From: Miroslav Grepl <mgrepl@redhat.com>
Date: Mon, 5 Dec 2011 11:28:21 +0000 (+0100)
Subject: More fixes for rhev_agentd_t consolehelper policy
X-Git-Tag: 000~42^2~3
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=fb7966dd3b66856fb0d421927b3c7342f20db29d;p=people%2Fstevee%2Fselinux-policy.git

More fixes for rhev_agentd_t consolehelper policy
 * Allow dbus chat with unconfined, unconfined_dbusd_t
 * Backport RHEL6 fixes
---

diff --git a/policy/modules/services/rhev.te b/policy/modules/services/rhev.te
index 6c383561..d3473e67 100644
--- a/policy/modules/services/rhev.te
+++ b/policy/modules/services/rhev.te
@@ -73,9 +73,29 @@ optional_policy(`
 ')
 
 optional_policy(`
-	userhelper_console_role_template(rhev_agentd, system_r, rhev_agentd_t)
+   xserver_dbus_chat_xdm(rhev_agentd_t)
 ')
 
+######################################
+#
+# rhev_agentd_t consolehelper local policy
+#
+
 optional_policy(`
-   xserver_dbus_chat_xdm(rhev_agentd_t)
+	userhelper_console_role_template(rhev_agentd, system_r, rhev_agentd_t)
+
+	allow rhev_agentd_consolehelper_t rhev_agentd_log_t:file append;
+
+	can_exec(rhev_agentd_consolehelper_t, rhev_agentd_exec_t)
+	kernel_read_system_state(rhev_agentd_consolehelper_t)
+
+	term_use_virtio_console(rhev_agentd_consolehelper_t)
+
+	optional_policy(`
+		dbus_session_bus_client(rhev_agentd_consolehelper_t)
+	')
+
+	optional_policy(`
+		unconfined_dbus_chat(rhev_agentd_consolehelper_t)
+	')
 ')