From 4846dc8ad4c29a105827c41a255033b54b6633cf Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Aug 07 2006 17:14:00 +0000 Subject: patch from Stefan for mrtg daemon operation. --- diff --git a/Changelog b/Changelog index 6e46a22..894fbf4 100644 --- a/Changelog +++ b/Changelog @@ -1,3 +1,4 @@ +- MRTG patch for daemon operation from Stefan. - Add authlogin interface to abstract common access for login programs. - Remove setbool auditallow, except for RHEL4. - Change eventpollfs to task SID labeling. diff --git a/policy/modules/admin/mrtg.fc b/policy/modules/admin/mrtg.fc index c59caa5..37fb953 100644 --- a/policy/modules/admin/mrtg.fc +++ b/policy/modules/admin/mrtg.fc @@ -15,4 +15,4 @@ /var/lib/mrtg(/.*)? gen_context(system_u:object_r:mrtg_var_lib_t,s0) /var/lock/mrtg(/.*)? gen_context(system_u:object_r:mrtg_lock_t,s0) /var/log/mrtg(/.*)? gen_context(system_u:object_r:mrtg_log_t,s0) - +/var/run/mrtg\.pid gen_context(system_u:object_r:mrtg_var_run_t,s0) diff --git a/policy/modules/admin/mrtg.te b/policy/modules/admin/mrtg.te index 3625067..8dcd535 100644 --- a/policy/modules/admin/mrtg.te +++ b/policy/modules/admin/mrtg.te @@ -1,5 +1,5 @@ -policy_module(mrtg,1.0.1) +policy_module(mrtg,1.0.2) ######################################## # @@ -22,12 +22,15 @@ logging_log_file(mrtg_log_t) type mrtg_var_lib_t; files_type(mrtg_var_lib_t) +type mrtg_var_run_t; +files_pid_file(mrtg_var_run_t) + ######################################## # # Local policy # -allow mrtg_t self:capability { setgid setuid }; +allow mrtg_t self:capability { setgid setuid chown }; dontaudit mrtg_t self:capability sys_tty_config; allow mrtg_t self:process signal_perms; allow mrtg_t self:fifo_file { getattr read write ioctl }; @@ -52,6 +55,9 @@ allow mrtg_t mrtg_var_lib_t:dir rw_dir_perms; allow mrtg_t mrtg_var_lib_t:file create_file_perms; allow mrtg_t mrtg_var_lib_t:lnk_file create_lnk_perms; +allow mrtg_t mrtg_var_run_t:file manage_file_perms; +files_pid_filetrans(mrtg_t,mrtg_var_run_t,file) + # read config files dontaudit mrtg_t mrtg_etc_t:dir write; dontaudit mrtg_t mrtg_etc_t:file { write ioctl }; @@ -116,6 +122,10 @@ sysnet_read_config(mrtg_t) userdom_dontaudit_use_unpriv_user_fds(mrtg_t) userdom_use_sysadm_terms(mrtg_t) +ifdef(`enable_mls',` + corenet_udp_sendrecv_lo_if(mrtg_t) +') + ifdef(`distro_redhat',` allow mrtg_t mrtg_etc_t:dir rw_dir_perms; allow mrtg_t mrtg_lock_t:file create_file_perms; @@ -145,6 +155,10 @@ optional_policy(` ') optional_policy(` + nscd_dontaudit_search_pid(mrtg_t) +') + +optional_policy(` seutil_sigchld_newrole(mrtg_t) ') diff --git a/policy/modules/services/nscd.if b/policy/modules/services/nscd.if index 84ea494..f72739d 100644 --- a/policy/modules/services/nscd.if +++ b/policy/modules/services/nscd.if @@ -127,6 +127,24 @@ interface(`nscd_shm_use',` ######################################## ## +## Do not audit attempts to search the NSCD pid directory. +## +## +## +## Domain allowed access. +## +## +# +interface(`nscd_dontaudit_search_pid',` + gen_require(` + type nscd_var_run_t; + ') + + dontaudit $1 nscd_var_run_t:dir search; +') + +######################################## +## ## Read NSCD pid file. ## ## diff --git a/policy/modules/services/nscd.te b/policy/modules/services/nscd.te index 9b679d0..a073fdf 100644 --- a/policy/modules/services/nscd.te +++ b/policy/modules/services/nscd.te @@ -1,5 +1,5 @@ -policy_module(nscd,1.2.7) +policy_module(nscd,1.2.8) gen_require(` class nscd all_nscd_perms;