From: jason@perfinion.com (Jason Zaman)
Date: Fri, 13 May 2016 21:08:17 +0800
Subject: [refpolicy] [PATCH 1/2] collectd: update policy for 5.5
Message-ID: <1463144898-17748-1-git-send-email-jason@perfinion.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

The ping module can use cap_net_raw instead of being suid. Has a pid dir instead of file now. A few accesses so that it can collect stats.
---
 collectd.fc | 1 +
 collectd.te | 9 +++++++--
 2 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/collectd.fc b/collectd.fc
index 79a3abe..58ac4e8 100644
--- a/collectd.fc
+++ b/collectd.fc
@@ -5,5 +5,6 @@
 /var/lib/collectd(/.*)? gen_context(system_u:object_r:collectd_var_lib_t,s0)
 /var/run/collectd\.pid -- gen_context(system_u:object_r:collectd_var_run_t,s0)
+/var/run/collectd(/.*)? gen_context(system_u:object_r:collectd_var_run_t,s0)
 /usr/share/collectd/collection3/bin/.*\.cgi -- gen_context(system_u:object_r:httpd_collectd_script_exec_t,s0)
diff --git a/collectd.te b/collectd.te
index 0dfb1c5..245ccb8 100644
--- a/collectd.te
+++ b/collectd.te
@@ -33,10 +33,11 @@ apache_content_template(collectd)
 # Local policy
 #
-allow collectd_t self:capability { ipc_lock sys_nice };
+allow collectd_t self:capability { ipc_lock net_raw sys_nice };
 allow collectd_t self:process { getsched setsched signal };
 allow collectd_t self:fifo_file rw_fifo_file_perms;
 allow collectd_t self:packet_socket create_socket_perms;
+allow collectd_t self:rawip_socket create_socket_perms;
 allow collectd_t self:unix_stream_socket { accept listen };
 manage_dirs_pattern(collectd_t, collectd_var_lib_t, collectd_var_lib_t)
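Review bot: The `net_raw` capability and the `rawip_socket create_socket_perms` rule added in the collectd.te hunk are granted to collectd_t unconditionally, although the commit message ties them to the ping plugin alone; wrapping both in a tunable, e.g. `tunable_policy(`collectd_ping', ...)` with a matching `gen_tunable(collectd_ping, false)` (the boolean name is a constructed placeholder), would keep deployments that never load that plugin at the previous capability set. With net_raw plus a raw IP socket the daemon can emit arbitrary IP datagrams, so the broader grant is worth a one-line comment above the allow rule naming the plugin that needs it. A raw socket is also only usable once collectd_t has raw send/receive rules on nodes and interfaces (refpolicy's `corenet_raw_sendrecv_generic_node` / `corenet_raw_sendrecv_generic_if`); those lines are outside this hunk, so confirm they already exist elsewhere in collectd.te or ICMP from the ping plugin will still be denied.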
@@ -44,10 +45,12 @@ manage_files_pattern(collectd_t, collectd_var_lib_t, collectd_var_lib_t)
 files_var_lib_filetrans(collectd_t, collectd_var_lib_t, dir)
 manage_files_pattern(collectd_t, collectd_var_run_t, collectd_var_run_t)
-files_pid_filetrans(collectd_t, collectd_var_run_t, file)
+manage_dirs_pattern(collectd_t, collectd_var_run_t, collectd_var_run_t)
+files_pid_filetrans(collectd_t, collectd_var_run_t, { dir file })
 domain_use_interactive_fds(collectd_t)
+kernel_read_kernel_sysctls(collectd_t)
 kernel_read_network_state(collectd_t)
 kernel_read_net_sysctls(collectd_t)
 kernel_read_system_state(collectd_t)
@@ -62,6 +65,8 @@ files_read_usr_files(collectd_t)
 fs_getattr_all_fs(collectd_t)
+init_read_utmp(collectd_t)
+
 miscfiles_read_localization(collectd_t)
 logging_send_syslog_msg(collectd_t)
-- 
2.7.3
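Review bot: `files_pid_filetrans(collectd_t, collectd_var_run_t, { dir file })` gives every file or directory collectd_t creates directly under the pid directory the collectd_var_run_t label, while collectd.fc only labels `/var/run/collectd.pid` and `/var/run/collectd(/.*)?`; refpolicy's files_pid_filetrans takes an optional filename as a fourth argument, so the transition can be pinned to exactly those names: `files_pid_filetrans(collectd_t, collectd_var_run_t, dir, "collectd")` and `files_pid_filetrans(collectd_t, collectd_var_run_t, file, "collectd.pid")`. That keeps runtime labelling consistent with the file contexts, and any other object collectd might create in /var/run (a plugin socket, say) then surfaces as a denial rather than being silently labelled collectd_var_run_t — if such objects exist they need their own named rule. `kernel_read_kernel_sysctls(collectd_t)` in the same hunk also deserves a short comment naming the plugin or statistic that reads /proc/sys/kernel, since the commit message only says "a few accesses".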