diff --git a/policy-20070501.patch b/policy-20070501.patch
index a908086..9508709 100644
--- a/policy-20070501.patch
+++ b/policy-20070501.patch
@@ -1970,7 +1970,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
/usr/src/kernels/.+/lib(/.*)? gen_context(system_u:object_r:usr_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-2.6.4/policy/modules/kernel/files.if
--- nsaserefpolicy/policy/modules/kernel/files.if 2007-05-07 14:51:02.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/kernel/files.if 2007-08-07 09:42:35.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/kernel/files.if 2007-08-14 08:16:29.000000000 -0400
@@ -343,8 +343,7 @@
########################################
@@ -2021,7 +2021,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
')
########################################
-@@ -992,7 +1008,7 @@
+@@ -890,6 +906,8 @@
+ attribute file_type;
+ ')
+
++ # Have to be able to read badly labeled files like file_context and ld.so.cache
++ files_read_all_files($1)
+ allow $1 { file_type $2 }:dir list_dir_perms;
+ relabel_dirs_pattern($1,{ file_type $2 },{ file_type $2 })
+ relabel_files_pattern($1,{ file_type $2 },{ file_type $2 })
+@@ -992,7 +1010,7 @@
attribute file_type;
')
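Review bot: The new `files_read_all_files($1)` call grants read access to every file_type, which is a much wider grant than the relabel rules below it: the `$2` exclusion set on the `relabel_*_pattern` lines limits what the domain may relabel, but nothing limits what it may now read. The interface's name and XML summary are outside the hunk, so whether it is the all-files relabel interface is an inference; if so, its summary should state that callers also receive read access to all files, since callers choosing this interface for relabeling may not expect that. The justification comment names only two files; a comment such as `# Read access is deliberately wider than the $2 relabel exclusion: mislabeled files may carry any type` would make the trade-off explicit to future maintainers.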
@@ -2030,7 +2039,32 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
')
########################################
-@@ -1320,7 +1336,7 @@
+@@ -1111,6 +1129,24 @@
+
+ ########################################
+ ##
++## search all mount points.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_search_all_mountpoints',`
++ gen_require(`
++ attribute mountpoint;
++ ')
++
++ allow $1 mountpoint:dir search_dir_perms;
++')
++
++########################################
++##
+ ## List the contents of the root directory.
+ ##
+ ##
+@@ -1320,7 +1356,7 @@
type boot_t;
')
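Review bot: The summary line of the new `files_search_all_mountpoints` interface is written in lower case, `## search all mount points.`, while the neighbouring summaries in this file (`## List the contents of the root directory.`) use the imperative capitalised form; `## Search all mount points.` would match. Since `search_dir_perms` on the `mountpoint` attribute is broader than the getattr-only interface it is meant to stand next to, a short sentence in the summary saying that callers get search (not only getattr) on every mount point would help callers pick the narrowest interface. The surrounding XML tags appear to have been stripped by rendering, so only the text is assessed here.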
@@ -2039,7 +2073,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
')
########################################
-@@ -3310,6 +3326,24 @@
+@@ -3310,6 +3346,24 @@
########################################
##
@@ -2064,7 +2098,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
## Get the attributes of files in /usr.
##
##
-@@ -3386,6 +3420,24 @@
+@@ -3386,6 +3440,24 @@
########################################
##
@@ -2089,7 +2123,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
## Read symbolic links in /usr.
##
##
-@@ -3432,6 +3484,24 @@
+@@ -3432,6 +3504,24 @@
########################################
##
@@ -2114,7 +2148,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
## Do not audit attempts to search /usr/src.
##
##
-@@ -3637,7 +3707,7 @@
+@@ -3637,7 +3727,7 @@
type var_t;
')
@@ -2123,7 +2157,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
')
########################################
-@@ -3993,7 +4063,7 @@
+@@ -3993,7 +4083,7 @@
type var_lock_t;
')
@@ -2132,7 +2166,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
')
########################################
-@@ -4012,7 +4082,7 @@
+@@ -4012,7 +4102,7 @@
type var_t, var_lock_t;
')
@@ -2141,7 +2175,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
')
########################################
-@@ -4181,7 +4251,7 @@
+@@ -4181,7 +4271,7 @@
type var_run_t;
')
@@ -2150,7 +2184,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
')
########################################
-@@ -4529,6 +4599,8 @@
+@@ -4529,6 +4619,8 @@
# Need to give access to /selinux/member
selinux_compute_member($1)
@@ -2159,7 +2193,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
# Need sys_admin capability for mounting
allow $1 self:capability { chown fsetid sys_admin };
-@@ -4551,6 +4623,8 @@
+@@ -4551,6 +4643,8 @@
# Default type for mountpoints
allow $1 poly_t:dir { create mounton };
fs_unmount_xattr_fs($1)
@@ -2168,7 +2202,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
')
########################################
-@@ -4588,3 +4662,28 @@
+@@ -4588,3 +4682,28 @@
allow $1 { file_type -security_file_type }:dir manage_dir_perms;
')
@@ -3046,7 +3080,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-2.6.4/policy/modules/services/apache.te
--- nsaserefpolicy/policy/modules/services/apache.te 2007-05-07 14:51:01.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/services/apache.te 2007-08-07 09:42:35.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/services/apache.te 2007-08-14 06:47:44.000000000 -0400
@@ -1,5 +1,5 @@
-policy_module(apache,1.6.0)
@@ -3243,7 +3277,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
daemontools_service_domain(httpd_t, httpd_exec_t)
')
-@@ -606,6 +673,8 @@
+@@ -486,7 +553,6 @@
+
+ optional_policy(`
+ nagios_read_config(httpd_t)
+- nagios_domtrans_cgi(httpd_t)
+ ')
+
+ optional_policy(`
+@@ -606,6 +672,8 @@
manage_files_pattern(httpd_suexec_t,httpd_suexec_tmp_t,httpd_suexec_tmp_t)
files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
@@ -3252,7 +3294,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
kernel_read_kernel_sysctls(httpd_suexec_t)
kernel_list_proc(httpd_suexec_t)
kernel_read_proc_symlinks(httpd_suexec_t)
-@@ -668,6 +737,12 @@
+@@ -668,6 +736,12 @@
fs_exec_nfs_files(httpd_suexec_t)
')
@@ -3265,21 +3307,26 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(httpd_suexec_t)
fs_read_cifs_symlinks(httpd_suexec_t)
-@@ -689,13 +764,6 @@
- nagios_domtrans_cgi(httpd_suexec_t)
+@@ -685,18 +759,6 @@
+ dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
')
-optional_policy(`
+- nagios_domtrans_cgi(httpd_suexec_t)
+-')
+-
+-optional_policy(`
- nis_use_ypbind(httpd_suexec_t)
-')
-
-optional_policy(`
- nscd_socket_use(httpd_suexec_t)
-')
-
+-
########################################
#
-@@ -706,7 +774,8 @@
+ # Apache system script local policy
+@@ -706,7 +768,8 @@
dontaudit httpd_sys_script_t httpd_config_t:dir search;
@@ -3289,7 +3336,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms;
read_files_pattern(httpd_sys_script_t,squirrelmail_spool_t,squirrelmail_spool_t)
-@@ -720,21 +789,64 @@
+@@ -720,21 +783,64 @@
# Should we add a boolean?
apache_domtrans_rotatelogs(httpd_sys_script_t)
@@ -3309,15 +3356,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
-tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
+tunable_policy(`httpd_use_nfs', `
- fs_read_nfs_files(httpd_sys_script_t)
- fs_read_nfs_symlinks(httpd_sys_script_t)
- ')
-
-+tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs', `
+ fs_read_nfs_files(httpd_sys_script_t)
+ fs_read_nfs_symlinks(httpd_sys_script_t)
+')
+
++tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs', `
+ fs_read_nfs_files(httpd_sys_script_t)
+ fs_read_nfs_symlinks(httpd_sys_script_t)
+ ')
+
+tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',`
+ allow httpd_sys_script_t self:tcp_socket create_stream_socket_perms;
+ allow httpd_sys_script_t self:udp_socket create_socket_perms;
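Review bot: The rewritten blocks `tunable_policy(`httpd_use_nfs', `` and `tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs', `` put a space between the comma and the opening quote, whereas the block that follows in context, `tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',``, and the rest of this file use `',`` with no space; the two new lines should follow the file's form. The closing quotes of the two blocks are also indented differently (`')` versus ` ')`), although that may be whitespace lost in rendering. Making the two blocks siblings rather than nested is the substantive fix here and looks right; only the spelling of the opening lines is raised.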
@@ -3359,23 +3406,23 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(httpd_sys_script_t)
fs_read_cifs_symlinks(httpd_sys_script_t)
-@@ -754,14 +866,8 @@
+@@ -754,14 +860,8 @@
# Apache unconfined script local policy
#
-unconfined_domain(httpd_unconfined_script_t)
-
- optional_policy(`
+-optional_policy(`
- cron_system_entry(httpd_t, httpd_exec_t)
-')
-
--optional_policy(`
+ optional_policy(`
- nscd_socket_use(httpd_unconfined_script_t)
+ unconfined_domain(httpd_unconfined_script_t)
')
########################################
-@@ -784,7 +890,26 @@
+@@ -784,7 +884,26 @@
miscfiles_read_localization(httpd_rotatelogs_t)
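Review bot: Moving `unconfined_domain(httpd_unconfined_script_t)` inside an `optional_policy(` block means the domain receives no rules at all when the unconfined module is not loaded, which is the correct pattern for an optional module but is not obvious from the block alone and is easy to mistake for a lost rule. A comment above the block, `# Only unconfined when the unconfined module is loaded; otherwise this domain has no rules of its own`, would record that the behaviour is intended. The `cron_system_entry(httpd_t, httpd_exec_t)` block is removed on both sides of this hunk, so its disappearance is not a new change of this commit.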
@@ -4632,7 +4679,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-2.6.4/policy/modules/services/dovecot.te
--- nsaserefpolicy/policy/modules/services/dovecot.te 2007-05-07 14:50:57.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/services/dovecot.te 2007-08-13 07:17:55.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/services/dovecot.te 2007-08-14 08:16:15.000000000 -0400
@@ -15,6 +15,12 @@
domain_entry_file(dovecot_auth_t,dovecot_auth_exec_t)
role system_r types dovecot_auth_t;
@@ -4664,6 +4711,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
kernel_read_kernel_sysctls(dovecot_t)
kernel_read_system_state(dovecot_t)
+@@ -98,7 +104,7 @@
+ files_dontaudit_list_default(dovecot_t)
+ # Dovecot now has quota support and it uses getmntent() to find the mountpoints.
+ files_read_etc_runtime_files(dovecot_t)
+-files_getattr_all_mountpoints(dovecot_t)
++files_search_all_mountpoints(dovecot_t)
+
+ init_getattr_utmp(dovecot_t)
+
@@ -110,9 +116,6 @@
miscfiles_read_certs(dovecot_t)
miscfiles_read_localization(dovecot_t)
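Review bot: Replacing `files_getattr_all_mountpoints(dovecot_t)` with `files_search_all_mountpoints(dovecot_t)` widens the grant from getattr to `search_dir_perms` on every mount point, but the comment kept above it still only explains the getmntent() lookup, which the getattr-only interface already covered. The comment should say why traversal is needed as well, e.g. `# quota support walks into each mount point, so search (not just getattr) is required`, stated as the actual cause once confirmed. The new interface is the one added to files.if earlier in this commit, so the two hunks should land together.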
@@ -5336,7 +5392,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mail
##
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.te serefpolicy-2.6.4/policy/modules/services/mailman.te
--- nsaserefpolicy/policy/modules/services/mailman.te 2007-05-07 14:51:01.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/services/mailman.te 2007-08-13 19:33:45.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/services/mailman.te 2007-08-13 19:39:50.000000000 -0400
@@ -55,6 +55,7 @@
apache_use_fds(mailman_cgi_t)
apache_dontaudit_append_log(mailman_cgi_t)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 0ee47d1..7c2b53f 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 2.6.4
-Release: 37%{?dist}
+Release: 38%{?dist}
License: GPL
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -361,6 +361,9 @@ semodule -b base.pp -r bootloader -r clock -r dpkg -r fstools -r hotplug -r init
%endif
%changelog
+* Tue Aug 13 2007 Dan Walsh 2.6.4-38
+- Fix nagios_cgi problems
+
* Mon Aug 13 2007 Dan Walsh 2.6.4-37
- Allow clamd to read kernel system state