* [refpolicy] [PATCH 0/2] Few contrib updates
@ 2013-08-16  6:21 Sven Vermeulen
  2013-08-16  6:21 ` [refpolicy] [PATCH 1/2] Grant write privileges to squid on its log files Sven Vermeulen
  2013-08-16  6:21 ` [refpolicy] [PATCH 2/2] Use nscd socket for webalizer Sven Vermeulen
  0 siblings, 2 replies; 6+ messages in thread
From: Sven Vermeulen @ 2013-08-16  6:21 UTC (permalink / raw)
  To: refpolicy

A few more contrib updates

Sven Vermeulen (2):
  Grant write privileges to squid on its log files
  Use nscd socket for webalizer

 squid.te     | 2 +-
 webalizer.te | 4 ++++
 2 files changed, 5 insertions(+), 1 deletion(-)

-- 
1.8.1.5


* [refpolicy] [PATCH 1/2] Grant write privileges to squid on its log files
  2013-08-16  6:21 [refpolicy] [PATCH 0/2] Few contrib updates Sven Vermeulen
@ 2013-08-16  6:21 ` Sven Vermeulen
  2013-08-16 11:30   ` Dominick Grift
  2013-08-16  6:21 ` [refpolicy] [PATCH 2/2] Use nscd socket for webalizer Sven Vermeulen
  1 sibling, 1 reply; 6+ messages in thread
From: Sven Vermeulen @ 2013-08-16  6:21 UTC (permalink / raw)
  To: refpolicy

The squid daemon currently seems to require write privileges on the files
(squid_log_t) - append no longer cuts it. This is confirmed for both the
cache.log file as well as the netdb.state file.

Switching append_files_pattern to write_files_pattern.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 squid.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/squid.te b/squid.te
index 991d7ea..ae41c6c 100644
--- a/squid.te
+++ b/squid.te
@@ -74,7 +74,7 @@ allow squid_t squid_conf_t:file read_file_perms;
 allow squid_t squid_conf_t:lnk_file read_lnk_file_perms;
 
 manage_dirs_pattern(squid_t, squid_log_t, squid_log_t)
-append_files_pattern(squid_t, squid_log_t, squid_log_t)
+write_files_pattern(squid_t, squid_log_t, squid_log_t)
 create_files_pattern(squid_t, squid_log_t, squid_log_t)
 setattr_files_pattern(squid_t, squid_log_t, squid_log_t)
 manage_lnk_files_pattern(squid_t, squid_log_t, squid_log_t)
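
Review bot: replacing append_files_pattern with write_files_pattern on squid_log_t removes the append-only restriction for every file carrying that type, so squid_t can now modify existing log content instead of only adding to it. The commit message names netdb.state alongside cache.log; if that file is state data rather than log output, giving it its own type would let the logs proper stay on append_files_pattern. Quoting the AVC denials in the commit message would also show which permission was actually missing.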
-- 
1.8.1.5


* [refpolicy] [PATCH 2/2] Use nscd socket for webalizer
  2013-08-16  6:21 [refpolicy] [PATCH 0/2] Few contrib updates Sven Vermeulen
  2013-08-16  6:21 ` [refpolicy] [PATCH 1/2] Grant write privileges to squid on its log files Sven Vermeulen
@ 2013-08-16  6:21 ` Sven Vermeulen
  2013-08-16 11:20   ` Dominick Grift
  1 sibling, 1 reply; 6+ messages in thread
From: Sven Vermeulen @ 2013-08-16  6:21 UTC (permalink / raw)
  To: refpolicy

The webalizer application accesses the nscd service to optimize DNS queries.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 webalizer.te | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/webalizer.te b/webalizer.te
index ae919b9..526caa4 100644
--- a/webalizer.te
+++ b/webalizer.te
@@ -89,5 +89,9 @@ optional_policy(`
 ')
 
 optional_policy(`
+	nscd_socket_use(webalizer_t)
+')
+
+optional_policy(`
 	squid_read_log(webalizer_t)
 ')
-- 
1.8.1.5


* [refpolicy] [PATCH 2/2] Use nscd socket for webalizer
  2013-08-16  6:21 ` [refpolicy] [PATCH 2/2] Use nscd socket for webalizer Sven Vermeulen
@ 2013-08-16 11:20   ` Dominick Grift
  2013-08-17  8:24     ` Sven Vermeulen
  0 siblings, 1 reply; 6+ messages in thread
From: Dominick Grift @ 2013-08-16 11:20 UTC (permalink / raw)
  To: refpolicy

On Fri, 2013-08-16 at 08:21 +0200, Sven Vermeulen wrote:
> The webalizer application accesses the nscd service to optimize DNS queries.

There is a boolean for that "nscd_use_shm" (also applies to webalizer)

nscd clients either use shm or socket

can you use audit2why on that avc denial to see if it suggests toggling
the boolean?

> 
> Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
> ---
>  webalizer.te | 4 ++++
>  1 file changed, 4 insertions(+)
> 
> diff --git a/webalizer.te b/webalizer.te
> index ae919b9..526caa4 100644
> --- a/webalizer.te
> +++ b/webalizer.te
> @@ -89,5 +89,9 @@ optional_policy(`
>  ')
>  
>  optional_policy(`
> +	nscd_socket_use(webalizer_t)
> +')
> +
> +optional_policy(`
>  	squid_read_log(webalizer_t)
>  ')


* [refpolicy] [PATCH 1/2] Grant write privileges to squid on its log files
  2013-08-16  6:21 ` [refpolicy] [PATCH 1/2] Grant write privileges to squid on its log files Sven Vermeulen
@ 2013-08-16 11:30   ` Dominick Grift
  0 siblings, 0 replies; 6+ messages in thread
From: Dominick Grift @ 2013-08-16 11:30 UTC (permalink / raw)
  To: refpolicy

On Fri, 2013-08-16 at 08:21 +0200, Sven Vermeulen wrote:
> The squid daemon currently seems to require write privileges on the files
> (squid_log_t) - append no longer cuts it. This is confirmed for both the
> cache.log file as well as the netdb.state file.

Merged with changes, thanks

You might as well use a single manage_files_pattern now

> 
> Switching append_files_pattern to write_files_pattern.
> 
> Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
> ---
>  squid.te | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/squid.te b/squid.te
> index 991d7ea..ae41c6c 100644
> --- a/squid.te
> +++ b/squid.te
> @@ -74,7 +74,7 @@ allow squid_t squid_conf_t:file read_file_perms;
>  allow squid_t squid_conf_t:lnk_file read_lnk_file_perms;
>  
>  manage_dirs_pattern(squid_t, squid_log_t, squid_log_t)
> -append_files_pattern(squid_t, squid_log_t, squid_log_t)
> +write_files_pattern(squid_t, squid_log_t, squid_log_t)
>  create_files_pattern(squid_t, squid_log_t, squid_log_t)
>  setattr_files_pattern(squid_t, squid_log_t, squid_log_t)
>  manage_lnk_files_pattern(squid_t, squid_log_t, squid_log_t)
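
Review bot: the three file patterns this hunk leaves on squid_log_t (write, create, setattr) do not include read, rename, link or unlink, which manage_files_pattern would add. If the lines are collapsed into a single manage_files_pattern, state in the commit message that squid needs those extra permissions (log rotation, for example); otherwise keep the narrower set.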


* [refpolicy] [PATCH 2/2] Use nscd socket for webalizer
  2013-08-16 11:20   ` Dominick Grift
@ 2013-08-17  8:24     ` Sven Vermeulen
  0 siblings, 0 replies; 6+ messages in thread
From: Sven Vermeulen @ 2013-08-17  8:24 UTC (permalink / raw)
  To: refpolicy

On Fri, Aug 16, 2013 at 01:20:18PM +0200, Dominick Grift wrote:
> On Fri, 2013-08-16 at 08:21 +0200, Sven Vermeulen wrote:
> > The webalizer application accesses the nscd service to optimize DNS queries.
> 
> There is a boolean for that "nscd_use_shm" (also applies to webalizer)
> 
> nscd clients either use shm or socket
> 
> can you use audit2why on that avc denial to see if it suggests toggling
> the boolean?

Indeed, my bad. I should've known better.

Wkr,
	Sven Vermeulen
