diff --git a/policy/modules/services/gpsd.fc b/policy/modules/services/gpsd.fc index e7bbeb1..5e81e33 100644 --- a/policy/modules/services/gpsd.fc +++ b/policy/modules/services/gpsd.fc @@ -1 +1,6 @@ -/usr/sbin/gpsd -- gen_context(system_u:object_r:gpsd_exec_t,s0) +/etc/rc\.d/init\.d/gpsd -- gen_context(system_u:object_r:gpsd_initrc_exec_t,s0) + +/usr/sbin/gpsd -- gen_context(system_u:object_r:gpsd_exec_t,s0) + +/var/run/gpsd\.pid -- gen_context(system_u:object_r:gpsd_var_run_t,s0) +/var/run/gpsd\.sock -s gen_context(system_u:object_r:gpsd_var_run_t,s0) diff --git a/policy/modules/services/gpsd.if b/policy/modules/services/gpsd.if index 7597332..39fc12f 100644 --- a/policy/modules/services/gpsd.if +++ b/policy/modules/services/gpsd.if @@ -33,11 +33,6 @@ interface(`gpsd_domtrans',` ## The role to be allowed the gpsd domain. ## ## -## -## -## The type of the role's terminal. -## -## # interface(`gpsd_run',` gen_require(` @@ -46,11 +41,10 @@ interface(`gpsd_run',` gpsd_domtrans($1) role $2 types gpsd_t; - allow gpsd_t $3:chr_file rw_term_perms; ') ######################################## -## +## ## Read and write gpsd shared memory. ## ## diff --git a/policy/modules/services/gpsd.te b/policy/modules/services/gpsd.te index 9cdc1f1..d8c1654 100644 --- a/policy/modules/services/gpsd.te +++ b/policy/modules/services/gpsd.te @@ -1,5 +1,5 @@ -policy_module(gpsd, 1.0.0) +policy_module(gpsd, 1.0.1) ######################################## # @@ -11,15 +11,21 @@ type gpsd_exec_t; application_domain(gpsd_t, gpsd_exec_t) init_daemon_domain(gpsd_t, gpsd_exec_t) +type gpsd_initrc_exec_t; +init_script_file(gpsd_initrc_exec_t) + type gpsd_tmpfs_t; files_tmpfs_file(gpsd_tmpfs_t) +type gpsd_var_run_t; +files_pid_file(gpsd_var_run_t) + ######################################## # # gpsd local policy # -allow gpsd_t self:capability { setuid sys_nice setgid fowner }; +allow gpsd_t self:capability { fsetid setuid sys_nice setgid fowner }; allow gpsd_t self:process setsched; allow gpsd_t self:shm create_shm_perms; allow gpsd_t self:unix_dgram_socket { create_socket_perms sendto }; @@ -29,6 +35,10 @@ manage_dirs_pattern(gpsd_t, gpsd_tmpfs_t, gpsd_tmpfs_t) manage_files_pattern(gpsd_t, gpsd_tmpfs_t, gpsd_tmpfs_t) fs_tmpfs_filetrans(gpsd_t, gpsd_tmpfs_t, { dir file }) +manage_files_pattern(gpsd_t, gpsd_var_run_t, gpsd_var_run_t) +manage_sock_files_pattern(gpsd_t, gpsd_var_run_t, gpsd_var_run_t) +files_pid_filetrans(gpsd_t, gpsd_var_run_t, { file sock_file }) + corenet_all_recvfrom_unlabeled(gpsd_t) corenet_all_recvfrom_netlabel(gpsd_t) corenet_tcp_sendrecv_generic_if(gpsd_t) @@ -51,5 +61,5 @@ optional_policy(` ') optional_policy(` - ntpd_rw_shm(gpsd_t) + ntp_rw_shm(gpsd_t) ')