A few more contrib updates
Sven Vermeulen (2):
Grant write privileges to squid on its log files
Use nscd socket for webalizer
squid.te | 2 +-
webalizer.te | 4 ++++
2 files changed, 5 insertions(+), 1 deletion(-)
--
1.8.1.5
The squid daemon currently seems to require write privileges on the files
(squid_log_t) - append no longer cuts it. This is confirmed for both the
cache.log file as well as the netdb.state file.
Switching append_files_pattern to write_files_pattern.
Signed-off-by: Sven Vermeulen <[email protected]>
---
squid.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/squid.te b/squid.te
index 991d7ea..ae41c6c 100644
--- a/squid.te
+++ b/squid.te
@@ -74,7 +74,7 @@ allow squid_t squid_conf_t:file read_file_perms;
allow squid_t squid_conf_t:lnk_file read_lnk_file_perms;
manage_dirs_pattern(squid_t, squid_log_t, squid_log_t)
-append_files_pattern(squid_t, squid_log_t, squid_log_t)
+write_files_pattern(squid_t, squid_log_t, squid_log_t)
create_files_pattern(squid_t, squid_log_t, squid_log_t)
setattr_files_pattern(squid_t, squid_log_t, squid_log_t)
manage_lnk_files_pattern(squid_t, squid_log_t, squid_log_t)
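Review bot: the `+write_files_pattern(squid_t, squid_log_t, squid_log_t)` line gives up the append-only relationship squid_t had with squid_log_t: write_file_perms is append_file_perms plus write, so the daemon can now overwrite or truncate existing log files rather than only extend them. The commit message names cache.log and netdb.state as the triggers, and netdb.state is persistent state rather than a log, so the cleaner fix is to label it with its own type (or an existing non-log squid type) and leave the log type append-only; at minimum the commit message should say which of the two files actually needs write. If the write access stays, the surrounding append/create/setattr calls can be folded into one macro as suggested downthread, but manage_files_pattern grants more than the denial reported (unlink and rename among others), which is worth a comment in the .te.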
--
1.8.1.5
The webalizer application accesses the nscd service to optimize DNS queries.
Signed-off-by: Sven Vermeulen <[email protected]>
---
webalizer.te | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/webalizer.te b/webalizer.te
index ae919b9..526caa4 100644
--- a/webalizer.te
+++ b/webalizer.te
@@ -89,5 +89,9 @@ optional_policy(`
')
optional_policy(`
+ nscd_socket_use(webalizer_t)
+')
+
+optional_policy(`
squid_read_log(webalizer_t)
')
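Review bot: the new `+	nscd_socket_use(webalizer_t)` block is justified only by "webalizer accesses nscd"; the commit message does not quote the AVC denial, so it is not visible whether the socket transport is what was denied, and nscd clients that use the shm transport are handled by a boolean rather than by this interface. Please quote the denial in the commit message and run it through audit2why; if it names a boolean, drop this hunk and document the boolean instead. The placement between the existing optional_policy blocks keeps them in alphabetical order (nscd before squid), which is correct.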
--
1.8.1.5
On Fri, 2013-08-16 at 08:21 +0200, Sven Vermeulen wrote:
> The webalizer application accesses the nscd service to optimize DNS queries.
There is a boolean for that, "nscd_use_shm" (it also applies to webalizer).
nscd clients either use shm or socket.
Can you use audit2why on that AVC denial to see if it suggests toggling
the boolean?
>
> Signed-off-by: Sven Vermeulen <[email protected]>
> ---
> webalizer.te | 4 ++++
> 1 file changed, 4 insertions(+)
>
> diff --git a/webalizer.te b/webalizer.te
> index ae919b9..526caa4 100644
> --- a/webalizer.te
> +++ b/webalizer.te
> @@ -89,5 +89,9 @@ optional_policy(`
> ')
>
> optional_policy(`
> + nscd_socket_use(webalizer_t)
> +')
> +
> +optional_policy(`
> squid_read_log(webalizer_t)
> ')
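To make the socket-versus-shm distinction in the reply above concrete, here is an added example (not code from the thread, from refpolicy or from webalizer) that parses AVC records and reports which nscd transport each source domain was denied, which tells you whether to look for the boolean or for nscd_socket_use(). The AVC lines are constructed; example_client_t is a hypothetical domain; the nscd object-class permission names and the nscd_t / nscd_var_run_t type names are written down from memory of refpolicy and are an assumption to check against your policy sources.

```python
"""Tell whether nscd-related AVC denials come from the socket or the shm
transport, per source domain.

Added example, not from the thread, refpolicy or webalizer.  The AVC lines
are constructed; example_client_t is a hypothetical domain; the `nscd`
object-class permission names and the nscd_t/nscd_var_run_t type names are
written down from memory of refpolicy (assumption) and should be checked
against your policy sources.
"""
import re
from typing import Dict, List, Optional, Set

SHM_PERMS = {"shmempwd", "shmemgrp", "shmemhost", "shmemserv"}  # assumption
SOCKET_PERMS = {"getpwd", "getgrp", "gethost", "getserv"}        # assumption
NSCD_TYPES = {"nscd_t", "nscd_var_run_t"}                        # assumption

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line: str) -> Optional[Dict[str, object]]:
    """Extract the denied permissions, the key=value fields and the SELinux
    types of scontext/tcontext from one AVC record; None if not an AVC line."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec: Dict[str, object] = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    rec["perms"] = set(m.group("perms").split())
    for ctx in ("scontext", "tcontext"):
        parts = str(rec.get(ctx, "")).split(":")
        rec[ctx + "_type"] = parts[2] if len(parts) > 2 else ""
    return rec


def nscd_transport(rec: Dict[str, object]) -> Optional[str]:
    """'shm', 'socket', or None when the denial is not about nscd."""
    if rec.get("tcontext_type") not in NSCD_TYPES:
        return None
    perms: Set[str] = rec["perms"]  # type: ignore[assignment]
    tclass = rec.get("tclass")
    if tclass == "nscd" and perms and perms <= SHM_PERMS:
        return "shm"
    if tclass == "nscd" and perms and perms <= SOCKET_PERMS:
        return "socket"
    if tclass in {"unix_stream_socket", "sock_file"}:
        return "socket"  # connectto / write on the nscd socket itself
    return None


def transports_by_domain(lines: List[str]) -> Dict[str, Set[str]]:
    """Map each source domain to the nscd transport(s) it was denied."""
    result: Dict[str, Set[str]] = {}
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        transport = nscd_transport(rec)
        if transport is not None:
            result.setdefault(str(rec["scontext_type"]), set()).add(transport)
    return result


def advice(domain: str, transports: Set[str]) -> str:
    """What to check before writing policy, following the reply in the thread."""
    hints = []
    if "shm" in transports:
        hints.append("shm transport: look for an nscd shm boolean (the thread names "
                     "nscd_use_shm) with getsebool and confirm with audit2why")
    if "socket" in transports:
        hints.append(f"socket transport: nscd_socket_use({domain}) in the domain's "
                     ".te, unless audit2why points at a boolean")
    return f"{domain}: " + "; ".join(hints)


# Constructed sample records, not a real audit log.
SAMPLE_AVC = [
    'type=AVC msg=audit(1376633289.512:901): avc:  denied  { shmemhost } for  pid=4321 '
    'comm="webalizer" scontext=system_u:system_r:webalizer_t:s0 '
    'tcontext=system_u:system_r:nscd_t:s0 tclass=nscd',
    'type=AVC msg=audit(1376633290.004:902): avc:  denied  { connectto } for  pid=4400 '
    'comm="example" path="/var/run/nscd/socket" scontext=system_u:system_r:example_client_t:s0 '
    'tcontext=system_u:system_r:nscd_t:s0 tclass=unix_stream_socket',
    'type=AVC msg=audit(1376633291.118:903): avc:  denied  { write } for  pid=4500 '
    'comm="squid" name="cache.log" scontext=system_u:system_r:squid_t:s0 '
    'tcontext=system_u:object_r:squid_log_t:s0 tclass=file',
]

if __name__ == "__main__":
    for domain, transports in sorted(transports_by_domain(SAMPLE_AVC).items()):
        print(advice(domain, transports))
```

On a real host the same question is answered by `ausearch -m avc | audit2why`, which is what the reply asks for; the script only makes visible which fields of the record that decision rests on (target type, object class and the permission names).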
On Fri, 2013-08-16 at 08:21 +0200, Sven Vermeulen wrote:
> The squid daemon currently seems to require write privileges on the files
> (squid_log_t) - append no longer cuts it. This is confirmed for both the
> cache.log file as well as the netdb.state file.
Merged with changes, thanks.
You might as well use a single manage_files_pattern now.
>
> Switching append_files_pattern to write_files_pattern.
>
> Signed-off-by: Sven Vermeulen <[email protected]>
> ---
> squid.te | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/squid.te b/squid.te
> index 991d7ea..ae41c6c 100644
> --- a/squid.te
> +++ b/squid.te
> @@ -74,7 +74,7 @@ allow squid_t squid_conf_t:file read_file_perms;
> allow squid_t squid_conf_t:lnk_file read_lnk_file_perms;
>
> manage_dirs_pattern(squid_t, squid_log_t, squid_log_t)
> -append_files_pattern(squid_t, squid_log_t, squid_log_t)
> +write_files_pattern(squid_t, squid_log_t, squid_log_t)
> create_files_pattern(squid_t, squid_log_t, squid_log_t)
> setattr_files_pattern(squid_t, squid_log_t, squid_log_t)
> manage_lnk_files_pattern(squid_t, squid_log_t, squid_log_t)
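To see exactly what squid_t gains from the switch in the hunk above, and what the manage_files_pattern suggestion would add on top of it, here is an added example (not refpolicy code and not part of the patch) that expands the *_files_pattern() calls of a policy fragment into the file permissions they grant and diffs two versions of the fragment. The permission sets are transcribed from refpolicy's policy/support/obj_perm_sets.spt as the example's author recalls them and are an assumption to verify against the release you build; macros other than *_files_pattern (manage_dirs_pattern, manage_lnk_files_pattern) are deliberately skipped.

```python
"""Expand refpolicy *_files_pattern() macros and diff the file permissions
two policy fragments grant.

Added example, not refpolicy code.  FILE_PERM_SETS is transcribed from
policy/support/obj_perm_sets.spt from memory (assumption): check it against
the refpolicy release you actually build.
"""
import re
from typing import Dict, FrozenSet, Tuple

FILE_PERM_SETS: Dict[str, FrozenSet[str]] = {
    "read":    frozenset({"getattr", "read", "lock", "ioctl", "open"}),
    "append":  frozenset({"getattr", "append", "lock", "ioctl", "open"}),
    "write":   frozenset({"getattr", "write", "append", "lock", "ioctl", "open"}),
    "rw":      frozenset({"getattr", "read", "write", "append", "lock", "ioctl", "open"}),
    "create":  frozenset({"getattr", "create", "open"}),
    "setattr": frozenset({"setattr"}),
    "delete":  frozenset({"getattr", "unlink"}),
    "manage":  frozenset({"create", "open", "getattr", "setattr", "read", "write",
                          "append", "rename", "link", "unlink", "ioctl", "lock"}),
}
# Every *_files_pattern($1, $2, $3) also lets $1 search directories of type $2.
SEARCH_DIR_PERMS = frozenset({"getattr", "search", "open"})

PATTERN_RE = re.compile(
    r"^\s*(" + "|".join(FILE_PERM_SETS) + r")_files_pattern\(\s*(\w+)\s*,\s*(\w+)\s*,\s*(\w+)\s*\)"
)

Rule = Tuple[str, str, str]  # (source domain, target type, object class)


def expand(fragment: str) -> Dict[Rule, FrozenSet[str]]:
    """Return {(src, target, class): perms} for the *_files_pattern calls in
    fragment.  Other macros (manage_dirs_pattern, manage_lnk_files_pattern,
    plain allow rules) are outside this model and ignored."""
    rules: Dict[Rule, FrozenSet[str]] = {}
    for line in fragment.splitlines():
        m = PATTERN_RE.match(line)
        if m is None:
            continue
        kind, src, dir_t, file_t = m.groups()
        for key, perms in (((src, dir_t, "dir"), SEARCH_DIR_PERMS),
                           ((src, file_t, "file"), FILE_PERM_SETS[kind])):
            rules[key] = rules.get(key, frozenset()) | perms
    return rules


def file_perms(fragment: str, src: str, target: str) -> FrozenSet[str]:
    """Union of file-class permissions src holds on target under fragment."""
    return expand(fragment).get((src, target, "file"), frozenset())


def gained(old: str, new: str, src: str, target: str) -> FrozenSet[str]:
    """File permissions on target that src holds under new but not under old."""
    return file_perms(new, src, target) - file_perms(old, src, target)


# The squid.te lines from the hunk, before and after the patch, plus the
# single-macro variant suggested in the reply.
SQUID_BEFORE = """\
manage_dirs_pattern(squid_t, squid_log_t, squid_log_t)
append_files_pattern(squid_t, squid_log_t, squid_log_t)
create_files_pattern(squid_t, squid_log_t, squid_log_t)
setattr_files_pattern(squid_t, squid_log_t, squid_log_t)
manage_lnk_files_pattern(squid_t, squid_log_t, squid_log_t)
"""
SQUID_AFTER = SQUID_BEFORE.replace("append_files_pattern", "write_files_pattern")
SQUID_MANAGE = """\
manage_dirs_pattern(squid_t, squid_log_t, squid_log_t)
manage_files_pattern(squid_t, squid_log_t, squid_log_t)
manage_lnk_files_pattern(squid_t, squid_log_t, squid_log_t)
"""

if __name__ == "__main__":
    for label, old, new in (("patch", SQUID_BEFORE, SQUID_AFTER),
                            ("manage_files_pattern", SQUID_AFTER, SQUID_MANAGE)):
        extra = sorted(gained(old, new, "squid_t", "squid_log_t"))
        print(f"{label}: squid_t gains {extra} on squid_log_t files")
```

The first diff is the one permission the patch adds (write, which is what turns an append-only log type into one the daemon can truncate); the second shows that collapsing to manage_files_pattern would additionally hand squid_t read, link, rename and unlink on its own logs, so that shortcut should be a deliberate choice rather than a tidy-up.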
On Fri, Aug 16, 2013 at 01:20:18PM +0200, Dominick Grift wrote:
> On Fri, 2013-08-16 at 08:21 +0200, Sven Vermeulen wrote:
> > The webalizer application accesses the nscd service to optimize DNS queries.
>
> There is a boolean for that "nscd_use_shm" (also applies to webalizer)
>
> nscd clients either use shm or socket
>
> can you use audit2why on that avc denial to see if it suggests toggling
> the boolean?
Indeed, my bad. I should've known better.
Wkr,
Sven Vermeulen