Munin patch from Dan Walsh.

policy/modules/services/munin.fc

@@ -6,6 +6,64 @@
 /usr/share/munin/munin-.*	--	gen_context(system_u:object_r:munin_exec_t,s0)
 /usr/share/munin/plugins/.*	--	gen_context(system_u:object_r:munin_exec_t,s0)
 
+# disk plugins
+/usr/share/munin/plugins/diskstat.* --	gen_context(system_u:object_r:disk_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/df.*	--	gen_context(system_u:object_r:disk_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/hddtemp.* --	gen_context(system_u:object_r:disk_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/smart_.* --	gen_context(system_u:object_r:disk_munin_plugin_exec_t,s0)
+
+# mail plugins
+/usr/share/munin/plugins/courier_mta_.*	-- gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/exim_mail.* --	gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/mailman --	gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/mailscanner --	gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/postfix_mail.*	-- gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/sendmail_.* --	gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/qmail.* --	gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0)
+
+# services plugins
+/usr/share/munin/plugins/apache_.* --	gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/asterisk_.* --	gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/http_loadtime -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/fail2ban --	gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/lpstat	--	gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/mysql_.* --	gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/named	--	gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/ntp_.*	--	gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/nut.*	--	gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/openvpn --	gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/ping_ 	--	gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/postgres_.* --	gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/samba	--	gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/slapd_.* --	gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/snmp_.* --	gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/squid_.* --	gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/tomcat_.* --	gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/varnish_.* --	gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
+
+# system plugins
+/usr/share/munin/plugins/acpi	--	gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/cpu.*	--	gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/forks	--	gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/if_.*	--	gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/iostat.* --	gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/interrupts --	gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/irqstats --	gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/load	--	gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/memory	--	gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/netstat --	gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/nfs.*	--	gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/open_files --	gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/proc_pri --	gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/processes --	gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/swap	--	gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/threads --	gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/uptime	--	gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/users	--	gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/yum	--	gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
+
 /var/lib/munin(/.*)?			gen_context(system_u:object_r:munin_var_lib_t,s0)
 /var/log/munin.*			gen_context(system_u:object_r:munin_log_t,s0)
 /var/run/munin(/.*)?			gen_context(system_u:object_r:munin_var_run_t,s0)
+/var/www/html/munin(/.*)?		gen_context(system_u:object_r:httpd_munin_content_t,s0)
+/var/www/html/munin/cgi(/.*)?		gen_context(system_u:object_r:httpd_munin_script_exec_t,s0)

policy/modules/services/munin.if

@@ -1,5 +1,54 @@
 ## <summary>Munin network-wide load graphing (formerly LRRD)</summary>
 
+########################################
+## <summary>
+##	Create a set of derived types for various
+##	munin plugins,
+## </summary>
+## <param name="prefix">
+##	<summary>
+##	The name to be used for deriving type names.
+##	</summary>
+## </param>
+#
+template(`munin_plugin_template',`
+	gen_require(`
+		type munin_t, munin_exec_t, munin_etc_t;
+	')
+
+	type $1_munin_plugin_t;
+	type $1_munin_plugin_exec_t;
+	typealias $1_munin_plugin_t alias munin_$1_plugin_t;
+	typealias $1_munin_plugin_exec_t alias munin_$1_plugin_exec_t;
+	application_domain($1_munin_plugin_t, $1_munin_plugin_exec_t)
+	role system_r types $1_munin_plugin_t;
+
+	type $1_munin_plugin_tmp_t;
+	typealias $1_munin_plugin_tmp_t alias munin_$1_plugin_tmp_t;
+	files_tmp_file($1_munin_plugin_tmp_t)
+
+	allow $1_munin_plugin_t self:fifo_file rw_fifo_file_perms;
+
+	manage_files_pattern($1_munin_plugin_t, $1_munin_plugin_tmp_t, $1_munin_plugin_tmp_t)
+	manage_dirs_pattern($1_munin_plugin_t, $1_munin_plugin_tmp_t, $1_munin_plugin_tmp_t)
+	files_tmp_filetrans($1_munin_plugin_t, $1_munin_plugin_tmp_t, { dir file })
+
+	# automatic transition rules from munin domain
+	# to specific munin plugin domain
+	domtrans_pattern(munin_t, $1_munin_plugin_exec_t, $1_munin_plugin_t)
+
+	allow $1_munin_plugin_t munin_exec_t:file read_file_perms;
+	allow $1_munin_plugin_t munin_t:tcp_socket rw_socket_perms;
+
+	read_lnk_files_pattern($1_munin_plugin_t, munin_etc_t, munin_etc_t)
+
+	kernel_read_system_state($1_munin_plugin_t)
+
+	corecmd_exec_bin($1_munin_plugin_t)
+
+	miscfiles_read_localization($1_munin_plugin_t)
+')
+
 ########################################
 ## <summary>
 ##	Connect to munin over a unix domain
@@ -104,7 +153,7 @@ interface(`munin_dontaudit_search_lib',`
 
 ########################################
 ## <summary>
-##	All of the rules required to administrate 
+##	All of the rules required to administrate
 ##	an munin environment
 ## </summary>
 ## <param name="domain">

policy/modules/services/munin.te

@@ -1,5 +1,5 @@
 
-policy_module(munin, 1.7.0)
+policy_module(munin, 1.7.1)
 
 ########################################
 #
@@ -28,6 +28,14 @@ files_type(munin_var_lib_t)
 type munin_var_run_t alias lrrd_var_run_t;
 files_pid_file(munin_var_run_t)
 
