From ad798591a5b5ab174983678aa8aabfe4d32a8ce9 Mon Sep 17 00:00:00 2001
From: Miroslav Grepl
Date: May 31 2010 16:15:58 +0000
Subject: - Fixes for nagios
---
diff --git a/policy-20100106.patch b/policy-20100106.patch
index 235c007..e6ae829 100644
--- a/policy-20100106.patch
+++ b/policy-20100106.patch
@@ -778,7 +778,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/usr/sbin/tcpdump -- gen_context(system_u:object_r:netutils_exec_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.te serefpolicy-3.6.32/policy/modules/admin/netutils.te
--- nsaserefpolicy/policy/modules/admin/netutils.te 2010-01-18 18:24:22.552539984 +0100
-+++ serefpolicy-3.6.32/policy/modules/admin/netutils.te 2010-03-01 13:34:16.025492348 +0100
++++ serefpolicy-3.6.32/policy/modules/admin/netutils.te 2010-05-31 17:45:06.948362135 +0200
@@ -132,6 +132,8 @@
kernel_read_system_state(ping_t)
@@ -788,7 +788,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
auth_use_nsswitch(ping_t)
logging_send_syslog_msg(ping_t)
-@@ -158,6 +160,10 @@
+@@ -144,6 +146,7 @@
+ init_dontaudit_use_fds(ping_t)
+
+ optional_policy(`
++ nagios_dontaudit_rw_log(ping_t)
+ nagios_dontaudit_rw_pipes(ping_t)
+ ')
+ ')
+@@ -158,6 +161,10 @@
')
optional_policy(`
@@ -1644,10 +1652,82 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/usr/bin/gpg(2)? -- gen_context(system_u:object_r:gpg_exec_t,s0)
/usr/bin/gpg-agent -- gen_context(system_u:object_r:gpg_agent_exec_t,s0)
/usr/bin/kgpg -- gen_context(system_u:object_r:gpg_exec_t,s0)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.if serefpolicy-3.6.32/policy/modules/apps/gpg.if
+--- nsaserefpolicy/policy/modules/apps/gpg.if 2009-09-16 16:01:19.000000000 +0200
++++ serefpolicy-3.6.32/policy/modules/apps/gpg.if 2010-05-31 17:31:03.749362017 +0200
+@@ -95,3 +95,41 @@
+
+ allow $1 gpg_t:process signal;
+ ')
++
++######################################
++##
++## Transition to a gpg web domain.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`gpg_domtrans_web',`
++ gen_require(`
++ type gpg_web_t, gpg_exec_t;
++ ')
++
++ domtrans_pattern($1, gpg_exec_t, gpg_web_t)
++')
++
++######################################
++##
++## Make gpg an entrypoint for
++## the specified domain.
++##
++##
++##
++## The domain for which cifs_t is an entrypoint.
++##
++##
++#
++interface(`gpg_entry_type',`
++ gen_require(`
++ type gpg_exec_t;
++ ')
++
++ domain_entry_file($1, gpg_exec_t)
++')
++
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te serefpolicy-3.6.32/policy/modules/apps/gpg.te
--- nsaserefpolicy/policy/modules/apps/gpg.te 2010-01-18 18:24:22.605530382 +0100
-+++ serefpolicy-3.6.32/policy/modules/apps/gpg.te 2010-04-16 09:30:55.883864721 +0200
-@@ -111,11 +111,7 @@
++++ serefpolicy-3.6.32/policy/modules/apps/gpg.te 2010-05-31 17:30:37.334111230 +0200
+@@ -14,6 +14,14 @@
+ ##
+ gen_tunable(gpg_agent_env_file, false)
+
++##
++##
++## Allow gpg web domain to modify public files
++## used for public file transfer services.
++##
++##
++gen_tunable(gpg_web_anon_write, false)
++
+ type gpg_t;
+ type gpg_exec_t;
+ typealias gpg_t alias { user_gpg_t staff_gpg_t sysadm_gpg_t };
+@@ -53,6 +61,11 @@
+ application_domain(gpg_pinentry_t, pinentry_exec_t)
+ ubac_constrained(gpg_pinentry_t)
+
++type gpg_web_t;
++domain_type(gpg_web_t)
++gpg_entry_type(gpg_web_t)
++role system_r types gpg_web_t;
++
+ ########################################
+ #
+ # GPG local policy
+@@ -111,11 +124,7 @@
mta_write_config(gpg_t)
userdom_use_user_terminals(gpg_t)
@@ -1660,7 +1740,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
########################################
#
-@@ -156,6 +152,7 @@
+@@ -156,6 +165,7 @@
# sign/encrypt user files
userdom_manage_user_tmp_files(gpg_t)
userdom_manage_user_home_content_files(gpg_t)
@@ -1668,7 +1748,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
tunable_policy(`use_nfs_home_dirs',`
fs_dontaudit_rw_nfs_files(gpg_helper_t)
-@@ -185,6 +182,8 @@
+@@ -185,6 +195,8 @@
# GPG agent local policy
#
@@ -1677,7 +1757,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# rlimit: gpg-agent wants to prevent coredumps
allow gpg_agent_t self:process setrlimit;
-@@ -205,6 +204,7 @@
+@@ -205,6 +217,7 @@
# allow gpg to connect to the gpg agent
stream_connect_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t, gpg_agent_t)
@@ -1685,12 +1765,32 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
corecmd_search_bin(gpg_agent_t)
domain_use_interactive_fds(gpg_agent_t)
-@@ -271,6 +271,6 @@
+@@ -271,6 +284,26 @@
')
optional_policy(`
- xserver_common_app(gpg_pinentry_t)
+ xserver_stream_connect(gpg_pinentry_t)
++')
++
++#############################
++#
++# gpg web local policy
++#
++
++allow gpg_web_t self:process setrlimit;
++
++can_exec(gpg_web_t, gpg_exec_t)
++
++files_read_usr_files(gpg_web_t)
++
++miscfiles_read_localization(gpg_web_t)
++
++apache_dontaudit_rw_tmp_files(gpg_web_t)
++apache_manage_sys_content_rw(gpg_web_t)
++
++tunable_policy(`gpg_web_anon_write',`
++ miscfiles_manage_public_files(gpg_web_t)
')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if serefpolicy-3.6.32/policy/modules/apps/java.if
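Review bot: `apache_dontaudit_rw_tmp_files(gpg_web_t)` and `apache_manage_sys_content_rw(gpg_web_t)` in the new "gpg web local policy" section are called directly rather than inside an `optional_policy(` block, so the gpg module now has a hard build-time dependency on the apache module; the `xserver_stream_connect(gpg_pinentry_t)` call just above in the same hunk shows the wrapped form this file otherwise uses. Wrapping both calls in one `optional_policy(` … `')` block keeps gpg loadable when apache is not installed. The `tunable_policy(` block for `gpg_web_anon_write` is complete within the hunk; the rest of the section is fine as written.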
@@ -2157,7 +2257,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.te serefpolicy-3.6.32/policy/modules/apps/pulseaudio.te
--- nsaserefpolicy/policy/modules/apps/pulseaudio.te 2010-02-21 20:47:43.404568303 +0100
-+++ serefpolicy-3.6.32/policy/modules/apps/pulseaudio.te 2010-04-21 14:10:04.244409189 +0200
++++ serefpolicy-3.6.32/policy/modules/apps/pulseaudio.te 2010-05-31 10:35:24.189362243 +0200
@@ -1,5 +1,5 @@
-policy_module(pulseaudio, 1.0.1)
@@ -2214,8 +2314,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
can_exec(pulseaudio_t, pulseaudio_exec_t)
kernel_getattr_proc(pulseaudio_t)
-@@ -54,8 +81,8 @@
+@@ -52,10 +79,11 @@
+
+ fs_rw_anon_inodefs_files(pulseaudio_t)
fs_getattr_tmpfs(pulseaudio_t)
++fs_read_tmpfs_files(pulseaudio_t)
fs_list_inotifyfs(pulseaudio_t)
-term_use_all_user_ttys(pulseaudio_t)
@@ -2225,7 +2328,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
auth_use_nsswitch(pulseaudio_t)
-@@ -63,6 +90,8 @@
+@@ -63,6 +91,8 @@
miscfiles_read_localization(pulseaudio_t)
@@ -2234,7 +2337,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
optional_policy(`
bluetooth_stream_connect(pulseaudio_t)
')
-@@ -72,6 +101,8 @@
+@@ -72,6 +102,8 @@
')
optional_policy(`
@@ -2243,7 +2346,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
dbus_system_bus_client(pulseaudio_t)
dbus_session_bus_client(pulseaudio_t)
dbus_connect_session_bus(pulseaudio_t)
-@@ -105,10 +136,13 @@
+@@ -105,10 +137,13 @@
optional_policy(`
udev_read_db(pulseaudio_t)
@@ -6027,6 +6130,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
corenet_tcp_connect_pulseaudio_port(xguest_usertype)
corenet_all_recvfrom_unlabeled(xguest_usertype)
corenet_all_recvfrom_netlabel(xguest_usertype)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.fc serefpolicy-3.6.32/policy/modules/services/abrt.fc
+--- nsaserefpolicy/policy/modules/services/abrt.fc 2010-01-18 18:24:22.725543271 +0100
++++ serefpolicy-3.6.32/policy/modules/services/abrt.fc 2010-05-31 18:07:17.167111902 +0200
+@@ -13,5 +13,7 @@
+ /var/log/abrt-logger -- gen_context(system_u:object_r:abrt_var_log_t,s0)
+
+ /var/run/abrt\.pid -- gen_context(system_u:object_r:abrt_var_run_t,s0)
+-/var/run/abrt\.lock -- gen_context(system_u:object_r:abrt_var_run_t,s0)
++/var/run/abrtd?\.lock -- gen_context(system_u:object_r:abrt_var_run_t,s0)
+ /var/run/abrt(/.*)? gen_context(system_u:object_r:abrt_var_run_t,s0)
++
++var/spool/abrt(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.if serefpolicy-3.6.32/policy/modules/services/abrt.if
--- nsaserefpolicy/policy/modules/services/abrt.if 2010-01-18 18:24:22.726539977 +0100
+++ serefpolicy-3.6.32/policy/modules/services/abrt.if 2010-02-01 21:01:00.945160840 +0100
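Review bot: The new file-context entry `var/spool/abrt(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0)` is missing its leading slash; file-context regexes are matched against absolute paths from the start, so this line will never match and /var/spool/abrt will keep the generic spool label. The `files_search_spool(abrt_helper_t)` added in the later abrt.te hunk (`@@ -6107,7 +6222,13 @@`) together with the existing `abrt_var_cache_t` manage rules shows the intent, and without the label fix abrt-helper will still be denied when writing under that directory. Change the line to `/var/spool/abrt(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0)`. The `/var/run/abrtd?\.lock` widening above it is fine.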
@@ -6044,7 +6159,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
######################################
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.te serefpolicy-3.6.32/policy/modules/services/abrt.te
--- nsaserefpolicy/policy/modules/services/abrt.te 2010-01-18 18:24:22.727540243 +0100
-+++ serefpolicy-3.6.32/policy/modules/services/abrt.te 2010-04-16 09:34:12.464614739 +0200
++++ serefpolicy-3.6.32/policy/modules/services/abrt.te 2010-05-31 17:54:25.188362074 +0200
@@ -96,16 +96,19 @@
corenet_tcp_connect_ftp_port(abrt_t)
corenet_tcp_connect_all_ports(abrt_t)
@@ -6098,7 +6213,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
permissive abrt_t;
########################################
-@@ -183,7 +201,7 @@
+@@ -183,12 +201,13 @@
# abrt--helper local policy
#
@@ -6107,7 +6222,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
allow abrt_helper_t self:process signal;
read_files_pattern(abrt_helper_t, abrt_etc_t, abrt_etc_t)
-@@ -200,10 +218,16 @@
+ domain_read_all_domains_state(abrt_helper_t)
+
++files_search_spool(abrt_helper_t)
+ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
+ manage_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
+ manage_lnk_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
+@@ -200,10 +219,16 @@
files_read_etc_files(abrt_helper_t)
files_dontaudit_all_non_security_leaks(abrt_helper_t)
@@ -6216,7 +6337,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
logging_send_syslog_msg(amavis_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.6.32/policy/modules/services/apache.fc
--- nsaserefpolicy/policy/modules/services/apache.fc 2010-01-18 18:24:22.733530530 +0100
-+++ serefpolicy-3.6.32/policy/modules/services/apache.fc 2010-03-23 13:02:01.304641071 +0100
++++ serefpolicy-3.6.32/policy/modules/services/apache.fc 2010-05-31 17:36:34.710362091 +0200
@@ -8,10 +8,12 @@
/etc/httpd/conf/keytab -- gen_context(system_u:object_r:httpd_keytab_t,s0)
/etc/httpd/logs gen_context(system_u:object_r:httpd_log_t,s0)
@@ -6238,13 +6359,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/usr/share/selinux-policy[^/]*/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/usr/share/wordpress-mu/wp-config\.php -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
/usr/share/wordpress-mu/wp-content(/.*)? gen_context(system_u:object_r:httpd_sys_content_rw_t,s0)
-@@ -66,11 +69,14 @@
+@@ -66,11 +69,15 @@
/var/cache/ssl.*\.sem -- gen_context(system_u:object_r:httpd_cache_t,s0)
/var/lib/cacti/rra(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
-/var/lib/cobbler/webui_sessions(/.*)? gen_context(system_u:object_r:httpd_sys_content_rw_t,s0)
+#/var/lib/cobbler/webui_sessions(/.*)? gen_context(system_u:object_r:httpd_sys_content_rw_t,s0)
/var/lib/dav(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
++/var/lib/dokuwiki(/.*)? gen_context(system_u:object_r:httpd_sys_content_rw_t,s0)
/var/lib/drupal(/.*)? gen_context(system_u:object_r:httpd_sys_content_rw_t,s0)
/var/lib/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/var/lib/httpd(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
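Review bot: `/var/lib/dokuwiki(/.*)? gen_context(system_u:object_r:httpd_sys_content_rw_t,s0)` labels the whole tree as writable web content, so every file under it, not only the wiki's data and cache directories, becomes writable by httpd_t and its script domains. If that tree also holds code, configuration or plugin files that should be read-only at run time, narrowing the pattern to the writable subdirectories would preserve least privilege; the package layout is not visible from this patch, so please confirm what lives there. A short comment on the line stating why the entire tree must be writable would also help future readers.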
@@ -6254,7 +6376,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/var/lib/php/session(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
/var/lib/squirrelmail/prefs(/.*)? gen_context(system_u:object_r:httpd_squirrelmail_t,s0)
-@@ -82,6 +88,8 @@
+@@ -82,6 +89,8 @@
/var/log/cgiwrap\.log.* -- gen_context(system_u:object_r:httpd_log_t,s0)
/var/log/httpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
/var/log/lighttpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
@@ -6263,7 +6385,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
ifdef(`distro_debian', `
/var/log/horde2(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
-@@ -108,6 +116,7 @@
+@@ -108,6 +117,7 @@
/usr/share/bugzilla(/.*)? -d gen_context(system_u:object_r:httpd_bugzilla_content_t,s0)
/usr/share/bugzilla(/.*)? -- gen_context(system_u:object_r:httpd_bugzilla_script_exec_t,s0)
/var/lib/bugzilla(/.*)? gen_context(system_u:object_r:httpd_bugzilla_content_rw_t,s0)
@@ -6273,7 +6395,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/var/www/html/configuration\.php gen_context(system_u:object_r:httpd_sys_content_rw_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.6.32/policy/modules/services/apache.if
--- nsaserefpolicy/policy/modules/services/apache.if 2010-01-18 18:24:22.736530563 +0100
-+++ serefpolicy-3.6.32/policy/modules/services/apache.if 2010-05-11 17:59:31.278624767 +0200
++++ serefpolicy-3.6.32/policy/modules/services/apache.if 2010-05-31 18:00:35.141362064 +0200
@@ -16,6 +16,7 @@
attribute httpd_exec_scripts;
attribute httpd_script_exec_type;
@@ -6327,7 +6449,37 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
########################################
##
## Allow the specified domain to manage
-@@ -1112,6 +1137,45 @@
+@@ -857,6 +882,29 @@
+ manage_lnk_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
+ ')
+
++######################################
++##
++## Allow the specified domain to manage
++## apache system content rw files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`apache_manage_sys_content_rw',`
++ gen_require(`
++ type httpd_sys_content_rw_t;
++ ')
++
++ files_search_var($1)
++ manage_dirs_pattern($1, httpd_sys_content_rw_t, httpd_sys_content_rw_t)
++ manage_files_pattern($1, httpd_sys_content_rw_t, httpd_sys_content_rw_t)
++ manage_lnk_files_pattern($1, httpd_sys_content_rw_t, httpd_sys_content_rw_t)
++')
++
+ ########################################
+ ##
+ ## Allow the specified domain to delete
+@@ -1112,6 +1160,64 @@
allow $1 httpd_sys_script_t:dir search_dir_perms;
')
@@ -6351,6 +6503,25 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ read_files_pattern($1, httpd_tmp_t, httpd_tmp_t)
+')
+
++######################################
++##
++## Dontaudit attempts to read and write
++## apache tmp files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`apache_dontaudit_rw_tmp_files',`
++ gen_require(`
++ type httpd_tmp_t;
++ ')
++
++ dontaudit $1 httpd_tmp_t:file { read write };
++')
++
+#######################################
+##
+## Dontaudit attempts to write
@@ -6373,7 +6544,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
########################################
##
## Execute CGI in the specified domain.
-@@ -1167,6 +1231,29 @@
+@@ -1167,6 +1273,29 @@
allow $1 httpd_bugzilla_content_t:dir search_dir_perms;
')
@@ -6405,7 +6576,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Do not audit attempts to read and write Apache
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.6.32/policy/modules/services/apache.te
--- nsaserefpolicy/policy/modules/services/apache.te 2010-01-18 18:24:22.739530246 +0100
-+++ serefpolicy-3.6.32/policy/modules/services/apache.te 2010-04-06 08:21:30.569541120 +0200
++++ serefpolicy-3.6.32/policy/modules/services/apache.te 2010-05-31 17:35:23.798361783 +0200
@@ -67,6 +67,13 @@
##
@@ -6420,7 +6591,21 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Allow HTTPD scripts and modules to connect to databases over the network.
##
##
-@@ -309,7 +316,7 @@
+@@ -154,6 +161,13 @@
+
+ ##
+ ##
++## Allow httpd to run gpg in gpg-web domain
++##
++##
++gen_tunable(httpd_use_gpg, false)
++
++##
++##
+ ## Allow apache scripts to write to public content. Directories/Files must be labeled public_content_rw_t.
+ ##
+ ##
+@@ -309,7 +323,7 @@
manage_dirs_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
manage_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
manage_lnk_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
@@ -6429,7 +6614,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# Allow the httpd_t to read the web servers config files
allow httpd_t httpd_config_t:dir list_dir_perms;
-@@ -351,7 +358,8 @@
+@@ -351,7 +365,8 @@
manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
manage_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
@@ -6439,7 +6624,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
manage_dirs_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
manage_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
-@@ -363,10 +371,10 @@
+@@ -363,10 +378,10 @@
manage_files_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t)
files_var_lib_filetrans(httpd_t, httpd_var_lib_t, file)
@@ -6452,7 +6637,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
manage_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
-@@ -400,7 +408,9 @@
+@@ -400,7 +415,9 @@
dev_rw_crypto(httpd_t)
fs_getattr_all_fs(httpd_t)
@@ -6462,7 +6647,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
fs_read_iso9660_files(httpd_t)
auth_use_nsswitch(httpd_t)
-@@ -458,6 +468,7 @@
+@@ -458,6 +475,7 @@
tunable_policy(`allow_httpd_mod_auth_pam',`
auth_domtrans_chkpwd(httpd_t)
@@ -6470,7 +6655,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
##
-@@ -483,8 +494,14 @@
+@@ -483,8 +501,14 @@
corenet_tcp_connect_pop_port(httpd_t)
corenet_sendrecv_pop_client_packets(httpd_t)
mta_send_mail(httpd_t)
@@ -6486,7 +6671,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
tunable_policy(`httpd_can_network_relay',`
-@@ -588,6 +605,9 @@
+@@ -588,6 +612,9 @@
optional_policy(`
cobbler_search_lib(httpd_t)
@@ -6496,7 +6681,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
-@@ -612,6 +632,11 @@
+@@ -612,6 +639,17 @@
avahi_dbus_chat(httpd_t)
')
')
@@ -6505,10 +6690,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ gitosis_read_var_lib(httpd_t)
+')
+
++optional_policy(`
++ tunable_policy(`httpd_enable_cgi && httpd_use_gpg',`
++ gpg_domtrans_web(httpd_t)
++ ')
++')
++
optional_policy(`
kerberos_keytab_template(httpd, httpd_t)
')
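Review bot: The new `gpg_domtrans_web(httpd_t)` transition is conditioned on `httpd_enable_cgi && httpd_use_gpg` but is granted only to httpd_t; scripts running in httpd_sys_script_t, the domain that httpd_enable_cgi governs, receive no transition, so if the intended caller is a CGI or PHP application rather than the server process itself the boolean condition and the source domain look mismatched. If httpd_t really is the intended source, the `httpd_enable_cgi` term is presumably unnecessary, and a one-line comment above the block naming the component that invokes gpg would settle the question. The enclosing `optional_policy(` block is complete within the hunk.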
-@@ -756,8 +781,14 @@
+@@ -756,8 +794,14 @@
corenet_sendrecv_mysqld_client_packets(httpd_sys_script_t)
corenet_tcp_connect_mysqld_port(httpd_suexec_t)
corenet_sendrecv_mysqld_client_packets(httpd_suexec_t)
@@ -6524,7 +6715,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
optional_policy(`
mysql_stream_connect(httpd_php_t)
-@@ -895,6 +926,9 @@
+@@ -895,6 +939,9 @@
sysnet_read_config(httpd_sys_script_t)
@@ -6534,7 +6725,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
ifdef(`distro_redhat',`
allow httpd_sys_script_t httpd_log_t:file append_file_perms;
')
-@@ -906,6 +940,7 @@
+@@ -906,6 +953,7 @@
fs_manage_nfs_files(httpd_sys_script_t)
fs_manage_nfs_symlinks(httpd_sys_script_t)
fs_exec_nfs_files(httpd_sys_script_t)
@@ -6542,7 +6733,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
fs_manage_nfs_dirs(httpd_suexec_t)
fs_manage_nfs_files(httpd_suexec_t)
-@@ -945,6 +979,7 @@
+@@ -945,6 +992,7 @@
fs_manage_cifs_files(httpd_suexec_t)
fs_manage_cifs_symlinks(httpd_suexec_t)
fs_exec_cifs_files(httpd_suexec_t)
@@ -10835,11 +11026,29 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.if serefpolicy-3.6.32/policy/modules/services/nagios.if
--- nsaserefpolicy/policy/modules/services/nagios.if 2010-01-18 18:24:22.821530899 +0100
-+++ serefpolicy-3.6.32/policy/modules/services/nagios.if 2010-03-01 16:06:40.837490351 +0100
-@@ -119,6 +119,26 @@
++++ serefpolicy-3.6.32/policy/modules/services/nagios.if 2010-05-31 17:45:40.693112592 +0200
+@@ -119,6 +119,44 @@
read_files_pattern($1, nagios_log_t, nagios_log_t)
')
++####################################
++##
++## dontaudit Read and write nagios logs.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`nagios_dontaudit_rw_log',`
++ gen_require(`
++ type nagios_log_t;
++ ')
++
++ dontaudit $1 nagios_log_t:file { read write };
++')
++
+#######################################
+##
+## Allow the specified domain to read
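Review bot: The summary of the new `nagios_dontaudit_rw_log` interface reads `## dontaudit Read and write nagios logs.`, which mixes an identifier with sentence case and does not match the phrasing of the neighbouring interfaces; `## Do not audit attempts to read and write nagios log files.` is the conventional form. Saying "files" explicitly also matches the body, which only covers `nagios_log_t:file` and not the log directory.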
@@ -10863,7 +11072,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
########################################
##
## Create a set of derived types for various
-@@ -134,6 +154,7 @@
+@@ -134,6 +172,7 @@
gen_require(`
type nagios_t, nrpe_t;
@@ -10871,7 +11080,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
type nagios_$1_plugin_t;
-@@ -150,8 +171,15 @@
+@@ -150,8 +189,15 @@
# needed by command.cfg
domtrans_pattern(nagios_t, nagios_$1_plugin_exec_t, nagios_$1_plugin_t)
@@ -10889,7 +11098,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.te serefpolicy-3.6.32/policy/modules/services/nagios.te
--- nsaserefpolicy/policy/modules/services/nagios.te 2010-01-18 18:24:22.823530245 +0100
-+++ serefpolicy-3.6.32/policy/modules/services/nagios.te 2010-03-19 07:58:48.047611543 +0100
++++ serefpolicy-3.6.32/policy/modules/services/nagios.te 2010-05-31 17:44:49.383361808 +0200
@@ -45,10 +45,18 @@
type nrpe_var_run_t;
files_pid_file(nrpe_var_run_t)
@@ -10949,7 +11158,30 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
dev_read_sysfs(nagios_t)
dev_read_urand(nagios_t)
-@@ -253,6 +264,11 @@
+@@ -133,9 +144,6 @@
+ fs_getattr_all_fs(nagios_t)
+ fs_search_auto_mountpoints(nagios_t)
+
+-# for who
+-init_read_utmp(nagios_t)
+-
+ auth_use_nsswitch(nagios_t)
+
+ logging_send_syslog_msg(nagios_t)
+@@ -148,12 +156,6 @@
+ mta_send_mail(nagios_t)
+
+ optional_policy(`
+- netutils_domtrans_ping(nagios_t)
+- netutils_signal_ping(nagios_t)
+- netutils_kill_ping(nagios_t)
+-')
+-
+-optional_policy(`
+ seutil_sigchld_newrole(nagios_t)
+ ')
+
+@@ -253,6 +255,11 @@
')
optional_policy(`
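Review bot: `init_read_utmp(nagios_t)` and its `# for who` comment are removed, but nothing in this commit grants utmp access to whichever nagios_*_plugin_t domain now runs the check that calls `who`; if that check has not moved to a plugin domain that already has `init_read_utmp`, it will start to fail after this update, so please confirm where that access now lives or keep a comment pointing to it. The ping rules removed from nagios_t in the same hunk do reappear for nagios_services_plugin_t in the later nagios.te hunk (`@@ -11037,7 +11269,15 @@`), so that part of the move is accounted for. The merged `optional_policy(` block is complete within the hunk.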
@@ -10961,7 +11193,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
seutil_sigchld_newrole(nrpe_t)
')
-@@ -264,6 +280,66 @@
+@@ -264,6 +271,66 @@
udev_read_db(nrpe_t)
')
@@ -11028,7 +11260,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
######################################
#
-@@ -290,6 +366,8 @@
+@@ -290,6 +357,8 @@
allow nagios_services_plugin_t self:tcp_socket create_stream_socket_perms;
allow nagios_services_plugin_t self:udp_socket create_socket_perms;
@@ -11037,7 +11269,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
corecmd_exec_bin(nagios_services_plugin_t)
corenet_tcp_connect_all_ports(nagios_services_plugin_t)
-@@ -315,6 +393,10 @@
+@@ -309,12 +378,18 @@
+
+ optional_policy(`
+ netutils_domtrans_ping(nagios_services_plugin_t)
++ netutils_signal_ping(nagios_services_plugin_t)
++ netutils_kill_ping(nagios_services_plugin_t)
+ ')
+
+ optional_policy(`
mysql_stream_connect(nagios_services_plugin_t)
')
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 50f29f0..b739ff3 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.6.32
-Release: 116%{?dist}
+Release: 117%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -469,6 +469,9 @@ exit 0
%endif
%changelog
+* Mon May 31 2010 Miroslav Grepl 3.6.32-117
+- Fixes for nagios
+
* Fri May 21 2010 Miroslav Grepl 3.6.32-116
- Allow denyhosts to connect to tcp port 9911
- Fixes for munin