* [gentoo-commits] proj/hardened-refpolicy:master commit in: man/man8/, policy/modules/contrib/
@ 2014-11-11 13:23 Sven Vermeulen
From: Sven Vermeulen @ 2014-11-11 13:23 UTC
To: gentoo-commits
commit: 895d9f5db7c868d47665873f5ac4081fce64c906
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Tue Nov 11 13:20:23 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Tue Nov 11 13:20:23 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=895d9f5d
Add manual pages for munin SELinux policy, supports bug #526532
---
man/man8/munin_selinux.8 | 177 +++++++++++++++++++++++++++++++++++++++
policy/modules/contrib/munin.rst | 130 ++++++++++++++++++++++++++++
2 files changed, 307 insertions(+)
diff --git a/man/man8/munin_selinux.8 b/man/man8/munin_selinux.8
new file mode 100644
index 0000000..99507b6
--- /dev/null
+++ b/man/man8/munin_selinux.8
@@ -0,0 +1,177 @@
+.\" Man page generated from reStructuredText.
+.
+.TH MUNIN_SELINUX 8 "2014-11-11" "" "SELinux"
+.SH NAME
+munin_selinux \- SELinux policy module for Munin
+.
+.nr rst2man-indent-level 0
+.
+.de1 rstReportMargin
+\\$1 \\n[an-margin]
+level \\n[rst2man-indent-level]
+level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
+-
+\\n[rst2man-indent0]
+\\n[rst2man-indent1]
+\\n[rst2man-indent2]
+..
+.de1 INDENT
+.\" .rstReportMargin pre:
+. RS \\$1
+. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
+. nr rst2man-indent-level +1
+.\" .rstReportMargin post:
+..
+.de UNINDENT
+. RE
+.\" indent \\n[an-margin]
+.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.nr rst2man-indent-level -1
+.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
+..
+.SH DESCRIPTION
+.sp
+The \fImunin\fP SELinux module supports the Munin networked resource management
+tool.
+.SH DOMAINS
+.sp
+The following is a list of munin related domains.
+.INDENT 0.0
+.TP
+.B munin_t
+is the main domain for the munin daemon
+.TP
+.B \(aq*\(aq_munin_plugin_t
+is a set of domains related to the munin plugins
+.UNINDENT
+.SH LOCATIONS
+.sp
+The following list of locations identify file resources that are used by the
+munin domains. They are by default allocated towards the default locations for
+munin, so if you use a different location, you will need to properly address
+this. You can do so through \fBsemanage\fP, like so:
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+semanage fcontext \-a \-t system_cron_spool_t "/usr/local/share/munin/plugins(/.*)?"
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+The above example marks the \fI/usr/local/share/munin/plugins\fP location as the location where
+munin plugin executables are stored.
+.SS FUNCTIONAL
+.INDENT 0.0
+.TP
+.B munin_etc_t
+is used for the munin configuration files
+.UNINDENT
+.SS EXECUTABLES
+.INDENT 0.0
+.TP
+.B munin_exec_t
+is used for the munin binaries
+.TP
+.B munin_initrc_exec_t
+is used for the munin init script
+.TP
+.B \(aq*\(aq_munin_plugin_exec_t
+is used for the munin plugin executables
+.UNINDENT
+.SS DAEMON FILES
+.INDENT 0.0
+.TP
+.B munin_log_t
+is used for the munin logs
+.TP
+.B munin_plugin_state_t
+is used for the munin plugin state information
+.TP
+.B munin_var_lib_t
+is used for the variable information used by munin
+.TP
+.B munin_var_run_t
+is used for the variable runtime state information of munin
+.UNINDENT
+.SH POLICY
+.sp
+The following interfaces can be used to enhance the default policy with
+munin\-related provileges. More details on these interfaces can be found in the
+interface HTML documentation, we will not list all available interfaces here.
+.SS Plugin template
+.sp
+With the \fBmunin_plugin_template\fP interface, additional munin plugin domains
+can be created. The interface takes a single prefix (like "disk") and will create
+the proper types and privileges, including (using "disk" as the example):
+.INDENT 0.0
+.IP \(bu 2
+\fIdisk_munin_plugin_t\fP as plugin domain
+.IP \(bu 2
+\fIdisk_munin_plugin_exec_t\fP as plugin executable type
+.IP \(bu 2
+\fIdisk_munin_plugin_tmp_t\fP as plugin temporary file type
+.UNINDENT
+.sp
+To enable it:
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+munin_plugin_template(disk)
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.SS Administrative role
+.sp
+The \fBmunin_admin\fP interface grants a user role and type administrative access
+to the munin types:
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+munin_admin(myuser_t, myuser_r)
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.SH BUGS
+.SS Munin
+.sp
+The \fBnet\-analyzer/munin\fP package deploys the munin cronjobs as end user
+cronjobs inside \fB/var/spool/cron/crontabs\fP\&. The munin cronjobs are meant to
+be executed as the munin Linux account, but the jobs themselves are best seen
+as system cronjobs (as they are not related to a true interactive end user).
+.sp
+The default deployed files do not get the \fIsystem_u\fP SELinux ownership
+assigned. To fix this, execute the following command:
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+~# chcon \-u system_u /var/spool/cron/crontabs/munin
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+For more information, see bug #526532.
+.SH SEE ALSO
+.INDENT 0.0
+.IP \(bu 2
+Gentoo and SELinux at \fI\%https://wiki.gentoo.org/wiki/SELinux\fP
+.IP \(bu 2
+Gentoo Hardened SELinux Project at
+\fI\%https://wiki.gentoo.org/wiki/Project:Hardened\fP
+.UNINDENT
+.SH AUTHOR
+Sven Vermeulen <swift@gentoo.org>
+.\" Generated by docutils manpage writer.
+.
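Review bot: the semanage example under LOCATIONS labels /usr/local/share/munin/plugins with system_cron_spool_t, yet the sentence right after it says this is where munin plugin executables are stored, and the EXECUTABLES section assigns plugin executables to '*'_munin_plugin_exec_t; a cron spool type is not one of the plugin entrypoint types, so plugins placed there would not run in their plugin domain. Suggest one of the plugin executable types instead, e.g. `semanage fcontext -a -t disk_munin_plugin_exec_t "/usr/local/share/munin/plugins(/.*)?"` (using whichever prefix the plugins belong to), followed by a restorecon of that path so the label is applied. Also, "provileges" in the POLICY section should read "privileges".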
diff --git a/policy/modules/contrib/munin.rst b/policy/modules/contrib/munin.rst
new file mode 100644
index 0000000..3819024
--- /dev/null
+++ b/policy/modules/contrib/munin.rst
@@ -0,0 +1,130 @@
+=============
+munin_selinux
+=============
+
+-------------------------------
+SELinux policy module for Munin
+-------------------------------
+
+:Author: Sven Vermeulen <swift@gentoo.org>
+:Date: 2014-11-11
+:Manual section: 8
+:Manual group: SELinux
+
+DESCRIPTION
+===========
+
+The *munin* SELinux module supports the Munin networked resource management
+tool.
+
+DOMAINS
+=======
+
+The following is a list of munin related domains.
+
+munin_t
+ is the main domain for the munin daemon
+
+'*'_munin_plugin_t
+ is a set of domains related to the munin plugins
+
+LOCATIONS
+=========
+
+The following list of locations identify file resources that are used by the
+munin domains. They are by default allocated towards the default locations for
+munin, so if you use a different location, you will need to properly address
+this. You can do so through ``semanage``, like so::
+
+ semanage fcontext -a -t system_cron_spool_t "/usr/local/share/munin/plugins(/.*)?"
+
+The above example marks the */usr/local/share/munin/plugins* location as the location where
+munin plugin executables are stored.
+
+FUNCTIONAL
+----------
+
+munin_etc_t
+ is used for the munin configuration files
+
+EXECUTABLES
+-----------
+
+munin_exec_t
+ is used for the munin binaries
+
+munin_initrc_exec_t
+ is used for the munin init script
+
+'*'_munin_plugin_exec_t
+ is used for the munin plugin executables
+
+DAEMON FILES
+------------
+
+munin_log_t
+ is used for the munin logs
+
+munin_plugin_state_t
+ is used for the munin plugin state information
+
+munin_var_lib_t
+ is used for the variable information used by munin
+
+munin_var_run_t
+ is used for the variable runtime state information of munin
+
+POLICY
+======
+
+The following interfaces can be used to enhance the default policy with
+munin-related provileges. More details on these interfaces can be found in the
+interface HTML documentation, we will not list all available interfaces here.
+
+Plugin template
+---------------
+
+With the ``munin_plugin_template`` interface, additional munin plugin domains
+can be created. The interface takes a single prefix (like "disk") and will create
+the proper types and privileges, including (using "disk" as the example):
+
+* *disk_munin_plugin_t* as plugin domain
+* *disk_munin_plugin_exec_t* as plugin executable type
+* *disk_munin_plugin_tmp_t* as plugin temporary file type
+
+To enable it::
+
+ munin_plugin_template(disk)
+
+Administrative role
+-------------------
+
+The ``munin_admin`` interface grants a user role and type administrative access
+to the munin types::
+
+ munin_admin(myuser_t, myuser_r)
+
+BUGS
+====
+
+Munin
+-----
+
+The ``net-analyzer/munin`` package deploys the munin cronjobs as end user
+cronjobs inside ``/var/spool/cron/crontabs``. The munin cronjobs are meant to
+be executed as the munin Linux account, but the jobs themselves are best seen
+as system cronjobs (as they are not related to a true interactive end user).
+
+The default deployed files do not get the *system_u* SELinux ownership
+assigned. To fix this, execute the following command::
+
+ ~# chcon -u system_u /var/spool/cron/crontabs/munin
+
+For more information, see bug #526532.
+
+SEE ALSO
+========
+
+* Gentoo and SELinux at https://wiki.gentoo.org/wiki/SELinux
+* Gentoo Hardened SELinux Project at
+ https://wiki.gentoo.org/wiki/Project:Hardened
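Review bot: this .rst is the source that munin_selinux.8 is generated from, so the two problems in it should be fixed here and the man page regenerated: the semanage example under LOCATIONS uses system_cron_spool_t for the plugin executable directory although the EXECUTABLES section says plugin executables carry a '*'_munin_plugin_exec_t type (e.g. disk_munin_plugin_exec_t), and "provileges" under POLICY should be "privileges".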
* [gentoo-commits] proj/hardened-refpolicy:master commit in: man/man8/, policy/modules/contrib/
@ 2014-11-11 13:36 Sven Vermeulen
From: Sven Vermeulen @ 2014-11-11 13:36 UTC
To: gentoo-commits
commit: 6f1b709ddb3b5e9d71ed8195849d9feb1752f9f4
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Tue Nov 11 13:35:45 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Tue Nov 11 13:35:45 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=6f1b709d
Crontab fix for munin (workaround) is in policy
---
man/man8/cron_selinux.8 | 2 +-
man/man8/munin_selinux.8 | 2 +-
policy/modules/contrib/cron.rst | 2 +-
policy/modules/contrib/munin.rst | 2 +-
4 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/man/man8/cron_selinux.8 b/man/man8/cron_selinux.8
index c3dd184..5444953 100644
--- a/man/man8/cron_selinux.8
+++ b/man/man8/cron_selinux.8
@@ -321,7 +321,7 @@ cronjobs inside \fB/var/spool/cron/crontabs\fP\&. The munin cronjobs are meant t
be executed as the munin Linux account, but the jobs themselves are best seen
as system cronjobs (as they are not related to a true interactive end user).
.sp
-The default deployed files do not get the \fIsystem_u\fP SELinux ownership
+The default deployed files might not get the \fIsystem_u\fP SELinux ownership
assigned. To fix this, execute the following command:
.INDENT 0.0
.INDENT 3.5
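Review bot: changing "do not" to "might not" leaves the reader with no way to tell whether the chcon shown in the following lines is still needed on their system. Suggest preceding the fix with a check, e.g. `ls -Z /var/spool/cron/crontabs/munin`, and stating that the chcon is only required when the user field shown is not system_u.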
diff --git a/man/man8/munin_selinux.8 b/man/man8/munin_selinux.8
index 99507b6..29eb7aa 100644
--- a/man/man8/munin_selinux.8
+++ b/man/man8/munin_selinux.8
@@ -149,7 +149,7 @@ cronjobs inside \fB/var/spool/cron/crontabs\fP\&. The munin cronjobs are meant t
be executed as the munin Linux account, but the jobs themselves are best seen
as system cronjobs (as they are not related to a true interactive end user).
.sp
-The default deployed files do not get the \fIsystem_u\fP SELinux ownership
+The default deployed files might not get the \fIsystem_u\fP SELinux ownership
assigned. To fix this, execute the following command:
.INDENT 0.0
.INDENT 3.5
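Review bot: this file carries a "Man page generated from reStructuredText" header, so hand-patching it alongside munin.rst is fragile; regenerate it from the .rst as part of the commit instead, otherwise the two copies drift the first time one is edited without the other.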
diff --git a/policy/modules/contrib/cron.rst b/policy/modules/contrib/cron.rst
index caf0977..a35c26a 100644
--- a/policy/modules/contrib/cron.rst
+++ b/policy/modules/contrib/cron.rst
@@ -268,7 +268,7 @@ cronjobs inside ``/var/spool/cron/crontabs``. The munin cronjobs are meant to
be executed as the munin Linux account, but the jobs themselves are best seen
as system cronjobs (as they are not related to a true interactive end user).
-The default deployed files do not get the *system_u* SELinux ownership
+The default deployed files might not get the *system_u* SELinux ownership
assigned. To fix this, execute the following command::
~# chcon -u system_u /var/spool/cron/crontabs/munin
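Review bot: this paragraph in cron.rst is a word-for-word copy of the Munin entry in munin.rst's BUGS section, which is why this one-word change has to be made in four files. Suggest keeping the description and the chcon workaround in munin.rst only and having cron.rst refer to munin_selinux(8), so future corrections are made once.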
diff --git a/policy/modules/contrib/munin.rst b/policy/modules/contrib/munin.rst
index 3819024..220c75e 100644
--- a/policy/modules/contrib/munin.rst
+++ b/policy/modules/contrib/munin.rst
@@ -115,7 +115,7 @@ cronjobs inside ``/var/spool/cron/crontabs``. The munin cronjobs are meant to
be executed as the munin Linux account, but the jobs themselves are best seen
as system cronjobs (as they are not related to a true interactive end user).
-The default deployed files do not get the *system_u* SELinux ownership
+The default deployed files might not get the *system_u* SELinux ownership
assigned. To fix this, execute the following command::
~# chcon -u system_u /var/spool/cron/crontabs/munin
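Review bot: the commit message says the crontab workaround is now in policy, but the text still only says the files "might not" get system_u and then tells the reader to run chcon unconditionally. A sentence stating what the policy now handles and under which condition the manual chcon is still required would make the BUGS entry actionable.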