Red Hat Bugzilla – Attachment 1483454 Details for Bug 1164245: Failed to create share at /usr/share/perl5/vendor_perl/Cache/SharedMemoryBackend.pm line 85
[patch]
Munin patch for rhel 7.5 munin policy
policy-contrib-munin.patch (text/plain), 25.54 KB, created by Tuomo Soini on 2018-09-15 07:52:15 UTC
Description: Munin patch for rhel 7.5 munin policy
Filename: policy-contrib-munin.patch
MIME Type: text/plain
Creator: Tuomo Soini
Created: 2018-09-15 07:52:15 UTC
Size: 25.54 KB
patch
obsolete
># munin-graph needs access to fonts_cache_t >type=AVC msg=audit(1308069667.246:21542): avc: denied { setattr } for pid=6408 comm="munin-graph" name="fontconfig" dev=dm-0 ino=2884069 scontext=system_u:system_r:httpd_munin_script_t:s0 tcontext=system_u:object_r:fonts_cache_t:s0 tclass=dir > ># amavischilds plugin >type=AVC msg=audit(1413817080.739:546681): avc: denied { execute } for pid=25082 comm="amavischilds" name="amavisd-nanny" dev=dm-0 ino=1575712 scontext=system_u:system_r:mail_munin_plugin_t:s0 tcontext=system_u:object_r:antivirus_exec_t:s0 tclass=file >type=AVC msg=audit(1413817080.739:546681): avc: denied { read open } for pid=25082 comm="amavischilds" name="amavisd-nanny" dev=dm-0 ino=1575712 scontext=system_u:system_r:mail_munin_plugin_t:s0 tcontext=system_u:object_r:antivirus_exec_t:s0 tclass=file >type=AVC msg=audit(1413817080.739:546681): avc: denied { execute_no_trans } for pid=25082 comm="amavischilds" path="/usr/sbin/amavisd-nanny" dev=dm-0 ino=1575712 scontext=system_u:system_r:mail_munin_plugin_t:s0 tcontext=system_u:object_r:antivirus_exec_t:s0 tclass=file >type=AVC msg=audit(1413817080.760:546682): avc: denied { ioctl } for pid=25082 comm="amavisd-nanny" path="/usr/sbin/amavisd-nanny" dev=dm-0 ino=1575712 scontext=system_u:system_r:mail_munin_plugin_t:s0 tcontext=system_u:object_r:antivirus_exec_t:s0 tclass=file >type=AVC msg=audit(1413817080.760:546683): avc: denied { getattr } for pid=25082 comm="amavisd-nanny" path="/usr/sbin/amavisd-nanny" dev=dm-0 ino=1575712 scontext=system_u:system_r:mail_munin_plugin_t:s0 tcontext=system_u:object_r:antivirus_exec_t:s0 tclass=file >type=AVC msg=audit(1413817080.801:546684): avc: denied { getattr } for pid=25082 comm="amavisd-nanny" path="/var/lib/amavis/db/nanny.db" dev=dm-0 ino=3955095 scontext=system_u:system_r:mail_munin_plugin_t:s0 tcontext=unconfined_u:object_r:antivirus_db_t:s0 tclass=file >type=AVC msg=audit(1413817080.802:546685): avc: denied { read write } for pid=25082 comm="amavisd-nanny" 
name="__db.001" dev=dm-0 ino=3934533 scontext=system_u:system_r:mail_munin_plugin_t:s0 tcontext=unconfined_u:object_r:antivirus_db_t:s0 tclass=file >type=AVC msg=audit(1413817080.802:546685): avc: denied { open } for pid=25082 comm="amavisd-nanny" name="__db.001" dev=dm-0 ino=3934533 scontext=system_u:system_r:mail_munin_plugin_t:s0 tcontext=unconfined_u:object_r:antivirus_db_t:s0 tclass=file >type=AVC msg=audit(1413817080.803:546686): avc: denied { signull } for pid=25082 comm="amavisd-nanny" scontext=system_u:system_r:mail_munin_plugin_t:s0 tcontext=unconfined_u:system_r:antivirus_t:s0 tclass=process > ># amavisdstats plugin >type=AVC msg=audit(1413820980.776:875): avc: denied { read } for pid=18214 comm="amavisd-agent" name="__db.001" dev=dm-0 ino=3934829 scontext=system_u:system_r:mail_munin_plugin_t:s0 tcontext=system_u:object_r:antivirus_db_t:s0 tclass=file > ># postfix mailstats plugin >u:system_r:mail_munin_plugin_t:s0 tclass=unix_dgram_socket >type=AVC msg=audit(1349540418.487:181885): avc: denied { ioctl } for pid=21085 comm="postconf" path="socket:[4446963]" dev=sockfs ino=4446963 scontext=unconfined_u:system_r:mail_munin_plugin_t:s0 tcontext=unconfined_u:system_r:mail_munin_plugin_t:s0 tclass=unix_dgram_socket >type=AVC msg=audit(1429043883.477:90292): avc: denied { create } for pid=7209 comm="postconf" scontext=system_u:system_r:mail_munin_plugin_t:s0 tcontext=system_u:system_r:mail_munin_plugin_t:s0 tclass=udp_socket >type=AVC msg=audit(1429043883.477:90293): avc: denied { connect } for pid=7209 comm="postconf" scontext=system_u:system_r:mail_munin_plugin_t:s0 tcontext=system_u:system_r:mail_munin_plugin_t:s0 tclass=udp_socket >type=AVC msg=audit(1429043883.477:90294): avc: denied { getattr } for pid=7209 comm="postconf" laddr=127.0.0.1 lport=45222 faddr=127.0.0.1 scontext=system_u:system_r:mail_munin_plugin_t:s0 tcontext=system_u:system_r:mail_munin_plugin_t:s0 tclass=udp_socket >type=AVC msg=audit(1429343283.030:1502815): avc: denied { read } for 
pid=28730 comm="postconf" name="unix" dev="proc" ino=4026532002 scontext=system_u:system_r:mail_munin_plugin_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file > ># mysql_ plugin >type=AVC msg=audit(1349459314.928:48996): avc: denied { read write } for pid=6659 comm="mysql_innodb_bp" path=2F535953563633363337303639202864656C6574656429 dev=tmpfs ino=0 scontext=unconfined_u:system_r:services_munin_plugin_t:s0 tcontext=unconfined_u:object_r:tmpfs_t:s0 tclass=file > ># munin needs pidof >type=AVC msg=audit(1354011215.009:105734): avc: denied { sys_ptrace } for pid=8832 comm="pidof" capability=19 scontext=unconfined_u:system_r:munin_t:s0 tcontext=unconfined_u:system_r:munin_t:s0 tclass=capability > ># cpe_ plugin has been moved to services_munin_plugin_t >type=AVC msg=audit(1358165559.283:71223): avc: denied { execute } for pid=9142 comm="sh" name="ipvsadm" dev=dm-0 ino=6422698 scontext=unconfined_u:system_r:munin_system_plugin_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file >type=AVC msg=audit(1358165559.283:71223): avc: denied { read open } for pid=9142 comm="sh" name="ipvsadm" dev=dm-0 ino=6422698 scontext=unconfined_u:system_r:munin_system_plugin_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file >type=AVC msg=audit(1358165559.283:71223): avc: denied { execute_no_trans } for pid=9142 comm="sh" path="/sbin/ipvsadm" dev=dm-0 ino=6422698 scontext=unconfined_u:system_r:munin_system_plugin_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file >type=AVC msg=audit(1358165559.288:71224): avc: denied { create } for pid=9142 comm="ipvsadm" scontext=unconfined_u:system_r:munin_system_plugin_t:s0 tcontext=unconfined_u:system_r:munin_system_plugin_t:s0 tclass=netlink_socket >type=AVC msg=audit(1358165559.288:71225): avc: denied { setopt } for pid=9142 comm="ipvsadm" scontext=unconfined_u:system_r:munin_system_plugin_t:s0 tcontext=unconfined_u:system_r:munin_system_plugin_t:s0 tclass=netlink_socket >type=AVC 
msg=audit(1358165559.288:71226): avc: denied { bind } for pid=9142 comm="ipvsadm" scontext=unconfined_u:system_r:munin_system_plugin_t:s0 tcontext=unconfined_u:system_r:munin_system_plugin_t:s0 tclass=netlink_socket >type=AVC msg=audit(1358165559.288:71227): avc: denied { getattr } for pid=9142 comm="ipvsadm" scontext=unconfined_u:system_r:munin_system_plugin_t:s0 tcontext=unconfined_u:system_r:munin_system_plugin_t:s0 tclass=netlink_socket >type=AVC msg=audit(1460461680.968:1198416): avc: denied { create } for pid=21627 comm="cps_194.100.70." scontext=system_u:system_r:system_munin_plugin_t:s0 tcontext=system_u:system_r:system_munin_plugin_t:s0 tclass=netlink_route_socket >type=AVC msg=audit(1460461681.050:1198418): avc: denied { read } for pid=21630 comm="cps_194.100.70." name="resolv.conf" dev="dm-0" ino=67526862 scontext=system_u:system_r:system_munin_plugin_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file >type=AVC msg=audit(1476959581.112:155796): avc: denied { nlmsg_read } for pid=15816 comm="cps_172.27.32.1" scontext=system_u:system_r:system_munin_plugin_t:s0 tcontext=system_u:system_r:system_munin_plugin_t:s0 tclass=netlink_route_socket >type=AVC msg=audit(1476967380.831:158161): avc: denied { read } for pid=19866 comm="ipvsadm" name="psched" dev="proc" ino=4026531980 scontext=system_u:system_r:services_munin_plugin_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file >type=AVC msg=audit(1476967380.832:158162): avc: denied { net_admin } for pid=19866 comm="ipvsadm" capability=12 scontext=system_u:system_r:services_munin_plugin_t:s0 tcontext=system_u:system_r:services_munin_plugin_t:s0 tclass=capability > ># cps_ doesn't need access to these >type=AVC msg=audit(1479142888.164:107): avc: denied { create } for pid=2017 comm="ipvsadm" scontext=system_u:system_r:services_munin_plugin_t:s0 tcontext=system_u:system_r:services_munin_plugin_t:s0 tclass=rawip_socket >type=AVC msg=audit(1479142888.164:108): avc: denied { execute } for pid=2018 
comm="ipvsadm" name="kmod" dev="dm-0" ino=134350400 scontext=system_u:system_r:services_munin_plugin_t:s0 tcontext=system_u:object_r:insmod_exec_t:s0 tclass=file > ># memcached plugin >avc: denied { name_connect } for pid=20491 comm="memcachedstats" dest=11211 scontext=unconfined_u:system_r:munin_t:s0 tcontext=system_u:object_r:memcache_port_t:s0 tclass=tcp_socket > ># munin-node >type=AVC msg=audit(1423513346.661:217476): avc: denied { net_admin } for pid=2786 comm="munin-node" capability=12 scontext=unconfined_u:system_r:munin_t:s0 tcontext=unconfined_u:system_r:munin_t:s0 tclass=capability > ># munin-cgi-html >type=AVC audit(1429099449.683:13): avc: denied { ioctl } for pid=2681 comm="munin-cgi-html" path="socket:[33691]" dev="sockfs" ino=33691 scontext=system_u:system_r:munin_script_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket > ># munin-cgi-graph >type=AVC audit(1429099537.312:14): avc: denied { write } for pid=2680 comm="munin-cgi-graph" name="rrdcached.sock" dev="tmpfs" ino=22217 scontext=system_u:system_r:munin_script_t:s0 tcontext=system_u:object_r:munin_var_run_t:s0 tclass=sock_file > ># if_ plugin >type=AVC audit(1429099420.957:7): avc: denied { module_request } for pid=1658 comm="ethtool" kmod="netdev-heipv6" scontext=system_u:system_r:system_munin_plugin_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system > ># tmpwatch cleanup munin_var_lib_t >type=AVC audit(1429150861.403:19): avc: denied { read } for pid=9650 comm="tmpwatch" name="cgi-tmp" dev="sdb3" ino=91494 scontext=system_u:system_r:tmpreaper_t:s0-s0:c0.c1023 tcontext=system_u:object_r:munin_var_lib_t:s0 tclass=dir >type=AVC audit(1429150861.411:20): avc: denied { setattr } for pid=9650 comm="tmpwatch" name="risa.bbbs.net" dev="sdb3" ino=92055 scontext=system_u:system_r:tmpreaper_t:s0-s0:c0.c1023 tcontext=system_u:object_r:munin_var_lib_t:s0 tclass=dir >type=AVC audit(1429150861.422:21): avc: denied { rmdir } for pid=9650 comm="tmpwatch" name="bbbs.net" dev="sdb3" 
ino=92054 scontext=system_u:system_r:tmpreaper_t:s0-s0:c0.c1023 tcontext=system_u:object_r:munin_var_lib_t:s0 tclass=dir > ># snmp plugin >type=AVC msg=audit(1432046608.757:1420): avc: denied { node_bind } for pid=22617 comm="snmp_foo-sw-02." scontext=system_u:system_r:services_munin_plugin_t:s0 tcontext=system_u:object_r:node_t:s0 tclass=udp_socket > ># unbound plugin >type=AVC msg=audit(1432311485.685:7751): avc: denied { execute } for pid=21998 comm="unbound_by_clas" name="unbound-control" dev="vda3" ino=1076047464 scontext=system_u:system_r:services_munin_plugin_t:s0 tcontext=system_u:object_r:named_exec_t:s0 tclass=file >type=AVC msg=audit(1432311485.685:7751): avc: denied { read open } for pid=21998 comm="unbound_by_clas" path="/usr/sbin/unbound-control" dev="vda3" ino=1076047464 scontext=system_u:system_r:services_munin_plugin_t:s0 tcontext=system_u:object_r:named_exec_t:s0 tclass=file >type=AVC msg=audit(1432311485.685:7751): avc: denied { execute_no_trans } for pid=21998 comm="unbound_by_clas" path="/usr/sbin/unbound-control" dev="vda3" ino=1076047464 scontext=system_u:system_r:services_munin_plugin_t:s0 tcontext=system_u:object_r:named_exec_t:s0 tclass=file >type=AVC msg=audit(1483990688.647:457738): avc: denied { read } for pid=730 comm="cat" name="unbound.pid" dev="tmpfs" ino=22113299 scontext=system_u:system_r:services_munin_plugin_t:s0 tcontext=system_u:object_r:named_var_run_t:s0 tclass=file >type=AVC msg=audit(1483990688.647:457738): avc: denied { open } for pid=730 comm="cat" path="/run/unbound/unbound.pid" dev="tmpfs" ino=22113299 scontext=system_u:system_r:services_munin_plugin_t:s0 tcontext=system_u:object_r:named_var_run_t:s0 tclass=file >type=AVC msg=audit(1483990688.648:457739): avc: denied { getattr } for pid=730 comm="cat" path="/run/unbound/unbound.pid" dev="tmpfs" ino=22113299 scontext=system_u:system_r:services_munin_plugin_t:s0 tcontext=system_u:object_r:named_var_run_t:s0 tclass=file > ># mongo_* plugins using pymongo trigger this 
>type=AVC msg=audit(1435585084.323:298861): avc: denied { execute } for pid=14493 comm="sh" name="ldconfig" dev="sdb3" ino=987710 scontext=system_u:system_r:services_munin_plugin_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file >type=AVC msg=audit(1435585084.323:298861): avc: denied { read open } for pid=14493 comm="sh" path="/usr/sbin/ldconfig" dev="sdb3" ino=987710 scontext=system_u:system_r:services_munin_plugin_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file >type=AVC msg=audit(1435585084.323:298861): avc: denied { execute_no_trans } for pid=14493 comm="sh" path="/usr/sbin/ldconfig" dev="sdb3" ino=987710 scontext=system_u:system_r:services_munin_plugin_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file > ># df plugin needs these to read restricted filesystems >type=AVC msg=audit(1466683081.324:714659): avc: denied { dac_override } for pid=9307 comm="df" capability=1 scontext=system_u:system_r:disk_munin_plugin_t:s0 tcontext=system_u:system_r:disk_munin_plugin_t:s0 tclass=capability >type=AVC msg=audit(1466683081.324:714659): avc: denied { dac_read_search } for pid=9307 comm="df" capability=2 scontext=system_u:system_r:disk_munin_plugin_t:s0 tcontext=system_u:system_r:disk_munin_plugin_t:s0 tclass=capability >type=AVC msg=audit(1466686082.334:715540): avc: denied { search } for pid=17343 comm="df" name="amavisd" dev="vda3" ino=403292294 scontext=system_u:system_r:disk_munin_plugin_t:s0 tcontext=system_u:object_r:antivirus_db_t:s0 tclass=dir > ># running munin-cgi-html and munin-cgi-graph via systemd socket activation >type=AVC msg=audit(1482052660.147:183677): avc: denied { connectto } for pid=7391 comm="nginx" path="/run/munin/munin-cgi-html.sock" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket > ># services_munin_plugin_t needs to be able to read process states, sample: >type=AVC msg=audit(1483994000.134:389417): avc: denied { getattr } for pid=2275 comm="ps" 
path="/proc/14024" dev="proc" ino=16523233 scontext=system_u:system_r:services_munin_plugin_t:s0 tcontext=system_u:system_r:named_t:s0 tclass=dir >type=AVC msg=audit(1483994000.134:389418): avc: denied { search } for pid=2275 comm="ps" name="14024" dev="proc" ino=16523233 scontext=system_u:system_r:services_munin_plugin_t:s0 tcontext=system_u:system_r:named_t:s0 tclass=dir >type=AVC msg=audit(1483994000.134:389418): avc: denied { read } for pid=2275 comm="ps" name="stat" dev="proc" ino=16523234 scontext=system_u:system_r:services_munin_plugin_t:s0 tcontext=system_u:system_r:named_t:s0 tclass=file >type=AVC msg=audit(1483994000.134:389418): avc: denied { open } for pid=2275 comm="ps" path="/proc/14024/stat" dev="proc" ino=16523234 scontext=system_u:system_r:services_munin_plugin_t:s0 tcontext=system_u:system_r:named_t:s0 tclass=file > >diff -up serefpolicy-contrib-3.13.1/munin.fc.munin serefpolicy-contrib-3.13.1/munin.fc >--- serefpolicy-contrib-3.13.1/munin.fc.munin 2018-04-10 11:32:45.997440910 +0300 >+++ serefpolicy-contrib-3.13.1/munin.fc 2018-04-10 11:32:46.721326510 +0300 >@@ -15,6 +15,7 @@ > /usr/share/munin/plugins/smart_.* -- gen_context(system_u:object_r:disk_munin_plugin_exec_t,s0) > > # mail plugins >+/usr/share/munin/plugins/amavis.* -- gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0) > /usr/share/munin/plugins/courier_mta_.* -- gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0) > /usr/share/munin/plugins/exim_mail.* -- gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0) > /usr/share/munin/plugins/mailman -- gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0) 
>@@ -25,10 +26,14 @@ > > # services plugins > /usr/share/munin/plugins/apache_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0) >+/usr/share/munin/plugins/apc_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0) > /usr/share/munin/plugins/asterisk_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0) >+/usr/share/munin/plugins/cps_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0) > /usr/share/munin/plugins/http_loadtime -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0) > /usr/share/munin/plugins/fail2ban -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0) > /usr/share/munin/plugins/lpstat -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0) >+/usr/share/munin/plugins/memcached.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0) >+/usr/share/munin/plugins/mongo.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0) > /usr/share/munin/plugins/mysql_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0) > /usr/share/munin/plugins/named -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0) > /usr/share/munin/plugins/ntp_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0) 
>@@ -39,9 +44,12 @@ > /usr/share/munin/plugins/samba -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0) > /usr/share/munin/plugins/slapd_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0) > /usr/share/munin/plugins/snmp_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0) >+/usr/share/munin/plugins/squeezebox_ -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0) > /usr/share/munin/plugins/squid_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0) > /usr/share/munin/plugins/tomcat_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0) >-/usr/share/munin/plugins/varnish_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0) >+/usr/share/munin/plugins/unbound_ -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0) >+/usr/share/munin/plugins/varnish.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0) >+/usr/share/munin/plugins/weather_ -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0) > > # selinux plugins > /usr/share/munin/plugins/selinux_avcstat -- gen_context(system_u:object_r:selinux_munin_plugin_exec_t,s0) >@@ -73,6 +81,7 @@ > /var/log/munin.* gen_context(system_u:object_r:munin_log_t,s0) > /var/run/munin(/.*)? gen_context(system_u:object_r:munin_var_run_t,s0) > /var/www/html/munin(/.*)? gen_context(system_u:object_r:munin_content_t,s0) >+/var/www/html/munin/.*/.*(/.*)? gen_context(system_u:object_r:munin_rw_content_t,s0) > /var/www/html/munin/cgi(/.*)? gen_context(system_u:object_r:munin_script_exec_t,s0) > /var/www/html/cgi/munin.* gen_context(system_u:object_r:munin_script_exec_t,s0) > /var/www/cgi-bin/munin.* gen_context(system_u:object_r:munin_script_exec_t,s0) >diff -up serefpolicy-contrib-3.13.1/munin.if.munin serefpolicy-contrib-3.13.1/munin.if >--- serefpolicy-contrib-3.13.1/munin.if.munin 2018-04-10 11:32:45.998440752 +0300 >+++ serefpolicy-contrib-3.13.1/munin.if 2018-04-10 11:32:46.722326352 +0300 
>@@ -126,6 +126,7 @@ interface(`munin_manage_var_lib_files',` > ') > > files_search_var_lib($1) >+ manage_dirs_pattern($1, munin_var_lib_t, munin_var_lib_t) > manage_files_pattern($1, munin_var_lib_t, munin_var_lib_t) > ') > >diff -up serefpolicy-contrib-3.13.1/munin.te.munin serefpolicy-contrib-3.13.1/munin.te >--- serefpolicy-contrib-3.13.1/munin.te.munin 2018-04-10 11:32:45.999440594 +0300 >+++ serefpolicy-contrib-3.13.1/munin.te 2018-04-10 11:35:50.217327541 +0300 >@@ -88,8 +88,8 @@ optional_policy(` > # Local policy > # > >-allow munin_t self:capability { chown dac_read_search dac_override kill setgid setuid sys_rawio }; >-dontaudit munin_t self:capability sys_tty_config; >+allow munin_t self:capability { chown dac_read_search dac_override kill setgid setuid sys_rawio sys_ptrace }; >+dontaudit munin_t self:capability { net_admin sys_tty_config }; > allow munin_t self:process { getsched setsched signal_perms }; > allow munin_t self:unix_stream_socket { accept connectto listen }; > allow munin_t self:unix_dgram_socket sendto; >@@ -119,6 +119,8 @@ manage_lnk_files_pattern(munin_t, munin_ > > rw_files_pattern(munin_t, munin_plugin_state_t, munin_plugin_state_t) > >+allow munin_t munin_plugin_state_t:dir { create add_name setattr write }; >+ > manage_dirs_pattern(munin_t, munin_var_run_t, munin_var_run_t) > manage_files_pattern(munin_t, munin_var_run_t, munin_var_run_t) > manage_sock_files_pattern(munin_t, munin_var_run_t, munin_var_run_t) 
>@@ -224,12 +226,17 @@ optional_policy(` > udev_read_db(munin_t) > ') > >+optional_policy(` >+ ssh_exec(munin_t) >+ corenet_tcp_connect_ssh_port(munin_t) >+') >+ > ################################### > # > # Disk local policy > # > >-allow disk_munin_plugin_t self:capability { sys_admin sys_rawio }; >+allow disk_munin_plugin_t self:capability { dac_override dac_read_search sys_admin sys_rawio }; > allow disk_munin_plugin_t self:tcp_socket create_stream_socket_perms; > > rw_files_pattern(disk_munin_plugin_t, munin_var_lib_t, munin_var_lib_t) >@@ -255,6 +262,10 @@ storage_raw_read_fixed_disk(disk_munin_p > sysnet_read_config(disk_munin_plugin_t) > > optional_policy(` >+ antivirus_search_db(disk_munin_plugin_t) >+') >+ >+optional_policy(` > hddtemp_exec(disk_munin_plugin_t) > ') > >@@ -272,6 +283,7 @@ optional_policy(` > # > > allow mail_munin_plugin_t self:capability { dac_read_search dac_override }; >+allow mail_munin_plugin_t self:unix_dgram_socket create_socket_perms; > > allow mail_munin_plugin_t self:tcp_socket create_stream_socket_perms; > allow mail_munin_plugin_t self:netlink_route_socket r_netlink_socket_perms; >@@ -280,6 +292,7 @@ allow mail_munin_plugin_t self:udp_socke > rw_files_pattern(mail_munin_plugin_t, munin_var_lib_t, munin_var_lib_t) > > kernel_read_net_sysctls(mail_munin_plugin_t) >+kernel_read_network_state(mail_munin_plugin_t) > > dev_read_urand(mail_munin_plugin_t) > >@@ -299,6 +312,12 @@ optional_policy(` > ') > > optional_policy(` >+ antivirus_rw_db(mail_munin_plugin_t) >+ antivirus_exec(mail_munin_plugin_t) >+ antivirus_signal(mail_munin_plugin_t) >+') >+ >+optional_policy(` > nscd_socket_use(mail_munin_plugin_t) > ') 
> >@@ -324,11 +343,15 @@ selinux_get_enforce_mode(selinux_munin_p > # Service local policy > # > >-allow services_munin_plugin_t self:shm create_sem_perms; >+dontaudit services_munin_plugin_t self:capability { net_admin }; >+allow services_munin_plugin_t self:netlink_route_socket r_netlink_socket_perms; >+allow services_munin_plugin_t self:netlink_socket create_socket_perms; > allow services_munin_plugin_t self:sem create_sem_perms; >+allow services_munin_plugin_t self:shm create_sem_perms; > allow services_munin_plugin_t self:tcp_socket create_stream_socket_perms; > allow services_munin_plugin_t self:udp_socket create_socket_perms; >-allow services_munin_plugin_t self:netlink_route_socket r_netlink_socket_perms; >+allow services_munin_plugin_t munin_var_lib_t:dir search_dir_perms; >+iptables_exec(services_munin_plugin_t) > > manage_files_pattern(services_munin_plugin_t, services_munin_plugin_tmpfs_t, services_munin_plugin_tmpfs_t) > manage_dirs_pattern(services_munin_plugin_t, services_munin_plugin_tmpfs_t, services_munin_plugin_tmpfs_t) 
>@@ -338,14 +361,27 @@ corenet_sendrecv_all_client_packets(serv > corenet_tcp_connect_all_ports(services_munin_plugin_t) > corenet_tcp_connect_http_port(services_munin_plugin_t) > corenet_tcp_sendrecv_all_ports(services_munin_plugin_t) >+corenet_udp_bind_generic_node(services_munin_plugin_t) > > dev_read_urand(services_munin_plugin_t) > dev_read_rand(services_munin_plugin_t) > >+libs_exec_ldconfig(services_munin_plugin_t) >+ > sysnet_read_config(services_munin_plugin_t) > >+kernel_read_network_state(services_munin_plugin_t) >+kernel_dontaudit_request_load_module(services_munin_plugin_t) >+domain_read_all_domains_state(services_munin_plugin_t) >+ >+# cps_ plugin >+dontaudit services_munin_plugin_t self:rawip_socket create; >+modutils_dontaudit_exec_insmod(services_munin_plugin_t) >+ > optional_policy(` >+ bind_exec(services_munin_plugin_t) > bind_read_config(services_munin_plugin_t) >+ bind_read_pid_files(services_munin_plugin_t) > ') > > optional_policy(` >@@ -399,12 +435,15 @@ optional_policy(` > # System local policy > # > >+dontaudit system_munin_plugin_t self:capability { net_admin }; >+ > allow system_munin_plugin_t self:udp_socket create_socket_perms; > > rw_files_pattern(system_munin_plugin_t, munin_var_lib_t, munin_var_lib_t) > > read_files_pattern(system_munin_plugin_t, munin_log_t, munin_log_t) > >+kernel_dontaudit_request_load_module(system_munin_plugin_t) > kernel_read_network_state(system_munin_plugin_t) > kernel_read_all_sysctls(system_munin_plugin_t) > kernel_read_fs_sysctls(system_munin_plugin_t) 
>@@ -446,23 +485,44 @@ optional_policy(` > apache_content_template(munin) > apache_content_alias_template(munin, munin) > >+# For running script directly from systemd >+init_daemon_domain(munin_script_t, munin_script_exec_t) >+ > manage_dirs_pattern(munin_t, munin_content_t, munin_content_t) > manage_files_pattern(munin_t, munin_content_t, munin_content_t) > >+manage_dirs_pattern(munin_t, munin_rw_content_t, munin_rw_content_t) >+manage_files_pattern(munin_t, munin_rw_content_t, munin_rw_content_t) >+ > manage_dirs_pattern(munin_script_t, munin_script_tmp_t, munin_script_tmp_t) > manage_files_pattern(munin_script_t, munin_script_tmp_t,munin_script_tmp_t) > files_tmp_filetrans(munin_script_t, munin_script_tmp_t, { dir file }) > > read_files_pattern(munin_script_t, munin_var_lib_t, munin_var_lib_t) > list_dirs_pattern(munin_script_t, munin_etc_t, munin_etc_t) >+manage_dirs_pattern(httpd_munin_script_t, munin_var_lib_t, munin_var_lib_t) >+manage_files_pattern(httpd_munin_script_t, munin_var_lib_t, munin_var_lib_t) >+ >+manage_sock_files_pattern(munin_script_t, munin_var_run_t, munin_var_run_t) >+ > read_files_pattern(munin_script_t, munin_etc_t, munin_etc_t) > >+getattr_dirs_pattern(httpd_munin_script_t, var_lib_t, var_lib_t) >+ >+miscfiles_setattr_fonts_cache_dirs(httpd_munin_script_t) >+ >+allow httpd_munin_script_t self:sem create_sem_perms; >+ >+logging_log_filetrans(httpd_munin_script_t, munin_log_t, { file dir }) >+ > manage_files_pattern(munin_script_t, munin_log_t, munin_log_t) > > files_search_var_lib(munin_script_t) > > auth_read_passwd(munin_script_t) > >+init_dontaudit_rw_stream_socket(munin_script_t) >+ > optional_policy(` > apache_search_sys_content(munin_t) > ')
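Review bot: in the munin.fc hunk at @@ -25,10 +26,14 @@, the new `/usr/share/munin/plugins/cps_.*` entry does not match the description's comment "# cpe_ plugin has been moved to services_munin_plugin_t"; the AVC lines under that comment are for comm="cps_194.100.70." and comm="cps_172.27.32.1" running as system_munin_plugin_t, so the comment should say cps_ and name the old domain, which is the justification for moving the plugin.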
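Review bot: in the munin.fc hunk at @@ -39,9 +44,12 @@, replacing `varnish_.*` with `varnish.*` widens the match to any file whose name starts with "varnish" (for example a plain `varnish` plugin); say which file that is meant to catch, since every neighbouring entry keeps the `_.*` form. The new `squeezebox_`, `unbound_` and `weather_` entries carry no trailing regex, so they label only those exact file names; if that is intended (the wildcard plugin file itself), a short comment will stop the next reader from "fixing" them to `_.*`.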
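Review bot: in the munin.fc hunk at @@ -73,6 +81,7 @@, the new `/var/www/html/munin/.*/.*(/.*)?` pattern labels every path two or more levels below /var/www/html/munin as munin_rw_content_t, which overlaps the `/var/www/html/munin/cgi(/.*)?` munin_script_exec_t entry on the next line; the longer literal stem of the cgi entry should win, but confirm it with `matchpathcon /var/www/html/munin/cgi/munin-cgi-graph` (or `restorecon -nv`) against the built policy, and consider naming the generated group/host directories rather than any second-level path, so a stray directory under the web root does not silently become writable by munin_t.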
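Review bot: in the munin.if hunk, adding `manage_dirs_pattern($1, munin_var_lib_t, munin_var_lib_t)` to `munin_manage_var_lib_files` changes the contract of an interface whose name and summary promise file management only, and it does so for every existing caller (the tmpwatch rmdir/setattr denials in the description suggest tmpreaper_t is the intended beneficiary). Either update the interface summary above this hunk to state that directories are managed too, or add a separate `munin_manage_var_lib_dirs` interface and call it only from the caller that needs it.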
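Review bot: in the munin.te hunk at @@ -88,8 +88,8 @@, `sys_ptrace` is added to the munin_t capability allow to silence the pidof denial quoted in the description; pidof works without that capability (it only uses it to read other users' /proc/<pid> details), so the usual refpolicy treatment is `dontaudit munin_t self:capability sys_ptrace;` alongside the new `{ net_admin sys_tty_config }` dontaudit rather than granting a capability that lets munin_t inspect every process.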
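Review bot: in the munin.te hunk at @@ -119,6 +119,8 @@, `allow munin_t munin_plugin_state_t:dir { create add_name setattr write };` is a hand-written permission set sitting beside pattern macros, and nothing in the description's AVC list involves munin_plugin_state_t at all; add a comment (or the AVC) saying what triggers it, and prefer `manage_dirs_pattern(munin_t, munin_plugin_state_t, munin_plugin_state_t)` or `create_dirs_pattern` plus the matching filetrans, which also supplies the search/getattr a directory create needs.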
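Review bot: in the munin.te hunk at @@ -224,12 +226,17 @@, the new `ssh_exec(munin_t)` / `corenet_tcp_connect_ssh_port(munin_t)` block has no matching AVC or comment in the description; note what uses it (presumably an ssh:// node transport in munin.conf) so the outbound ssh access is tied to a feature. In the same hunk, both `dac_override` and `dac_read_search` are added to disk_munin_plugin_t; the RHEL 7 kernel checks dac_override first and logs both denials with the same serial (714659 in the description) even when dac_read_search alone would succeed, so try `dac_read_search` only and `dontaudit` `dac_override`, the usual refpolicy approach for a tool that merely traverses restricted directories.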
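Review bot: in the munin.te hunk at @@ -299,6 +312,12 @@, the AVC behind this block is `signull` on antivirus_t (amavisd-nanny checking whether a process exists), but `antivirus_signal(mail_munin_plugin_t)` grants `signal`, the ability to deliver real signals to the antivirus daemon; if the antivirus module provides a signull interface, use that, otherwise add a comment noting that signal is a superset of what the plugin needs.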
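Review bot: in the munin.te hunk at @@ -324,11 +343,15 @@, `iptables_exec(services_munin_plugin_t)` is a call into another module placed among local `self:` rules; wrap it in `optional_policy(` ... `)` with the other module calls, since iptables need not be loaded. The hunk also deletes and re-adds the existing `self:shm` and `self:netlink_route_socket` lines purely to reorder them, which buries the real additions (`self:netlink_socket create_socket_perms` for ipvsadm, `munin_var_lib_t:dir search_dir_perms`, the net_admin dontaudit) in diff noise; keep the original order or split the reorder into its own change.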
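Review bot: in the munin.te hunk at @@ -338,14 +361,27 @@, `domain_read_all_domains_state(services_munin_plugin_t)` lets the plugin domain read /proc state for every domain on the system, far more than the named_t `stat` denial quoted in the description; that is what `ps` needs, but it deserves a comment saying so, because it exposes process details of every process to a domain that also runs network-facing plugin code. `libs_exec_ldconfig` likewise wants a one-line comment pointing at the pymongo case in the description, and the `# cps_ plugin` comment above the rawip_socket and insmod dontaudits could say the denials are spurious (the description says cps_ does not need them), which is why they are dontaudit rather than allow.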
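Review bot: in the munin.te hunk at @@ -446,23 +485,44 @@, `logging_log_filetrans(httpd_munin_script_t, munin_log_t, { file dir })` includes `dir`, but the only munin_log_t rule visible for this domain is `manage_files_pattern(munin_script_t, munin_log_t, munin_log_t)`, so a directory create would still be denied; drop `dir` or add a dirs pattern. The hunk also mixes `munin_script_t` and `httpd_munin_script_t` for what `apache_content_alias_template(munin, munin)` above makes the same type; pick one name. `getattr_dirs_pattern(httpd_munin_script_t, var_lib_t, var_lib_t)` references the files module's type directly and is redundant with the `files_search_var_lib(munin_script_t)` already in context (search_dir_perms includes getattr). `init_daemon_domain(munin_script_t, munin_script_exec_t)` plus the new manage_dirs/manage_files rules on munin_var_lib_t turn the web-facing CGI domain, previously read-only on that data, into a systemd service domain with write access to the whole RRD tree; if only cgi-tmp needs writes, a dedicated type is tighter. Finally, the nginx (httpd_t) `connectto` denial on init_t's /run/munin/munin-cgi-html.sock listed in the description is addressed by no hunk, so either add the rule or remove it from the description.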