Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status
aboutsummaryrefslogtreecommitdiff
path: root/policy/modules/contrib/munin.if
diff options
context:
space:
mode:
Diffstat (limited to 'policy/modules/contrib/munin.if')
-rw-r--r--policy/modules/contrib/munin.if203
1 files changed, 203 insertions, 0 deletions
diff --git a/policy/modules/contrib/munin.if b/policy/modules/contrib/munin.if
new file mode 100644
index 000000000..c358d8fb4
--- /dev/null
+++ b/policy/modules/contrib/munin.if
@@ -0,0 +1,203 @@
+## <summary>Munin network-wide load graphing (formerly LRRD)</summary>
+
+########################################
+## <summary>
+## Create a set of derived types for various
+## munin plugins,
+## </summary>
+## <param name="prefix">
+## <summary>
+## The name to be used for deriving type names.
+## </summary>
+## </param>
+#
+template(`munin_plugin_template',`
+ gen_require(`
+ type munin_t, munin_exec_t, munin_etc_t;
+ ')
+
+ type $1_munin_plugin_t;
+ type $1_munin_plugin_exec_t;
+ typealias $1_munin_plugin_t alias munin_$1_plugin_t;
+ typealias $1_munin_plugin_exec_t alias munin_$1_plugin_exec_t;
+ application_domain($1_munin_plugin_t, $1_munin_plugin_exec_t)
+ role system_r types $1_munin_plugin_t;
+
+ type $1_munin_plugin_tmp_t;
+ typealias $1_munin_plugin_tmp_t alias munin_$1_plugin_tmp_t;
+ files_tmp_file($1_munin_plugin_tmp_t)
+
+ allow $1_munin_plugin_t self:fifo_file rw_fifo_file_perms;
+
+ manage_files_pattern($1_munin_plugin_t, $1_munin_plugin_tmp_t, $1_munin_plugin_tmp_t)
+ manage_dirs_pattern($1_munin_plugin_t, $1_munin_plugin_tmp_t, $1_munin_plugin_tmp_t)
+ files_tmp_filetrans($1_munin_plugin_t, $1_munin_plugin_tmp_t, { dir file })
+
+ # automatic transition rules from munin domain
+ # to specific munin plugin domain
+ domtrans_pattern(munin_t, $1_munin_plugin_exec_t, $1_munin_plugin_t)
+
+ allow $1_munin_plugin_t munin_exec_t:file read_file_perms;
+ allow $1_munin_plugin_t munin_t:tcp_socket rw_socket_perms;
+
+ read_lnk_files_pattern($1_munin_plugin_t, munin_etc_t, munin_etc_t)
+
+ kernel_read_system_state($1_munin_plugin_t)
+
+ corecmd_exec_bin($1_munin_plugin_t)
+
+ miscfiles_read_localization($1_munin_plugin_t)
+')
+
+########################################
+## <summary>
+## Connect to munin over a unix domain
+## stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`munin_stream_connect',`
+ gen_require(`
+ type munin_var_run_t, munin_t;
+ ')
+
+ allow $1 munin_t:unix_stream_socket connectto;
+ allow $1 munin_var_run_t:sock_file { getattr write };
+ files_search_pids($1)
+')
+
+#######################################
+## <summary>
+## Read munin configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`munin_read_config',`
+ gen_require(`
+ type munin_etc_t;
+ ')
+
+ allow $1 munin_etc_t:dir list_dir_perms;
+ allow $1 munin_etc_t:file read_file_perms;
+ allow $1 munin_etc_t:lnk_file { getattr read };
+ files_search_etc($1)
+')
+
+#######################################
+## <summary>
+## Append to the munin log.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`munin_append_log',`
+ gen_require(`
+ type munin_log_t;
+ ')
+
+ logging_search_logs($1)
+ allow $1 munin_log_t:dir list_dir_perms;
+ append_files_pattern($1, munin_log_t, munin_log_t)
+')
+
+#######################################
+## <summary>
+## Search munin library directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`munin_search_lib',`
+ gen_require(`
+ type munin_var_lib_t;
+ ')
+
+ allow $1 munin_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+#######################################
+## <summary>
+## Do not audit attempts to search
+## munin library directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`munin_dontaudit_search_lib',`
+ gen_require(`
+ type munin_var_lib_t;
+ ')
+
+ dontaudit $1 munin_var_lib_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an munin environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed to manage the munin domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`munin_admin',`
+ gen_require(`
+ type munin_t, munin_etc_t, munin_tmp_t;
+ type munin_log_t, munin_var_lib_t, munin_var_run_t;
+ type httpd_munin_content_t;
+ type munin_initrc_exec_t;
+ ')
+
+ allow $1 munin_t:process { ptrace signal_perms };
+ ps_process_pattern($1, munin_t)
+
+ init_labeled_script_domtrans($1, munin_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 munin_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_list_tmp($1)
+ admin_pattern($1, munin_tmp_t)
+
+ logging_list_logs($1)
+ admin_pattern($1, munin_log_t)
+
+ files_list_etc($1)
+ admin_pattern($1, munin_etc_t)
+
+ files_list_var_lib($1)
+ admin_pattern($1, munin_var_lib_t)
+
+ files_list_pids($1)
+ admin_pattern($1, munin_var_run_t)
+
+ admin_pattern($1, httpd_munin_content_t)
+')