diff --git a/vdagent.fc b/vdagent.fc
index 394e9b3..45b6dde 100644
--- a/vdagent.fc
+++ b/vdagent.fc
@@ -1,7 +1,9 @@
+/etc/rc\.d/init\.d/spice-vdagentd -- gen_context(system_u:object_r:vdagentd_initrc_exec_t,s0)
+
/usr/sbin/spice-vdagentd -- gen_context(system_u:object_r:vdagent_exec_t,s0)
/var/log/spice-vdagentd(/.*)? gen_context(system_u:object_r:vdagent_log_t,s0)
-/var/log/spice-vdagentd\.log -- gen_context(system_u:object_r:vdagent_log_t,s0)
+/var/log/spice-vdagentd\.log.* -- gen_context(system_u:object_r:vdagent_log_t,s0)
/var/run/spice-vdagentd(/.*)? gen_context(system_u:object_r:vdagent_var_run_t,s0)
/var/run/spice-vdagentd\.pid -- gen_context(system_u:object_r:vdagent_var_run_t,s0)
diff --git a/vdagent.if b/vdagent.if
index e59a074..31c752e 100644
--- a/vdagent.if
+++ b/vdagent.if
@@ -1,4 +1,4 @@
-## policy for vdagent
+## Spice agent for Linux.
########################################
##
@@ -15,12 +15,13 @@ interface(`vdagent_domtrans',`
type vdagent_t, vdagent_exec_t;
')
+ corecmd_search_bin($1)
domtrans_pattern($1, vdagent_exec_t, vdagent_t)
')
#####################################
##
-## Getattr on vdagent executable.
+## Get attributes of vdagent executable files.
##
##
##
@@ -33,12 +34,12 @@ interface(`vdagent_getattr_exec_files',`
type vdagent_exec_t;
')
- allow $1 vdagent_exec_t:file getattr;
+ allow $1 vdagent_exec_t:file getattr_file_perms;
')
#######################################
##
-## Get the attributes of vdagent logs.
+## Get attributes of vdagent log files.
##
##
##
@@ -57,7 +58,7 @@ interface(`vdagent_getattr_log',`
########################################
##
-## Read vdagent PID files.
+## Read vdagent pid files.
##
##
##
@@ -76,8 +77,8 @@ interface(`vdagent_read_pid_files',`
#####################################
##
-## Connect to vdagent over a unix domain
-## stream socket.
+## Connect to vdagent with a unix
+## domain stream socket.
##
##
##
@@ -96,8 +97,8 @@ interface(`vdagent_stream_connect',`
########################################
##
-## All of the rules required to administrate
-## an vdagent environment
+## All of the rules required to
+## administrate an vdagent environment.
##
##
##
@@ -113,12 +114,21 @@ interface(`vdagent_stream_connect',`
#
interface(`vdagent_admin',`
gen_require(`
- type vdagent_t, vdagent_var_run_t;
+ type vdagent_t, vdagent_var_run_t, vdagentd_initrc_exec_t;
+ type vdagent_log_t;
')
allow $1 vdagent_t:process signal_perms;
ps_process_pattern($1, vdagent_t)
+ init_labeled_script_domtrans($1, vdagentd_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 vdagentd_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ logging_search_logs($1)
+ admin_pattern($1, vdagent_log_t)
+
files_search_pids($1)
admin_pattern($1, vdagent_var_run_t)
')
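Review bot: The new `role_transition $2 vdagentd_initrc_exec_t system_r;` and `allow $2 system_r;` lines turn `$2` into a role parameter of `vdagent_admin`, but the interface's `<param>` documentation lies outside this hunk, so confirm it now declares `<param name="role">` for the role that runs the init script; the refpolicy interface scanner reads that block and callers rely on it. Because the transition hands the caller's role `system_r`, this interface is a deliberate privilege grant and should only ever be invoked from an administrative role, which is worth stating in its summary. The rest of the additions (`domain_system_change_exemption`, `logging_search_logs` plus `admin_pattern` on the log type) follow the usual refpolicy admin-interface shape.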
diff --git a/vdagent.te b/vdagent.te
index 57578ae..77be35a 100644
--- a/vdagent.te
+++ b/vdagent.te
@@ -1,4 +1,4 @@
-policy_module(vdagent, 1.0.1)
+policy_module(vdagent, 1.0.2)
########################################
#
@@ -9,6 +9,9 @@ type vdagent_t;
type vdagent_exec_t;
init_daemon_domain(vdagent_t, vdagent_exec_t)
+type vdagentd_initrc_exec_t;
+init_script_file(vdagentd_initrc_exec_t)
+
type vdagent_var_run_t;
files_pid_file(vdagent_var_run_t)
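Review bot: The new type is named `vdagentd_initrc_exec_t` while every other type in this module carries the `vdagent_` prefix (`vdagent_t`, `vdagent_exec_t`, `vdagent_var_run_t`, `vdagent_log_t`), so the mixed prefix will surprise anyone searching the policy and becomes part of the public `vdagent_admin` interface once merged. Unless something outside this diff already refers to the name, consider `type vdagent_initrc_exec_t;` together with the matching edits in vdagent.fc and vdagent.if before it is released. A one-line comment above the declaration, such as `# init script for spice-vdagentd`, would also help, since the binding to the script is otherwise only visible in the .fc file.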
@@ -17,13 +20,13 @@ logging_log_file(vdagent_log_t)
########################################
#
-# vdagent local policy
+# Local policy
#
dontaudit vdagent_t self:capability sys_admin;
-
+allow vdagent_t self:process signal;
allow vdagent_t self:fifo_file rw_fifo_file_perms;
-allow vdagent_t self:unix_stream_socket create_stream_socket_perms;
+allow vdagent_t self:unix_stream_socket { accept listen };
manage_dirs_pattern(vdagent_t, vdagent_var_run_t, vdagent_var_run_t)
manage_files_pattern(vdagent_t, vdagent_var_run_t, vdagent_var_run_t)
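Review bot: Replacing `create_stream_socket_perms` with `{ accept listen }` on `self:unix_stream_socket` removes `create`, `bind`, `read`, `write` and `getattr` for the daemon's own listening socket, yet the `manage_sock_files_pattern` and `files_pid_filetrans(... sock_file)` rules retained just after this hunk show it still creates a socket under /var/run. Nothing in this hunk grants those permissions, so the change presumably relies on the base domain rules pulled in by `init_daemon_domain` covering them in the target refpolicy version; verify with `sesearch -A -s vdagent_t -c unix_stream_socket` on the built policy and keep `create_stream_socket_perms` if they are not covered. The added `allow vdagent_t self:process signal;` is fine as written.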
@@ -31,7 +34,9 @@ manage_sock_files_pattern(vdagent_t, vdagent_var_run_t, vdagent_var_run_t)
files_pid_filetrans(vdagent_t, vdagent_var_run_t, { dir file sock_file })
manage_dirs_pattern(vdagent_t, vdagent_log_t, vdagent_log_t)
-manage_files_pattern(vdagent_t, vdagent_log_t, vdagent_log_t)
+append_files_pattern(vdagent_t, vdagent_log_t, vdagent_log_t)
+create_files_pattern(vdagent_t, vdagent_log_t, vdagent_log_t)
+setattr_files_pattern(vdagent_t, vdagent_log_t, vdagent_log_t)
logging_log_filetrans(vdagent_t, vdagent_log_t, file)
dev_rw_input_dev(vdagent_t)
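Review bot: `logging_log_filetrans(vdagent_t, vdagent_log_t, file)` applies the transition only to files, but vdagent.fc labels both a `/var/log/spice-vdagentd` directory and `spice-vdagentd.log*` files, and `manage_dirs_pattern` on `vdagent_log_t` is kept here. If the daemon creates that directory itself at startup it will be created with the parent's label and the file rules will not match inside it; in that case use `logging_log_filetrans(vdagent_t, vdagent_log_t, { dir file })`. The narrowing from `manage_files_pattern` to append/create/setattr is a good append-only restriction; a comment such as `# append-only logging; rotation is left to logrotate` would record the intent so nobody reintroduces full manage later.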
@@ -40,12 +45,18 @@ dev_dontaudit_write_mtrr(vdagent_t)
files_read_etc_files(vdagent_t)
+init_read_state(vdagent_t)
+
+logging_send_syslog_msg(vdagent_t)
+
miscfiles_read_localization(vdagent_t)
-optional_policy(`
- consolekit_dbus_chat(vdagent_t)
-')
+userdom_read_all_users_state(vdagent_t)
optional_policy(`
dbus_system_bus_client(vdagent_t)
+
+ optional_policy(`
+ consolekit_dbus_chat(vdagent_t)
+ ')
')
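Review bot: `userdom_read_all_users_state(vdagent_t)` and `init_read_state(vdagent_t)` grant the agent read access to the /proc state of every user domain and of init, which is a broad grant for a guest-agent daemon, and nothing in the hunk records which denial motivated it. Add a comment naming the concrete need, e.g. `# reads /proc/<pid> of user sessions to ... (TODO: confirm against the original denial)`, and if the need is narrower (only the session owning the display, say) prefer a more specific interface. Moving `consolekit_dbus_chat` inside the `dbus_system_bus_client` optional block is correct, since the ConsoleKit chat rules are only meaningful together with the bus-client rules.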