diff --git a/refpolicy/Changelog b/refpolicy/Changelog
index 7df1baabb..26efedf85 100644
--- a/refpolicy/Changelog
+++ b/refpolicy/Changelog
@@ -40,6 +40,7 @@
games
mozilla
mplayer
+ nagios
nessus
postgrey
pxe
diff --git a/refpolicy/policy/modules/admin/netutils.if b/refpolicy/policy/modules/admin/netutils.if
index 65ae005d7..9fdfc1f60 100644
--- a/refpolicy/policy/modules/admin/netutils.if
+++ b/refpolicy/policy/modules/admin/netutils.if
@@ -6,7 +6,7 @@
##
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
##
#
@@ -30,7 +30,7 @@ interface(`netutils_domtrans',`
##
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
##
##
@@ -60,7 +60,7 @@ interface(`netutils_run',`
##
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
##
#
@@ -78,7 +78,7 @@ interface(`netutils_exec',`
##
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
##
#
@@ -95,6 +95,42 @@ interface(`netutils_domtrans_ping',`
allow ping_t $1:process sigchld;
')
+########################################
+##
+## Send a kill (SIGKILL) signal to ping.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`netutils_kill_ping',`
+ gen_require(`
+ type ping_t;
+ ')
+
+ allow $1 ping_t:process sigkill;
+')
+
+########################################
+##
+## Send generic signals to ping.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`netutils_signal_ping',`
+ gen_require(`
+ type ping_t;
+ ')
+
+ allow $1 ping_t:process signal;
+')
+
########################################
##
## Execute ping in the ping domain, and
@@ -102,7 +138,7 @@ interface(`netutils_domtrans_ping',`
##
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
##
##
@@ -133,7 +169,7 @@ interface(`netutils_run_ping',`
##
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
##
##
@@ -167,7 +203,7 @@ interface(`netutils_run_ping_cond',`
##
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
##
#
@@ -185,7 +221,7 @@ interface(`netutils_exec_ping',`
##
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
##
#
@@ -209,7 +245,7 @@ interface(`netutils_domtrans_traceroute',`
##
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
##
##
@@ -240,7 +276,7 @@ interface(`netutils_run_traceroute',`
##
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
##
##
@@ -274,7 +310,7 @@ interface(`netutils_run_traceroute_cond',`
##
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
##
#
diff --git a/refpolicy/policy/modules/admin/netutils.te b/refpolicy/policy/modules/admin/netutils.te
index 114551706..1437bacd6 100644
--- a/refpolicy/policy/modules/admin/netutils.te
+++ b/refpolicy/policy/modules/admin/netutils.te
@@ -1,5 +1,5 @@
-policy_module(netutils,1.1.0)
+policy_module(netutils,1.1.1)
########################################
#
diff --git a/refpolicy/policy/modules/kernel/corecommands.fc b/refpolicy/policy/modules/kernel/corecommands.fc
index a2c59dd23..97f3cde74 100644
--- a/refpolicy/policy/modules/kernel/corecommands.fc
+++ b/refpolicy/policy/modules/kernel/corecommands.fc
@@ -126,6 +126,8 @@ ifdef(`distro_gentoo',`
/usr/lib(64)?/ipsec/.* -- gen_context(system_u:object_r:sbin_t,s0)
/usr/lib(64)?/mailman/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/lib(64)?/misc/sftp-server -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib(64)?/nagios/plugins(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/lib(64)?/netsaint/plugins(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/lib(64)?/news/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/lib(64)?/portage/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/lib(64)?/sftp-server -- gen_context(system_u:object_r:bin_t,s0)
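Review bot: The two added plugin entries land in a hunk whose context line is `ifdef(`distro_gentoo',`, so they may sit inside a Gentoo-only block; if they do, non-Gentoo installs that use the same `/usr/lib(64)?/nagios/plugins` path would be left without the bin_t label that nagios.te in this commit relies on through `corecmd_exec_bin(nagios_t)`, and the checks would fail to execute. Worth confirming which block the lines end up in and moving them out of the distro ifdef if the path is generic; the enclosing ifdef, if any, starts before this hunk. Note also that `plugins(/.*)?` labels the directory and every file beneath it bin_t, so anything non-executable shipped alongside the plugins becomes executable-typed as well, which is consistent with the neighbouring mailman and news entries but wider than a `--` file-only pattern.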
diff --git a/refpolicy/policy/modules/kernel/corecommands.te b/refpolicy/policy/modules/kernel/corecommands.te
index d166d62df..675b90929 100644
--- a/refpolicy/policy/modules/kernel/corecommands.te
+++ b/refpolicy/policy/modules/kernel/corecommands.te
@@ -1,5 +1,5 @@
-policy_module(corecommands,1.3.7)
+policy_module(corecommands,1.3.8)
########################################
#
diff --git a/refpolicy/policy/modules/services/apache.if b/refpolicy/policy/modules/services/apache.if
index 4fb4c860d..6e256bb1c 100644
--- a/refpolicy/policy/modules/services/apache.if
+++ b/refpolicy/policy/modules/services/apache.if
@@ -547,12 +547,33 @@ interface(`apache_read_log',`
type httpd_log_t;
')
- files_search_var($1)
+ logging_search_logs($1)
allow $1 httpd_log_t:dir r_dir_perms;
allow $1 httpd_log_t:file r_file_perms;
allow $1 httpd_log_t:lnk_file { getattr read };
')
+########################################
+##
+## Allow the specified domain to append
+## to apache log files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`apache_append_log',`
+ gen_require(`
+ type httpd_log_t;
+ ')
+
+ logging_search_logs($1)
+ allow $1 httpd_log_t:dir r_dir_perms;
+ allow $1 httpd_log_t:file append;
+')
+
########################################
##
## Do not audit attempts to append to the
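Review bot: `apache_append_log` grants only `append` on httpd_log_t:file, which is likely too little for a domain that opens a log through the usual libc path: the fstat that follows the open needs `getattr`, and locking the log needs `lock`, so consider `allow $1 httpd_log_t:file { getattr append lock };`. The directory side is wider than the summary promises, since `r_dir_perms` lets the caller list httpd_log_t directories while reaching a file to append to it only needs search; `allow $1 httpd_log_t:dir search_dir_perms;` is the least-privilege form. The switch from `files_search_var` to `logging_search_logs` in `apache_read_log` above is fine provided the latter also searches the parent var directory; that interface's body starts before this hunk.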
diff --git a/refpolicy/policy/modules/services/apache.te b/refpolicy/policy/modules/services/apache.te
index d7b1cce24..7fd889106 100644
--- a/refpolicy/policy/modules/services/apache.te
+++ b/refpolicy/policy/modules/services/apache.te
@@ -1,5 +1,5 @@
-policy_module(apache,1.3.4)
+policy_module(apache,1.3.5)
#
# NOTES:
@@ -421,6 +421,11 @@ optional_policy(`
mysql_rw_db_sockets(httpd_t)
')
+optional_policy(`
+ nagios_read_config(httpd_t)
+ nagios_domtrans_cgi(httpd_t)
+')
+
optional_policy(`
nscd_socket_use(httpd_t)
')
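Review bot: `nagios_read_config(httpd_t)` on the second added line gives the web server itself read access to everything typed nagios_etc_t, even though the CGIs that need that configuration run in nagios_cgi_t after the transition granted on the next line, and nagios.te already lets nagios_cgi_t read nagios_etc_t. If the intent is only the authentication files Apache reads from the nagios configuration directory, a comment such as `# httpd_t reads the CGI authentication files kept in nagios_etc_t — confirm` would record that, and a narrower interface would be better still. This optional_policy block is unconditional, so the transition into nagios_cgi_t is granted whenever the nagios module is loaded; if the surrounding apache.te gates other CGI execution behind a tunable, both this block and the `nagios_domtrans_cgi(httpd_suexec_t)` block in the next hunk may belong under the same gate.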
@@ -649,6 +654,10 @@ optional_policy(`
dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
')
+optional_policy(`
+ nagios_domtrans_cgi(httpd_suexec_t)
+')
+
optional_policy(`
nis_use_ypbind(httpd_suexec_t)
')
diff --git a/refpolicy/policy/modules/services/mta.te b/refpolicy/policy/modules/services/mta.te
index 369e0e870..b5f7e9113 100644
--- a/refpolicy/policy/modules/services/mta.te
+++ b/refpolicy/policy/modules/services/mta.te
@@ -1,5 +1,5 @@
-policy_module(mta,1.3.1)
+policy_module(mta,1.3.2)
########################################
#
@@ -134,6 +134,10 @@ optional_policy(`
logwatch_read_tmp_files(system_mail_t)
')
+optional_policy(`
+ nagios_read_tmp_files(system_mail_t)
+')
+
optional_policy(`
allow system_mail_t etc_aliases_t:dir create_dir_perms;
allow system_mail_t etc_aliases_t:file create_file_perms;
diff --git a/refpolicy/policy/modules/services/nagios.fc b/refpolicy/policy/modules/services/nagios.fc
new file mode 100644
index 000000000..255d9d13c
--- /dev/null
+++ b/refpolicy/policy/modules/services/nagios.fc
@@ -0,0 +1,16 @@
+
+
+/etc/nagios(/.*)? gen_context(system_u:object_r:nagios_etc_t,s0)
+
+/usr/bin/nagios -- gen_context(system_u:object_r:nagios_exec_t,s0)
+
+/usr/lib(64)?/cgi-bin/netsaint/.+ -- gen_context(system_u:object_r:nagios_cgi_exec_t,s0)
+/usr/lib(64)?/nagios/cgi/.+ -- gen_context(system_u:object_r:nagios_cgi_exec_t,s0)
+
+/var/log/nagios(/.*)? gen_context(system_u:object_r:nagios_log_t,s0)
+/var/log/netsaint(/.*)? gen_context(system_u:object_r:nagios_log_t,s0)
+
+ifdef(`distro_debian',`
+/usr/sbin/nagios -- gen_context(system_u:object_r:nagios_exec_t,s0)
+/usr/lib/cgi-bin/nagios/.+ -- gen_context(system_u:object_r:nagios_cgi_exec_t,s0)
+')
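Review bot: No file context is declared for the pid location, while nagios.te declares nagios_var_run_t and only uses `files_pid_filetrans(nagios_t,nagios_var_run_t,file)`; if the daemon or its init script keeps a subdirectory under /var/run (constructed example: `/var/run/nagios(/.*)? gen_context(system_u:object_r:nagios_var_run_t,s0)`), that directory would stay var_run_t and the daemon could not create its pid file inside it, so confirm the layout and add the entry if needed. The same applies to nagios_tmp_t, which has no context here and is reached only through the tmp filetrans. The two leading blank lines at the top of the file are unusual for refpolicy .fc files and can be dropped.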
diff --git a/refpolicy/policy/modules/services/nagios.if b/refpolicy/policy/modules/services/nagios.if
new file mode 100644
index 000000000..503c26034
--- /dev/null
+++ b/refpolicy/policy/modules/services/nagios.if
@@ -0,0 +1,64 @@
+## Net Saint / NAGIOS - network monitoring server
+
+########################################
+##
+## Allow the specified domain to read
+## nagios configuration files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`nagios_read_config',`
+ gen_require(`
+ type nagios_etc_t;
+ ')
+
+ allow $1 nagios_etc_t:dir list_dir_perms;
+ allow $1 nagios_etc_t:file r_file_perms;
+ files_search_etc($1)
+')
+
+########################################
+##
+## Allow the specified domain to read
+## nagios temporary files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`nagios_read_tmp_files',`
+ gen_require(`
+ type nagios_tmp_t;
+ ')
+
+ allow $1 nagios_tmp_t:file r_file_perms;
+ files_search_tmp($1)
+')
+
+########################################
+##
+## Execute the nagios CGI with
+## a domain transition.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`nagios_domtrans_cgi',`
+ gen_require(`
+ type nagios_cgi_t, nagios_cgi_exec_t;
+ ')
+
+ domain_auto_trans($1,nagios_cgi_exec_t,nagios_cgi_t)
+ allow nagios_cgi_t $1:fd use;
+ allow nagios_cgi_t $1:fifo_file rw_file_perms;
+ allow nagios_cgi_t $1:process sigchld;
+')
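Review bot: `nagios_read_tmp_files` grants `r_file_perms` on nagios_tmp_t files but no `search` on nagios_tmp_t directories, while nagios.te in this same commit lets nagios_t create nagios_tmp_t directories (`files_tmp_filetrans(nagios_t, nagios_tmp_t, { file dir })`), so a temporary file placed inside such a directory would be unreachable to callers like system_mail_t; add `allow $1 nagios_tmp_t:dir search_dir_perms;` before the files_search_tmp call. `nagios_read_config` likewise omits the `lnk_file { getattr read }` that nagios.te grants nagios_t and nagios_cgi_t on nagios_etc_t, so a symlinked configuration file would be readable by the daemon but not by httpd_t through this interface. Whether either gap bites depends on how the files are actually laid out on disk.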
diff --git a/refpolicy/policy/modules/services/nagios.te b/refpolicy/policy/modules/services/nagios.te
new file mode 100644
index 000000000..92dc549da
--- /dev/null
+++ b/refpolicy/policy/modules/services/nagios.te
@@ -0,0 +1,183 @@
+
+policy_module(nagios,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type nagios_t;
+type nagios_exec_t;
+init_daemon_domain(nagios_t,nagios_exec_t)
+
+type nagios_cgi_t;
+type nagios_cgi_exec_t;
+init_system_domain(nagios_cgi_t,nagios_cgi_exec_t)
+
+type nagios_etc_t;
+files_config_file(nagios_etc_t)
+
+type nagios_log_t;
+logging_log_file(nagios_log_t)
+
+type nagios_tmp_t;
+files_tmp_file(nagios_tmp_t)
+
+type nagios_var_run_t;
+files_pid_file(nagios_var_run_t)
+
+########################################
+#
+# Nagios local policy
+#
+
+allow nagios_t self:capability { dac_override setgid setuid };
+dontaudit nagios_t self:capability sys_tty_config;
+allow nagios_t self:process { setpgid signal_perms };
+allow nagios_t self:fifo_file rw_file_perms;
+allow nagios_t self:tcp_socket create_stream_socket_perms;
+allow nagios_t self:udp_socket create_socket_perms;
+
+allow nagios_t nagios_etc_t:file r_file_perms;
+allow nagios_t nagios_etc_t:dir r_dir_perms;
+allow nagios_t nagios_etc_t:lnk_file { getattr read };
+
+allow nagios_t nagios_log_t:file manage_file_perms;
+allow nagios_t nagios_log_t:fifo_file manage_file_perms;
+allow nagios_t nagios_log_t:dir rw_dir_perms;
+logging_log_filetrans(nagios_t,nagios_log_t,{ file dir })
+
+allow nagios_t nagios_tmp_t:dir create_dir_perms;
+allow nagios_t nagios_tmp_t:file create_file_perms;
+files_tmp_filetrans(nagios_t, nagios_tmp_t, { file dir })
+
+allow nagios_t nagios_var_run_t:file create_file_perms;
+allow nagios_t nagios_var_run_t:dir rw_dir_perms;
+files_pid_filetrans(nagios_t,nagios_var_run_t,file)
+
+kernel_read_system_state(nagios_t)
+kernel_read_kernel_sysctls(nagios_t)
+
+corecmd_exec_bin(nagios_t)
+corecmd_exec_shell(nagios_t)
+
+corenet_tcp_sendrecv_generic_if(nagios_t)
+corenet_udp_sendrecv_generic_if(nagios_t)
+corenet_raw_sendrecv_generic_if(nagios_t)
+corenet_tcp_sendrecv_all_nodes(nagios_t)
+corenet_udp_sendrecv_all_nodes(nagios_t)
+corenet_raw_sendrecv_all_nodes(nagios_t)
+corenet_tcp_sendrecv_all_ports(nagios_t)
+corenet_udp_sendrecv_all_ports(nagios_t)
+corenet_non_ipsec_sendrecv(nagios_t)
+corenet_tcp_bind_all_nodes(nagios_t)
+corenet_udp_bind_all_nodes(nagios_t)
+
+dev_read_sysfs(nagios_t)
+
+domain_use_interactive_fds(nagios_t)
+# for ps
+domain_read_all_domains_state(nagios_t)
+
+files_read_etc_files(nagios_t)
+files_read_etc_runtime_files(nagios_t)
+files_read_kernel_symbol_table(nagios_t)
+
+fs_getattr_all_fs(nagios_t)
+fs_search_auto_mountpoints(nagios_t)
+
+term_dontaudit_use_console(nagios_t)
+
+init_use_fds(nagios_t)
+init_use_script_ptys(nagios_t)
+# for who
+init_read_utmp(nagios_t)
+
+libs_use_ld_so(nagios_t)
+libs_use_shared_libs(nagios_t)
+
+logging_send_syslog_msg(nagios_t)
+
+miscfiles_read_localization(nagios_t)
+
+sysnet_read_config(nagios_t)
+
+userdom_dontaudit_use_unpriv_user_fds(nagios_t)
+userdom_dontaudit_search_sysadm_home_dirs(nagios_t)
+
+mta_send_mail(nagios_t)
+
+ifdef(`targeted_policy',`
+ term_dontaudit_use_unallocated_ttys(nagios_t)
+ term_dontaudit_use_generic_ptys(nagios_t)
+ files_dontaudit_read_root_files(nagios_t)
+')
+
+optional_policy(`
+ netutils_domtrans_ping(nagios_t)
+ netutils_signal_ping(nagios_t)
+ netutils_kill_ping(nagios_t)
+
+ # cjp: leaked file descriptors:
+ #dontaudit ping_t nagios_etc_t:file read;
+ #dontaudit ping_t nagios_log_t:fifo_file read;
+')
+
+optional_policy(`
+ nis_use_ypbind(nagios_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(nagios_t)
+')
+
+optional_policy(`
+ udev_read_db(nagios_t)
+')
+
+# cjp: leaked file descriptors:
+# for open file handles
+#dontaudit system_mail_t nagios_etc_t:file read;
+#dontaudit system_mail_t nagios_log_t:fifo_file read;
+
+########################################
+#
+# Nagios CGI local policy
+#
+
+allow nagios_cgi_t self:process { fork signal_perms };
+allow nagios_cgi_t self:fifo_file rw_file_perms;
+
+allow nagios_cgi_t nagios_t:dir r_dir_perms;
+allow nagios_cgi_t nagios_t:file r_file_perms;
+allow nagios_cgi_t nagios_t:lnk_file { getattr read };
+
+allow nagios_cgi_t nagios_etc_t:dir r_dir_perms;
+allow nagios_cgi_t nagios_etc_t:file r_file_perms;
+allow nagios_cgi_t nagios_etc_t:lnk_file { getattr read };
+
+allow nagios_cgi_t nagios_log_t:dir r_dir_perms;
+allow nagios_cgi_t nagios_log_t:file r_file_perms;
+allow nagios_cgi_t nagios_log_t:lnk_file { getattr read };
+
+kernel_read_system_state(nagios_cgi_t)
+
+corecmd_exec_bin(nagios_cgi_t)
+
+domain_dontaudit_read_all_domains_state(nagios_cgi_t)
+
+files_read_etc_files(nagios_cgi_t)
+files_read_etc_runtime_files(nagios_cgi_t)
+files_read_kernel_symbol_table(nagios_cgi_t)
+
+libs_use_ld_so(nagios_cgi_t)
+libs_use_shared_libs(nagios_cgi_t)
+
+logging_send_syslog_msg(nagios_cgi_t)
+logging_search_logs(nagios_cgi_t)
+
+miscfiles_read_localization(nagios_cgi_t)
+
+optional_policy(`
+ apache_append_log(nagios_cgi_t)
+')
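Review bot: The capability set on `allow nagios_t self:capability { dac_override setgid setuid };` is inherited by every check plugin, because the plugins are labelled bin_t in this commit's corecommands.fc and run inside nagios_t through `corecmd_exec_bin`/`corecmd_exec_shell` with no transition, alongside the all-nodes and all-ports network access granted further down; a why-comment on that line, for example `# dac_override: needed by plugins that read files not owned by the nagios user — confirm`, would record what actually requires it, and dropping it if nothing does would be the better outcome. The commented-out `dontaudit` rules under the two `cjp: leaked file descriptors` notes describe denials that will now surface in the audit log whenever ping_t or system_mail_t inherit nagios descriptors; either enable them through the proper interfaces or state in the comment why they are deliberately left off. The three `corenet_raw_sendrecv_*` calls appear unused, since nothing here lets nagios_t create a rawip_socket and ICMP checks are expected to transition into ping_t via the netutils interfaces; confirm and remove them if so.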