ulogd patch from Dan Walsh

"communicates with mysql and postgres via the network"

policy/modules/services/ulogd.if

@@ -5,9 +5,9 @@
 ##	Execute a domain transition to run ulogd.
 ## </summary>
 ## <param name="domain">
-## <summary>
+##	<summary>
 ##	Domain allowed to transition.
-## </summary>
+##	</summary>
 ## </param>
 #
 interface(`ulogd_domtrans',`
@@ -65,9 +65,9 @@ interface(`ulogd_read_log',`
 ##	Allow the specified domain to search ulogd's log files.
 ## </summary>
 ## <param name="domain">
-## <summary>
+##	<summary>
 ##	Domain allowed access.
-## </summary>
+##	</summary>
 ## </param>
 #
 interface(`ulogd_search_log',`
@@ -102,7 +102,7 @@ interface(`ulogd_append_log',`
 
 ########################################
 ## <summary>
-##	All of the rules required to administrate 
+##	All of the rules required to administrate
 ##	an ulogd environment
 ## </summary>
 ## <param name="domain">
@@ -119,9 +119,8 @@ interface(`ulogd_append_log',`
 #
 interface(`ulogd_admin',`
 	gen_require(`
-		type ulogd_t, ulogd_etc_t;
+		type ulogd_t, ulogd_etc_t, ulogd_modules_t;
 		type ulogd_var_log_t, ulogd_initrc_exec_t;
-		type ulogd_modules_t;
 	')
 
 	allow $1 ulogd_t:process { ptrace signal_perms };
@@ -132,12 +131,12 @@ interface(`ulogd_admin',`
 	role_transition $2 ulogd_initrc_exec_t system_r;
 	allow $2 system_r;
 
-	files_search_etc($1)
+	files_list_etc($1)
 	admin_pattern($1, ulogd_etc_t)
 
 	logging_list_logs($1)
 	admin_pattern($1, ulogd_var_log_t)
 
-	files_search_usr($1)
+	files_list_usr($1)
 	admin_pattern($1, ulogd_modules_t)
 ')

policy/modules/services/ulogd.te

@@ -31,6 +31,9 @@ logging_log_file(ulogd_var_log_t)
 
 allow ulogd_t self:capability net_admin;
 allow ulogd_t self:netlink_nflog_socket create_socket_perms;
+allow ulogd_t self:netlink_route_socket r_netlink_socket_perms;
+allow ulogd_t self:tcp_socket { create_stream_socket_perms connect };
+allow ulogd_t self:udp_socket create_socket_perms;
 
 # config files
 read_files_pattern(ulogd_t, ulogd_etc_t, ulogd_etc_t)
@@ -43,6 +46,19 @@ mmap_files_pattern(ulogd_t, ulogd_modules_t, ulogd_modules_t)
 manage_files_pattern(ulogd_t, ulogd_var_log_t, ulogd_var_log_t)
 logging_log_filetrans(ulogd_t, ulogd_var_log_t, file)
 
-files_search_etc(ulogd_t)
+files_read_etc_files(ulogd_t)
+files_read_usr_files(ulogd_t)
 
 miscfiles_read_localization(ulogd_t)
+
+sysnet_dns_name_resolve(ulogd_t)
+
+optional_policy(`
+	mysql_stream_connect(ulogd_t)
+	mysql_tcp_connect(ulogd_t)
+')
+
+optional_policy(`
+	postgresql_stream_connect(ulogd_t)
+	postgresql_tcp_connect(ulogd_t)
+')