| 1 |
commit: 63a3fc2863f04cafbd4f160861133e064764b0d4 |
| 2 |
Author: cgzones <cgzones <AT> googlemail <DOT> com> |
| 3 |
AuthorDate: Tue Mar 14 15:01:16 2017 +0000 |
| 4 |
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> |
| 5 |
CommitDate: Thu Mar 30 14:00:10 2017 +0000 |
| 6 |
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=63a3fc28 |
| 7 |
|
| 8 |
monit: add syslog access and support for monit systemd service |
| 9 |
|
| 10 |
policy/modules/contrib/monit.if | 8 ++++---- |
| 11 |
policy/modules/contrib/monit.te | 3 +++ |
| 12 |
2 files changed, 7 insertions(+), 4 deletions(-) |
| 13 |
|
| 14 |
diff --git a/policy/modules/contrib/monit.if b/policy/modules/contrib/monit.if |
| 15 |
index 6107ef9d..d249dfbd 100644 |
| 16 |
--- a/policy/modules/contrib/monit.if |
| 17 |
+++ b/policy/modules/contrib/monit.if |
| 18 |
@@ -58,10 +58,10 @@ interface(`monit_run_cli',` |
| 19 |
interface(`monit_reload',` |
| 20 |
gen_require(` |
| 21 |
class service { reload status }; |
| 22 |
- type monit_initrc_exec_t; |
| 23 |
+ type monit_initrc_exec_t, monit_unit_t; |
| 24 |
') |
| 25 |
|
| 26 |
- allow $1 monit_initrc_exec_t:service { reload status }; |
| 27 |
+ allow $1 { monit_initrc_exec_t monit_unit_t }:service { reload status }; |
| 28 |
') |
| 29 |
|
| 30 |
######################################## |
| 31 |
@@ -77,10 +77,10 @@ interface(`monit_reload',` |
| 32 |
interface(`monit_startstop_service',` |
| 33 |
gen_require(` |
| 34 |
class service { start status stop }; |
| 35 |
- type monit_initrc_exec_t; |
| 36 |
+ type monit_initrc_exec_t, monit_unit_t; |
| 37 |
') |
| 38 |
|
| 39 |
- allow $1 monit_initrc_exec_t:service { start status stop }; |
| 40 |
+ allow $1 { monit_initrc_exec_t monit_unit_t }:service { start status stop }; |
| 41 |
') |
| 42 |
|
| 43 |
######################################## |
| 44 |
|
| 45 |
diff --git a/policy/modules/contrib/monit.te b/policy/modules/contrib/monit.te |
| 46 |
index 470c44f4..feedbd7e 100644 |
| 47 |
--- a/policy/modules/contrib/monit.te |
| 48 |
+++ b/policy/modules/contrib/monit.te |
| 49 |
@@ -88,6 +88,7 @@ dontaudit monit_t self:capability net_admin; |
| 50 |
allow monit_t self:fifo_file rw_fifo_file_perms; |
| 51 |
allow monit_t self:rawip_socket connected_socket_perms; |
| 52 |
allow monit_t self:tcp_socket server_stream_socket_perms; |
| 53 |
+allow monit_t self:unix_dgram_socket { connect create }; |
| 54 |
|
| 55 |
allow monit_t monit_log_t:file { create read_file_perms append_file_perms }; |
| 56 |
logging_log_filetrans(monit_t, monit_log_t, file) |
| 57 |
@@ -111,6 +112,8 @@ domain_read_all_domains_state(monit_t) |
| 58 |
|
| 59 |
files_read_all_pids(monit_t) |
| 60 |
|
| 61 |
+logging_send_syslog_msg(monit_t) |
| 62 |
+ |
| 63 |
ifdef(`hide_broken_symptoms',` |
| 64 |
# kernel bug: https://github.com/SELinuxProject/selinux-kernel/issues/6 |
| 65 |
dontaudit monit_t self:capability dac_override; |
Archives