public inbox for gentoo-commits@lists.gentoo.org
From: "Kenton Groombridge" <concord@gentoo.org>
To: gentoo-commits@lists.gentoo.org
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/, policy/modules/system/
Date: Mon, 13 Feb 2023 15:35:27 +0000 (UTC)	[thread overview]
Message-ID: <1676301592.e19a19f4bb6fdd3d55ee981413ee48bd34f4860a.concord@gentoo> (raw)

commit:     e19a19f4bb6fdd3d55ee981413ee48bd34f4860a
Author:     Corentin LABBE <clabbe.montjoie <AT> gmail <DOT> com>
AuthorDate: Mon Dec 26 09:25:59 2022 +0000
Commit:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Mon Feb 13 15:19:52 2023 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=e19a19f4

munin: disk-plugin: transition to fsadm

The smart_ plugin currently executes smartctl in the disk_munin_plugin_t domain.
But a lot of rules are still missing for a correct smartctl execution.
Instead of duplicating most of the fsadm rules, it is easier to transition to the correct domain.

Signed-off-by: Corentin LABBE <clabbe.montjoie <AT> gmail.com>
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>

 policy/modules/services/munin.if | 17 +++++++++++++++++
 policy/modules/services/munin.te |  6 +++---
 policy/modules/system/fstools.te |  4 ++++
 3 files changed, 24 insertions(+), 3 deletions(-)

diff --git a/policy/modules/services/munin.if b/policy/modules/services/munin.if
index 9cf4cb20e..de654d4ea 100644
--- a/policy/modules/services/munin.if
+++ b/policy/modules/services/munin.if
@@ -189,3 +189,20 @@ interface(`munin_admin',`
 
 	admin_pattern($1, httpd_munin_content_t)
 ')
+
+########################################
+## <summary>
+##	Permit to read/write Munin TCP sockets
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`munin_rw_tcp_sockets',`
+	gen_require(`
+		type munin_t;
+	')
+	allow $1 munin_t:tcp_socket rw_socket_perms;
+')
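Review bot: the new interface is appended after munin_admin, but refpolicy convention keeps the _admin interface as the last one in a .if file; move the munin_rw_tcp_sockets block above `interface(`munin_admin',`. The summary also reads awkwardly for refpolicy docs, where the usual phrasing is "Read and write Munin TCP sockets." The gen_require/allow body itself is fine and matches the rule being removed from munin.te.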

diff --git a/policy/modules/services/munin.te b/policy/modules/services/munin.te
index 2e6b1542a..9fc77c8e9 100644
--- a/policy/modules/services/munin.te
+++ b/policy/modules/services/munin.te
@@ -52,8 +52,6 @@ munin_plugin_template(unconfined)
 allow munin_plugin_domain self:process signal;
 allow munin_plugin_domain self:fifo_file rw_fifo_file_perms;
 
-allow munin_plugin_domain munin_t:tcp_socket rw_socket_perms;
-
 read_lnk_files_pattern(munin_plugin_domain, munin_etc_t, munin_etc_t)
 
 allow munin_plugin_domain munin_exec_t:file read_file_perms;
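Review bot: dropping the direct `allow munin_plugin_domain munin_t:tcp_socket rw_socket_perms;` is only a relocation, since the identical rule returns via munin_rw_tcp_sockets(munin_plugin_domain) a few lines down; both types live in this module, so calling the module's own interface from munin.te is not required and the plain allow could be kept as-is, with the new interface reserved for external callers such as fsadm_t. Not a correctness issue, just avoidable churn.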
@@ -79,6 +77,8 @@ fs_getattr_all_fs(munin_plugin_domain)
 
 miscfiles_read_localization(munin_plugin_domain)
 
+munin_rw_tcp_sockets(munin_plugin_domain)
+
 optional_policy(`
 	nscd_use(munin_plugin_domain)
 ')
@@ -260,7 +260,7 @@ optional_policy(`
 ')
 
 optional_policy(`
-	fstools_exec(disk_munin_plugin_t)
+	fstools_domtrans(disk_munin_plugin_t)
 ')
 
 ####################################
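Review bot: changing fstools_exec to fstools_domtrans means every fsadm_exec_t binary run by disk_munin_plugin_t, not only smartctl, now transitions into fsadm_t, a domain with far broader privileges than the plugin domain previously had; the commit message justifies this for the smart_ plugin alone, so state explicitly that the whole disk plugin domain gains the transition and confirm that no other disk plugin relied on running fstools binaries unprivileged in its own domain. Also check on a running munin node that the transitioned smartctl produces no remaining denials on the descriptors it inherits from the plugin (for example `fd use` on munin_t, or fifo_file permissions if plugin output goes through a pipe rather than the munin_t tcp_socket); the patch only covers the tcp_socket case.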

diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te
index 3d5525cc4..079aacad3 100644
--- a/policy/modules/system/fstools.te
+++ b/policy/modules/system/fstools.te
@@ -208,6 +208,10 @@ optional_policy(`
 	modutils_read_module_deps(fsadm_t)
 ')
 
+optional_policy(`
+	munin_rw_tcp_sockets(fsadm_t)
+')
+
 optional_policy(`
 	nis_use_ypbind(fsadm_t)
 ')
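Review bot: this grant is not scoped to the munin-initiated transition; any fsadm_t process that reaches a munin_t tcp_socket descriptor gets read/write on it. That is acceptable given the privileges fsadm_t already holds, but the reason (fsadm_t now inheriting the plugin's stdout socket from munin_t) should be spelled out in the commit message, since nothing in fstools.te otherwise hints at why a filesystem tool domain needs Munin sockets. Placement of the optional_policy block alphabetically between modutils and nis is correct.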

