commit:     63a3fc2863f04cafbd4f160861133e064764b0d4
Author:     cgzones <cgzones <AT> googlemail <DOT> com>
AuthorDate: Tue Mar 14 15:01:16 2017 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Mar 30 14:00:10 2017 +0000
URL:        
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=63a3fc28

monit: add syslog access and support for monit systemd service

 policy/modules/contrib/monit.if | 8 ++++----
 policy/modules/contrib/monit.te | 3 +++
 2 files changed, 7 insertions(+), 4 deletions(-)

diff --git a/policy/modules/contrib/monit.if b/policy/modules/contrib/monit.if
index 6107ef9d..d249dfbd 100644
--- a/policy/modules/contrib/monit.if
+++ b/policy/modules/contrib/monit.if
@@ -58,10 +58,10 @@ interface(`monit_run_cli',`
 interface(`monit_reload',`
        gen_require(`
                class service { reload status };
-               type monit_initrc_exec_t;
+               type monit_initrc_exec_t, monit_unit_t;
        ')
 
-       allow $1 monit_initrc_exec_t:service { reload status };
+       allow $1 { monit_initrc_exec_t monit_unit_t }:service { reload status };
 ')
 
 ########################################
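Review bot: The `gen_require` on the new side now pulls in `monit_unit_t`, but neither monit.te hunk in this commit declares that type, so `monit_reload` only builds if `type monit_unit_t;` with `systemd_unit_file(monit_unit_t)` already exists in monit.te; a missing declaration would surface only when a caller of this interface is compiled, so it is worth confirming. The same widening of the `allow` target to `{ monit_initrc_exec_t monit_unit_t }` is made in `monit_startstop_service` in the next hunk, and this note applies there too. Both interfaces' `## <summary>` and `## <desc>` blocks sit above their hunks, outside the diff; if they still describe only the init script, they should state that the unit file is covered as well, e.g. `Allow the specified domain to reload and get the status of the monit init script or systemd unit.`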
@@ -77,10 +77,10 @@ interface(`monit_reload',`
 interface(`monit_startstop_service',`
        gen_require(`
                class service { start status stop };
-               type monit_initrc_exec_t;
+               type monit_initrc_exec_t, monit_unit_t;
        ')
 
-       allow $1 monit_initrc_exec_t:service { start status stop };
+       allow $1 { monit_initrc_exec_t monit_unit_t }:service { start status 
stop };
 ')
 
 ########################################

diff --git a/policy/modules/contrib/monit.te b/policy/modules/contrib/monit.te
index 470c44f4..feedbd7e 100644
--- a/policy/modules/contrib/monit.te
+++ b/policy/modules/contrib/monit.te
@@ -88,6 +88,7 @@ dontaudit monit_t self:capability net_admin;
 allow monit_t self:fifo_file rw_fifo_file_perms;
 allow monit_t self:rawip_socket connected_socket_perms;
 allow monit_t self:tcp_socket server_stream_socket_perms;
+allow monit_t self:unix_dgram_socket { connect create };
 
 allow monit_t monit_log_t:file { create read_file_perms append_file_perms };
 logging_log_filetrans(monit_t, monit_log_t, file)
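Review bot: The added `allow monit_t self:unix_dgram_socket { connect create };` looks redundant with the `logging_send_syslog_msg(monit_t)` call added in the next hunk, since that refpolicy interface already grants the calling domain `self:unix_dgram_socket create_socket_perms` for talking to syslog; if the two permissions are only there for syslog, the explicit rule can be dropped so the domain's self rules stay minimal. If they are needed for some other dgram use by monit, a short comment above the line naming that use, e.g. `# unix_dgram_socket for <purpose>` with the purpose filled in, would stop the next reviewer from removing it as a duplicate. The hunk ends right after the `logging_log_filetrans` call, so the rest of the self-rule block is not visible here.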
@@ -111,6 +112,8 @@ domain_read_all_domains_state(monit_t)
 
 files_read_all_pids(monit_t)
 
+logging_send_syslog_msg(monit_t)
+
 ifdef(`hide_broken_symptoms',`
        # kernel bug: https://github.com/SELinuxProject/selinux-kernel/issues/6
        dontaudit monit_t self:capability dac_override;
