From eda6417669efbb0dca4c51be1e0869c7a84e7acd Mon Sep 17 00:00:00 2001
From: Dominick Grift
Date: Mar 04 2010 14:18:03 +0000
Subject: Create apcupsd initrc domtrans. Call apcupsd initrc domtrans in apcupsd_admin. Remove obsolete require. Allow domains Various apcupsd fixes. Create apcupsd initrc domtrans. Call apcupsd initrc domtrans in apcupsd_admin. Remove obsolete require. Allow domains to search bin to enable run apcupsd executable file. Allow domains to search httpd system content to enable run apcupsd cgi script executables. Allow domains to search var to enable run apcupsd content in /var/www/upcupsd.
Signed-off-by: Dominick Grift
---
diff --git a/policy/modules/services/apcupsd.if b/policy/modules/services/apcupsd.if
index f30bf31..21eb32c 100644
--- a/policy/modules/services/apcupsd.if
+++ b/policy/modules/services/apcupsd.if
@@ -15,11 +15,30 @@ interface(`apcupsd_domtrans',`
 type apcupsd_t, apcupsd_exec_t;
 ')
+ corecmd_search_bin($1)
 domtrans_pattern($1, apcupsd_exec_t, apcupsd_t)
 ')
 ########################################
 ##
+## Execute apcupsd server in the apcupsd domain.
+##
+##
+##
+## The type of the process performing this action.
+##
+##
+#
+interface(`apcupsd_initrc_domtrans',`
+ gen_require(`
+ type apcupsd_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, apcupsd_initrc_exec_t)
+')
+
+########################################
+##
 ## Read apcupsd PID files.
 ##
 ##
@@ -94,6 +113,11 @@ interface(`apcupsd_cgi_script_domtrans',`
 type httpd_apcupsd_cgi_script_t, httpd_apcupsd_cgi_script_exec_t;
 ')
+ optional_policy(`
+ apache_search_sys_content($1)
+ ')
+
+ files_search_var($1)
 domtrans_pattern($1, httpd_apcupsd_cgi_script_exec_t, httpd_apcupsd_cgi_script_t)
 ')
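Review bot: The summary on the new `apcupsd_initrc_domtrans` interface in the first hunk repeats the wording used for `apcupsd_domtrans` ("Execute apcupsd server in the apcupsd domain"), but its body calls `init_labeled_script_domtrans($1, apcupsd_initrc_exec_t)`. Judging by that macro's name, the caller runs the labeled init script and transitions into the init script domain, not into apcupsd_t. A policy author who grants this interface on the strength of its summary would underestimate what is being handed out. The summary should read something like `Execute apcupsd init scripts in the init script domain.` and the parameter text `Domain allowed to transition.`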
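Review bot: The two search grants added to `apcupsd_cgi_script_domtrans` in the second hunk, `apache_search_sys_content($1)` and `files_search_var($1)`, have no comment saying why a caller needs them, and both give every caller access to directories that are not apcupsd's own. The reason appears only in the commit message. A short comment above them, for example `# CGI executables live below the httpd content tree under /var; callers need search on the parent directories to reach them`, would let a later reviewer tell these directory-lookup prerequisites apart from stray grants. The interface starts before this hunk.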
@@ -118,13 +142,13 @@ interface(`apcupsd_admin',`
 gen_require(`
 type apcupsd_t, apcupsd_tmp_t;
 type apcupsd_log_t, apcupsd_lock_t;
- type apcupsd_var_run_t, apcupsd_initrc_exec_t;
+ type apcupsd_var_run_t;
 ')
 allow $1 apcupsd_t:process { ptrace signal_perms };
 ps_process_pattern($1, apcupsd_t)
- init_labeled_script_domtrans($1, apcupsd_initrc_exec_t)
+ apcupsd_initrc_domtrans($1, apcupsd_initrc_exec_t)
 domain_system_change_exemption($1)
 role_transition $2 apcupsd_initrc_exec_t system_r;
 allow $2 system_r;
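Review bot: Dropping `apcupsd_initrc_exec_t` from the `gen_require` block leaves `role_transition $2 apcupsd_initrc_exec_t system_r;`, two lines further down, referring to a type that `apcupsd_admin` no longer requires. The replaced call also still passes that type as a second argument, although `apcupsd_initrc_domtrans` as added earlier in this patch reads only `$1`. Depending on how the policy is built, the unrequired type can fail module compilation or interface validation, while the surplus argument is likely just discarded by m4 and misleads the reader. Keep the require as `type apcupsd_var_run_t, apcupsd_initrc_exec_t;` and call `apcupsd_initrc_domtrans($1)`. The body of `apcupsd_admin` starts before and continues past this hunk.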