[selinux-policy: 1559/3172] patch from Stefan for mrtg daemon operation.
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 21:19:57 UTC 2010
commit 4846dc8ad4c29a105827c41a255033b54b6633cf
Author: Chris PeBenito <cpebenito at tresys.com>
Date: Mon Aug 7 17:14:00 2006 +0000
patch from Stefan for mrtg daemon operation.
Changelog | 1 +
policy/modules/admin/mrtg.fc | 2 +-
policy/modules/admin/mrtg.te | 18 ++++++++++++++++--
policy/modules/services/nscd.if | 18 ++++++++++++++++++
policy/modules/services/nscd.te | 2 +-
5 files changed, 37 insertions(+), 4 deletions(-)
---
diff --git a/Changelog b/Changelog
index 6e46a22..894fbf4 100644
--- a/Changelog
+++ b/Changelog
@@ -1,3 +1,4 @@
+- MRTG patch for daemon operation from Stefan.
- Add authlogin interface to abstract common access for login programs.
- Remove setbool auditallow, except for RHEL4.
- Change eventpollfs to task SID labeling.
diff --git a/policy/modules/admin/mrtg.fc b/policy/modules/admin/mrtg.fc
index c59caa5..37fb953 100644
--- a/policy/modules/admin/mrtg.fc
+++ b/policy/modules/admin/mrtg.fc
@@ -15,4 +15,4 @@
/var/lib/mrtg(/.*)? gen_context(system_u:object_r:mrtg_var_lib_t,s0)
/var/lock/mrtg(/.*)? gen_context(system_u:object_r:mrtg_lock_t,s0)
/var/log/mrtg(/.*)? gen_context(system_u:object_r:mrtg_log_t,s0)
-
+/var/run/mrtg\.pid gen_context(system_u:object_r:mrtg_var_run_t,s0)
diff --git a/policy/modules/admin/mrtg.te b/policy/modules/admin/mrtg.te
index 3625067..8dcd535 100644
--- a/policy/modules/admin/mrtg.te
+++ b/policy/modules/admin/mrtg.te
@@ -1,5 +1,5 @@
-policy_module(mrtg,1.0.1)
+policy_module(mrtg,1.0.2)
########################################
#
@@ -22,12 +22,15 @@ logging_log_file(mrtg_log_t)
type mrtg_var_lib_t;
files_type(mrtg_var_lib_t)
+type mrtg_var_run_t;
+files_pid_file(mrtg_var_run_t)
+
########################################
#
# Local policy
#
-allow mrtg_t self:capability { setgid setuid };
+allow mrtg_t self:capability { setgid setuid chown };
dontaudit mrtg_t self:capability sys_tty_config;
allow mrtg_t self:process signal_perms;
allow mrtg_t self:fifo_file { getattr read write ioctl };
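Review bot: The `chown` capability added to the `allow mrtg_t self:capability { setgid setuid chown };` line is not explained by the commit message or the Changelog entry, and CAP_CHOWN is broader than a pid file needs: it lets mrtg_t change the owner of any file it can already write (its lib, lock, log and etc dirs are all writable by it under distro_redhat). If the daemon mode needs it to hand its pid/log files to the unprivileged user it switches to via the setuid/setgid it already has, that should be recorded next to the rule, e.g. `# chown: daemon mode re-owns its pid/log files for the user it drops to (confirm against the audit denial)`. Note the capability is granted unconditionally, so the cron-driven mode carries it too; if only daemon operation needs it, gating it or at least saying so would keep the rest of the domain at its previous privilege.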
@@ -52,6 +55,9 @@ allow mrtg_t mrtg_var_lib_t:dir rw_dir_perms;
allow mrtg_t mrtg_var_lib_t:file create_file_perms;
allow mrtg_t mrtg_var_lib_t:lnk_file create_lnk_perms;
+allow mrtg_t mrtg_var_run_t:file manage_file_perms;
+files_pid_filetrans(mrtg_t,mrtg_var_run_t,file)
+
# read config files
dontaudit mrtg_t mrtg_etc_t:dir write;
dontaudit mrtg_t mrtg_etc_t:file { write ioctl };
@@ -116,6 +122,10 @@ sysnet_read_config(mrtg_t)
userdom_dontaudit_use_unpriv_user_fds(mrtg_t)
userdom_use_sysadm_terms(mrtg_t)
+ifdef(`enable_mls',`
+ corenet_udp_sendrecv_lo_if(mrtg_t)
+')
+
ifdef(`distro_redhat',`
allow mrtg_t mrtg_etc_t:dir rw_dir_perms;
allow mrtg_t mrtg_lock_t:file create_file_perms;
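Review bot: `corenet_udp_sendrecv_lo_if(mrtg_t)` is added only under `ifdef(`enable_mls',`, with no comment saying why loopback UDP is an MLS-only need. If mrtg in daemon mode polls an SNMP agent on localhost, that access is needed regardless of MLS; if the non-MLS build already gets loopback through a broader corenet interface earlier in mrtg.te (not visible in this hunk), the guard is fine but the reason should be stated, e.g. `# loopback SNMP polling; non-MLS builds already cover lo via the generic netif rules above -- verify`. As written, a reader cannot tell whether this is a deliberate scoping or an incomplete fix for a denial seen only on an MLS box.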
@@ -145,6 +155,10 @@ optional_policy(`
')
optional_policy(`
+ nscd_dontaudit_search_pid(mrtg_t)
+')
+
+optional_policy(`
seutil_sigchld_newrole(mrtg_t)
')
diff --git a/policy/modules/services/nscd.if b/policy/modules/services/nscd.if
index 84ea494..f72739d 100644
--- a/policy/modules/services/nscd.if
+++ b/policy/modules/services/nscd.if
@@ -127,6 +127,24 @@ interface(`nscd_shm_use',`
########################################
## <summary>
+## Do not audit attempts to search the NSCD pid directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`nscd_dontaudit_search_pid',`
+ gen_require(`
+ type nscd_var_run_t;
+ ')
+
+ dontaudit $1 nscd_var_run_t:dir search;
+')
+
+########################################
+## <summary>
## Read NSCD pid file.
## </summary>
## <param name="domain">
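Review bot: The parameter summary for the new `nscd_dontaudit_search_pid` interface reads `Domain allowed access.`, but the interface grants nothing; it only suppresses audit messages for `nscd_var_run_t:dir search`. Reference policy's other dontaudit interfaces document the parameter as `Domain to not audit.`, and using that wording here keeps the generated interface docs from suggesting that callers receive search access. One-line change in the `<param name="domain">` block: `## Domain to not audit.`.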
diff --git a/policy/modules/services/nscd.te b/policy/modules/services/nscd.te
index 9b679d0..a073fdf 100644
--- a/policy/modules/services/nscd.te
+++ b/policy/modules/services/nscd.te
@@ -1,5 +1,5 @@
-policy_module(nscd,1.2.7)
+policy_module(nscd,1.2.8)
gen_require(`
class nscd all_nscd_perms;