commit: 63a3fc2863f04cafbd4f160861133e064764b0d4 |
Author: cgzones <cgzones <AT> googlemail <DOT> com> |
AuthorDate: Tue Mar 14 15:01:16 2017 +0000 |
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> |
CommitDate: Thu Mar 30 14:00:10 2017 +0000 |
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=63a3fc28 |
|
monit: add syslog access and support for monit systemd service |
|
policy/modules/contrib/monit.if | 8 ++++---- |
policy/modules/contrib/monit.te | 3 +++ |
2 files changed, 7 insertions(+), 4 deletions(-) |
|
diff --git a/policy/modules/contrib/monit.if b/policy/modules/contrib/monit.if |
15 |
index 6107ef9d..d249dfbd 100644 |
16 |
--- a/policy/modules/contrib/monit.if |
17 |
+++ b/policy/modules/contrib/monit.if |
18 |
@@ -58,10 +58,10 @@ interface(`monit_run_cli',` |
19 |
interface(`monit_reload',` |
20 |
gen_require(` |
21 |
class service { reload status }; |
22 |
- type monit_initrc_exec_t; |
23 |
+ type monit_initrc_exec_t, monit_unit_t; |
24 |
') |
25 |
|
26 |
- allow $1 monit_initrc_exec_t:service { reload status }; |
27 |
+ allow $1 { monit_initrc_exec_t monit_unit_t }:service { reload status }; |
28 |
') |
29 |
|
30 |
######################################## |
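Review bot: The new `type monit_initrc_exec_t, monit_unit_t;` requirement assumes `monit_unit_t` is declared in monit.te, but the monit.te hunks in this commit add only the syslog rules, so unless that type already exists in the module (with an `init_unit_file(monit_unit_t)` declaration and a matching unit file context) every caller of monit_reload() will fail to build with an unsatisfied gen_require. Worth confirming the declaration is present in the tree before merging; if it is not, the `.te` side of "support for monit systemd service" is missing from this commit. The interface's `<summary>`/`<desc>` header sits above the hunk and is outside this view.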
31 |
@@ -77,10 +77,10 @@ interface(`monit_reload',` |
32 |
interface(`monit_startstop_service',` |
33 |
gen_require(` |
34 |
class service { start status stop }; |
35 |
- type monit_initrc_exec_t; |
36 |
+ type monit_initrc_exec_t, monit_unit_t; |
37 |
') |
38 |
|
39 |
- allow $1 monit_initrc_exec_t:service { start status stop }; |
40 |
+ allow $1 { monit_initrc_exec_t monit_unit_t }:service { start status stop }; |
41 |
') |
42 |
|
43 |
######################################## |
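Review bot: The interface documentation above `interface(`monit_startstop_service',` (outside this hunk) presumably still describes only the init script, while the body now also grants `start status stop` on the systemd unit; the `<summary>` should say something like "Execute monit server in the monit domain via its init script or systemd unit" so callers know the rule covers both. The same holds for monit_reload in the previous hunk. This is a documentation-only change to the `##` comment block preceding each interface.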
44 |
|
45 |
diff --git a/policy/modules/contrib/monit.te b/policy/modules/contrib/monit.te |
46 |
index 470c44f4..feedbd7e 100644 |
47 |
--- a/policy/modules/contrib/monit.te |
48 |
+++ b/policy/modules/contrib/monit.te |
49 |
@@ -88,6 +88,7 @@ dontaudit monit_t self:capability net_admin; |
50 |
allow monit_t self:fifo_file rw_fifo_file_perms; |
51 |
allow monit_t self:rawip_socket connected_socket_perms; |
52 |
allow monit_t self:tcp_socket server_stream_socket_perms; |
53 |
+allow monit_t self:unix_dgram_socket { connect create }; |
54 |
|
55 |
allow monit_t monit_log_t:file { create read_file_perms append_file_perms }; |
56 |
logging_log_filetrans(monit_t, monit_log_t, file) |
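Review bot: The added `allow monit_t self:unix_dgram_socket { connect create };` looks redundant if it exists for the syslog socket: refpolicy's logging_send_syslog_msg(), which the next hunk calls for monit_t, already grants `self:unix_dgram_socket create_socket_perms` together with the sendto/write rules toward devlog_t — confirm against the logging module in this tree. If the rule is needed for something other than syslog, prefer the standard permission set, `allow monit_t self:unix_dgram_socket create_socket_perms;`, over a hand-picked `{ connect create }`, and add a one-line comment naming the consumer; a bare `connect` with no `write` is not enough to actually send on a connected datagram socket, so on its own this rule is hard to justify.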
57 |
@@ -111,6 +112,8 @@ domain_read_all_domains_state(monit_t) |
58 |
|
59 |
files_read_all_pids(monit_t) |
60 |
|
61 |
+logging_send_syslog_msg(monit_t) |
62 |
+ |
63 |
ifdef(`hide_broken_symptoms',` |
64 |
# kernel bug: https://github.com/SELinuxProject/selinux-kernel/issues/6 |
65 |
dontaudit monit_t self:capability dac_override; |