68ac47d8c5
Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes.
346 lines
8.5 KiB
Plaintext
346 lines
8.5 KiB
Plaintext
policy_module(munin, 1.8.0)
|
|
|
|
########################################
|
|
#
|
|
# Declarations
|
|
#
|
|
|
|
attribute munin_plugin_domain;
|
|
|
|
type munin_t alias lrrd_t;
|
|
type munin_exec_t alias lrrd_exec_t;
|
|
init_daemon_domain(munin_t, munin_exec_t)
|
|
|
|
type munin_etc_t alias lrrd_etc_t;
|
|
files_config_file(munin_etc_t)
|
|
|
|
type munin_initrc_exec_t;
|
|
init_script_file(munin_initrc_exec_t)
|
|
|
|
type munin_log_t alias lrrd_log_t;
|
|
logging_log_file(munin_log_t)
|
|
|
|
type munin_tmp_t alias lrrd_tmp_t;
|
|
files_tmp_file(munin_tmp_t)
|
|
|
|
type munin_var_lib_t alias lrrd_var_lib_t;
|
|
files_type(munin_var_lib_t)
|
|
|
|
type munin_plugin_state_t;
|
|
files_type(munin_plugin_state_t)
|
|
|
|
type munin_var_run_t alias lrrd_var_run_t;
|
|
files_pid_file(munin_var_run_t)
|
|
|
|
munin_plugin_template(disk)
|
|
|
|
munin_plugin_template(mail)
|
|
|
|
munin_plugin_template(services)
|
|
|
|
munin_plugin_template(system)
|
|
|
|
########################################
|
|
#
|
|
# Local policy
|
|
#
|
|
|
|
allow munin_t self:capability { chown dac_override setgid setuid sys_rawio };
|
|
dontaudit munin_t self:capability sys_tty_config;
|
|
allow munin_t self:process { getsched setsched signal_perms };
|
|
allow munin_t self:unix_stream_socket { create_stream_socket_perms connectto };
|
|
allow munin_t self:unix_dgram_socket { create_socket_perms sendto };
|
|
allow munin_t self:tcp_socket create_stream_socket_perms;
|
|
allow munin_t self:udp_socket create_socket_perms;
|
|
allow munin_t self:fifo_file manage_fifo_file_perms;
|
|
|
|
allow munin_t munin_etc_t:dir list_dir_perms;
|
|
read_files_pattern(munin_t, munin_etc_t, munin_etc_t)
|
|
read_lnk_files_pattern(munin_t, munin_etc_t, munin_etc_t)
|
|
files_search_etc(munin_t)
|
|
|
|
can_exec(munin_t, munin_exec_t)
|
|
|
|
manage_dirs_pattern(munin_t, munin_log_t, munin_log_t)
|
|
manage_files_pattern(munin_t, munin_log_t, munin_log_t)
|
|
logging_log_filetrans(munin_t, munin_log_t, { file dir })
|
|
|
|
manage_dirs_pattern(munin_t, munin_tmp_t, munin_tmp_t)
|
|
manage_files_pattern(munin_t, munin_tmp_t, munin_tmp_t)
|
|
manage_sock_files_pattern(munin_t, munin_tmp_t, munin_tmp_t)
|
|
files_tmp_filetrans(munin_t, munin_tmp_t, { file dir sock_file })
|
|
|
|
# Allow access to the munin databases
|
|
manage_dirs_pattern(munin_t, munin_var_lib_t, munin_var_lib_t)
|
|
manage_files_pattern(munin_t, munin_var_lib_t, munin_var_lib_t)
|
|
manage_lnk_files_pattern(munin_t, munin_var_lib_t, munin_var_lib_t)
|
|
files_search_var_lib(munin_t)
|
|
|
|
manage_dirs_pattern(munin_t, munin_var_run_t, munin_var_run_t)
|
|
manage_files_pattern(munin_t, munin_var_run_t, munin_var_run_t)
|
|
manage_sock_files_pattern(munin_t, munin_var_run_t, munin_var_run_t)
|
|
files_pid_filetrans(munin_t, munin_var_run_t, { file dir })
|
|
|
|
read_files_pattern(munin_t, munin_plugin_state_t, munin_plugin_state_t)
|
|
|
|
kernel_read_system_state(munin_t)
|
|
kernel_read_network_state(munin_t)
|
|
kernel_read_all_sysctls(munin_t)
|
|
|
|
corecmd_exec_bin(munin_t)
|
|
corecmd_exec_shell(munin_t)
|
|
|
|
corenet_all_recvfrom_unlabeled(munin_t)
|
|
corenet_all_recvfrom_netlabel(munin_t)
|
|
corenet_tcp_sendrecv_generic_if(munin_t)
|
|
corenet_udp_sendrecv_generic_if(munin_t)
|
|
corenet_tcp_sendrecv_generic_node(munin_t)
