Merge pull request #867 from PPN-SD/upd-knot-sel

Add setcap to knotd / add knotc_initrc_domtrans

policy/modules/services/knot.if

@@ -45,6 +45,25 @@ interface(`knot_run_client',`
 	roleattribute $2 knot_roles;
 ')
 
+########################################
+## <summary>
+##      Execute knotc in knot init
+##      scripts in the initrc domain.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed to transition.
+##      </summary>
+## </param>
+#
+interface(`knotc_initrc_domtrans',`
+        gen_require(`
+                type knot_initrc_exec_t;
+        ')
+
+        init_labeled_script_domtrans($1, knot_initrc_exec_t)
+')
+
 ########################################
 ## <summary>
 ##      Read knot config files.

policy/modules/services/knot.te

@@ -38,7 +38,7 @@ files_type(knot_var_lib_t)
 #
 
 allow knotd_t self:capability { dac_override dac_read_search setgid setpcap setuid };
-allow knotd_t self:process { getcap getsched setsched signal_perms };
+allow knotd_t self:process { getcap getsched setcap setsched signal_perms };
 allow knotd_t self:tcp_socket create_stream_socket_perms;
 allow knotd_t self:udp_socket create_socket_perms;
 allow knotd_t self:unix_stream_socket create_stream_socket_perms;