patch from Stefan for mrtg daemon operation.

Changelog

@@ -1,3 +1,4 @@
+- MRTG patch for daemon operation from Stefan.
 - Add authlogin interface to abstract common access for login programs.
 - Remove setbool auditallow, except for RHEL4.
 - Change eventpollfs to task SID labeling.

policy/modules/admin/mrtg.fc

@@ -15,4 +15,4 @@
 /var/lib/mrtg(/.*)?		gen_context(system_u:object_r:mrtg_var_lib_t,s0)
 /var/lock/mrtg(/.*)?		gen_context(system_u:object_r:mrtg_lock_t,s0)
 /var/log/mrtg(/.*)?		gen_context(system_u:object_r:mrtg_log_t,s0)
-
+/var/run/mrtg\.pid		gen_context(system_u:object_r:mrtg_var_run_t,s0)

policy/modules/admin/mrtg.te

@@ -1,5 +1,5 @@
 
-policy_module(mrtg,1.0.1)
+policy_module(mrtg,1.0.2)
 
 ########################################
 #
@@ -22,12 +22,15 @@ logging_log_file(mrtg_log_t)
 type mrtg_var_lib_t;
 files_type(mrtg_var_lib_t)
 
+type mrtg_var_run_t;
+files_pid_file(mrtg_var_run_t)
+
 ########################################
 #
 # Local policy
 #
 
-allow mrtg_t self:capability { setgid setuid };
+allow mrtg_t self:capability { setgid setuid chown };
 dontaudit mrtg_t self:capability sys_tty_config;
 allow mrtg_t self:process signal_perms;
 allow mrtg_t self:fifo_file { getattr read write ioctl };
@@ -52,6 +55,9 @@ allow mrtg_t mrtg_var_lib_t:dir rw_dir_perms;
 allow mrtg_t mrtg_var_lib_t:file create_file_perms;
 allow mrtg_t mrtg_var_lib_t:lnk_file create_lnk_perms;
 
+allow mrtg_t mrtg_var_run_t:file manage_file_perms;
+files_pid_filetrans(mrtg_t,mrtg_var_run_t,file)
+
 # read config files
 dontaudit mrtg_t mrtg_etc_t:dir write;
 dontaudit mrtg_t mrtg_etc_t:file { write ioctl };
@@ -116,6 +122,10 @@ sysnet_read_config(mrtg_t)
 userdom_dontaudit_use_unpriv_user_fds(mrtg_t)
 userdom_use_sysadm_terms(mrtg_t)
 
+ifdef(`enable_mls',`
+	corenet_udp_sendrecv_lo_if(mrtg_t)
+')
+
 ifdef(`distro_redhat',`
 	allow mrtg_t mrtg_etc_t:dir rw_dir_perms;
 	allow mrtg_t mrtg_lock_t:file create_file_perms;
@@ -144,6 +154,10 @@ optional_policy(`
 	nis_use_ypbind(mrtg_t)
 ')
 
+optional_policy(`
+	nscd_dontaudit_search_pid(mrtg_t)
+')
+
 optional_policy(`
 	seutil_sigchld_newrole(mrtg_t)
 ')

policy/modules/services/nscd.if

@@ -125,6 +125,24 @@ interface(`nscd_shm_use',`
 	dontaudit $1 nscd_var_run_t:file { getattr read };
 ')
 
+########################################
+## <summary>
+##	Do not audit attempts to search the NSCD pid directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`nscd_dontaudit_search_pid',`
+	gen_require(`
+		type nscd_var_run_t;
+	')
+
+	dontaudit $1 nscd_var_run_t:dir search;
+')
+
 ########################################
 ## <summary>
 ##	Read NSCD pid file.

policy/modules/services/nscd.te

@@ -1,5 +1,5 @@
 
-policy_module(nscd,1.2.7)
+policy_module(nscd,1.2.8)
 
 gen_require(`
 	class nscd all_nscd_perms;