+munin_plugin_template(disk)
+
+munin_plugin_template(mail)
+
+munin_plugin_template(services)
+
+munin_plugin_template(system)
+
 ########################################
 #
 # Local policy
@@ -55,7 +63,8 @@ logging_log_filetrans(munin_t, munin_log_t, { file dir })
 
 manage_dirs_pattern(munin_t, munin_tmp_t, munin_tmp_t)
 manage_files_pattern(munin_t, munin_tmp_t, munin_tmp_t)
-files_tmp_filetrans(munin_t, munin_tmp_t, { file dir })
+manage_sock_files_pattern(munin_t, munin_tmp_t, munin_tmp_t)
+files_tmp_filetrans(munin_t, munin_tmp_t, { file dir sock_file })
 
 # Allow access to the munin databases
 manage_dirs_pattern(munin_t, munin_var_lib_t, munin_var_lib_t)
@@ -130,6 +139,10 @@ optional_policy(`
 	fstools_domtrans(munin_t)
 ')
 
+optional_policy(`
+	lpd_domtrans_lpr(munin_t)
+')
+
 optional_policy(`
 	mta_read_config(munin_t)
 	mta_send_mail(munin_t)
@@ -164,3 +177,140 @@ optional_policy(`
 optional_policy(`
 	udev_read_db(munin_t)
 ')
+
+###################################
+#
+# local policy for disk plugins
+#
+
+allow disk_munin_plugin_t self:tcp_socket create_stream_socket_perms;
+
+rw_files_pattern(disk_munin_plugin_t, munin_var_lib_t, munin_var_lib_t)
+
+corecmd_exec_shell(disk_munin_plugin_t)
+
+corenet_tcp_connect_hddtemp_port(disk_munin_plugin_t)
+
+files_read_etc_files(disk_munin_plugin_t)
+files_read_etc_runtime_files(disk_munin_plugin_t)
+
+fs_getattr_all_fs(disk_munin_plugin_t)
+
+dev_read_sysfs(disk_munin_plugin_t)
+dev_read_urand(disk_munin_plugin_t)
+
+storage_getattr_fixed_disk_dev(disk_munin_plugin_t)
+
+sysnet_read_config(disk_munin_plugin_t)
+
+optional_policy(`
+	hddtemp_exec(disk_munin_plugin_t)
+')
+
+optional_policy(`
+	fstools_exec(disk_munin_plugin_t)
+')
+
+####################################
+#
+# local policy for mail plugins
+#
+
+allow mail_munin_plugin_t self:capability dac_override;
+
+rw_files_pattern(mail_munin_plugin_t, munin_var_lib_t, munin_var_lib_t)
+
+dev_read_urand(mail_munin_plugin_t)
+
+files_read_etc_files(mail_munin_plugin_t)
+
+fs_getattr_all_fs(mail_munin_plugin_t)
+
+logging_read_generic_logs(mail_munin_plugin_t)
+
+mta_read_config(mail_munin_plugin_t)
+mta_send_mail(mail_munin_plugin_t)
+mta_read_queue(mail_munin_plugin_t)
+
+optional_policy(`
+	postfix_read_config(mail_munin_plugin_t)
+	postfix_list_spool(mail_munin_plugin_t)
+')
+
+optional_policy(`
+	sendmail_read_log(mail_munin_plugin_t)
+')
+
+###################################
+#
+# local policy for service plugins
+#
+
+allow services_munin_plugin_t self:tcp_socket create_stream_socket_perms;
+allow services_munin_plugin_t self:udp_socket create_socket_perms;
+allow services_munin_plugin_t self:netlink_route_socket r_netlink_socket_perms;
+
+corenet_tcp_connect_all_ports(services_munin_plugin_t)
+corenet_tcp_connect_http_port(services_munin_plugin_t)
+
+dev_read_urand(services_munin_plugin_t)
+dev_read_rand(services_munin_plugin_t)
+
+fs_getattr_all_fs(services_munin_plugin_t)
+
+files_read_etc_files(services_munin_plugin_t)
+
+sysnet_read_config(services_munin_plugin_t)
+
+optional_policy(`
+	cups_stream_connect(services_munin_plugin_t)
+')
+
+optional_policy(`
+	lpd_exec_lpr(services_munin_plugin_t)
+')
+
+optional_policy(`
+	mysql_read_config(services_munin_plugin_t)
+	mysql_stream_connect(services_munin_plugin_t)
+')
+
+optional_policy(`
+	netutils_domtrans_ping(services_munin_plugin_t)
+')
+
+optional_policy(`
+	postgresql_stream_connect(services_munin_plugin_t)
+')
+
+optional_policy(`
+	snmp_read_snmp_var_lib_files(services_munin_plugin_t)
+')
+
+##################################
+#
+# local policy for system plugins
+#
+
+allow system_munin_plugin_t self:udp_socket create_socket_perms;
+
+rw_files_pattern(system_munin_plugin_t, munin_var_lib_t, munin_var_lib_t)
+
+kernel_read_network_state(system_munin_plugin_t)
+kernel_read_all_sysctls(system_munin_plugin_t)
+
+corecmd_exec_shell(system_munin_plugin_t)
+
+fs_getattr_all_fs(system_munin_plugin_t)
+
+dev_read_sysfs(system_munin_plugin_t)
+dev_read_urand(system_munin_plugin_t)
+
+domain_read_all_domains_state(system_munin_plugin_t)
+
+# needed by users plugin
+init_read_utmp(system_munin_plugin_t)
+
+sysnet_exec_ifconfig(system_munin_plugin_t)
+
+term_getattr_unallocated_ttys(system_munin_plugin_t)