commit: e19a19f4bb6fdd3d55ee981413ee48bd34f4860a
Author: Corentin LABBE <clabbe.montjoie <AT> gmail <DOT> com>
AuthorDate: Mon Dec 26 09:25:59 2022 +0000
Commit: Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Mon Feb 13 15:19:52 2023 +0000
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=e19a19f4
munin: disk-plugin: transition to fsadm
smart_ plugin currently execute smartctl on the disk_munin_plugin_t domain.
But lot of rules are still missing for a correct smartctl execution.
Instead of duplicating most of all fsadm rules, it is easier to transition to
the correct domain.
Signed-off-by: Corentin LABBE <clabbe.montjoie <AT> gmail.com>
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>
policy/modules/services/munin.if | 17 +++++++++++++++++
policy/modules/services/munin.te | 6 +++---
policy/modules/system/fstools.te | 4 ++++
3 files changed, 24 insertions(+), 3 deletions(-)
diff --git a/policy/modules/services/munin.if b/policy/modules/services/munin.if
index 9cf4cb20e..de654d4ea 100644
--- a/policy/modules/services/munin.if
+++ b/policy/modules/services/munin.if
@@ -189,3 +189,20 @@ interface(`munin_admin',`
admin_pattern($1, httpd_munin_content_t)
')
+
+########################################
+## <summary>
+## Permit to read/write Munin TCP sockets
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`munin_rw_tcp_sockets',`
+ gen_require(`
+ type munin_t;
+ ')
+ allow $1 munin_t:tcp_socket rw_socket_perms;
+')
diff --git a/policy/modules/services/munin.te b/policy/modules/services/munin.te
index 2e6b1542a..9fc77c8e9 100644
--- a/policy/modules/services/munin.te
+++ b/policy/modules/services/munin.te
@@ -52,8 +52,6 @@ munin_plugin_template(unconfined)
allow munin_plugin_domain self:process signal;
allow munin_plugin_domain self:fifo_file rw_fifo_file_perms;
-allow munin_plugin_domain munin_t:tcp_socket rw_socket_perms;
-
read_lnk_files_pattern(munin_plugin_domain, munin_etc_t, munin_etc_t)
allow munin_plugin_domain munin_exec_t:file read_file_perms;
@@ -79,6 +77,8 @@ fs_getattr_all_fs(munin_plugin_domain)
miscfiles_read_localization(munin_plugin_domain)
+munin_rw_tcp_sockets(munin_plugin_domain)
+
optional_policy(`
nscd_use(munin_plugin_domain)
')
@@ -260,7 +260,7 @@ optional_policy(`
')
optional_policy(`
- fstools_exec(disk_munin_plugin_t)
+ fstools_domtrans(disk_munin_plugin_t)
')
####################################
diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te
index 3d5525cc4..079aacad3 100644
--- a/policy/modules/system/fstools.te
+++ b/policy/modules/system/fstools.te
@@ -208,6 +208,10 @@ optional_policy(`
modutils_read_module_deps(fsadm_t)
')
+optional_policy(`
+ munin_rw_tcp_sockets(fsadm_t)
+')
+
optional_policy(`
nis_use_ypbind(fsadm_t)
')