|
|
corenet_udp_sendrecv_generic_node(munin_t)
|
|
corenet_tcp_sendrecv_all_ports(munin_t)
|
|
corenet_udp_sendrecv_all_ports(munin_t)
|
|
corenet_tcp_bind_generic_node(munin_t)
|
|
corenet_tcp_bind_munin_port(munin_t)
|
|
corenet_tcp_connect_munin_port(munin_t)
|
|
corenet_tcp_connect_http_port(munin_t)
|
|
|
|
dev_read_sysfs(munin_t)
|
|
dev_read_urand(munin_t)
|
|
|
|
domain_use_interactive_fds(munin_t)
|
|
domain_read_all_domains_state(munin_t)
|
|
|
|
files_read_etc_files(munin_t)
|
|
files_read_etc_runtime_files(munin_t)
|
|
files_read_usr_files(munin_t)
|
|
files_list_spool(munin_t)
|
|
|
|
fs_getattr_all_fs(munin_t)
|
|
fs_search_auto_mountpoints(munin_t)
|
|
|
|
auth_use_nsswitch(munin_t)
|
|
|
|
logging_send_syslog_msg(munin_t)
|
|
logging_read_all_logs(munin_t)
|
|
|
|
miscfiles_read_fonts(munin_t)
|
|
miscfiles_read_localization(munin_t)
|
|
miscfiles_setattr_fonts_cache_dirs(munin_t)
|
|
|
|
sysnet_exec_ifconfig(munin_t)
|
|
|
|
userdom_dontaudit_use_unpriv_user_fds(munin_t)
|
|
userdom_dontaudit_search_user_home_dirs(munin_t)
|
|
|
|
optional_policy(`
|
|
apache_content_template(munin)
|
|
|
|
manage_dirs_pattern(munin_t, httpd_munin_content_t, httpd_munin_content_t)
|
|
manage_files_pattern(munin_t, httpd_munin_content_t, httpd_munin_content_t)
|
|
apache_search_sys_content(munin_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
cron_system_entry(munin_t, munin_exec_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
fstools_domtrans(munin_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
lpd_domtrans_lpr(munin_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
mta_read_config(munin_t)
|
|
mta_send_mail(munin_t)
|
|
mta_list_queue(munin_t)
|
|
mta_read_queue(munin_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
mysql_read_config(munin_t)
|
|
mysql_stream_connect(munin_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
netutils_domtrans_ping(munin_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
postfix_list_spool(munin_t)
|
|
postfix_getattr_spool_files(munin_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
rpc_search_nfs_state_data(munin_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
sendmail_read_log(munin_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
seutil_sigchld_newrole(munin_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
udev_read_db(munin_t)
|
|
')
|
|
|
|
###################################
|
|
#
|
|
# local policy for disk plugins
|
|
#
|
|
|
|
allow munin_disk_plugin_t self:capability { sys_admin sys_rawio };
|
|
allow disk_munin_plugin_t self:tcp_socket create_stream_socket_perms;
|
|
|
|
rw_files_pattern(disk_munin_plugin_t, munin_var_lib_t, munin_var_lib_t)
|
|
|
|
corecmd_exec_shell(disk_munin_plugin_t)
|
|
|
|
corenet_tcp_connect_hddtemp_port(disk_munin_plugin_t)
|
|
|
|
files_read_etc_runtime_files(disk_munin_plugin_t)
|
|
|
|
dev_getattr_lvm_control(disk_munin_plugin_t)
|
|
dev_read_sysfs(disk_munin_plugin_t)
|
|
dev_read_urand(disk_munin_plugin_t)
|
|
|
|
storage_raw_read_fixed_disk(disk_munin_plugin_t)
|
|
|
|
sysnet_read_config(disk_munin_plugin_t)
|
|
|
|
optional_policy(`
|
|
hddtemp_exec(disk_munin_plugin_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
fstools_exec(disk_munin_plugin_t)
|
|
')
|
|
|
|
####################################
|
|
#
|
|
# local policy for mail plugins
|
|
#
|
|
|
|
allow mail_munin_plugin_t self:capability dac_override;
|
|
|
|
