From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) by finch.gentoo.org (Postfix) with ESMTP id 8CDA3138825 for ; Tue, 11 Nov 2014 13:23:29 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id A845BE08F7; Tue, 11 Nov 2014 13:23:27 +0000 (UTC) Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id 2B70BE08F7 for ; Tue, 11 Nov 2014 13:23:27 +0000 (UTC) Received: from oystercatcher.gentoo.org (oystercatcher.gentoo.org [148.251.78.52]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id E3866340439 for ; Tue, 11 Nov 2014 13:23:25 +0000 (UTC) Received: from localhost.localdomain (localhost [127.0.0.1]) by oystercatcher.gentoo.org (Postfix) with ESMTP id 8ABDE9EB0 for ; Tue, 11 Nov 2014 13:23:24 +0000 (UTC) 
From: "Sven Vermeulen" To: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: 8bit Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Sven Vermeulen" Message-ID: <1415712023.895d9f5db7c868d47665873f5ac4081fce64c906.swift@gentoo> Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: man/man8/, policy/modules/contrib/ X-VCS-Repository: proj/hardened-refpolicy X-VCS-Files: man/man8/munin_selinux.8 policy/modules/contrib/munin.rst X-VCS-Directories: policy/modules/contrib/ man/man8/ X-VCS-Committer: swift X-VCS-Committer-Name: Sven Vermeulen X-VCS-Revision: 895d9f5db7c868d47665873f5ac4081fce64c906 X-VCS-Branch: master Date: Tue, 11 Nov 2014 13:23:24 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org X-Archives-Salt: 8d2412aa-3260-4f7a-a403-92e92d0490f3 X-Archives-Hash: a41d7e062f914e68f469db90194590ce commit: 895d9f5db7c868d47665873f5ac4081fce64c906 Author: Sven Vermeulen siphos be> AuthorDate: Tue Nov 11 13:20:23 2014 +0000 Commit: Sven Vermeulen gentoo org> CommitDate: Tue Nov 11 13:20:23 2014 +0000 URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=895d9f5d Add manual pages for munin SELinux policy, supports bug #526532 --- man/man8/munin_selinux.8 | 177 +++++++++++++++++++++++++++++++++++++++ policy/modules/contrib/munin.rst | 130 ++++++++++++++++++++++++++++ 2 files changed, 307 insertions(+) diff --git a/man/man8/munin_selinux.8 b/man/man8/munin_selinux.8 new file mode 100644 index 0000000..99507b6 --- /dev/null +++ b/man/man8/munin_selinux.8 
@@ -0,0 +1,177 @@ +.\" Man page generated from reStructuredText. +. +.TH MUNIN_SELINUX 8 "2014-11-11" "" "SELinux" +.SH NAME +munin_selinux \- SELinux policy module for Munin +. +.nr rst2man-indent-level 0 +. +.de1 rstReportMargin +\\$1 \\n[an-margin] +level \\n[rst2man-indent-level] +level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] +- +\\n[rst2man-indent0] +\\n[rst2man-indent1] +\\n[rst2man-indent2] +.. +.de1 INDENT +.\" .rstReportMargin pre: +. RS \\$1 +. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin] +. nr rst2man-indent-level +1 +.\" .rstReportMargin post: +.. +.de UNINDENT +. RE +.\" indent \\n[an-margin] +.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]] +.nr rst2man-indent-level -1 +.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] +.in \\n[rst2man-indent\\n[rst2man-indent-level]]u +.. +.SH DESCRIPTION +.sp +The \fImunin\fP SELinux module supports the Munin networked resource management +tool. +.SH DOMAINS +.sp +The following is a list of munin related domains. +.INDENT 0.0 +.TP +.B munin_t +is the main domain for the munin daemon +.TP +.B \(aq*\(aq_munin_plugin_t +is a set of domains related to the munin plugins +.UNINDENT +.SH LOCATIONS +.sp +The following list of locations identify file resources that are used by the +munin domains. They are by default allocated towards the default locations for +munin, so if you use a different location, you will need to properly address +this. You can do so through \fBsemanage\fP, like so: +.INDENT 0.0 +.INDENT 3.5 +.sp +.nf +.ft C +semanage fcontext \-a \-t system_cron_spool_t "/usr/local/share/munin/plugins(/.*)?" +.ft P +.fi +.UNINDENT +.UNINDENT +.sp +The above example marks the \fI/usr/local/share/munin/plugins\fP location as the location where +munin plugin executables are stored. 
+.SS FUNCTIONAL +.INDENT 0.0 +.TP +.B munin_etc_t +is used for the munin configuration files +.UNINDENT +.SS EXECUTABLES +.INDENT 0.0 +.TP +.B munin_exec_t +is used for the munin binaries +.TP +.B munin_initrc_exec_t +is used for the munin init script +.TP +.B \(aq*\(aq_munin_plugin_exec_t +is used for the munin plugin executables +.UNINDENT +.SS DAEMON FILES +.INDENT 0.0 +.TP +.B munin_log_t +is used for the munin logs +.TP +.B munin_plugin_state_t +is used for the munin plugin state information +.TP +.B munin_var_lib_t +is used for the variable information used by munin +.TP +.B munin_var_run_t +is used for the variable runtime state information of munin +.UNINDENT +.SH POLICY +.sp +The following interfaces can be used to enhance the default policy with +munin\-related provileges. More details on these interfaces can be found in the +interface HTML documentation, we will not list all available interfaces here. +.SS Plugin template +.sp +With the \fBmunin_plugin_template\fP interface, additional munin plugin domains +can be created. The interface takes a single prefix (like "disk") and will create +the proper types and privileges, including (using "disk" as the example): +.INDENT 0.0 +.IP \(bu 2 +\fIdisk_munin_plugin_t\fP as plugin domain +.IP \(bu 2 +\fIdisk_munin_plugin_exec_t\fP as plugin executable type +.IP \(bu 2 +\fIdisk_munin_plugin_tmp_t\fP as plugin temporary file type +.UNINDENT +.sp +To enable it: +.INDENT 0.0 +.INDENT 3.5 +.sp +.nf +.ft C +munin_plugin_template(disk) +.ft P +.fi +.UNINDENT +.UNINDENT +.SS Administrative role +.sp +The \fBmunin_admin\fP interface grants a user role and type administrative access +to the munin types: +.INDENT 0.0 +.INDENT 3.5 +.sp +.nf +.ft C +munin_admin(myuser_t, myuser_r) +.ft P +.fi +.UNINDENT +.UNINDENT +.SH BUGS +.SS Munin +.sp +The \fBnet\-analyzer/munin\fP package deploys the munin cronjobs as end user +cronjobs inside \fB/var/spool/cron/crontabs\fP\&. 
The munin cronjobs are meant to +be executed as the munin Linux account, but the jobs themselves are best seen +as system cronjobs (as they are not related to a true interactive end user). +.sp +The default deployed files do not get the \fIsystem_u\fP SELinux ownership +assigned. To fix this, execute the following command: +.INDENT 0.0 +.INDENT 3.5 +.sp +.nf +.ft C +~# chcon \-u system_u /var/spool/cron/crontabs/munin +.ft P +.fi +.UNINDENT +.UNINDENT +.sp +For more information, see bug #526532. +.SH SEE ALSO +.INDENT 0.0 +.IP \(bu 2 +Gentoo and SELinux at \fI\%https://wiki.gentoo.org/wiki/SELinux\fP +.IP \(bu 2 +Gentoo Hardened SELinux Project at +\fI\%https://wiki.gentoo.org/wiki/Project:Hardened\fP +.UNINDENT +.SH AUTHOR +Sven Vermeulen +.\" Generated by docutils manpage writer. +. diff --git a/policy/modules/contrib/munin.rst b/policy/modules/contrib/munin.rst new file mode 100644 index 0000000..3819024 --- /dev/null +++ b/policy/modules/contrib/munin.rst 
@@ -0,0 +1,130 @@ +============= +munin_selinux +============= + +------------------------------- +SELinux policy module for Munin +------------------------------- + +:Author: Sven Vermeulen +:Date: 2014-11-11 +:Manual section: 8 +:Manual group: SELinux + +DESCRIPTION +=========== + +The *munin* SELinux module supports the Munin networked resource management +tool. + +DOMAINS +======= + +The following is a list of munin related domains. + +munin_t + is the main domain for the munin daemon + +'*'_munin_plugin_t + is a set of domains related to the munin plugins + +LOCATIONS +========= + +The following list of locations identify file resources that are used by the +munin domains. They are by default allocated towards the default locations for +munin, so if you use a different location, you will need to properly address +this. You can do so through ``semanage``, like so:: + + semanage fcontext -a -t system_cron_spool_t "/usr/local/share/munin/plugins(/.*)?" + +The above example marks the */usr/local/share/munin/plugins* location as the location where +munin plugin executables are stored. + +FUNCTIONAL +---------- + +munin_etc_t + is used for the munin configuration files + +EXECUTABLES +----------- + +munin_exec_t + is used for the munin binaries + +munin_initrc_exec_t + is used for the munin init script + +'*'_munin_plugin_exec_t + is used for the munin plugin executables + +DAEMON FILES +------------ + +munin_log_t + is used for the munin logs + +munin_plugin_state_t + is used for the munin plugin state information + +munin_var_lib_t + is used for the variable information used by munin + +munin_var_run_t + is used for the variable runtime state information of munin + +POLICY +====== + +The following interfaces can be used to enhance the default policy with +munin-related provileges. More details on these interfaces can be found in the +interface HTML documentation, we will not list all available interfaces here. 
+ +Plugin template +--------------- + +With the ``munin_plugin_template`` interface, additional munin plugin domains +can be created. The interface takes a single prefix (like "disk") and will create +the proper types and privileges, including (using "disk" as the example): + +* *disk_munin_plugin_t* as plugin domain +* *disk_munin_plugin_exec_t* as plugin executable type +* *disk_munin_plugin_tmp_t* as plugin temporary file type + +To enable it:: + + munin_plugin_template(disk) + +Administrative role +------------------- + +The ``munin_admin`` interface grants a user role and type administrative access +to the munin types:: + + munin_admin(myuser_t, myuser_r) + +BUGS +==== + +Munin +----- + +The ``net-analyzer/munin`` package deploys the munin cronjobs as end user +cronjobs inside ``/var/spool/cron/crontabs``. The munin cronjobs are meant to +be executed as the munin Linux account, but the jobs themselves are best seen +as system cronjobs (as they are not related to a true interactive end user). + +The default deployed files do not get the *system_u* SELinux ownership +assigned. To fix this, execute the following command:: + + ~# chcon -u system_u /var/spool/cron/crontabs/munin + +For more information, see bug #526532. + +SEE ALSO +======== + +* Gentoo and SELinux at https://wiki.gentoo.org/wiki/SELinux +* Gentoo Hardened SELinux Project at + https://wiki.gentoo.org/wiki/Project:Hardened
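Review bot: the LOCATIONS example in the munin_selinux.8 hunk labels the plugin directory with the wrong type. `semanage fcontext -a -t system_cron_spool_t "/usr/local/share/munin/plugins(/.*)?"` assigns a cron spool type, yet the sentence right after it says this marks the location where munin plugin executables are stored, and the EXECUTABLES section of the same page documents plugin executables as '*'_munin_plugin_exec_t (the Plugin template section gives disk_munin_plugin_exec_t as the concrete instance). Put one of the plugin executable types in the example, and add the follow-up `restorecon -R /usr/local/share/munin/plugins` step, since semanage only records the rule and does not relabel files already on disk. Two smaller points: "system_u SELinux ownership" in BUGS should read "SELinux user", since system_u is the user field of the security context rather than file ownership; and because this roff file is generated from munin.rst (see the header comment), fix the source and regenerate rather than editing the .8 by hand, so the two do not drift apart.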
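Review bot: in the munin.rst hunk the POLICY paragraph has a typo, `munin-related provileges` should be `privileges`, and `The following list of locations identify` should be `identifies`. In BUGS, the suggested `~# chcon -u system_u /var/spool/cron/crontabs/munin` is a one-off change: any relabel that resets the user field (restorecon -F, or a full filesystem relabel) will revert it, so the text should say the command is a temporary workaround and that the lasting fix is for the package to install the crontab with the right context, or a file context rule that carries the SELinux user (semanage fcontext accepts one with its -s option). The LOCATIONS example's `-t system_cron_spool_t` also contradicts the EXECUTABLES section in this file, and since the manual page is generated from this rst, this is the place to correct it.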