Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status
aboutsummaryrefslogtreecommitdiff
path: root/policy/modules/services/munin.if
diff options
context:
space:
mode:
Diffstat (limited to 'policy/modules/services/munin.if')
-rw-r--r--policy/modules/services/munin.if194
1 files changed, 194 insertions, 0 deletions
diff --git a/policy/modules/services/munin.if b/policy/modules/services/munin.if
new file mode 100644
index 00000000..cd674994
--- /dev/null
+++ b/policy/modules/services/munin.if
@@ -0,0 +1,194 @@
+## <summary>Munin network-wide load graphing.</summary>
+
+#######################################
+## <summary>
+## The template to define a munin plugin domain.
+## </summary>
+## <param name="domain_prefix">
+## <summary>
+## Domain prefix to be used.
+## </summary>
+## </param>
+#
+template(`munin_plugin_template',`
+ gen_require(`
+ attribute munin_plugin_domain, munin_plugin_tmp_content;
+ type munin_t;
+ ')
+
+ ########################################
+ #
+ # Declarations
+ #
+
+ type $1_munin_plugin_t, munin_plugin_domain;
+ type $1_munin_plugin_exec_t;
+ typealias $1_munin_plugin_t alias munin_$1_plugin_t;
+ typealias $1_munin_plugin_exec_t alias munin_$1_plugin_exec_t;
+ application_domain($1_munin_plugin_t, $1_munin_plugin_exec_t)
+ role system_r types $1_munin_plugin_t;
+
+ type $1_munin_plugin_tmp_t, munin_plugin_tmp_content;
+ typealias $1_munin_plugin_tmp_t alias munin_$1_plugin_tmp_t;
+ files_tmp_file($1_munin_plugin_tmp_t)
+
+ ########################################
+ #
+ # Policy
+ #
+
+ domtrans_pattern(munin_t, $1_munin_plugin_exec_t, $1_munin_plugin_t)
+
+ manage_files_pattern($1_munin_plugin_t, $1_munin_plugin_tmp_t, $1_munin_plugin_tmp_t)
+ manage_dirs_pattern($1_munin_plugin_t, $1_munin_plugin_tmp_t, $1_munin_plugin_tmp_t)
+ files_tmp_filetrans($1_munin_plugin_t, $1_munin_plugin_tmp_t, { dir file })
+')
+
+########################################
+## <summary>
+## Connect to munin over a unix domain
+## stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`munin_stream_connect',`
+ gen_require(`
+ type munin_var_run_t, munin_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, munin_var_run_t, munin_var_run_t, munin_t)
+')
+
+#######################################
+## <summary>
+## Read munin configuration content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`munin_read_config',`
+ gen_require(`
+ type munin_etc_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 munin_etc_t:dir list_dir_perms;
+ allow $1 munin_etc_t:file read_file_perms;
+ allow $1 munin_etc_t:lnk_file read_lnk_file_perms;
+')
+
+#######################################
+## <summary>
+## Append munin log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`munin_append_log',`
+ gen_require(`
+ type munin_log_t;
+ ')
+
+ logging_search_logs($1)
+ allow $1 munin_log_t:dir list_dir_perms;
+ append_files_pattern($1, munin_log_t, munin_log_t)
+')
+
+#######################################
+## <summary>
+## Search munin library directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`munin_search_lib',`
+ gen_require(`
+ type munin_var_lib_t;
+ ')
+
+ allow $1 munin_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+#######################################
+## <summary>
+## Do not audit attempts to search
+## munin library directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`munin_dontaudit_search_lib',`
+ gen_require(`
+ type munin_var_lib_t;
+ ')
+
+ dontaudit $1 munin_var_lib_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an munin environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`munin_admin',`
+ gen_require(`
+ attribute munin_plugin_domain, munin_plugin_tmp_content;
+ type munin_t, munin_etc_t, munin_tmp_t;
+ type munin_log_t, munin_var_lib_t, munin_var_run_t;
+ type httpd_munin_content_t, munin_plugin_state_t, munin_initrc_exec_t;
+ ')
+
+ allow $1 { munin_plugin_domain munin_t }:process { ptrace signal_perms };
+ ps_process_pattern($1, { munin_plugin_domain munin_t })
+
+ init_startstop_service($1, $2, munin_t, munin_initrc_exec_t)
+
+ files_list_tmp($1)
+ admin_pattern($1, { munin_tmp_t munin_plugin_tmp_content })
+
+ logging_list_logs($1)
+ admin_pattern($1, munin_log_t)
+
+ files_list_etc($1)
+ admin_pattern($1, munin_etc_t)
+
+ files_list_var_lib($1)
+ admin_pattern($1, { munin_var_lib_t munin_plugin_state_t })
+
+ files_list_pids($1)
+ admin_pattern($1, munin_var_run_t)
+
+ admin_pattern($1, httpd_munin_content_t)
+')