Add dirsrvadmin_lock_t type

diff --git a/policy/modules/services/dirsrv-admin.fc b/policy/modules/services/dirsrv-admin.fc
index c6cbc8052350d60c4d1bd44b7c5196cd294d677c..fdf5675efef72a8c1775c3a31eae626affb2a522 100644 (file)
--- a/policy/modules/services/dirsrv-admin.fc
+++ b/policy/modules/services/dirsrv-admin.fc
@@ -11,3 +11,5 @@
 
 /usr/lib/dirsrv/cgi-bin/ds_create    --  gen_context(system_u:object_r:dirsrvadmin_unconfined_script_exec_t,s0)
 /usr/lib/dirsrv/cgi-bin/ds_remove    --  gen_context(system_u:object_r:dirsrvadmin_unconfined_script_exec_t,s0)
+
+/var/lock/subsys/dirsrv      --  gen_context(system_u:object_r:dirsrvadmin_lock_t,s0)

diff --git a/policy/modules/services/dirsrv-admin.te b/policy/modules/services/dirsrv-admin.te
index de5951eb7ed1c40d58f73641a2472f25fb839b65..1104d92b9b8f23a964d7a28a81302117da6b3f95 100644 (file)
--- a/policy/modules/services/dirsrv-admin.te
+++ b/policy/modules/services/dirsrv-admin.te
@@ -13,6 +13,9 @@ role system_r types dirsrvadmin_t;
 type dirsrvadmin_config_t;
 files_type(dirsrvadmin_config_t)
 
+type dirsrvadmin_lock_t;
+files_lock_file(dirsrvadmin_lock_t)
+
 type dirsrvadmin_tmp_t;
 files_tmp_file(dirsrvadmin_tmp_t)
 
@@ -77,6 +80,10 @@ optional_policy(`
        allow httpd_dirsrvadmin_script_t self:netlink_route_socket r_netlink_socket_perms;
        allow httpd_dirsrvadmin_script_t self:sem create_sem_perms;
 
+
+       manage_files_pattern(httpd_dirsrvadmin_script_t_t, dirsrvadmin_lock_t, dirsrvadmin_lock_t)
+       files_lock_filetrans(httpd_dirsrvadmin_script_t, dirsrvadmin_lock_t, { file })
+
        kernel_read_kernel_sysctls(httpd_dirsrvadmin_script_t)
 
        corenet_all_recvfrom_unlabeled(httpd_dirsrvadmin_script_t)