From 9a4d292902c6a0400252e3d86d42c49b7a9d55a2 Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Thu, 17 Jun 2010 10:16:19 -0400
Subject: [PATCH] Netutils patch from Dan Walsh. ping gets leaked log descriptor from nagios. Label send_arp as ping_exec_t
---
 policy/modules/admin/netutils.fc | 1 +
 policy/modules/admin/netutils.te | 3 ++-
 policy/modules/services/nagios.if | 18 ++++++++++++++++++
 policy/modules/services/nagios.te | 2 +-
 4 files changed, 22 insertions(+), 2 deletions(-)
diff --git a/policy/modules/admin/netutils.fc b/policy/modules/admin/netutils.fc
index dda1928df..407078f4b 100644
--- a/policy/modules/admin/netutils.fc
+++ b/policy/modules/admin/netutils.fc
@@ -11,4 +11,5 @@
 /usr/sbin/fping -- gen_context(system_u:object_r:ping_exec_t,s0)
 /usr/sbin/traceroute.* -- gen_context(system_u:object_r:traceroute_exec_t,s0)
 /usr/sbin/hping2 -- gen_context(system_u:object_r:ping_exec_t,s0)
+/usr/sbin/send_arp -- gen_context(system_u:object_r:ping_exec_t,s0)
 /usr/sbin/tcpdump -- gen_context(system_u:object_r:netutils_exec_t,s0)
diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te
index e9d7e88e5..b687b5d7d 100644
--- a/policy/modules/admin/netutils.te
+++ b/policy/modules/admin/netutils.te
@@ -1,4 +1,4 @@
-policy_module(netutils, 1.10.0)
+policy_module(netutils, 1.10.1)
 
 ########################################
 #
@@ -143,6 +143,7 @@ ifdef(`hide_broken_symptoms',`
 init_dontaudit_use_fds(ping_t)
 
 optional_policy(`
+nagios_dontaudit_rw_log(ping_t)
 nagios_dontaudit_rw_pipes(ping_t)
 ')
 ')
diff --git a/policy/modules/services/nagios.if b/policy/modules/services/nagios.if
index 72d79a552..b487ec996 100644
--- a/policy/modules/services/nagios.if
+++ b/policy/modules/services/nagios.if
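Review bot: The new `/usr/sbin/send_arp` entry labels only that one path, but the cluster helper of this name is, as far as I can infer from its origin rather than from this hunk, also commonly installed under the heartbeat library directory (`/usr/lib/heartbeat/send_arp`, `/usr/lib64/heartbeat/send_arp`); an unlabeled copy there would execute in the caller's domain with no transition to ping_t, so the raw-socket access it needs would be denied or, worse, granted to the caller's domain elsewhere. If that layout applies on the target distribution, add a matching line, e.g. `/usr/lib(64)?/heartbeat/send_arp -- gen_context(system_u:object_r:ping_exec_t,s0)`. Placing send_arp in ping_t is a reasonable fit for a gratuitous-ARP tool, since it only needs the raw-socket privileges ping already has, but it is worth confirming that the binary does not also need to read cluster configuration that ping_t is not allowed to read.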
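Review bot: The added `nagios_dontaudit_rw_log(ping_t)` has no comment explaining why a ping domain would touch nagios logs at all, so the next maintainer cannot tell whether it is safe to drop; the commit message gives the reason (nagios leaks its open log descriptor into the plugins it executes) and that belongs in the file. Add a why-comment above the optional_policy block, e.g. `# nagios leaks its log and pipe descriptors into the plugins it execs (ping); hide the noise here, the real fix is close-on-exec in nagios`. Keeping the rule inside the `hide_broken_symptoms` block is the right choice, and dontaudit grants nothing: a ping that actually writes to the inherited descriptor still fails, just without an AVC record. The enclosing `ifdef(\`hide_broken_symptoms',\`` block starts before this hunk.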
@@ -100,6 +100,24 @@ interface(`nagios_read_log',`
 read_files_pattern($1, nagios_log_t, nagios_log_t)
 ')
 
+######################################## ## ## Do not audit attempts to read or write nagios logs. ## ## ## ## Domain to not audit. ## ## #
+interface(`nagios_dontaudit_rw_log',`
+ gen_require(`
+ type nagios_log_t;
+ ')
+
+ dontaudit $1 nagios_log_t:file rw_file_perms;
+')
+
 ########################################
 ##
 ## Search nagios spool directories.
diff --git a/policy/modules/services/nagios.te b/policy/modules/services/nagios.te
index 494fb5134..da5b33d07 100644
--- a/policy/modules/services/nagios.te
+++ b/policy/modules/services/nagios.te
@@ -1,4 +1,4 @@
-policy_module(nagios, 1.9.0)
+policy_module(nagios, 1.9.1)
 
 ########################################
 #
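Review bot: `dontaudit $1 nagios_log_t:file rw_file_perms;` in the new `nagios_dontaudit_rw_log` interface is wider than the leaked-descriptor case it exists to hide: `rw_file_perms` in refpolicy's permission sets includes `open`, and a descriptor inherited from nagios is never opened by the caller, so this would also silence a genuine attempt by `$1` to open nagios log files, which is exactly the kind of denial an operator wants to see. Narrow it to the inherited-descriptor permissions, `dontaudit $1 nagios_log_t:file rw_inherited_file_perms;` if this tree's obj_perm_sets defines that set, otherwise `dontaudit $1 nagios_log_t:file { getattr read write append ioctl lock };`. The interface summary should say what it is for, e.g. `Do not audit attempts to read or write nagios log files, such as via descriptors inherited from nagios.`, so callers do not reach for it to hide unrelated denials.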