From aedca7c2aeb6d641a02a7c1a1381649fe4a3036e Mon Sep 17 00:00:00 2001
From: Vitezslav Crhonek
Date: Mon, 12 Apr 2021 09:46:51 +0200
Subject: [PATCH] Add SELinux subpackage

---
 mrtg.fc | 16 ++++++
 mrtg.if | 88 ++++++++++++++++++++++++++++++++
 mrtg.spec | 72 +++++++++++++++++++++++++-
 mrtg.te | 149 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 4 files changed, 324 insertions(+), 1 deletion(-)
 create mode 100644 mrtg.fc
 create mode 100644 mrtg.if
 create mode 100644 mrtg.te

diff --git a/mrtg.fc b/mrtg.fc
new file mode 100644
index 0000000..340735d
--- /dev/null
+++ b/mrtg.fc
@@ -0,0 +1,16 @@
+/etc/mrtg.* gen_context(system_u:object_r:mrtg_etc_t,s0)
+/etc/mrtg/mrtg\.ok -- gen_context(system_u:object_r:mrtg_lock_t,s0)
+
+/etc/rc\.d/init\.d/mrtg -- gen_context(system_u:object_r:mrtg_initrc_exec_t,s0)
+
+/usr/bin/mrtg -- gen_context(system_u:object_r:mrtg_exec_t,s0)
+
+/var/lib/mrtg(/.*)? gen_context(system_u:object_r:mrtg_var_lib_t,s0)
+
+/var/lock/mrtg(/.*)? gen_context(system_u:object_r:mrtg_lock_t,s0)
+/var/lock/mrtg-rrd(/.*)? gen_context(system_u:object_r:mrtg_lock_t,s0)
+/var/lock/subsys/mrtg -- gen_context(system_u:object_r:mrtg_lock_t,s0)
+
+/var/log/mrtg.* gen_context(system_u:object_r:mrtg_log_t,s0)
+
+/var/run/mrtg\.pid -- gen_context(system_u:object_r:mrtg_var_run_t,s0)
diff --git a/mrtg.if b/mrtg.if
new file mode 100644
index 0000000..2346458
--- /dev/null
+++ b/mrtg.if
@@ -0,0 +1,88 @@
+## Network traffic graphing.
+
+########################################
+##
+## Read mrtg lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`mrtg_read_lib_files',`
+ gen_require(`
+ type mrtg_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, mrtg_var_lib_t, mrtg_var_lib_t)
+')
+
+########################################
+##
+## Create and append mrtg log files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`mrtg_append_create_logs',`
+ gen_require(`
+ type mrtg_log_t;
+ ')
+
+ logging_search_logs($1)
+ append_files_pattern($1, mrtg_log_t, mrtg_log_t)
+ create_files_pattern($1, mrtg_log_t, mrtg_log_t)
+')
+
+########################################
+##
+## All of the rules required to
+## administrate an mrtg environment.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## Role allowed access.
+##
+##
+##
+#
+interface(`mrtg_admin',`
+ gen_require(`
+ type mrtg_t, mrtg_var_run_t, mrtg_initrc_exec_t;
+ type mrtg_var_lib_t, mrtg_lock_t, mrtg_log_t;
+ type mrtg_etc_t;
+ ')
+
+ allow $1 mrtg_t:process { ptrace signal_perms };
+ ps_process_pattern($1, mrtg_t)
+
+ init_labeled_script_domtrans($1, mrtg_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 mrtg_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_search_etc($1)
+ admin_pattern($1, mrtg_etc_t)
+
+ files_search_locks($1)
+ admin_pattern($1, mrtg_lock_t)
+
+ logging_search_logs($1)
+ admin_pattern($1, mrtg_log_t)
+
+ files_search_pids($1)
+ admin_pattern($1, mrtg_var_run_t)
+
+ files_search_var_lib($1)
+ admin_pattern($1, mrtg_var_lib_t)
+')
diff --git a/mrtg.spec b/mrtg.spec
index dc1c34e..1fb2f6e 100644
--- a/mrtg.spec
+++ b/mrtg.spec
@@ -3,10 +3,15 @@
 %global contentdir %{_localstatedir}/www/%{name}
 %global libdir %{_localstatedir}/lib/mrtg
 
+# defining macros needed by SELinux
+%global with_selinux 1
+%global selinuxtype targeted
+%global modulename mrtg
+
 Summary: Multi Router Traffic Grapher
 Name: mrtg
 Version: 2.17.7
-Release: 9%{?dist}
+Release: 10%{?dist}
 URL: http://oss.oetiker.ch/mrtg/
 Source0: http://oss.oetiker.ch/mrtg/pub/mrtg-%{version}.tar.gz
 Source1: http://oss.oetiker.ch/mrtg/pub/mrtg-%{version}.tar.gz.md5
@@ -24,6 +29,11 @@ Source7: mrtg.tmpfiles
 Source8: mrtg.service
 # Source9: systemd timer file
 Source9: mrtg.timer
+# Source100-102: selinux policy for mrtg, extracted
+# from https://github.com/fedora-selinux/selinux-policy
+Source100: %{modulename}.te
+Source101: %{modulename}.if
+Source102: %{modulename}.fc
 Patch0: mrtg-2.15.0-lib64.patch
 Patch1: mrtg-2.17.2-socket6-fix.patch
 # Patch2: some devices return 2**32-2 on ifSpeed (e. g. IBM FibreChannel switches)
@@ -36,6 +46,11 @@ Requires(preun): systemd-units
 Requires(postun): systemd-units
 Requires: perl-Socket6 perl-IO-Socket-INET6 perl-locale
 Requires: gd
+%if 0%{?with_selinux}
+# This ensures that the *-selinux package and all it’s dependencies are not pulled
+# into containers and other systems that do not use SELinux
+Requires: (%{name}-selinux if selinux-policy-%{selinuxtype})
+%endif
 BuildRequires: make
 BuildRequires: gd-devel, libpng-devel
 BuildRequires: perl-generators
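Review bot: The comment above `Requires: (%{name}-selinux if selinux-policy-%{selinuxtype})` in the third hunk reads `all it’s dependencies`; the possessive is `its`, and the curly apostrophe is the only non-ASCII character this commit adds to the spec. Suggested line: `# This ensures that the *-selinux package and all its dependencies are not pulled`. The rich dependency itself is the standard Fedora independent-policy form and needs no change.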
@@ -50,6 +65,20 @@ The Multi Router Traffic Grapher (MRTG) is a tool to monitor the traffic load on network-links. MRTG generates HTML pages containing PNG images which provide a LIVE visual representation of this traffic.
 
+%if 0%{?with_selinux}
+# SELinux subpackage
+%package selinux
+Summary: mrtg SELinux policy
+BuildArch: noarch
+Requires: selinux-policy-%{selinuxtype}
+Requires(post): selinux-policy-%{selinuxtype}
+BuildRequires: selinux-policy-devel
+%{?selinux_requires}
+
+%description selinux
+Custom SELinux policy module
+%endif
+
 %prep
 %setup -q
 %patch0 -p1 -b .lib64
@@ -75,6 +104,15 @@ find contrib -type f -exec \
 find contrib -name "*.pl" -exec %{__perl} -e 's;\015;;gi' -p -i \{\} \;
 find contrib -type f | xargs chmod a-x
 
+%if 0%{?with_selinux}
+# SELinux policy (originally from selinux-policy-contrib)
+# this policy module will override the production module
+mkdir selinux
+cp -p %{SOURCE100} %{SOURCE101} %{SOURCE102} selinux/
+make -f %{_datadir}/selinux/devel/Makefile %{modulename}.pp
+bzip2 -9 %{modulename}.pp
+%endif
+
 %install
 rm -rf $RPM_BUILD_ROOT
 make install DESTDIR=$RPM_BUILD_ROOT
@@ -107,6 +145,10 @@ done
 
 sed -i 's;@@lib@@;%{_lib};g' "$RPM_BUILD_ROOT"%{_mandir}/man1/*.1
 
+%if 0%{?with_selinux}
+install -D -m 0644 %{modulename}.pp.bz2 %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.bz2
+%endif
+
 %post
 install -d -m 0755 -o root -g root /var/lock/mrtg
 restorecon /var/lock/mrtg
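Review bot: The new `install -D` line in the `%install` hunk uses `%{buildroot}` while the surrounding spec consistently uses `$RPM_BUILD_ROOT` (`rm -rf $RPM_BUILD_ROOT`, `"$RPM_BUILD_ROOT"%{_mandir}/man1/*.1`); both expand to the same directory, so this is style only, but mixing the two forms in one file is the kind of thing rpmlint and package reviewers flag. Suggested: `install -D -m 0644 %{modulename}.pp.bz2 "$RPM_BUILD_ROOT"%{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.bz2`. In the preceding hunk the module is compiled with `make -f %{_datadir}/selinux/devel/Makefile` immediately before `%install`; whether that block sits in `%prep` or `%build` is outside the hunk, and the Fedora independent-policy template I recall places it under `%build`, so it is worth confirming the section.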
@@ -122,6 +164,24 @@ fi
 %postun
 %systemd_postun_with_restart mrtg.service
 
+%if 0%{?with_selinux}
+# SELinux contexts are saved so that only affected files can be
+# relabeled after the policy module installation
+%pre selinux
+%selinux_relabel_pre -s %{selinuxtype}
+
+%post selinux
+%selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.bz2
+
+%postun selinux
+if [ $1 -eq 0 ]; then
+ %selinux_modules_uninstall -s %{selinuxtype} %{modulename}
+fi
+
+%posttrans selinux
+%selinux_relabel_post -s %{selinuxtype}
+%endif
+
 %files
 %license COPYING
 %doc contrib CHANGES COPYRIGHT README THANKS
@@ -141,7 +201,17 @@ fi
 %{_unitdir}/mrtg.service
 %{_unitdir}/mrtg.timer
 
+%if 0%{?with_selinux}
+%files selinux
+%{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.*
+%ghost %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{modulename}
+%endif
+
 %changelog
+* Mon Apr 12 2021 Vitezslav Crhonek - 2.17.7-10
+- Incorporate -selinux subpackage
+ See https://fedoraproject.org/wiki/SELinux/IndependentPolicy
+
 * Tue Mar 02 2021 Zbigniew Jędrzejewski-Szmek - 2.17.7-9
 - Rebuilt for updated systemd-rpm-macros
  See https://pagure.io/fesco/issue/2583.
diff --git a/mrtg.te b/mrtg.te
new file mode 100644
index 0000000..fa86320
--- /dev/null
+++ b/mrtg.te
@@ -0,0 +1,149 @@
+policy_module(mrtg, 1.9.0)
+
+########################################
+#
+# Declarations
+#
+
+type mrtg_t;
+type mrtg_exec_t;
+init_system_domain(mrtg_t, mrtg_exec_t)
+
+type mrtg_initrc_exec_t;
+init_script_file(mrtg_initrc_exec_t)
+
+type mrtg_etc_t;
+files_config_file(mrtg_etc_t)
+
+type mrtg_lock_t;
+files_lock_file(mrtg_lock_t)
+
+type mrtg_log_t;
+logging_log_file(mrtg_log_t)
+
+type mrtg_var_lib_t;
+files_type(mrtg_var_lib_t)
+
+type mrtg_var_run_t;
+files_pid_file(mrtg_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow mrtg_t self:capability { setgid setuid chown };
+dontaudit mrtg_t self:capability sys_tty_config;
+allow mrtg_t self:process signal_perms;
+allow mrtg_t self:fifo_file rw_fifo_file_perms;
+
+allow mrtg_t mrtg_etc_t:dir list_dir_perms;
+allow mrtg_t mrtg_etc_t:file read_file_perms;
+allow mrtg_t mrtg_etc_t:lnk_file read_lnk_file_perms;
+
+allow mrtg_t mrtg_lock_t:dir manage_dir_perms;
+allow mrtg_t mrtg_lock_t:file manage_file_perms;
+allow mrtg_t mrtg_lock_t:lnk_file manage_lnk_file_perms;
+files_lock_filetrans(mrtg_t, mrtg_lock_t, { dir file })
+
+manage_dirs_pattern(mrtg_t, mrtg_log_t, mrtg_log_t)
+append_files_pattern(mrtg_t, mrtg_log_t, mrtg_log_t)
+create_files_pattern(mrtg_t, mrtg_log_t, mrtg_log_t)
+setattr_files_pattern(mrtg_t, mrtg_log_t, mrtg_log_t)
+logging_log_filetrans(mrtg_t, mrtg_log_t, { dir file })
+
+manage_files_pattern(mrtg_t, mrtg_var_lib_t, mrtg_var_lib_t)
+manage_lnk_files_pattern(mrtg_t, mrtg_var_lib_t, mrtg_var_lib_t)
+
+allow mrtg_t mrtg_var_run_t:file manage_file_perms;
+files_pid_filetrans(mrtg_t, mrtg_var_run_t, file)
+
+kernel_read_system_state(mrtg_t)
+kernel_read_network_state(mrtg_t)
+kernel_read_kernel_sysctls(mrtg_t)
+
+corecmd_exec_bin(mrtg_t)
+corecmd_exec_shell(mrtg_t)
+
+corenet_all_recvfrom_netlabel(mrtg_t)
+corenet_tcp_sendrecv_generic_if(mrtg_t)
+corenet_tcp_sendrecv_generic_node(mrtg_t)
+
+corenet_sendrecv_all_client_packets(mrtg_t)
+corenet_tcp_connect_all_ports(mrtg_t)
+corenet_tcp_sendrecv_all_ports(mrtg_t)
+
+dev_read_sysfs(mrtg_t)
+dev_read_urand(mrtg_t)
+
+domain_use_interactive_fds(mrtg_t)
+domain_dontaudit_search_all_domains_state(mrtg_t)
+
+files_getattr_tmp_dirs(mrtg_t)
+files_read_etc_runtime_files(mrtg_t)
+files_search_var(mrtg_t)
+files_search_locks(mrtg_t)
+files_search_var_lib(mrtg_t)
+files_search_spool(mrtg_t)
+
+fs_search_auto_mountpoints(mrtg_t)
+fs_getattr_all_fs(mrtg_t)
+fs_list_inotifyfs(mrtg_t)
+
+term_dontaudit_use_console(mrtg_t)
+
+init_use_fds(mrtg_t)
+init_use_script_ptys(mrtg_t)
+init_read_utmp(mrtg_t)
+init_dontaudit_write_utmp(mrtg_t)
+
+auth_use_nsswitch(mrtg_t)
+
+libs_read_lib_files(mrtg_t)
+
+logging_send_syslog_msg(mrtg_t)
+
+selinux_dontaudit_getattr_dir(mrtg_t)
+
+userdom_use_inherited_user_terminals(mrtg_t)
+userdom_dontaudit_read_user_home_content_files(mrtg_t)
+userdom_dontaudit_use_unpriv_user_fds(mrtg_t)
+userdom_dontaudit_list_admin_dir(mrtg_t)
+
+netutils_domtrans_ping(mrtg_t)
+
+ifdef(`enable_mls',`
+ corenet_udp_sendrecv_lo_if(mrtg_t)
+')
+
+optional_policy(`
+ apache_manage_sys_content(mrtg_t)
+')
+
+optional_policy(`
+ cron_system_entry(mrtg_t, mrtg_exec_t)
+')
+
+optional_policy(`
+ hostname_exec(mrtg_t)
+')
+
+optional_policy(`
+ hddtemp_domtrans(mrtg_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(mrtg_t)
+')
+
+optional_policy(`
+ quota_dontaudit_getattr_db(mrtg_t)
+')
+
+optional_policy(`
+ snmp_read_snmp_var_lib_files(mrtg_t)
+')
+
+optional_policy(`
+ udev_read_db(mrtg_t)
+')
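Review bot: `corenet_tcp_connect_all_ports(mrtg_t)` together with `corenet_tcp_sendrecv_all_ports(mrtg_t)` is the widest grant in this module, and nothing in the file records why a collector whose own protocol is SNMP needs to reach every TCP port. The same domain receives `corecmd_exec_shell(mrtg_t)` and `corecmd_exec_bin(mrtg_t)`, so the likely reason is that user-configured target scripts run inside mrtg_t and may talk to arbitrary services, but that is an inference from the rules, not something the hunk states. If that is the intent, a comment above the two rules such as `# external target scripts run in mrtg_t and may connect to arbitrary services; no per-port narrowing` would keep a later least-privilege pass from treating it as an oversight. Separately, `mrtg_initrc_exec_t` / `init_script_file(mrtg_initrc_exec_t)` is declared although the spec hunks show only `%{_unitdir}/mrtg.service` and `%{_unitdir}/mrtg.timer` being shipped; the type is harmless but appears unused on this package.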