5 patches from dan
This commit is contained in:
parent
10b03f376b
commit
ce6fee6575
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(uml, 2.0.1)
|
policy_module(uml, 2.0.2)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
@ -16,14 +16,12 @@ ubac_constrained(uml_t)
|
|||||||
type uml_ro_t;
|
type uml_ro_t;
|
||||||
typealias uml_ro_t alias { user_uml_ro_t staff_uml_ro_t sysadm_uml_ro_t };
|
typealias uml_ro_t alias { user_uml_ro_t staff_uml_ro_t sysadm_uml_ro_t };
|
||||||
typealias uml_ro_t alias { auditadm_uml_ro_t secadm_uml_ro_t };
|
typealias uml_ro_t alias { auditadm_uml_ro_t secadm_uml_ro_t };
|
||||||
files_type(uml_ro_t)
|
userdom_user_home_content(uml_ro_t)
|
||||||
ubac_constrained(uml_ro_t)
|
|
||||||
|
|
||||||
type uml_rw_t;
|
type uml_rw_t;
|
||||||
typealias uml_rw_t alias { user_uml_rw_t staff_uml_rw_t sysadm_uml_rw_t };
|
typealias uml_rw_t alias { user_uml_rw_t staff_uml_rw_t sysadm_uml_rw_t };
|
||||||
typealias uml_rw_t alias { auditadm_uml_rw_t secadm_uml_rw_t };
|
typealias uml_rw_t alias { auditadm_uml_rw_t secadm_uml_rw_t };
|
||||||
files_type(uml_rw_t)
|
userdom_user_home_content(uml_rw_t)
|
||||||
ubac_constrained(uml_rw_t)
|
|
||||||
|
|
||||||
type uml_tmp_t;
|
type uml_tmp_t;
|
||||||
typealias uml_tmp_t alias { user_uml_tmp_t staff_uml_tmp_t sysadm_uml_tmp_t };
|
typealias uml_tmp_t alias { user_uml_tmp_t staff_uml_tmp_t sysadm_uml_tmp_t };
|
||||||
|
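Review bot: Dropping `ubac_constrained(uml_ro_t)` and `ubac_constrained(uml_rw_t)` in the `@ -16,14 +16,12 @@` hunk leaves only `uml_t` (visible in the hunk header context) under the UBAC constraint, and nothing on this page shows that `userdom_user_home_content()` re-applies it. If that interface applies the constraint internally the change is a harmless cleanup, but if it does not, the ro/rw image types quietly leave user-based access control while the process domain keeps it. A one-line comment above the first replaced line, e.g. `# UBAC constraint is applied by userdom_user_home_content()`, would record which case this is.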
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(corenetwork, 1.11.9)
|
policy_module(corenetwork, 1.11.10)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
@ -131,6 +131,7 @@ network_port(memcache, tcp,11211,s0, udp,11211,s0)
|
|||||||
network_port(mmcc, tcp,5050,s0, udp,5050,s0)
|
network_port(mmcc, tcp,5050,s0, udp,5050,s0)
|
||||||
network_port(monopd, tcp,1234,s0)
|
network_port(monopd, tcp,1234,s0)
|
||||||
network_port(msnp, tcp,1863,s0, udp,1863,s0)
|
network_port(msnp, tcp,1863,s0, udp,1863,s0)
|
||||||
|
network_port(munin, tcp,4949,s0, udp,4949,s0)
|
||||||
network_port(mysqld, tcp,1186,s0, tcp,3306,s0)
|
network_port(mysqld, tcp,1186,s0, tcp,3306,s0)
|
||||||
portcon tcp 63132-63163 gen_context(system_u:object_r:mysqld_port_t, s0)
|
portcon tcp 63132-63163 gen_context(system_u:object_r:mysqld_port_t, s0)
|
||||||
network_port(nessus, tcp,1241,s0)
|
network_port(nessus, tcp,1241,s0)
|
||||||
|
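Review bot: `network_port(munin, tcp,4949,s0, udp,4949,s0)` labels UDP 4949 as a munin port, but the munin.te hunks in this commit only add `corenet_tcp_bind_munin_port` and `corenet_tcp_connect_munin_port`, so no domain is granted the UDP side. Unless munin-node genuinely uses UDP 4949 (not shown on this page), `network_port(munin, tcp,4949,s0)` keeps the declaration in step with the rules that consume it; if UDP is intentional, a short comment naming the consumer would explain the extra entry.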
@ -1,17 +1,22 @@
|
|||||||
/etc/rc\.d/init\.d/named -- gen_context(system_u:object_r:named_initrc_exec_t,s0)
|
/etc/rc\.d/init\.d/named -- gen_context(system_u:object_r:named_initrc_exec_t,s0)
|
||||||
|
/etc/rc\.d/init\.d/unbound -- gen_context(system_u:object_r:named_initrc_exec_t,s0)
|
||||||
|
|
||||||
/etc/rndc.* -- gen_context(system_u:object_r:named_conf_t,s0)
|
/etc/rndc.* -- gen_context(system_u:object_r:named_conf_t,s0)
|
||||||
/etc/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0)
|
/etc/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0)
|
||||||
|
/etc/unbound(/.*)? gen_context(system_u:object_r:named_conf_t,s0)
|
||||||
|
|
||||||
/usr/sbin/lwresd -- gen_context(system_u:object_r:named_exec_t,s0)
|
/usr/sbin/lwresd -- gen_context(system_u:object_r:named_exec_t,s0)
|
||||||
/usr/sbin/named -- gen_context(system_u:object_r:named_exec_t,s0)
|
/usr/sbin/named -- gen_context(system_u:object_r:named_exec_t,s0)
|
||||||
/usr/sbin/named-checkconf -- gen_context(system_u:object_r:named_checkconf_exec_t,s0)
|
/usr/sbin/named-checkconf -- gen_context(system_u:object_r:named_checkconf_exec_t,s0)
|
||||||
/usr/sbin/r?ndc -- gen_context(system_u:object_r:ndc_exec_t,s0)
|
/usr/sbin/r?ndc -- gen_context(system_u:object_r:ndc_exec_t,s0)
|
||||||
|
/usr/sbin/unbound -- gen_context(system_u:object_r:named_exec_t,s0)
|
||||||
|
|
||||||
/var/log/named.* -- gen_context(system_u:object_r:named_log_t,s0)
|
/var/log/named.* -- gen_context(system_u:object_r:named_log_t,s0)
|
||||||
|
|
||||||
/var/run/ndc -s gen_context(system_u:object_r:named_var_run_t,s0)
|
/var/run/ndc -s gen_context(system_u:object_r:named_var_run_t,s0)
|
||||||
/var/run/bind(/.*)? gen_context(system_u:object_r:named_var_run_t,s0)
|
/var/run/bind(/.*)? gen_context(system_u:object_r:named_var_run_t,s0)
|
||||||
/var/run/named(/.*)? gen_context(system_u:object_r:named_var_run_t,s0)
|
/var/run/named(/.*)? gen_context(system_u:object_r:named_var_run_t,s0)
|
||||||
|
/var/run/unbound(/.*)? gen_context(system_u:object_r:named_var_run_t,s0)
|
||||||
|
|
||||||
ifdef(`distro_debian',`
|
ifdef(`distro_debian',`
|
||||||
/etc/bind(/.*)? gen_context(system_u:object_r:named_zone_t,s0)
|
/etc/bind(/.*)? gen_context(system_u:object_r:named_zone_t,s0)
|
||||||
@ -40,8 +45,12 @@ ifdef(`distro_redhat',`
|
|||||||
/var/named/data(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
|
/var/named/data(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
|
||||||
/var/named/named\.ca -- gen_context(system_u:object_r:named_conf_t,s0)
|
/var/named/named\.ca -- gen_context(system_u:object_r:named_conf_t,s0)
|
||||||
/var/named/chroot(/.*)? gen_context(system_u:object_r:named_conf_t,s0)
|
/var/named/chroot(/.*)? gen_context(system_u:object_r:named_conf_t,s0)
|
||||||
/var/named/chroot/etc(/.*)? gen_context(system_u:object_r:named_conf_t,s0)
|
|
||||||
/var/named/chroot/etc/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0)
|
/var/named/chroot/etc/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0)
|
||||||
|
/var/named/chroot/etc/named\.conf -- gen_context(system_u:object_r:named_conf_t,s0)
|
||||||
|
/var/named/chroot/etc/named\.rfc1912.zones -- gen_context(system_u:object_r:named_conf_t,s0)
|
||||||
|
/var/named/chroot/etc/named\.root\.hints -- gen_context(system_u:object_r:named_conf_t,s0)
|
||||||
|
/var/named/chroot/etc/named\.caching-nameserver\.conf -- gen_context(system_u:object_r:named_conf_t,s0)
|
||||||
|
/var/named/chroot/proc(/.*)? <<none>>
|
||||||
/var/named/chroot/var/run/named.* gen_context(system_u:object_r:named_var_run_t,s0)
|
/var/named/chroot/var/run/named.* gen_context(system_u:object_r:named_var_run_t,s0)
|
||||||
/var/named/chroot/var/tmp(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
|
/var/named/chroot/var/tmp(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
|
||||||
/var/named/chroot/var/named(/.*)? gen_context(system_u:object_r:named_zone_t,s0)
|
/var/named/chroot/var/named(/.*)? gen_context(system_u:object_r:named_zone_t,s0)
|
||||||
|
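Review bot: The four unbound entries (`/etc/rc\.d/init\.d/unbound`, `/etc/unbound(/.*)?`, `/usr/sbin/unbound`, `/var/run/unbound(/.*)?`) reuse named's types, so unbound will run as `named_t` and inherit every rule bind has, including the zone/cache write rules and the chroot labelling in the `distro_redhat` hunk, rather than getting a domain sized to what a validating resolver needs. If that trade-off is deliberate, a comment above the first entry, e.g. `# unbound runs in named_t; give it its own module if its access diverges`, tells the next maintainer not to "fix" it. In the `@ -40,8 +45,12 @@` hunk, `/var/named/chroot(/.*)?` still labels everything below the chroot as `named_conf_t`, so removing `/var/named/chroot/etc(/.*)?` changes no labels and the four explicit `named\.conf`/`named\.rfc1912.zones`/`named\.root\.hints`/`named\.caching-nameserver\.conf` lines appear redundant with it, unless they are kept for the `--` regular-file qualifier; worth a sentence in the commit message either way.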
@ -36,6 +36,42 @@ interface(`bind_signal',`
|
|||||||
allow $1 named_t:process signal;
|
allow $1 named_t:process signal;
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Send null sigals to BIND.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`bind_signull',`
|
||||||
|
gen_require(`
|
||||||
|
type named_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
allow $1 named_t:process signull;
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Send BIND the kill signal
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`bind_kill',`
|
||||||
|
gen_require(`
|
||||||
|
type named_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
allow $1 named_t:process sigkill;
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Execute ndc in the ndc domain, and
|
## Execute ndc in the ndc domain, and
|
||||||
@ -269,7 +305,7 @@ interface(`bind_udp_chat_named',`
|
|||||||
interface(`bind_admin',`
|
interface(`bind_admin',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
type named_t, named_tmp_t, named_log_t;
|
type named_t, named_tmp_t, named_log_t;
|
||||||
type named_conf_t, named_var_run_t;
|
type named_conf_t, named_var_lib_t, named_var_run_t;
|
||||||
type named_cache_t, named_zone_t;
|
type named_cache_t, named_zone_t;
|
||||||
type dnssec_t, ndc_t;
|
type dnssec_t, ndc_t;
|
||||||
type named_initrc_exec_t;
|
type named_initrc_exec_t;
|
||||||
@ -283,6 +319,7 @@ interface(`bind_admin',`
|
|||||||
|
|
||||||
bind_run_ndc($1, $2)
|
bind_run_ndc($1, $2)
|
||||||
|
|
||||||
|
init_labeled_script_domtrans($1, bind_initrc_exec_t)
|
||||||
domain_system_change_exemption($1)
|
domain_system_change_exemption($1)
|
||||||
role_transition $2 named_initrc_exec_t system_r;
|
role_transition $2 named_initrc_exec_t system_r;
|
||||||
allow $2 system_r;
|
allow $2 system_r;
|
||||||
@ -300,6 +337,9 @@ interface(`bind_admin',`
|
|||||||
admin_pattern($1, named_zone_t)
|
admin_pattern($1, named_zone_t)
|
||||||
admin_pattern($1, dnssec_t)
|
admin_pattern($1, dnssec_t)
|
||||||
|
|
||||||
|
files_list_var_lib($1)
|
||||||
|
admin_pattern($1, named_var_lib_t)
|
||||||
|
|
||||||
files_list_pids($1)
|
files_list_pids($1)
|
||||||
admin_pattern($1, named_var_run_t)
|
admin_pattern($1, named_var_run_t)
|
||||||
')
|
')
|
||||||
|
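Review bot: The new `init_labeled_script_domtrans($1, bind_initrc_exec_t)` line in the `@ -283,6 +319,7 @@` hunk names a type that `bind_admin` never requires: the `gen_require` block in the `@ -269,7 +305,7 @@` hunk declares `named_initrc_exec_t`, and the `role_transition $2 named_initrc_exec_t system_r;` line two lines below uses that name. As written the interface will fail to expand or refer to an undeclared type; the line should read `init_labeled_script_domtrans($1, named_initrc_exec_t)`. In the `@ -36,6 +36,42 @@` hunk the summary of the new `bind_signull` interface has a typo, `## Send null sigals to BIND.` should be `## Send null signals to BIND.`.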
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(bind, 1.9.2)
|
policy_module(bind, 1.9.3)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
@ -123,6 +123,7 @@ corenet_sendrecv_dns_server_packets(named_t)
|
|||||||
corenet_sendrecv_dns_client_packets(named_t)
|
corenet_sendrecv_dns_client_packets(named_t)
|
||||||
corenet_sendrecv_rndc_server_packets(named_t)
|
corenet_sendrecv_rndc_server_packets(named_t)
|
||||||
corenet_sendrecv_rndc_client_packets(named_t)
|
corenet_sendrecv_rndc_client_packets(named_t)
|
||||||
|
corenet_dontaudit_udp_bind_all_reserved_ports(named_t)
|
||||||
corenet_udp_bind_all_unreserved_ports(named_t)
|
corenet_udp_bind_all_unreserved_ports(named_t)
|
||||||
|
|
||||||
dev_read_sysfs(named_t)
|
dev_read_sysfs(named_t)
|
||||||
@ -169,7 +170,7 @@ optional_policy(`
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
kerberos_use(named_t)
|
kerberos_keytab_template(named, named_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
|
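Review bot: `corenet_dontaudit_udp_bind_all_reserved_ports(named_t)` suppresses every denial for binding reserved UDP ports, which is exactly the audit trail a defender would want if named were ever made to bind somewhere unexpected; the usual reason is source-port randomisation landing on a reserved port, but the hunk does not say so. A comment above the line, e.g. `# UDP source-port randomisation probes reserved ports; the denials are noise`, documents the intent and lets a later reviewer decide whether the dontaudit is still needed. In the `@ -169,7 +170,7 @@` hunk, `kerberos_use(named_t)` is replaced rather than supplemented by `kerberos_keytab_template(named, named_t)`; if the template does not itself grant the client/config access `kerberos_use` provided (not visible here), named loses it, so confirm before merging.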
@ -36,8 +36,7 @@ interface(`inetd_core_service_domain',`
|
|||||||
role system_r types $1;
|
role system_r types $1;
|
||||||
|
|
||||||
domtrans_pattern(inetd_t, $2, $1)
|
domtrans_pattern(inetd_t, $2, $1)
|
||||||
|
allow inetd_t $1:process { siginh sigkill };
|
||||||
allow inetd_t $1:process sigkill;
|
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
|
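Review bot: Adding `siginh` to `allow inetd_t $1:process { siginh sigkill };` lets inetd's signal state (pending signals, blocked mask, handlers) survive the transition into the service domain; when it is denied the kernel does not fail the exec, it resets that state, which is normally the safer default for a newly spawned service. If the change is there only to silence audit noise, `dontaudit inetd_t $1:process siginh;` keeps the old behaviour without the log entries; if a service actually needs inherited signal state, a comment naming it would justify the allow. The enclosing `inetd_core_service_domain` interface starts before this hunk.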
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(inetd, 1.9.2)
|
policy_module(inetd, 1.9.3)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
|
@ -1,4 +1,5 @@
|
|||||||
/etc/munin(/.*)? gen_context(system_u:object_r:munin_etc_t,s0)
|
/etc/munin(/.*)? gen_context(system_u:object_r:munin_etc_t,s0)
|
||||||
|
/etc/rc\.d/init\.d/munin-node -- gen_context(system_u:object_r:munin_initrc_exec_t,s0)
|
||||||
|
|
||||||
/usr/bin/munin-.* -- gen_context(system_u:object_r:munin_exec_t,s0)
|
/usr/bin/munin-.* -- gen_context(system_u:object_r:munin_exec_t,s0)
|
||||||
/usr/sbin/munin-.* -- gen_context(system_u:object_r:munin_exec_t,s0)
|
/usr/sbin/munin-.* -- gen_context(system_u:object_r:munin_exec_t,s0)
|
||||||
@ -6,6 +7,5 @@
|
|||||||
/usr/share/munin/plugins/.* -- gen_context(system_u:object_r:munin_exec_t,s0)
|
/usr/share/munin/plugins/.* -- gen_context(system_u:object_r:munin_exec_t,s0)
|
||||||
|
|
||||||
/var/lib/munin(/.*)? gen_context(system_u:object_r:munin_var_lib_t,s0)
|
/var/lib/munin(/.*)? gen_context(system_u:object_r:munin_var_lib_t,s0)
|
||||||
/var/log/munin.* -- gen_context(system_u:object_r:munin_log_t,s0)
|
/var/log/munin.* gen_context(system_u:object_r:munin_log_t,s0)
|
||||||
/var/run/munin(/.*)? gen_context(system_u:object_r:munin_var_run_t,s0)
|
/var/run/munin(/.*)? gen_context(system_u:object_r:munin_var_run_t,s0)
|
||||||
/var/www/munin(/.*)? gen_context(system_u:object_r:munin_var_lib_t,s0)
|
|
||||||
|
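Review bot: The `@ -6,6 +7,5 @@` hunk removes `/var/www/munin(/.*)? gen_context(system_u:object_r:munin_var_lib_t,s0)` without adding a replacement, while the munin.te hunk in the same commit grants `munin_t` manage rights on `httpd_munin_content_t`; unless `apache_content_template(munin)` or another file context supplies a label for that directory (not shown on this page), the generated HTML falls back to the parent directory's default label and the new rules never apply to it. If the label is meant to come from the apache template, say so in the commit message; otherwise an explicit `/var/www/munin(/.*)? gen_context(system_u:object_r:httpd_munin_content_t,s0)` entry is needed. Dropping the `--` from `/var/log/munin.*` so directories match is consistent with the new `manage_dirs_pattern` on `munin_log_t` and looks intentional.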
@ -59,8 +59,9 @@ interface(`munin_append_log',`
|
|||||||
type munin_log_t;
|
type munin_log_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
allow $1 munin_log_t:file append_file_perms;
|
|
||||||
logging_search_logs($1)
|
logging_search_logs($1)
|
||||||
|
allow $1 munin_log_t:dir list_dir_perms;
|
||||||
|
append_files_pattern($1, munin_log_t, munin_log_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
@ -100,3 +101,54 @@ interface(`munin_dontaudit_search_lib',`
|
|||||||
|
|
||||||
dontaudit $1 munin_var_lib_t:dir search_dir_perms;
|
dontaudit $1 munin_var_lib_t:dir search_dir_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## All of the rules required to administrate
|
||||||
|
## an munin environment
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
## <param name="role">
|
||||||
|
## <summary>
|
||||||
|
## The role to be allowed to manage the munin domain.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
## <rolecap/>
|
||||||
|
#
|
||||||
|
interface(`munin_admin',`
|
||||||
|
gen_require(`
|
||||||
|
type munin_t, munin_etc_t, munin_tmp_t;
|
||||||
|
type munin_log_t, munin_var_lib_t, munin_var_run_t;
|
||||||
|
type httpd_munin_content_t;
|
||||||
|
type munin_initrc_exec_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
allow $1 munin_t:process { ptrace signal_perms };
|
||||||
|
ps_process_pattern($1, munin_t)
|
||||||
|
|
||||||
|
init_labeled_script_domtrans($1, munin_initrc_exec_t)
|
||||||
|
domain_system_change_exemption($1)
|
||||||
|
role_transition $2 munin_initrc_exec_t system_r;
|
||||||
|
allow $2 system_r;
|
||||||
|
|
||||||
|
files_list_tmp($1)
|
||||||
|
admin_pattern($1, munin_tmp_t)
|
||||||
|
|
||||||
|
logging_list_logs($1)
|
||||||
|
admin_pattern($1, munin_log_t)
|
||||||
|
|
||||||
|
files_list_etc($1)
|
||||||
|
admin_pattern($1, munin_etc_t)
|
||||||
|
|
||||||
|
files_list_var_lib($1)
|
||||||
|
admin_pattern($1, munin_var_lib_t)
|
||||||
|
|
||||||
|
files_list_pids($1)
|
||||||
|
admin_pattern($1, munin_var_run_t)
|
||||||
|
|
||||||
|
admin_pattern($1, httpd_munin_content_t)
|
||||||
|
')
|
||||||
|
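Review bot: `munin_admin` unconditionally requires `type httpd_munin_content_t;`, but that type is only declared by `apache_content_template(munin)` inside an `optional_policy` block in munin.te (visible in this commit), so on any system without the apache module the whole `munin_admin` interface fails its `gen_require` and the caller's admin rules are lost. The safest fix is to drop `type httpd_munin_content_t;` and the trailing `admin_pattern($1, httpd_munin_content_t)` from this interface and put them in a separate interface the caller can invoke under its own `optional_policy`. The summary also has a grammatical slip, `## an munin environment` should be `## a munin environment`. The `{ ptrace signal_perms }` grant matches the other admin interfaces on this page and is fine as written.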
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(munin, 1.6.2)
|
policy_module(munin, 1.6.3)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
@ -13,6 +13,9 @@ init_daemon_domain(munin_t, munin_exec_t)
|
|||||||
type munin_etc_t alias lrrd_etc_t;
|
type munin_etc_t alias lrrd_etc_t;
|
||||||
files_config_file(munin_etc_t)
|
files_config_file(munin_etc_t)
|
||||||
|
|
||||||
|
type munin_initrc_exec_t;
|
||||||
|
init_script_file(munin_initrc_exec_t)
|
||||||
|
|
||||||
type munin_log_t alias lrrd_log_t;
|
type munin_log_t alias lrrd_log_t;
|
||||||
logging_log_file(munin_log_t)
|
logging_log_file(munin_log_t)
|
||||||
|
|
||||||
@ -30,21 +33,25 @@ files_pid_file(munin_var_run_t)
|
|||||||
# Local policy
|
# Local policy
|
||||||
#
|
#
|
||||||
|
|
||||||
allow munin_t self:capability { setgid setuid };
|
allow munin_t self:capability { chown dac_override setgid setuid };
|
||||||
dontaudit munin_t self:capability sys_tty_config;
|
dontaudit munin_t self:capability sys_tty_config;
|
||||||
allow munin_t self:process { getsched setsched signal_perms };
|
allow munin_t self:process { getsched setsched signal_perms };
|
||||||
allow munin_t self:unix_stream_socket { create_stream_socket_perms connectto };
|
allow munin_t self:unix_stream_socket { create_stream_socket_perms connectto };
|
||||||
allow munin_t self:unix_dgram_socket { create_socket_perms sendto };
|
allow munin_t self:unix_dgram_socket { create_socket_perms sendto };
|
||||||
allow munin_t self:tcp_socket create_stream_socket_perms;
|
allow munin_t self:tcp_socket create_stream_socket_perms;
|
||||||
allow munin_t self:udp_socket create_socket_perms;
|
allow munin_t self:udp_socket create_socket_perms;
|
||||||
|
allow munin_t self:fifo_file manage_fifo_file_perms;
|
||||||
|
|
||||||
allow munin_t munin_etc_t:dir list_dir_perms;
|
allow munin_t munin_etc_t:dir list_dir_perms;
|
||||||
read_files_pattern(munin_t, munin_etc_t, munin_etc_t)
|
read_files_pattern(munin_t, munin_etc_t, munin_etc_t)
|
||||||
read_lnk_files_pattern(munin_t, munin_etc_t, munin_etc_t)
|
read_lnk_files_pattern(munin_t, munin_etc_t, munin_etc_t)
|
||||||
files_search_etc(munin_t)
|
files_search_etc(munin_t)
|
||||||
|
|
||||||
allow munin_t munin_log_t:file manage_file_perms;
|
can_exec(munin_t, munin_exec_t)
|
||||||
logging_log_filetrans(munin_t, munin_log_t, file)
|
|
||||||
|
manage_dirs_pattern(munin_t, munin_log_t, munin_log_t)
|
||||||
|
manage_files_pattern(munin_t, munin_log_t, munin_log_t)
|
||||||
|
logging_log_filetrans(munin_t, munin_log_t, { file dir })
|
||||||
|
|
||||||
manage_dirs_pattern(munin_t, munin_tmp_t, munin_tmp_t)
|
manage_dirs_pattern(munin_t, munin_tmp_t, munin_tmp_t)
|
||||||
manage_files_pattern(munin_t, munin_tmp_t, munin_tmp_t)
|
manage_files_pattern(munin_t, munin_tmp_t, munin_tmp_t)
|
||||||
@ -61,9 +68,11 @@ manage_sock_files_pattern(munin_t, munin_var_run_t, munin_var_run_t)
|
|||||||
files_pid_filetrans(munin_t, munin_var_run_t, file)
|
files_pid_filetrans(munin_t, munin_var_run_t, file)
|
||||||
|
|
||||||
kernel_read_system_state(munin_t)
|
kernel_read_system_state(munin_t)
|
||||||
kernel_read_kernel_sysctls(munin_t)
|
kernel_read_network_state(munin_t)
|
||||||
|
kernel_read_all_sysctls(munin_t)
|
||||||
|
|
||||||
corecmd_exec_bin(munin_t)
|
corecmd_exec_bin(munin_t)
|
||||||
|
corecmd_exec_shell(munin_t)
|
||||||
|
|
||||||
corenet_all_recvfrom_unlabeled(munin_t)
|
corenet_all_recvfrom_unlabeled(munin_t)
|
||||||
corenet_all_recvfrom_netlabel(munin_t)
|
corenet_all_recvfrom_netlabel(munin_t)
|
||||||
@ -73,30 +82,43 @@ corenet_tcp_sendrecv_generic_node(munin_t)
|
|||||||
corenet_udp_sendrecv_generic_node(munin_t)
|
corenet_udp_sendrecv_generic_node(munin_t)
|
||||||
corenet_tcp_sendrecv_all_ports(munin_t)
|
corenet_tcp_sendrecv_all_ports(munin_t)
|
||||||
corenet_udp_sendrecv_all_ports(munin_t)
|
corenet_udp_sendrecv_all_ports(munin_t)
|
||||||
|
corenet_tcp_bind_generic_node(munin_t)
|
||||||
|
corenet_tcp_bind_munin_port(munin_t)
|
||||||
|
corenet_tcp_connect_munin_port(munin_t)
|
||||||
|
corenet_tcp_connect_http_port(munin_t)
|
||||||
|
|
||||||
dev_read_sysfs(munin_t)
|
dev_read_sysfs(munin_t)
|
||||||
dev_read_urand(munin_t)
|
dev_read_urand(munin_t)
|
||||||
|
|
||||||
domain_use_interactive_fds(munin_t)
|
domain_use_interactive_fds(munin_t)
|
||||||
|
domain_read_all_domains_state(munin_t)
|
||||||
|
|
||||||
files_read_etc_files(munin_t)
|
files_read_etc_files(munin_t)
|
||||||
files_read_etc_runtime_files(munin_t)
|
files_read_etc_runtime_files(munin_t)
|
||||||
files_read_usr_files(munin_t)
|
files_read_usr_files(munin_t)
|
||||||
|
files_list_spool(munin_t)
|
||||||
|
|
||||||
fs_getattr_all_fs(munin_t)
|
fs_getattr_all_fs(munin_t)
|
||||||
fs_search_auto_mountpoints(munin_t)
|
fs_search_auto_mountpoints(munin_t)
|
||||||
|
|
||||||
logging_send_syslog_msg(munin_t)
|
auth_use_nsswitch(munin_t)
|
||||||
|
|
||||||
|
logging_send_syslog_msg(munin_t)
|
||||||
|
logging_read_all_logs(munin_t)
|
||||||
|
|
||||||
|
miscfiles_read_fonts(munin_t)
|
||||||
miscfiles_read_localization(munin_t)
|
miscfiles_read_localization(munin_t)
|
||||||
|
|
||||||
sysnet_read_config(munin_t)
|
sysnet_exec_ifconfig(munin_t)
|
||||||
|
|
||||||
userdom_dontaudit_use_unpriv_user_fds(munin_t)
|
userdom_dontaudit_use_unpriv_user_fds(munin_t)
|
||||||
userdom_dontaudit_search_user_home_dirs(munin_t)
|
userdom_dontaudit_search_user_home_dirs(munin_t)
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
# for accessing the output directory
|
apache_content_template(munin)
|
||||||
|
|
||||||
|
manage_dirs_pattern(munin_t, httpd_munin_content_t, httpd_munin_content_t)
|
||||||
|
manage_files_pattern(munin_t, httpd_munin_content_t, httpd_munin_content_t)
|
||||||
apache_search_sys_content(munin_t)
|
apache_search_sys_content(munin_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -105,7 +127,34 @@ optional_policy(`
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
nis_use_ypbind(munin_t)
|
fstools_domtrans(munin_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
mta_read_config(munin_t)
|
||||||
|
mta_send_mail(munin_t)
|
||||||
|
mta_read_queue(munin_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
mysql_read_config(munin_t)
|
||||||
|
mysql_stream_connect(munin_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
netutils_domtrans_ping(munin_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
postfix_list_spool(munin_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
rpc_search_nfs_state_data(munin_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
sendmail_read_log(munin_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
|
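Review bot: `allow munin_t self:capability { chown dac_override setgid setuid };` in the `@ -30,21 +33,25 @@` hunk gives a monitoring daemon the ability to bypass DAC on every object SELinux already permits, and the same commit widens what that covers with `logging_read_all_logs`, `domain_read_all_domains_state`, `kernel_read_all_sysctls` and, in the last hunk, `fstools_domtrans(munin_t)`, i.e. a transition into the filesystem-tools domain; none of these names the plugin that needs it. Each broad grant should carry a why-comment so it can be revisited, e.g. `# dac_override: <plugin name> reads root-only files` above the capability line and `# <plugin name> runs df/fsck helpers` above `fstools_domtrans`, and if the set of plugins is site-specific a tunable would let most deployments leave them off. In the `@ -73,30 +82,43 @@` hunk `sysnet_read_config(munin_t)` is replaced by `sysnet_exec_ifconfig(munin_t)` rather than kept alongside it; if `auth_use_nsswitch` does not cover reading the network config (I cannot confirm from this page), name resolution for the daemon regresses.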