From: dominick.grift@gmail.com (Dominick Grift)
Date: Fri, 16 Aug 2013 13:20:18 +0200
Subject: [refpolicy] [PATCH 2/2] Use nscd socket for webalizer
In-Reply-To: <1376634106-16328-3-git-send-email-sven.vermeulen@siphos.be>
References: <1376634106-16328-1-git-send-email-sven.vermeulen@siphos.be>
	<1376634106-16328-3-git-send-email-sven.vermeulen@siphos.be>
Message-ID: <1376652018.3531.2.camel@d30>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Fri, 2013-08-16 at 08:21 +0200, Sven Vermeulen wrote:
> The webalizer application accesses the nscd service to optimize DNS queries.

There is a boolean for that "nscd_use_shm" (also applies to webalizer)

nscd clients either use shm or socket

can you use audit2why on that avc denial to see if it suggests toggling
the boolean?

> 
> Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
> ---
>  webalizer.te | 4 ++++
>  1 file changed, 4 insertions(+)
> 
> diff --git a/webalizer.te b/webalizer.te
> index ae919b9..526caa4 100644
> --- a/webalizer.te
> +++ b/webalizer.te
> @@ -89,5 +89,9 @@ optional_policy(`
>  ')
>  
>  optional_policy(`
> +	nscd_socket_use(webalizer_t)
> +')
> +
> +optional_policy(`
>  	squid_read_log(webalizer_t)
>  ')