rw_files_pattern(mail_munin_plugin_t, munin_var_lib_t, munin_var_lib_t)
|
|
|
|
dev_read_urand(mail_munin_plugin_t)
|
|
|
|
logging_read_generic_logs(mail_munin_plugin_t)
|
|
|
|
mta_read_config(mail_munin_plugin_t)
|
|
mta_send_mail(mail_munin_plugin_t)
|
|
mta_list_queue(mail_munin_plugin_t)
|
|
mta_read_queue(mail_munin_plugin_t)
|
|
|
|
optional_policy(`
|
|
postfix_read_config(mail_munin_plugin_t)
|
|
postfix_list_spool(mail_munin_plugin_t)
|
|
postfix_getattr_spool_files(mail_munin_plugin_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
sendmail_read_log(mail_munin_plugin_t)
|
|
')
|
|
|
|
###################################
|
|
#
|
|
# local policy for service plugins
|
|
#
|
|
|
|
allow services_munin_plugin_t self:tcp_socket create_stream_socket_perms;
|
|
allow services_munin_plugin_t self:udp_socket create_socket_perms;
|
|
allow services_munin_plugin_t self:netlink_route_socket r_netlink_socket_perms;
|
|
|
|
corenet_tcp_connect_all_ports(services_munin_plugin_t)
|
|
corenet_tcp_connect_http_port(services_munin_plugin_t)
|
|
|
|
dev_read_urand(services_munin_plugin_t)
|
|
dev_read_rand(services_munin_plugin_t)
|
|
|
|
sysnet_read_config(services_munin_plugin_t)
|
|
|
|
optional_policy(`
|
|
cups_stream_connect(services_munin_plugin_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
lpd_exec_lpr(services_munin_plugin_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
mysql_read_config(services_munin_plugin_t)
|
|
mysql_stream_connect(services_munin_plugin_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
netutils_domtrans_ping(services_munin_plugin_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
postgresql_stream_connect(services_munin_plugin_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
snmp_read_snmp_var_lib_files(services_munin_plugin_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
varnishd_read_lib_files(services_munin_plugin_t)
|
|
')
|
|
|
|
##################################
|
|
#
|
|
# local policy for system plugins
|
|
#
|
|
|
|
allow system_munin_plugin_t self:udp_socket create_socket_perms;
|
|
|
|
rw_files_pattern(system_munin_plugin_t, munin_var_lib_t, munin_var_lib_t)
|
|
|
|
kernel_read_network_state(system_munin_plugin_t)
|
|
kernel_read_all_sysctls(system_munin_plugin_t)
|
|
|
|
dev_read_sysfs(system_munin_plugin_t)
|
|
dev_read_urand(system_munin_plugin_t)
|
|
|
|
domain_read_all_domains_state(system_munin_plugin_t)
|
|
|
|
# needed by users plugin
|
|
init_read_utmp(system_munin_plugin_t)
|
|
|
|
sysnet_exec_ifconfig(system_munin_plugin_t)
|
|
|
|
term_getattr_unallocated_ttys(system_munin_plugin_t)
|
|
term_getattr_all_ptys(system_munin_plugin_t)
|
|
|
|
################################
|
|
#
|
|
# local policy for munin plugin domains
|
|
#
|
|
|
|
allow munin_plugin_domain munin_exec_t:file read_file_perms;
|
|
allow munin_plugin_domain munin_t:tcp_socket rw_socket_perms;
|
|
|
|
# creates plugin state files
|
|
manage_files_pattern(munin_plugin_domain, munin_plugin_state_t, munin_plugin_state_t)
|
|
|
|
read_lnk_files_pattern(munin_plugin_domain, munin_etc_t, munin_etc_t)
|
|
|
|
kernel_read_system_state(munin_plugin_domain)
|
|
|
|
corecmd_exec_bin(munin_plugin_domain)
|
|
corecmd_exec_shell(munin_plugin_domain)
|
|
|
|
files_read_etc_files(munin_plugin_domain)
|
|
files_read_usr_files(munin_plugin_domain)
|
|
|
|
fs_getattr_all_fs(munin_plugin_domain)
|
|
|
|
miscfiles_read_localization(munin_plugin_domain)
|