Make vdagent working with confined users
authorMiroslav Grepl <mgrepl@redhat.com>
Thu, 11 Aug 2011 09:54:30 +0000 (09:54 +0000)
committerMiroslav Grepl <mgrepl@redhat.com>
Thu, 11 Aug 2011 09:54:30 +0000 (09:54 +0000)
policy/modules/services/vdagent.if
policy/modules/system/userdomain.if

index 83336ab56922dc6c6517cb4ae9c044e59b5b2b6e..764727910291e6e43f369ffb2365dd40aab6b521 100644 (file)
@@ -1,6 +1,23 @@
 
 ## <summary>policy for vdagent</summary>
 
+#####################################
+## <summary>
+##  Getattr on vdagent executable.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed to transition.
+##  </summary>
+## </param>
+#
+interface(`vdagent_getattr_exec',`
+    gen_require(`
+        type vdagent_exec_t;
+    ')
+
+    allow $1 vdagent_exec_t:file getattr;
+')
 
 ########################################
 ## <summary>
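Review bot: The parameter description on `vdagent_getattr_exec` reads "Domain allowed to transition.", but the interface grants only `getattr` on `vdagent_exec_t` and no domain transition. The text looks copied from `vdagent_domtrans` and should be `##  Domain allowed access.`, as in `vdagent_getattr_log` in the next hunk. Interface docs are what a policy reviewer reads to judge what a caller is granted, so a description that overstates the access is misleading. For consistency with the log interface, the rule could also use the permission-set macro: `allow $1 vdagent_exec_t:file getattr_file_perms;`.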
@@ -20,6 +37,24 @@ interface(`vdagent_domtrans',`
        domtrans_pattern($1, vdagent_exec_t, vdagent_t)
 ')
 
+#######################################
+## <summary>
+##  Get the attributes of vdagent logs.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`vdagent_getattr_log',`
+    gen_require(`
+        type vdagent_log_t;
+    ')
+
+    logging_search_logs($1)
+    allow $1 vdagent_log_t:file getattr_file_perms;
+')
 
 ########################################
 ## <summary>
index 6bd7bd2db3fe4db82825a82a85020849f9993adb..76d6c05ebeab0479f517e66d3a83386475082eb9 100644 (file)
@@ -1309,6 +1309,12 @@ template(`userdom_unpriv_user_template', `
        optional_policy(`
                ppp_run_cond($1_t, $1_r)
        ')
+
+       optional_policy(`
+               vdagent_getattr_log($1_t)
+               vdagent_getattr_exec($1_t)
+               vdagent_stream_connect($1_t)
+       ')
 ')
 
 #######################################
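Review bot: The new optional block grants `vdagent_stream_connect($1_t)` to every user domain built from `userdom_unpriv_user_template`, with no comment or condition explaining why all of those domains need to reach the vdagent socket. The two getattr calls are narrow, but a stream connect lets confined user domains send data to the daemon, which then has to handle that input safely. That is worth confirming, since `vdagent_stream_connect` and the daemon's own domain are not visible in this diff. At minimum add a comment above the block, such as `# vdagent session client: stat the daemon binary and log, connect to its socket`. If only some session types need the access, it may fit better in a narrower template. The template body starts outside the hunk.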