From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Mon, 16 May 2016 09:21:00 -0400
Subject: [refpolicy] [PATCH 1/2] collectd: update policy for 5.5
In-Reply-To: <1463144898-17748-1-git-send-email-jason@perfinion.com>
References: <1463144898-17748-1-git-send-email-jason@perfinion.com>
Message-ID: <9388e4b7-930c-7944-0b00-1efe6cc8efe7@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 5/13/2016 9:08 AM, Jason Zaman wrote:
> The ping module can use cap_net_raw instead of being suid.
> Has a pid dir instead of file now.
> A few accesses so that it can collect stats.

Merged.

> --- > collectd.fc | 1 + > collectd.te | 9 +++++++-- > 2 files changed, 8 insertions(+), 2 deletions(-) > > diff --git a/collectd.fc b/collectd.fc > index 79a3abe..58ac4e8 100644 > --- a/collectd.fc > +++ b/collectd.fc > @@ -5,5 +5,6 @@ > /var/lib/collectd(/.*)? gen_context(system_u:object_r:collectd_var_lib_t,s0) > > /var/run/collectd\.pid -- gen_context(system_u:object_r:collectd_var_run_t,s0) > +/var/run/collectd(/.*)? gen_context(system_u:object_r:collectd_var_run_t,s0) > > /usr/share/collectd/collection3/bin/.*\.cgi -- gen_context(system_u:object_r:httpd_collectd_script_exec_t,s0) > diff --git a/collectd.te b/collectd.te > index 0dfb1c5..245ccb8 100644 > --- a/collectd.te > +++ b/collectd.te > @@ -33,10 +33,11 @@ apache_content_template(collectd) > # Local policy > # > > -allow collectd_t self:capability { ipc_lock sys_nice }; > +allow collectd_t self:capability { ipc_lock net_raw sys_nice }; > allow collectd_t self:process { getsched setsched signal }; > allow collectd_t self:fifo_file rw_fifo_file_perms; > allow collectd_t self:packet_socket create_socket_perms; > +allow collectd_t self:rawip_socket create_socket_perms; > allow collectd_t self:unix_stream_socket { accept listen }; > > manage_dirs_pattern(collectd_t, collectd_var_lib_t, collectd_var_lib_t) 
> @@ -44,10 +45,12 @@ manage_files_pattern(collectd_t, collectd_var_lib_t, collectd_var_lib_t) > files_var_lib_filetrans(collectd_t, collectd_var_lib_t, dir) > > manage_files_pattern(collectd_t, collectd_var_run_t, collectd_var_run_t) > -files_pid_filetrans(collectd_t, collectd_var_run_t, file) > +manage_dirs_pattern(collectd_t, collectd_var_run_t, collectd_var_run_t) > +files_pid_filetrans(collectd_t, collectd_var_run_t, { dir file }) > > domain_use_interactive_fds(collectd_t) > > +kernel_read_kernel_sysctls(collectd_t) > kernel_read_network_state(collectd_t) > kernel_read_net_sysctls(collectd_t) > kernel_read_system_state(collectd_t) > @@ -62,6 +65,8 @@ files_read_usr_files(collectd_t) > > fs_getattr_all_fs(collectd_t) > > +init_read_utmp(collectd_t) > + > miscfiles_read_localization(collectd_t) > > logging_send_syslog_msg(collectd_t) > -- Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com
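Review bot: the new `/var/run/collectd(/.*)?` entry in the collectd.fc hunk comes with no note about relabeling. Hosts that already created /var/run/collectd under the old policy keep it at the generic pid-directory label until `restorecon -R /var/run/collectd` or a full relabel runs, because the file transition added in collectd.te only covers directories collectd_t creates after the policy update; that is worth a sentence in the commit message. The entry itself looks right, and the existing `/var/run/collectd\.pid --` line is still needed, since the new pattern matches only the directory and its contents, not the pid file beside it.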
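Review bot: in the first collectd.te hunk, `net_raw` and `allow collectd_t self:rawip_socket create_socket_perms;` are granted unconditionally, although the commit message ties them to the ping plugin alone. Every collectd instance, including the many that never load that plugin, would then run with raw-socket privilege. Consider gating the two lines behind a tunable, e.g. a `gen_tunable(collectd_ping, false)` declaration (name is a suggestion) with the capability and rawip_socket rules inside a `tunable_policy` block, so the raw-socket access is opt-in; failing that, a comment tying both lines to the ping plugin would at least record why they are there.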
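Review bot: in the second collectd.te hunk, `files_pid_filetrans(collectd_t, collectd_var_run_t, { dir file })` gives every directory and file collectd_t creates directly under /var/run the collectd_var_run_t type. Since the fc hunk fixes the names, the transition can be narrowed with the interface's optional filename argument, e.g. `files_pid_filetrans(collectd_t, collectd_var_run_t, dir, "collectd")` and `files_pid_filetrans(collectd_t, collectd_var_run_t, file, "collectd.pid")`, so anything else the daemon drops into /var/run keeps the default label. Separately, `kernel_read_kernel_sysctls` is wider than the `kernel_read_net_sysctls` already present; a comment on which stats plugin needs it would make later audits easier.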
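Review bot: `init_read_utmp(collectd_t)` in the last collectd.te hunk arrives without any indication of which plugin reads the utmp database; the commit message's "a few accesses so that it can collect stats" does not cover it. A short comment above the line, or a sentence in the commit message, naming the plugin and saying whether the access could be made optional for installs that do not use it, would document why a metrics daemon needs login-session data.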