* [refpolicy] [PATCH 0/2] Few contrib updates
From: Sven Vermeulen @ 2013-08-16 6:21 UTC
To: refpolicy

A few more contrib updates

Sven Vermeulen (2):
  Grant write privileges to squid on its log files
  Use nscd socket for webalizer

 squid.te     | 2 +-
 webalizer.te | 4 ++++
 2 files changed, 5 insertions(+), 1 deletion(-)

--
1.8.1.5
* [refpolicy] [PATCH 1/2] Grant write privileges to squid on its log files 2013-08-16 6:21 [refpolicy] [PATCH 0/2] Few contrib updates Sven Vermeulen @ 2013-08-16 6:21 ` Sven Vermeulen 2013-08-16 11:30 ` Dominick Grift 2013-08-16 6:21 ` [refpolicy] [PATCH 2/2] Use nscd socket for webalizer Sven Vermeulen 1 sibling, 1 reply; 6+ messages in thread From: Sven Vermeulen @ 2013-08-16 6:21 UTC (permalink / raw) To: refpolicy The squid daemon currently seems to require write privileges on the files (squid_log_t) - append no longer cuts it. This is confirmed for both the cache.log file as well as the netdb.state file. Switching append_files_pattern to write_files_pattern. Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be> --- squid.te | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/squid.te b/squid.te index 991d7ea..ae41c6c 100644 --- a/squid.te +++ b/squid.te @@ -74,7 +74,7 @@ allow squid_t squid_conf_t:file read_file_perms; allow squid_t squid_conf_t:lnk_file read_lnk_file_perms; manage_dirs_pattern(squid_t, squid_log_t, squid_log_t) -append_files_pattern(squid_t, squid_log_t, squid_log_t) +write_files_pattern(squid_t, squid_log_t, squid_log_t) create_files_pattern(squid_t, squid_log_t, squid_log_t) setattr_files_pattern(squid_t, squid_log_t, squid_log_t) manage_lnk_files_pattern(squid_t, squid_log_t, squid_log_t) -- 1.8.1.5 ^ permalink raw reply related [flat|nested] 6+ messages in thread
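Review bot: The `write_files_pattern(squid_t, squid_log_t, squid_log_t)` line widens access on every file labelled squid_log_t, while the commit message names only cache.log and netdb.state and says squid "seems to" need it. netdb.state is state data rather than a log, so consider giving it its own type and granting write there, which would let the real log files stay append-only. Please also quote the AVC denial in the commit message so the required permission is on record.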
* [refpolicy] [PATCH 1/2] Grant write privileges to squid on its log files 2013-08-16 6:21 ` [refpolicy] [PATCH 1/2] Grant write privileges to squid on its log files Sven Vermeulen @ 2013-08-16 11:30 ` Dominick Grift 0 siblings, 0 replies; 6+ messages in thread From: Dominick Grift @ 2013-08-16 11:30 UTC (permalink / raw) To: refpolicy On Fri, 2013-08-16 at 08:21 +0200, Sven Vermeulen wrote: > The squid daemon currently seems to require write privileges on the files > (squid_log_t) - append no longer cuts it. This is confirmed for both the > cache.log file as well as the netdb.state file. Merged with changes, thanks You might as well use a single manage_files_pattern now > > Switching append_files_pattern to write_files_pattern. > > Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be> > --- > squid.te | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/squid.te b/squid.te > index 991d7ea..ae41c6c 100644 > --- a/squid.te > +++ b/squid.te > @@ -74,7 +74,7 @@ allow squid_t squid_conf_t:file read_file_perms; > allow squid_t squid_conf_t:lnk_file read_lnk_file_perms; > > manage_dirs_pattern(squid_t, squid_log_t, squid_log_t) > -append_files_pattern(squid_t, squid_log_t, squid_log_t) > +write_files_pattern(squid_t, squid_log_t, squid_log_t) > create_files_pattern(squid_t, squid_log_t, squid_log_t) > setattr_files_pattern(squid_t, squid_log_t, squid_log_t) > manage_lnk_files_pattern(squid_t, squid_log_t, squid_log_t) ^ permalink raw reply [flat|nested] 6+ messages in thread
* [refpolicy] [PATCH 2/2] Use nscd socket for webalizer 2013-08-16 6:21 [refpolicy] [PATCH 0/2] Few contrib updates Sven Vermeulen 2013-08-16 6:21 ` [refpolicy] [PATCH 1/2] Grant write privileges to squid on its log files Sven Vermeulen @ 2013-08-16 6:21 ` Sven Vermeulen 2013-08-16 11:20 ` Dominick Grift 1 sibling, 1 reply; 6+ messages in thread From: Sven Vermeulen @ 2013-08-16 6:21 UTC (permalink / raw) To: refpolicy The webalizer application accesses the nscd service to optimize DNS queries. Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be> --- webalizer.te | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/webalizer.te b/webalizer.te index ae919b9..526caa4 100644 --- a/webalizer.te +++ b/webalizer.te @@ -89,5 +89,9 @@ optional_policy(` ') optional_policy(` + nscd_socket_use(webalizer_t) +') + +optional_policy(` squid_read_log(webalizer_t) ') -- 1.8.1.5 ^ permalink raw reply related [flat|nested] 6+ messages in thread
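Review bot: The new `nscd_socket_use(webalizer_t)` block in webalizer.te is justified only by "accesses the nscd service to optimize DNS queries", with no AVC denial quoted, so it is not possible to tell from the patch whether access already granted to webalizer_t covers this. Please include the denial and the audit2why output for it in the commit message, and confirm the access is not already reachable through an existing boolean (the reply in this thread points at "nscd_use_shm") before adding a separate optional_policy block.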
* [refpolicy] [PATCH 2/2] Use nscd socket for webalizer 2013-08-16 6:21 ` [refpolicy] [PATCH 2/2] Use nscd socket for webalizer Sven Vermeulen @ 2013-08-16 11:20 ` Dominick Grift 2013-08-17 8:24 ` Sven Vermeulen 0 siblings, 1 reply; 6+ messages in thread From: Dominick Grift @ 2013-08-16 11:20 UTC (permalink / raw) To: refpolicy On Fri, 2013-08-16 at 08:21 +0200, Sven Vermeulen wrote: > The webalizer application accesses the nscd service to optimize DNS queries. There is a boolean for that "nscd_use_shm" (also applies to webalizer) nscd clients either use shm or socket can you use audit2why on that avc denial to see if it suggests toggling the boolean? > > Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be> > --- > webalizer.te | 4 ++++ > 1 file changed, 4 insertions(+) > > diff --git a/webalizer.te b/webalizer.te > index ae919b9..526caa4 100644 > --- a/webalizer.te > +++ b/webalizer.te > @@ -89,5 +89,9 @@ optional_policy(` > ') > > optional_policy(` > + nscd_socket_use(webalizer_t) > +') > + > +optional_policy(` > squid_read_log(webalizer_t) > ') ^ permalink raw reply [flat|nested] 6+ messages in thread
* [refpolicy] [PATCH 2/2] Use nscd socket for webalizer
From: Sven Vermeulen @ 2013-08-17 8:24 UTC
To: refpolicy

On Fri, Aug 16, 2013 at 01:20:18PM +0200, Dominick Grift wrote:
> On Fri, 2013-08-16 at 08:21 +0200, Sven Vermeulen wrote:
> > The webalizer application accesses the nscd service to optimize DNS queries.
>
> There is a boolean for that "nscd_use_shm" (also applies to webalizer)
>
> nscd clients either use shm or socket
>
> can you use audit2why on that avc denial to see if it suggests toggling
> the boolean?

Indeed, my bad. I should've known better.

Wkr,
	Sven Vermeulen