Munin patch from Dan Walsh.
This commit is contained in:
parent
16070400a8
commit
24e0b9b3a4
@ -6,6 +6,64 @@
|
||||
/usr/share/munin/munin-.* -- gen_context(system_u:object_r:munin_exec_t,s0)
|
||||
/usr/share/munin/plugins/.* -- gen_context(system_u:object_r:munin_exec_t,s0)
|
||||
|
||||
# disk plugins
|
||||
/usr/share/munin/plugins/diskstat.* -- gen_context(system_u:object_r:disk_munin_plugin_exec_t,s0)
|
||||
/usr/share/munin/plugins/df.* -- gen_context(system_u:object_r:disk_munin_plugin_exec_t,s0)
|
||||
/usr/share/munin/plugins/hddtemp.* -- gen_context(system_u:object_r:disk_munin_plugin_exec_t,s0)
|
||||
/usr/share/munin/plugins/smart_.* -- gen_context(system_u:object_r:disk_munin_plugin_exec_t,s0)
|
||||
|
||||
# mail plugins
|
||||
/usr/share/munin/plugins/courier_mta_.* -- gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0)
|
||||
/usr/share/munin/plugins/exim_mail.* -- gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0)
|
||||
/usr/share/munin/plugins/mailman -- gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0)
|
||||
/usr/share/munin/plugins/mailscanner -- gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0)
|
||||
/usr/share/munin/plugins/postfix_mail.* -- gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0)
|
||||
/usr/share/munin/plugins/sendmail_.* -- gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0)
|
||||
/usr/share/munin/plugins/qmail.* -- gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0)
|
||||
|
||||
# services plugins
|
||||
/usr/share/munin/plugins/apache_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
|
||||
/usr/share/munin/plugins/asterisk_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
|
||||
/usr/share/munin/plugins/http_loadtime -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
|
||||
/usr/share/munin/plugins/fail2ban -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
|
||||
/usr/share/munin/plugins/lpstat -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
|
||||
/usr/share/munin/plugins/mysql_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
|
||||
/usr/share/munin/plugins/named -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
|
||||
/usr/share/munin/plugins/ntp_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
|
||||
/usr/share/munin/plugins/nut.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
|
||||
/usr/share/munin/plugins/openvpn -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
|
||||
/usr/share/munin/plugins/ping_ -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
|
||||
/usr/share/munin/plugins/postgres_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
|
||||
/usr/share/munin/plugins/samba -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
|
||||
/usr/share/munin/plugins/slapd_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
|
||||
/usr/share/munin/plugins/snmp_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
|
||||
/usr/share/munin/plugins/squid_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
|
||||
/usr/share/munin/plugins/tomcat_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
|
||||
/usr/share/munin/plugins/varnish_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
|
||||
|
||||
# system plugins
|
||||
/usr/share/munin/plugins/acpi -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
|
||||
/usr/share/munin/plugins/cpu.* -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
|
||||
/usr/share/munin/plugins/forks -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
|
||||
/usr/share/munin/plugins/if_.* -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
|
||||
/usr/share/munin/plugins/iostat.* -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
|
||||
/usr/share/munin/plugins/interrupts -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
|
||||
/usr/share/munin/plugins/irqstats -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
|
||||
/usr/share/munin/plugins/load -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
|
||||
/usr/share/munin/plugins/memory -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
|
||||
/usr/share/munin/plugins/netstat -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
|
||||
/usr/share/munin/plugins/nfs.* -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
|
||||
/usr/share/munin/plugins/open_files -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
|
||||
/usr/share/munin/plugins/proc_pri -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
|
||||
/usr/share/munin/plugins/processes -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
|
||||
/usr/share/munin/plugins/swap -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
|
||||
/usr/share/munin/plugins/threads -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
|
||||
/usr/share/munin/plugins/uptime -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
|
||||
/usr/share/munin/plugins/users -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
|
||||
/usr/share/munin/plugins/yum -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
|
||||
|
||||
/var/lib/munin(/.*)? gen_context(system_u:object_r:munin_var_lib_t,s0)
|
||||
/var/log/munin.* gen_context(system_u:object_r:munin_log_t,s0)
|
||||
/var/run/munin(/.*)? gen_context(system_u:object_r:munin_var_run_t,s0)
|
||||
/var/www/html/munin(/.*)? gen_context(system_u:object_r:httpd_munin_content_t,s0)
|
||||
/var/www/html/munin/cgi(/.*)? gen_context(system_u:object_r:httpd_munin_script_exec_t,s0)
|
||||
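Review bot: The generic `/usr/share/munin/plugins/.* -- gen_context(system_u:object_r:munin_exec_t,s0)` entry near the top of the hunk is the label every plugin not named in the per-class lists falls back to, and nothing in the hunk says what that means for the plugin (presumably it keeps running in `munin_t`, since the only transitions visible in this commit are from `munin_t` on the `*_munin_plugin_exec_t` types). A comment ahead of the class lists would make the intent explicit for whoever adds the next plugin, e.g. `# plugins not listed below keep munin_exec_t and are not confined to a plugin domain`. The wildcard plugins are also written in two shapes — `if_.*` with a trailing `.*` but `ping_` without one — so a short comment on the `ping_` line saying whether only the bare wildcard file is meant would stop it being "normalised" later.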
|
@ -1,5 +1,54 @@
|
||||
## <summary>Munin network-wide load graphing (formerly LRRD)</summary>
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Create a set of derived types for various
|
||||
## munin plugins,
|
||||
## </summary>
|
||||
## <param name="prefix">
|
||||
## <summary>
|
||||
## The name to be used for deriving type names.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
template(`munin_plugin_template',`
|
||||
gen_require(`
|
||||
type munin_t, munin_exec_t, munin_etc_t;
|
||||
')
|
||||
|
||||
type $1_munin_plugin_t;
|
||||
type $1_munin_plugin_exec_t;
|
||||
typealias $1_munin_plugin_t alias munin_$1_plugin_t;
|
||||
typealias $1_munin_plugin_exec_t alias munin_$1_plugin_exec_t;
|
||||
application_domain($1_munin_plugin_t, $1_munin_plugin_exec_t)
|
||||
role system_r types $1_munin_plugin_t;
|
||||
|
||||
type $1_munin_plugin_tmp_t;
|
||||
typealias $1_munin_plugin_tmp_t alias munin_$1_plugin_tmp_t;
|
||||
files_tmp_file($1_munin_plugin_tmp_t)
|
||||
|
||||
allow $1_munin_plugin_t self:fifo_file rw_fifo_file_perms;
|
||||
|
||||
manage_files_pattern($1_munin_plugin_t, $1_munin_plugin_tmp_t, $1_munin_plugin_tmp_t)
|
||||
manage_dirs_pattern($1_munin_plugin_t, $1_munin_plugin_tmp_t, $1_munin_plugin_tmp_t)
|
||||
files_tmp_filetrans($1_munin_plugin_t, $1_munin_plugin_tmp_t, { dir file })
|
||||
|
||||
# automatic transition rules from munin domain
|
||||
# to specific munin plugin domain
|
||||
domtrans_pattern(munin_t, $1_munin_plugin_exec_t, $1_munin_plugin_t)
|
||||
|
||||
allow $1_munin_plugin_t munin_exec_t:file read_file_perms;
|
||||
allow $1_munin_plugin_t munin_t:tcp_socket rw_socket_perms;
|
||||
|
||||
read_lnk_files_pattern($1_munin_plugin_t, munin_etc_t, munin_etc_t)
|
||||
|
||||
kernel_read_system_state($1_munin_plugin_t)
|
||||
|
||||
corecmd_exec_bin($1_munin_plugin_t)
|
||||
|
||||
miscfiles_read_localization($1_munin_plugin_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Connect to munin over a unix domain
|
||||
@ -104,7 +153,7 @@ interface(`munin_dontaudit_search_lib',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## All of the rules required to administrate
|
||||
## All of the rules required to administrate
|
||||
## an munin environment
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
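Review bot: The `<summary>` of `munin_plugin_template` in the first hunk says only that it creates derived types, but the body also declares a `$1_munin_plugin_tmp_t`, wires an automatic transition from `munin_t` on `$1_munin_plugin_exec_t`, and grants a baseline of `kernel_read_system_state`, `corecmd_exec_bin`, `miscfiles_read_localization` and read/write on `munin_t` tcp sockets, so a caller cannot tell from the documentation what a fresh plugin domain can already do. The summary should list that baseline and say that plugin-specific access (ports, capabilities, service sockets) is expected from the caller; the stray comma in `## munin plugins,` should be a period. The two `typealias` lines carry no comment on why the `munin_$1_plugin_*` spelling is kept alongside `$1_munin_plugin_*`; if it is for policy that already uses the older names, say so: `# munin_$1_plugin_* aliases keep existing references to those names building`. The whitespace-only change in the second hunk needs nothing.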
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(munin, 1.7.0)
|
||||
policy_module(munin, 1.7.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -28,6 +28,14 @@ files_type(munin_var_lib_t)
|
||||
type munin_var_run_t alias lrrd_var_run_t;
|
||||
files_pid_file(munin_var_run_t)
|
||||
|
||||
munin_plugin_template(disk)
|
||||
|
||||
munin_plugin_template(mail)
|
||||
|
||||
munin_plugin_template(services)
|
||||
|
||||
munin_plugin_template(system)
|
||||
|
||||
########################################
|
||||
#
|
||||
# Local policy
|
||||
@ -55,7 +63,8 @@ logging_log_filetrans(munin_t, munin_log_t, { file dir })
|
||||
|
||||
manage_dirs_pattern(munin_t, munin_tmp_t, munin_tmp_t)
|
||||
manage_files_pattern(munin_t, munin_tmp_t, munin_tmp_t)
|
||||
files_tmp_filetrans(munin_t, munin_tmp_t, { file dir })
|
||||
manage_sock_files_pattern(munin_t, munin_tmp_t, munin_tmp_t)
|
||||
files_tmp_filetrans(munin_t, munin_tmp_t, { file dir sock_file })
|
||||
|
||||
# Allow access to the munin databases
|
||||
manage_dirs_pattern(munin_t, munin_var_lib_t, munin_var_lib_t)
|
||||
@ -130,6 +139,10 @@ optional_policy(`
|
||||
fstools_domtrans(munin_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
lpd_domtrans_lpr(munin_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
mta_read_config(munin_t)
|
||||
mta_send_mail(munin_t)
|
||||
@ -164,3 +177,140 @@ optional_policy(`
|
||||
optional_policy(`
|
||||
udev_read_db(munin_t)
|
||||
')
|
||||
|
||||
###################################
|
||||
#
|
||||
# local policy for disk plugins
|
||||
#
|
||||
|
||||
allow disk_munin_plugin_t self:tcp_socket create_stream_socket_perms;
|
||||
|
||||
rw_files_pattern(disk_munin_plugin_t, munin_var_lib_t, munin_var_lib_t)
|
||||
|
||||
corecmd_exec_shell(disk_munin_plugin_t)
|
||||
|
||||
corenet_tcp_connect_hddtemp_port(disk_munin_plugin_t)
|
||||
|
||||
files_read_etc_files(disk_munin_plugin_t)
|
||||
files_read_etc_runtime_files(disk_munin_plugin_t)
|
||||
|
||||
fs_getattr_all_fs(disk_munin_plugin_t)
|
||||
|
||||
dev_read_sysfs(disk_munin_plugin_t)
|
||||
dev_read_urand(disk_munin_plugin_t)
|
||||
|
||||
storage_getattr_fixed_disk_dev(disk_munin_plugin_t)
|
||||
|
||||
sysnet_read_config(disk_munin_plugin_t)
|
||||
|
||||
optional_policy(`
|
||||
hddtemp_exec(disk_munin_plugin_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
fstools_exec(disk_munin_plugin_t)
|
||||
')
|
||||
|
||||
####################################
|
||||
#
|
||||
# local policy for mail plugins
|
||||
#
|
||||
|
||||
allow mail_munin_plugin_t self:capability dac_override;
|
||||
|
||||
rw_files_pattern(mail_munin_plugin_t, munin_var_lib_t, munin_var_lib_t)
|
||||
|
||||
dev_read_urand(mail_munin_plugin_t)
|
||||
|
||||
files_read_etc_files(mail_munin_plugin_t)
|
||||
|
||||
fs_getattr_all_fs(mail_munin_plugin_t)
|
||||
|
||||
logging_read_generic_logs(mail_munin_plugin_t)
|
||||
|
||||
mta_read_config(mail_munin_plugin_t)
|
||||
mta_send_mail(mail_munin_plugin_t)
|
||||
mta_read_queue(mail_munin_plugin_t)
|
||||
|
||||
optional_policy(`
|
||||
postfix_read_config(mail_munin_plugin_t)
|
||||
postfix_list_spool(mail_munin_plugin_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
sendmail_read_log(mail_munin_plugin_t)
|
||||
')
|
||||
|
||||
###################################
|
||||
#
|
||||
# local policy for service plugins
|
||||
#
|
||||
|
||||
allow services_munin_plugin_t self:tcp_socket create_stream_socket_perms;
|
||||
allow services_munin_plugin_t self:udp_socket create_socket_perms;
|
||||
allow services_munin_plugin_t self:netlink_route_socket r_netlink_socket_perms;
|
||||
|
||||
corenet_tcp_connect_all_ports(services_munin_plugin_t)
|
||||
corenet_tcp_connect_http_port(services_munin_plugin_t)
|
||||
|
||||
dev_read_urand(services_munin_plugin_t)
|
||||
dev_read_rand(services_munin_plugin_t)
|
||||
|
||||
fs_getattr_all_fs(services_munin_plugin_t)
|
||||
|
||||
files_read_etc_files(services_munin_plugin_t)
|
||||
|
||||
sysnet_read_config(services_munin_plugin_t)
|
||||
|
||||
optional_policy(`
|
||||
cups_stream_connect(services_munin_plugin_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
lpd_exec_lpr(services_munin_plugin_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
mysql_read_config(services_munin_plugin_t)
|
||||
mysql_stream_connect(services_munin_plugin_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
netutils_domtrans_ping(services_munin_plugin_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
postgresql_stream_connect(services_munin_plugin_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
snmp_read_snmp_var_lib_files(services_munin_plugin_t)
|
||||
')
|
||||
|
||||
##################################
|
||||
#
|
||||
# local policy for system plugins
|
||||
#
|
||||
|
||||
allow system_munin_plugin_t self:udp_socket create_socket_perms;
|
||||
|
||||
rw_files_pattern(system_munin_plugin_t, munin_var_lib_t, munin_var_lib_t)
|
||||
|
||||
kernel_read_network_state(system_munin_plugin_t)
|
||||
kernel_read_all_sysctls(system_munin_plugin_t)
|
||||
|
||||
corecmd_exec_shell(system_munin_plugin_t)
|
||||
|
||||
fs_getattr_all_fs(system_munin_plugin_t)
|
||||
|
||||
dev_read_sysfs(system_munin_plugin_t)
|
||||
dev_read_urand(system_munin_plugin_t)
|
||||
|
||||
domain_read_all_domains_state(system_munin_plugin_t)
|
||||
|
||||
# needed by users plugin
|
||||
init_read_utmp(system_munin_plugin_t)
|
||||
|
||||
sysnet_exec_ifconfig(system_munin_plugin_t)
|
||||
|
||||
term_getattr_unallocated_ttys(system_munin_plugin_t)
|
||||
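Review bot: `allow mail_munin_plugin_t self:capability dac_override;` in the last hunk is a blanket DAC bypass with no comment naming the plugin that needs it; everything else granted to that domain (`mta_read_queue`, `logging_read_generic_logs`, `sendmail_read_log`, `postfix_list_spool`) is read-only, so `dac_read_search` would presumably cover it, and whichever capability stays the line wants a comment such as `# <plugin>: queue and log files are not readable by the munin user` stating the actual reason. In the same hunk `corenet_tcp_connect_http_port(services_munin_plugin_t)` is subsumed by `corenet_tcp_connect_all_ports` on the line above; the redundant line can go, and the all-ports grant is worth narrowing to the ports the listed plugins poll (e.g. `corenet_tcp_connect_squid_port`, `corenet_tcp_connect_mysqld_port`) or at least commenting why every port is needed. `corecmd_exec_shell` is given to `disk_munin_plugin_t` and `system_munin_plugin_t` but not to the mail or services domains; `corecmd_exec_bin` from the template does not cover the shell, so if any plugin in those classes is a shell script it will be denied at exec — either add it or note why it is not needed. In the `@ -130,6 +139,10 @@` hunk `munin_t` gains `lpd_domtrans_lpr` even though `lpstat` now runs as `services_munin_plugin_t` with `lpd_exec_lpr`; confirm the node domain itself still needs the transition.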
|