On Mon, Feb 25, 2008 at 09:31:07AM -0500, Christopher J. PeBenito wrote: >... > Perhaps we should make sm-notify rpcd_exec_t and allow exec on that? A new patch is attached. -- Zito
Index: policy/modules/services/rpc.fc
===================================================================
--- policy/modules/services/rpc.fc (revision 2626)
+++ policy/modules/services/rpc.fc (working copy)
@@ -7,6 +7,7 @@
 # /sbin
 #
 /sbin/rpc\..* -- gen_context(system_u:object_r:rpcd_exec_t,s0)
+/sbin/sm-notify -- gen_context(system_u:object_r:rpcd_exec_t,s0)
 
 #
 # /usr
Index: policy/modules/services/rpc.te
===================================================================
--- policy/modules/services/rpc.te (revision 2626)
+++ policy/modules/services/rpc.te (working copy)
@@ -60,10 +60,15 @@
 manage_files_pattern(rpcd_t,rpcd_var_run_t,rpcd_var_run_t)
 files_pid_filetrans(rpcd_t,rpcd_var_run_t,file)
 
+# rpc.statd executes sm-notify
+corecmd_search_bin(rpcd_t)
+can_exec(rpcd_t, rpcd_exec_t)
+
 kernel_read_system_state(rpcd_t)
 kernel_search_network_state(rpcd_t)
 # for rpc.rquotad
 kernel_read_sysctl(rpcd_t)
+kernel_rw_fs_sysctls(rpcd_t)
 
 fs_list_rpc(rpcd_t)
 fs_read_rpc_files(rpcd_t)
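Review bot: The added `kernel_rw_fs_sysctls(rpcd_t)` in the rpc.te hunk is the only new line without a comment, and it is a write permission on kernel sysctls granted to a network-facing daemon, so the reason should be recorded next to it the way the neighbouring `# for rpc.rquotad` line does; if it is needed for sm-notify, something like `# sm-notify needs to write fs sysctls` would do, and if reads alone suffice the read-only interface from the kernel module would be the narrower grant. Note also that `can_exec(rpcd_t, rpcd_exec_t)` is wider than the comment `# rpc.statd executes sm-notify` suggests: since rpc.fc labels every `/sbin/rpc\..*` binary rpcd_exec_t as well, this allows rpcd_t to execute all of those without a domain transition, not only sm-notify. That is likely acceptable here because they already run as rpcd_t, but the comment should say so, e.g. `# rpc.statd executes sm-notify (rpcd_exec_t, no transition)`. The hunk's enclosing block of rpcd_t rules starts and ends outside the shown lines.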