;
 ')
diff --git a/policy/modules/services/ricci.if b/policy/modules/services/ricci.if
index 236fd6d..53e3ac1 100644
--- a/policy/modules/services/ricci.if
+++ b/policy/modules/services/ricci.if
@@ -126,6 +126,7 @@ interface(`ricci_rw_modclusterd_tmpfs_files',`
 		type ricci_modcluserd_tmpfs_t;
 	')
 
+	fs_search_tmpfs($1)
 	allow $1 ricci_modcluserd_tmpfs_t:file rw_file_perms;
 ')
 
diff --git a/policy/modules/services/rtkit.if b/policy/modules/services/rtkit.if
index 62d2628..f59cac5 100644
--- a/policy/modules/services/rtkit.if
+++ b/policy/modules/services/rtkit.if
@@ -75,6 +75,7 @@ interface(`rtkit_scheduled',`
 		type rtkit_daemon_t;
 	')
 
+	kernel_search_proc($1)
 	ps_process_pattern(rtkit_daemon_t, $1)
 	allow rtkit_daemon_t $1:process { getsched setsched };
 	rtkit_daemon_dbus_chat($1)
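Review bot: The added `kernel_search_proc($1)` gives /proc search to the calling domain, but in the following `ps_process_pattern(rtkit_daemon_t, $1)` it is rtkit_daemon_t that reads the caller's /proc entries, so the parent-directory search this commit is about is needed by rtkit_daemon_t, not by `$1`. As written, the line hands every caller of rtkit_scheduled an extra permission without helping the lookup it sits next to. Consider dropping it here and confirming that rtkit_daemon_t has `kernel_search_proc(rtkit_daemon_t)`; its own policy module is not visible on this page and may already grant it. The interface body starts above the hunk and its closing line is outside it.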

