--- nsaserefpolicy/policy/modules/services/rwho.fc 2008-08-07 11:15:11.000000000 -0400
+++ serefpolicy-3.5.5/policy/modules/services/rwho.fc 2008-08-14 13:53:54.000000000 -0400
@@ -3,3 +3,5 @@
 /var/spool/rwho(/.*)? gen_context(system_u:object_r:rwho_spool_t,s0)
 /var/log/rwhod(/.*)? gen_context(system_u:object_r:rwho_log_t,s0)
+
+/etc/rc.d/init.d/rwhod -- gen_context(system_u:object_r:rwho_script_exec_t,s0)
--- nsaserefpolicy/policy/modules/services/rwho.if 2008-08-07 11:15:11.000000000 -0400
+++ serefpolicy-3.5.5/policy/modules/services/rwho.if 2008-08-14 13:53:54.000000000 -0400
@@ -118,6 +118,25 @@
 ########################################
 ## 
+## Execute rwho server in the rwho domain.
+## 
+## 
+## 
+## The type of the process performing this action.
+## 
+## 
+#
+# 
+interface(`rwho_script_domtrans',`
+ gen_require(`
+ type rwho_script_exec_t;
+ ')
+
+ init_script_domtrans_spec($1, rwho_script_exec_t)
+')
+
+########################################
+## 
 ## All of the rules required to administrate
 ## an rwho environment
 ## 
@@ -131,14 +150,21 @@
 interface(`rwho_admin',`
 gen_require(`
 type rwho_t, rwho_log_t, rwho_spool_t;
+ type rwho_script_exec_t;
 ')
 allow $1 rwho_t:process { ptrace signal_perms getattr };
 ps_process_pattern($1, rwho_t)
+ # Allow rwho_t to restart the apache service
+ rwho_script_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 rwho_script_exec_t system_r;
+ allow $2 system_r;
+
 logging_list_logs($1)
- manage_files_pattern($1, rwho_log_t, rwho_log_t)
+ admin_pattern($1, rwho_log_t)
 files_list_spool($1)
- manage_files_pattern($1, rwho_spool_t, rwho_spool_t)
+ admin_pattern($1, rwho_spool_t)
 ')
--- nsaserefpolicy/policy/modules/services/rwho.te 2008-08-07 11:15:11.000000000 -0400
+++ serefpolicy-3.5.5/policy/modules/services/rwho.te 2008-08-14 13:53:54.000000000 -0400
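Review bot: The summary of the new `rwho_script_domtrans` interface, `Execute rwho server in the rwho domain.`, does not match its body: `init_script_domtrans_spec($1, rwho_script_exec_t)` runs the rwhod init script through the init script transition, not the rwho server, and `rwho_t` is never named in it. Change the summary to `## Execute the rwhod init script in the init script domain.` so callers do not take this for a daemon entry point. The two consecutive `#` lines between the doc block and `interface(` also appear to be a stray duplicate; the surrounding interfaces separate the doc block from the interface with a single `#`.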
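Review bot: The comment `# Allow rwho_t to restart the apache service` in `rwho_admin` is wrong on both counts: the rules it introduces apply to the admin domain `$1`, not `rwho_t`, and they concern the rwhod init script, so it should read `# Allow the admin domain to run the rwhod init script`. The `role_transition $2 rwho_script_exec_t system_r;` and `allow $2 system_r;` lines grant the caller's role access to `system_r` as a whole, which is broader than rwho itself even though it follows the usual admin-interface pattern; this is worth stating in the interface's role parameter description, which sits above this hunk. `$2` is not referenced on any removed or context line here, so confirm the doc block already declares that second parameter.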
@@ -16,6 +16,9 @@
 type rwho_spool_t;
 files_type(rwho_spool_t)
+type rwho_script_exec_t;
+init_script_type(rwho_script_exec_t)
+
 ########################################
 #
 # rwho local policy