[selinux-policy: 1559/3172] patch from Stefan for mrtg daemon operation.

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 21:19:57 UTC 2010


commit 4846dc8ad4c29a105827c41a255033b54b6633cf
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Mon Aug 7 17:14:00 2006 +0000

    patch from Stefan for mrtg daemon operation.

 Changelog                       |    1 +
 policy/modules/admin/mrtg.fc    |    2 +-
 policy/modules/admin/mrtg.te    |   18 ++++++++++++++++--
 policy/modules/services/nscd.if |   18 ++++++++++++++++++
 policy/modules/services/nscd.te |    2 +-
 5 files changed, 37 insertions(+), 4 deletions(-)
---
diff --git a/Changelog b/Changelog
index 6e46a22..894fbf4 100644
--- a/Changelog
+++ b/Changelog
@@ -1,3 +1,4 @@
+- MRTG patch for daemon operation from Stefan.
 - Add authlogin interface to abstract common access for login programs.
 - Remove setbool auditallow, except for RHEL4.
 - Change eventpollfs to task SID labeling.
diff --git a/policy/modules/admin/mrtg.fc b/policy/modules/admin/mrtg.fc
index c59caa5..37fb953 100644
--- a/policy/modules/admin/mrtg.fc
+++ b/policy/modules/admin/mrtg.fc
@@ -15,4 +15,4 @@
 /var/lib/mrtg(/.*)?		gen_context(system_u:object_r:mrtg_var_lib_t,s0)
 /var/lock/mrtg(/.*)?		gen_context(system_u:object_r:mrtg_lock_t,s0)
 /var/log/mrtg(/.*)?		gen_context(system_u:object_r:mrtg_log_t,s0)
-
+/var/run/mrtg\.pid		gen_context(system_u:object_r:mrtg_var_run_t,s0)
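Review bot: The new `/var/run/mrtg\.pid` entry carries no file-type specifier, so it will also label a directory or symlink created at that path, whereas the matching `files_pid_filetrans(mrtg_t,mrtg_var_run_t,file)` in mrtg.te only ever transitions regular files. Restricting the context to regular files keeps the two consistent: `/var/run/mrtg\.pid	--	gen_context(system_u:object_r:mrtg_var_run_t,s0)`. The surrounding `(/.*)?` entries are directory trees, so they are correctly left unqualified.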
diff --git a/policy/modules/admin/mrtg.te b/policy/modules/admin/mrtg.te
index 3625067..8dcd535 100644
--- a/policy/modules/admin/mrtg.te
+++ b/policy/modules/admin/mrtg.te
@@ -1,5 +1,5 @@
 
-policy_module(mrtg,1.0.1)
+policy_module(mrtg,1.0.2)
 
 ########################################
 #
@@ -22,12 +22,15 @@ logging_log_file(mrtg_log_t)
 type mrtg_var_lib_t;
 files_type(mrtg_var_lib_t)
 
+type mrtg_var_run_t;
+files_pid_file(mrtg_var_run_t)
+
 ########################################
 #
 # Local policy
 #
 
-allow mrtg_t self:capability { setgid setuid };
+allow mrtg_t self:capability { setgid setuid chown };
 dontaudit mrtg_t self:capability sys_tty_config;
 allow mrtg_t self:process signal_perms;
 allow mrtg_t self:fifo_file { getattr read write ioctl };
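Review bot: The `chown` capability added to `allow mrtg_t self:capability { setgid setuid chown };` has no comment saying which file the daemon changes ownership of; CAP_CHOWN applies to every file the domain can already write, so the reason belongs next to the rule. I would add a one-line comment above it naming the file (presumably one of the new pid or log files created before the setuid/setgid drop — that should be confirmed with the patch author rather than guessed). The new `mrtg_var_run_t` / `files_pid_file` declaration in the same hunk is fine as written.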
@@ -52,6 +55,9 @@ allow mrtg_t mrtg_var_lib_t:dir rw_dir_perms;
 allow mrtg_t mrtg_var_lib_t:file create_file_perms;
 allow mrtg_t mrtg_var_lib_t:lnk_file create_lnk_perms;
 
+allow mrtg_t mrtg_var_run_t:file manage_file_perms;
+files_pid_filetrans(mrtg_t,mrtg_var_run_t,file)
+
 # read config files
 dontaudit mrtg_t mrtg_etc_t:dir write;
 dontaudit mrtg_t mrtg_etc_t:file { write ioctl };
@@ -116,6 +122,10 @@ sysnet_read_config(mrtg_t)
 userdom_dontaudit_use_unpriv_user_fds(mrtg_t)
 userdom_use_sysadm_terms(mrtg_t)
 
+ifdef(`enable_mls',`
+	corenet_udp_sendrecv_lo_if(mrtg_t)
+')
+
 ifdef(`distro_redhat',`
 	allow mrtg_t mrtg_etc_t:dir rw_dir_perms;
 	allow mrtg_t mrtg_lock_t:file create_file_perms;
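Review bot: The `ifdef(`enable_mls',` block that grants `corenet_udp_sendrecv_lo_if(mrtg_t)` is unexplained, and nothing in the hunk shows why loopback UDP access is needed only when MLS is enabled. If the reason is that the loopback interface carries a distinct label under MLS and mrtg polls SNMP agents on localhost, say so in a comment inside the block, e.g. `# MLS: loopback interface is labeled separately; allow local SNMP polling`; otherwise the conditional reads as an accidental dependency on the MLS build. The `distro_redhat` block below it continues outside the hunk.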
@@ -145,6 +155,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	nscd_dontaudit_search_pid(mrtg_t)
+')
+
+optional_policy(`
 	seutil_sigchld_newrole(mrtg_t)
 ')
 
diff --git a/policy/modules/services/nscd.if b/policy/modules/services/nscd.if
index 84ea494..f72739d 100644
--- a/policy/modules/services/nscd.if
+++ b/policy/modules/services/nscd.if
@@ -127,6 +127,24 @@ interface(`nscd_shm_use',`
 
 ########################################
 ## <summary>
+##	Do not audit attempts to search the NSCD pid directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`nscd_dontaudit_search_pid',`
+	gen_require(`
+		type nscd_var_run_t;
+	')
+
+	dontaudit $1 nscd_var_run_t:dir search;
+')
+
+########################################
+## <summary>
 ##	Read NSCD pid file.
 ## </summary>
 ## <param name="domain">
diff --git a/policy/modules/services/nscd.te b/policy/modules/services/nscd.te
index 9b679d0..a073fdf 100644
--- a/policy/modules/services/nscd.te
+++ b/policy/modules/services/nscd.te
@@ -1,5 +1,5 @@
 
-policy_module(nscd,1.2.7)
+policy_module(nscd,1.2.8)
 
 gen_require(`
 	class nscd all_nscd_perms;

