[selinux-policy: 2737/3172] Netutils patch from Dan Walsh.

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 23:03:32 UTC 2010


commit 9a4d292902c6a0400252e3d86d42c49b7a9d55a2
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Thu Jun 17 10:16:19 2010 -0400

    Netutils patch from Dan Walsh.
    
    ping gets leaked log descriptor from nagios.
    
    Label send_arp as ping_exec_t

 policy/modules/admin/netutils.fc  |    1 +
 policy/modules/admin/netutils.te  |    3 ++-
 policy/modules/services/nagios.if |   18 ++++++++++++++++++
 policy/modules/services/nagios.te |    2 +-
 4 files changed, 22 insertions(+), 2 deletions(-)
---
diff --git a/policy/modules/admin/netutils.fc b/policy/modules/admin/netutils.fc
index dda1928..407078f 100644
--- a/policy/modules/admin/netutils.fc
+++ b/policy/modules/admin/netutils.fc
@@ -11,4 +11,5 @@
 /usr/sbin/fping 	--	gen_context(system_u:object_r:ping_exec_t,s0)
 /usr/sbin/traceroute.*	--	gen_context(system_u:object_r:traceroute_exec_t,s0)
 /usr/sbin/hping2	--	gen_context(system_u:object_r:ping_exec_t,s0)
+/usr/sbin/send_arp	--	gen_context(system_u:object_r:ping_exec_t,s0)
 /usr/sbin/tcpdump	--	gen_context(system_u:object_r:netutils_exec_t,s0)
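Review bot: Labelling `/usr/sbin/send_arp` as `ping_exec_t` on the added line reuses the ICMP tools' entry point for an ARP tool, so presumably every domain already allowed to transition to `ping_t` can now run send_arp there too. Whether all of those callers should have that is not visible from this hunk. A dedicated type would limit the grant to the domains that actually need send_arp. If sharing the type is deliberate, record it above the entry, e.g. `# send_arp runs in ping_t (shares ping_exec_t by design)`.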
diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te
index e9d7e88..b687b5d 100644
--- a/policy/modules/admin/netutils.te
+++ b/policy/modules/admin/netutils.te
@@ -1,4 +1,4 @@
-policy_module(netutils, 1.10.0)
+policy_module(netutils, 1.10.1)
 
 ########################################
 #
@@ -143,6 +143,7 @@ ifdef(`hide_broken_symptoms',`
 	init_dontaudit_use_fds(ping_t)
 
 	optional_policy(`
+		nagios_dontaudit_rw_log(ping_t)
 		nagios_dontaudit_rw_pipes(ping_t)
 	')
 ')
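Review bot: The added `nagios_dontaudit_rw_log(ping_t)` call carries no comment saying that it only hides a log descriptor nagios leaks to ping, which the commit message states but the policy does not. Because the rule silences denials from ping_t on nagios logs, the reason should sit next to it, e.g. `# nagios leaks its log fd to ping; drop once nagios closes it on exec`. When investigating ping_t or nagios behaviour, the suppressed denials can be made visible again by rebuilding the policy with dontaudit rules disabled (`semodule -DB`). The enclosing hide_broken_symptoms ifdef starts above the hunk.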
diff --git a/policy/modules/services/nagios.if b/policy/modules/services/nagios.if
index 72d79a5..b487ec9 100644
--- a/policy/modules/services/nagios.if
+++ b/policy/modules/services/nagios.if
@@ -102,6 +102,24 @@ interface(`nagios_read_log',`
 
 ########################################
 ## <summary>
+##	Do not audit attempts to read or write nagios logs.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`nagios_dontaudit_rw_log',`
+	gen_require(`
+		type nagios_log_t;
+	')
+
+	dontaudit $1 nagios_log_t:file rw_file_perms;
+')
+
+########################################
+## <summary>
 ##	Search nagios spool directories.
 ## </summary>
 ## <param name="domain">
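Review bot: `rw_file_perms` in the new `nagios_dontaudit_rw_log` interface is broader than a leaked descriptor needs. If the set includes `open` in this tree (it does in current refpolicy), the rule also hides a caller opening nagios logs by path, which is the denial worth keeping in the audit log. An inherited descriptor only produces use-time denials, so the rule could be `dontaudit $1 nagios_log_t:file { getattr read write append ioctl };`. The summary could then say "inherited nagios log descriptors" to match.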
diff --git a/policy/modules/services/nagios.te b/policy/modules/services/nagios.te
index 494fb51..da5b33d 100644
--- a/policy/modules/services/nagios.te
+++ b/policy/modules/services/nagios.te
@@ -1,4 +1,4 @@
-policy_module(nagios, 1.9.0)
+policy_module(nagios, 1.9.1)
 
 ########################################
 #

