From: "Kenton Groombridge"
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Kenton Groombridge"
Message-ID: <1676301592.e19a19f4bb6fdd3d55ee981413ee48bd34f4860a.concord@gentoo>
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/, policy/modules/system/
X-VCS-Repository: proj/hardened-refpolicy
X-VCS-Files: policy/modules/services/munin.if policy/modules/services/munin.te policy/modules/system/fstools.te
X-VCS-Directories: policy/modules/services/ policy/modules/system/
X-VCS-Committer: concord
X-VCS-Committer-Name: Kenton Groombridge
X-VCS-Revision: e19a19f4bb6fdd3d55ee981413ee48bd34f4860a
X-VCS-Branch: master
Date: Mon, 13 Feb 2023 15:35:27 +0000 (UTC)
Precedence: bulk
List-Post: List-Help: List-Unsubscribe: List-Subscribe:
List-Id: Gentoo Linux mail
X-BeenThere: gentoo-commits@lists.gentoo.org
X-Auto-Response-Suppress: DR, RN, NRN, OOF, AutoReply
X-Archives-Salt: 440060af-1fa6-442d-b129-dee2255a23cc
X-Archives-Hash: c7c33fe8e6a7e88a1c75bba5cab6cdaf

commit:     e19a19f4bb6fdd3d55ee981413ee48bd34f4860a
Author:     Corentin LABBE gmail com>
AuthorDate: Mon Dec 26 09:25:59 2022 +0000
Commit:     Kenton Groombridge gentoo org>
CommitDate: Mon Feb 13 15:19:52 2023 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=e19a19f4

munin: disk-plugin: transition to fsadm

The smart_ plugin currently executes smartctl in the disk_munin_plugin_t domain, but a lot of rules are still missing for a correct smartctl execution. Instead of duplicating most of the fsadm rules, it is easier to transition to the correct domain.

Signed-off-by: Corentin LABBE gmail.com>
Signed-off-by: Kenton Groombridge gentoo.org>

 policy/modules/services/munin.if | 17 +++++++++++++++++
 policy/modules/services/munin.te |  6 +++---
 policy/modules/system/fstools.te |  4 ++++
 3 files changed, 24 insertions(+), 3 deletions(-)
diff --git a/policy/modules/services/munin.if b/policy/modules/services/munin.if index 9cf4cb20e..de654d4ea 100644 --- a/policy/modules/services/munin.if +++ b/policy/modules/services/munin.if @@ -189,3 +189,20 @@ interface(`munin_admin',` admin_pattern($1, httpd_munin_content_t) ') + +######################################## +## +## Permit to read/write Munin TCP sockets +## +## +## +## Domain allowed access. +## +## +# +interface(`munin_rw_tcp_sockets',` + gen_require(` + type munin_t; + ') + allow $1 munin_t:tcp_socket rw_socket_perms; +') diff --git a/policy/modules/services/munin.te b/policy/modules/services/munin.te index 2e6b1542a..9fc77c8e9 100644 --- a/policy/modules/services/munin.te +++ b/policy/modules/services/munin.te @@ -52,8 +52,6 @@ munin_plugin_template(unconfined) allow munin_plugin_domain self:process signal; allow munin_plugin_domain self:fifo_file rw_fifo_file_perms; -allow munin_plugin_domain munin_t:tcp_socket rw_socket_perms; - read_lnk_files_pattern(munin_plugin_domain, munin_etc_t, munin_etc_t) allow munin_plugin_domain munin_exec_t:file read_file_perms; @@ -79,6 +77,8 @@ fs_getattr_all_fs(munin_plugin_domain) miscfiles_read_localization(munin_plugin_domain) +munin_rw_tcp_sockets(munin_plugin_domain) + optional_policy(` nscd_use(munin_plugin_domain) ') @@ -260,7 +260,7 @@ optional_policy(` ') optional_policy(` - fstools_exec(disk_munin_plugin_t) + fstools_domtrans(disk_munin_plugin_t) ') #################################### diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te index 3d5525cc4..079aacad3 100644 --- a/policy/modules/system/fstools.te +++ b/policy/modules/system/fstools.te @@ -208,6 +208,10 @@ optional_policy(` modutils_read_module_deps(fsadm_t) ') +optional_policy(` + munin_rw_tcp_sockets(fsadm_t) +') + optional_policy(` nis_use_ypbind(fsadm_t) ')
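Review bot: in the munin.if hunk the new interface is appended after `munin_admin`, but refpolicy convention keeps the `*_admin` interface last in each .if file, so `munin_rw_tcp_sockets` should go before `munin_admin`, ordered with the other access interfaces. The summary "Permit to read/write Munin TCP sockets" should also follow the usual imperative form, e.g. "Read and write Munin TCP sockets.", and the doc block as shown carries no `<summary>` / `<param name="domain">` markup around "Domain allowed access."; if that was lost in mail transit nothing is needed, but if the patch itself lacks it the policy documentation generator will not pick up the parameter description.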
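Review bot: in the first munin.te hunk (@@ -52,8 +52,6 @@), dropping `allow munin_plugin_domain munin_t:tcp_socket rw_socket_perms;` leaves every plugin domain without access to the munin_t socket unless the matching `munin_rw_tcp_sockets(munin_plugin_domain)` call lands with it; the two hunks are in the same file and commit, so the net permission set for munin_plugin_domain is unchanged, but the commit message should state that this part is a pure refactor so nobody bisects it as a behaviour change.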
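Review bot: in the second munin.te hunk (@@ -79,6 +77,8 @@), `munin_rw_tcp_sockets(munin_plugin_domain)` is placed after `miscfiles_read_localization(munin_plugin_domain)` among the calls into other modules, whereas refpolicy style puts rules on the module's own types as direct `allow` statements near the top of the block (where the removed line sat, next to `allow munin_plugin_domain self:fifo_file rw_fifo_file_perms;`). Calling the module's own interface from inside munin.te is unusual; keeping the direct allow rule here and adding the interface only for fstools.te would be the smaller, more conventional change.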
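Review bot: in the third munin.te hunk (@@ -260,7 +260,7 @@), replacing `fstools_exec(disk_munin_plugin_t)` with `fstools_domtrans(disk_munin_plugin_t)` means smartctl now runs as fsadm_t, a considerably broader domain than disk_munin_plugin_t; that is the stated intent, but the message should say explicitly that the plugin's smartctl child is no longer confined to the plugin domain. Also check that fsadm_t can use what it inherits from the plugin: the fstools.te hunk covers the munin_t TCP socket, but the plugin's stdout pipe (the `self:fifo_file` that munin_plugin_domain is granted in the first hunk) and fd use by fsadm_t are not visible in this diff, so run the disk plugin under the new policy and confirm there are no fsadm_t denials on fifo_file or fd before merging.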
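Review bot: in the fstools.te hunk, `munin_rw_tcp_sockets(fsadm_t)` grants every fsadm_t process, not only one spawned by the munin disk plugin, read/write on munin_t TCP sockets. Since a process can only reach such a socket through an inherited or passed descriptor the exposure is limited, but a one-line comment above the new optional_policy block stating that it is for the socket inherited from disk_munin_plugin_t's smartctl would make the rationale clear to the next reader. Placement between the modutils and nis blocks keeps the alphabetical order, good.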