More fixes for rhev_agentd_t consolehelper policy

 * Allow dbus chat with unconfined, unconfined_dbusd_t
 * Backport RHEL6 fixes

diff --git a/policy/modules/services/rhev.te b/policy/modules/services/rhev.te
index 6c38356191e5d9512ad331fa600d436be806f5b0..d3473e674a8923137cb0295cf20c357bc5bda952 100644 (file)
--- a/policy/modules/services/rhev.te
+++ b/policy/modules/services/rhev.te
@@ -73,9 +73,29 @@ optional_policy(`
 ')
 
 optional_policy(`
-       userhelper_console_role_template(rhev_agentd, system_r, rhev_agentd_t)
+   xserver_dbus_chat_xdm(rhev_agentd_t)
 ')
 
+######################################
+#
+# rhev_agentd_t consolehelper local policy
+#
+
 optional_policy(`
-   xserver_dbus_chat_xdm(rhev_agentd_t)
+       userhelper_console_role_template(rhev_agentd, system_r, rhev_agentd_t)
+
+       allow rhev_agentd_consolehelper_t rhev_agentd_log_t:file append;
+
+       can_exec(rhev_agentd_consolehelper_t, rhev_agentd_exec_t)
+       kernel_read_system_state(rhev_agentd_consolehelper_t)
+
+       term_use_virtio_console(rhev_agentd_consolehelper_t)
+
+       optional_policy(`
+               dbus_session_bus_client(rhev_agentd_consolehelper_t)
+       ')
+
+       optional_policy(`
+               unconfined_dbus_chat(rhev_agentd_consolehelper_t)
+       ')
 ')