From 55facc96a85be54d39276890d45831a9ced69268 Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Aug 07 2007 13:27:52 +0000
Subject: - Fix nagios cgi - allow squid to communicate with winbind
---
diff --git a/policy-20070501.patch b/policy-20070501.patch
index 2fce2be..619e6ee 100644
--- a/policy-20070501.patch
+++ b/policy-20070501.patch
@@ -5490,22 +5490,39 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.fc serefpolicy-2.6.4/policy/modules/services/nagios.fc --- nsaserefpolicy/policy/modules/services/nagios.fc 2007-05-07 14:51:01.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/services/nagios.fc 2007-08-01 16:25:39.000000000 -0400 -@@ -4,8 +4,8 @@ ++++ serefpolicy-2.6.4/policy/modules/services/nagios.fc 2007-08-06 19:11:52.000000000 -0400 +@@ -4,13 +4,13 @@ /usr/bin/nagios -- gen_context(system_u:object_r:nagios_exec_t,s0) /usr/bin/nrpe -- gen_context(system_u:object_r:nrpe_exec_t,s0) -/usr/lib(64)?/cgi-bin/netsaint/.+ -- gen_context(system_u:object_r:nagios_cgi_exec_t,s0) -/usr/lib(64)?/nagios/cgi/.+ -- gen_context(system_u:object_r:nagios_cgi_exec_t,s0) -+/usr/lib(64)?/cgi-bin/netsaint(/.*)? gen_context(system_u:object_r:nagios_cgi_exec_t,s0) -+/usr/lib(64)?/nagios/cgi(/.*)? gen_context(system_u:object_r:nagios_cgi_exec_t,s0) ++/usr/lib(64)?/cgi-bin/netsaint(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0) ++/usr/lib(64)?/nagios/cgi(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0) /var/log/nagios(/.*)? gen_context(system_u:object_r:nagios_log_t,s0) /var/log/netsaint(/.*)? gen_context(system_u:object_r:nagios_log_t,s0) + + ifdef(`distro_debian',` + /usr/sbin/nagios -- gen_context(system_u:object_r:nagios_exec_t,s0) +-/usr/lib/cgi-bin/nagios/.+ -- gen_context(system_u:object_r:nagios_cgi_exec_t,s0) + ') ++/usr/lib(64)?/cgi-bin/nagios(/.+)? 
gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.te serefpolicy-2.6.4/policy/modules/services/nagios.te --- nsaserefpolicy/policy/modules/services/nagios.te 2007-05-07 14:51:01.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/services/nagios.te 2007-07-31 16:39:53.000000000 -0400 -@@ -73,8 +73,10 @@ ++++ serefpolicy-2.6.4/policy/modules/services/nagios.te 2007-08-06 19:16:40.000000000 -0400 +@@ -10,10 +10,6 @@ + type nagios_exec_t; + init_daemon_domain(nagios_t,nagios_exec_t) + +-type nagios_cgi_t; +-type nagios_cgi_exec_t; +-init_system_domain(nagios_cgi_t,nagios_cgi_exec_t) +- + type nagios_etc_t; + files_config_file(nagios_etc_t) + +@@ -73,8 +69,10 @@ corenet_udp_sendrecv_all_nodes(nagios_t) corenet_tcp_sendrecv_all_ports(nagios_t) corenet_udp_sendrecv_all_ports(nagios_t) @@ -5516,7 +5533,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi domain_use_interactive_fds(nagios_t) # for ps -@@ -97,8 +99,6 @@ +@@ -97,8 +95,6 @@ miscfiles_read_localization(nagios_t) @@ -5525,7 +5542,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi userdom_dontaudit_use_unpriv_user_fds(nagios_t) userdom_dontaudit_search_sysadm_home_dirs(nagios_t) -@@ -121,7 +121,7 @@ +@@ -121,7 +117,7 @@ ') optional_policy(` 
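Review bot: The third new nagios.fc entry, `/usr/lib(64)?/cgi-bin/nagios(/.+)?`, uses `(/.+)?` where the two entries just above it use `(/.*)?`; the two forms label the same files in practice, but the block reads and maintains better if all three agree, e.g. `/usr/lib(64)?/cgi-bin/nagios(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)`. All three entries also drop the `--` qualifier, so the CGI directories themselves now carry httpd_nagios_script_exec_t rather than only the files inside; that matches how other cgi-bin trees are labeled, so presumably intended, but a one-line comment above the block noting that the CGI programs now run under the apache content template would spare the next reader a trip to nagios.te to see why nagios_cgi_exec_t went away. The nagios.te changes this hunk starts (the `@@ -10,10 +10,6 @@` type removals) are only the declaration half; the matching typealias lines land in a later hunk.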
@@ -5534,6 +5551,66 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi ') optional_policy(` +@@ -141,42 +137,31 @@ + # + # Nagios CGI local policy + # ++apache_content_template(nagios) ++typealias httpd_nagios_script_t alias nagios_cgi_t; ++typealias httpd_nagios_script_exec_t alias nagios_cgi_exec_t; + +-allow nagios_cgi_t self:process signal_perms; +-allow nagios_cgi_t self:fifo_file rw_fifo_file_perms; +- +-read_files_pattern(nagios_cgi_t,nagios_t,nagios_t) +-read_lnk_files_pattern(nagios_cgi_t,nagios_t,nagios_t) +- +-allow nagios_cgi_t nagios_etc_t:dir list_dir_perms; +-read_files_pattern(nagios_cgi_t,nagios_etc_t,nagios_etc_t) +-read_lnk_files_pattern(nagios_cgi_t,nagios_etc_t,nagios_etc_t) ++allow httpd_nagios_script_t self:process signal_perms; + +-allow nagios_cgi_t nagios_log_t:dir list_dir_perms; +-read_files_pattern(nagios_cgi_t,nagios_etc_t,nagios_log_t) +-read_lnk_files_pattern(nagios_cgi_t,nagios_etc_t,nagios_log_t) ++read_files_pattern(httpd_nagios_script_t,nagios_t,nagios_t) ++read_lnk_files_pattern(httpd_nagios_script_t,nagios_t,nagios_t) + +-kernel_read_system_state(nagios_cgi_t) ++allow httpd_nagios_script_t nagios_etc_t:dir list_dir_perms; ++read_files_pattern(httpd_nagios_script_t,nagios_etc_t,nagios_etc_t) ++read_lnk_files_pattern(httpd_nagios_script_t,nagios_etc_t,nagios_etc_t) + +-corecmd_exec_bin(nagios_cgi_t) ++allow httpd_nagios_script_t nagios_log_t:dir list_dir_perms; ++read_files_pattern(httpd_nagios_script_t,nagios_etc_t,nagios_log_t) ++read_lnk_files_pattern(httpd_nagios_script_t,nagios_etc_t,nagios_log_t) + +-domain_dontaudit_read_all_domains_state(nagios_cgi_t) ++kernel_read_system_state(httpd_nagios_script_t) + +-files_read_etc_files(nagios_cgi_t) +-files_read_etc_runtime_files(nagios_cgi_t) +-files_read_kernel_symbol_table(nagios_cgi_t) ++domain_dontaudit_read_all_domains_state(httpd_nagios_script_t) + +-libs_use_ld_so(nagios_cgi_t) +-libs_use_shared_libs(nagios_cgi_t) 
++files_read_etc_runtime_files(httpd_nagios_script_t) ++files_read_kernel_symbol_table(httpd_nagios_script_t) + +-logging_send_syslog_msg(nagios_cgi_t) +-logging_search_logs(nagios_cgi_t) +- +-miscfiles_read_localization(nagios_cgi_t) +- +-optional_policy(` +- apache_append_log(nagios_cgi_t) +-') ++logging_send_syslog_msg(httpd_nagios_script_t) + + ######################################## + # diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.fc serefpolicy-2.6.4/policy/modules/services/networkmanager.fc --- nsaserefpolicy/policy/modules/services/networkmanager.fc 2007-05-07 14:51:01.000000000 -0400 +++ serefpolicy-2.6.4/policy/modules/services/networkmanager.fc 2007-07-31 16:39:53.000000000 -0400 @@ -6498,7 +6575,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp. # for scripts diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.te serefpolicy-2.6.4/policy/modules/services/procmail.te --- nsaserefpolicy/policy/modules/services/procmail.te 2007-05-07 14:51:01.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/services/procmail.te 2007-07-31 16:39:53.000000000 -0400 ++++ serefpolicy-2.6.4/policy/modules/services/procmail.te 2007-08-06 18:56:39.000000000 -0400 @@ -10,6 +10,7 @@ type procmail_exec_t; domain_type(procmail_t) @@ -6516,7 +6593,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/proc kernel_read_system_state(procmail_t) kernel_read_kernel_sysctls(procmail_t) -@@ -101,9 +104,16 @@ +@@ -50,6 +53,7 @@ + + fs_getattr_xattr_fs(procmail_t) + fs_search_auto_mountpoints(procmail_t) ++fs_rw_anon_inodefs_files(procmail_t) + + auth_use_nsswitch(procmail_t) + +@@ -101,9 +105,16 @@ ') optional_policy(` @@ -6533,7 +6618,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/proc ') optional_policy(` -@@ -119,8 +129,13 @@ +@@ -119,8 +130,13 @@ optional_policy(` corenet_udp_bind_generic_port(procmail_t) 
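Review bot: The log-reading rules carried into the renamed CGI policy, `read_files_pattern(httpd_nagios_script_t,nagios_etc_t,nagios_log_t)` and `read_lnk_files_pattern(httpd_nagios_script_t,nagios_etc_t,nagios_log_t)`, name nagios_etc_t as the directory type, so they only permit reading nagios_log_t files that sit inside nagios_etc_t directories, while the adjacent `allow httpd_nagios_script_t nagios_log_t:dir list_dir_perms;` and the nagios.fc labeling of /var/log/nagios as nagios_log_t suggest the log files live in nagios_log_t directories. The same argument order was present in the removed nagios_cgi_t lines, so this is pre-existing, but the rename was the moment to fix it: `read_files_pattern(httpd_nagios_script_t,nagios_log_t,nagios_log_t)` and `read_lnk_files_pattern(httpd_nagios_script_t,nagios_log_t,nagios_log_t)` would likely be the intended grant, and the list_dir_perms line above them then becomes redundant. The rewrite also drops `files_read_etc_files`, `libs_use_ld_so`, `libs_use_shared_libs`, `miscfiles_read_localization` and the `apache_append_log` block for the CGI domain; presumably `apache_content_template(nagios)` supplies equivalents, but a comment saying so next to the template call would document that dependency rather than leave it implicit.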
@@ -7230,7 +7315,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-2.6.4/policy/modules/services/samba.te --- nsaserefpolicy/policy/modules/services/samba.te 2007-05-07 14:50:57.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/services/samba.te 2007-07-31 16:39:53.000000000 -0400 ++++ serefpolicy-2.6.4/policy/modules/services/samba.te 2007-08-06 18:49:51.000000000 -0400 @@ -28,6 +28,35 @@ ## gen_tunable(samba_share_nfs,false) @@ -7527,10 +7612,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb allow winbind_helper_t samba_var_t:dir search; stream_connect_pattern(winbind_helper_t,winbind_var_run_t,winbind_var_run_t,winbind_t) -@@ -764,3 +838,23 @@ +@@ -763,4 +837,25 @@ + optional_policy(` squid_read_log(winbind_helper_t) squid_append_log(winbind_helper_t) - ') ++ squid_rw_stream_sockets(winbind_helper_t) ++') + +######################################## +# @@ -7549,7 +7636,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb + +tunable_policy(`samba_run_unconfined',` + domtrans_pattern(smbd_t, samba_unconfined_script_exec_t, samba_unconfined_script_t) -+') + ') +unconfined_domain(samba_unconfined_script_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl.te serefpolicy-2.6.4/policy/modules/services/sasl.te --- nsaserefpolicy/policy/modules/services/sasl.te 2007-05-07 14:51:01.000000000 -0400 
@@ -7845,6 +7932,32 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squi /var/spool/squid(/.*)? gen_context(system_u:object_r:squid_cache_t,s0) +/usr/lib/squid/cachemgr\.cgi -- gen_context(system_u:object_r:httpd_squid_script_exec_t,s0) +/usr/lib64/squid/cachemgr\.cgi -- gen_context(system_u:object_r:httpd_squid_script_exec_t,s0) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.if serefpolicy-2.6.4/policy/modules/services/squid.if +--- nsaserefpolicy/policy/modules/services/squid.if 2007-05-07 14:50:57.000000000 -0400 ++++ serefpolicy-2.6.4/policy/modules/services/squid.if 2007-08-06 18:50:10.000000000 -0400 +@@ -131,3 +131,22 @@ + interface(`squid_use',` + refpolicywarn(`$0($*) has been deprecated.') + ') ++ ++######################################## ++## ++## Allow read and write squid ++## unix domain stream sockets. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`squid_rw_stream_sockets',` ++ gen_require(` ++ type squid_t; ++ ') ++ ++ allow $1 squid_t:unix_stream_socket { read write }; ++') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.te serefpolicy-2.6.4/policy/modules/services/squid.te --- nsaserefpolicy/policy/modules/services/squid.te 2007-05-07 14:50:57.000000000 -0400 +++ serefpolicy-2.6.4/policy/modules/services/squid.te 2007-07-31 16:39:53.000000000 -0400 @@ -8492,7 +8605,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-2.6.4/policy/modules/system/authlogin.te --- nsaserefpolicy/policy/modules/system/authlogin.te 2007-05-07 14:51:02.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/system/authlogin.te 2007-07-31 16:39:53.000000000 -0400 ++++ serefpolicy-2.6.4/policy/modules/system/authlogin.te 2007-08-07 09:22:22.000000000 -0400 
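Review bot: The two new squid.fc entries spell out `/usr/lib/squid/cachemgr\.cgi` and `/usr/lib64/squid/cachemgr\.cgi` as separate lines, while the nagios.fc hunk earlier in this same commit uses the `/usr/lib(64)?/` form; a single `/usr/lib(64)?/squid/cachemgr\.cgi -- gen_context(system_u:object_r:httpd_squid_script_exec_t,s0)` would be consistent with the rest of the patch. httpd_squid_script_exec_t is not declared anywhere in this hunk; it presumably comes from an `apache_content_template(squid)` call in squid.te, and as far as I can tell the file-contexts build rejects an entry whose type is undeclared, so that call should be confirmed to exist in the squid.te hunk that follows. The new `squid_rw_stream_sockets` interface grants exactly `{ read write }` on squid_t unix stream sockets, which is appropriately narrow for a helper inheriting the socket; its doc block as shown here carries no `<summary>`/`<param>` markup, which refpolicy's interface documentation tooling expects, though that may be the rendering stripping tags.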
@@ -9,6 +9,13 @@ attribute can_read_shadow_passwords; attribute can_write_shadow_passwords; @@ -8516,7 +8629,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo dev_getattr_scanner_dev(pam_console_t) dev_setattr_scanner_dev(pam_console_t) dev_getattr_sound_dev(pam_console_t) -@@ -244,7 +253,7 @@ +@@ -202,6 +211,7 @@ + + fs_list_auto_mountpoints(pam_console_t) + fs_list_noxattr_fs(pam_console_t) ++fs_getattr_all_fs(pam_console_t) + + init_use_fds(pam_console_t) + init_use_script_ptys(pam_console_t) +@@ -244,7 +254,7 @@ optional_policy(` xserver_read_xdm_pid(pam_console_t) @@ -8525,7 +8646,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo ') ######################################## -@@ -252,15 +261,14 @@ +@@ -252,15 +262,14 @@ # System check password local policy # @@ -8543,7 +8664,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo userdom_dontaudit_use_unpriv_users_ttys(system_chkpwd_t) userdom_dontaudit_use_unpriv_users_ptys(system_chkpwd_t) userdom_dontaudit_use_sysadm_terms(system_chkpwd_t) -@@ -302,6 +310,38 @@ +@@ -302,6 +311,38 @@ ') optional_policy(` 
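Review bot: The added `fs_getattr_all_fs(pam_console_t)` in the authlogin.te hunk (`@@ -202,6 +211,7 @@`) is a blanket grant across every filesystem type, while the neighbouring rules (`fs_list_auto_mountpoints`, `fs_list_noxattr_fs`) are each scoped to one class of filesystem, and the commit message does not mention pam_console at all. A short comment naming what triggered it, e.g. `# pam_console stats mounted filesystems when fixing up console device ownership — TODO confirm the denial`, would let a later reviewer judge whether one of the narrower `fs_getattr_*_fs` interfaces (the patch already uses `fs_getattr_xattr_fs` elsewhere) is enough. The enclosing pam_console_t policy section extends well beyond this hunk on both sides.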
@@ -9176,18 +9297,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptabl +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-2.6.4/policy/modules/system/libraries.fc --- nsaserefpolicy/policy/modules/system/libraries.fc 2007-05-07 14:51:02.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/system/libraries.fc 2007-07-31 16:39:53.000000000 -0400 -@@ -81,8 +81,8 @@ ++++ serefpolicy-2.6.4/policy/modules/system/libraries.fc 2007-08-07 09:13:21.000000000 -0400 +@@ -81,8 +81,9 @@ /opt/cisco-vpnclient/lib/libvpnapi\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /opt/netbeans(.*/)?jdk.*/linux/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /opt/cxoffice/lib/wine/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) --/opt/f-secure/fspms/libexec/librapi.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) - /opt/ibm/java2-ppc64-50/jre/bin/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+/opt/f-secure/fspms/libexec/librapi.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/opt/ibm/java.*/jre/.+\.jar -- gen_context(system_u:object_r:lib_t,s0) ++/opt/ibm/java.*/jre/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + /opt/f-secure/fspms/libexec/librapi.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +-/opt/ibm/java2-ppc64-50/jre/bin/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ifdef(`distro_gentoo',` # despite the extensions, they are actually libs -@@ -132,13 +132,16 @@ +@@ -132,13 +133,16 @@ /usr/(.*/)?nvidia/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0) 
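Review bot: The replacement entry `/opt/ibm/java.*/jre/.+\.so(\.[^/]*)*` swaps one exact install path for a pattern in which `.*` also matches `/`, so any path under /opt/ibm whose first component starts with `java`, with a `jre` component at any depth below it, now receives textrel_shlib_t, the type under which text relocations are permitted; the new `.jar` line has the same reach. If the goal is only to stop hard-coding the IBM JDK version and architecture suffix, `/opt/ibm/java[^/]*/jre/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)` and `/opt/ibm/java[^/]*/jre/.+\.jar -- gen_context(system_u:object_r:lib_t,s0)` keep the match to a single directory level while still covering every release. The f-secure line in this hunk only moves; it is otherwise unchanged.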
@@ -9205,7 +9327,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar /usr/lib(64)?/(nvidia/)?libGL(core)?\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/fglrx/libGL\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/libGLU\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -157,6 +160,8 @@ +@@ -157,6 +161,8 @@ /usr/(local/)?lib(64)?/(sse2/)?libfame-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/NX/lib/libXcomp\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/NX/lib/libjpeg\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -9214,7 +9336,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar /usr/X11R6/lib/libGL\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/X11R6/lib/libXvMCNVIDIA\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -254,6 +259,8 @@ +@@ -254,6 +260,8 @@ /usr/lib(64)?/libdivxdecore\.so\.0 -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/libdivxencore\.so\.0 -- gen_context(system_u:object_r:textrel_shlib_t,s0) diff --git a/selinux-policy.spec b/selinux-policy.spec index f6fbc61..84d8038 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -17,7 +17,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 2.6.4 -Release: 33%{?dist} +Release: 34%{?dist} License: GPL Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -361,6 +361,10 @@ semodule -b base.pp -r bootloader -r clock -r dpkg -r fstools -r hotplug -r init %endif %changelog +* Mon Aug 6 2007 Dan Walsh 2.6.4-34 +- Fix nagios cgi +- allow squid to communicate with winbind + * Mon Aug 6 2007 Dan Walsh 2.6.4-33 - Allow mount to execute modprobe for ntfs mounts