author: Sven Vermeulen <sven.vermeulen@siphos.be> 2014-11-11 14:20:23 +0100
committer: Sven Vermeulen <sven.vermeulen@siphos.be> 2014-11-11 14:20:23 +0100
commit: 895d9f5db7c868d47665873f5ac4081fce64c906 (patch)
tree: b5eb911becf5d4481a230e21245ca1d4b16147e6
parent: Fix typo in cron manual page (diff)
Add manual pages for munin SELinux policy, supports bug #526532
-rw-r--r-- man/man8/munin_selinux.8 | 177
-rw-r--r-- policy/modules/contrib/munin.rst | 130
2 files changed, 307 insertions, 0 deletions
diff --git a/man/man8/munin_selinux.8 b/man/man8/munin_selinux.8
new file mode 100644
index 00000000..99507b65
--- /dev/null
+++ b/man/man8/munin_selinux.8
@@ -0,0 +1,177 @@
+.\" Man page generated from reStructuredText.
+.
+.TH MUNIN_SELINUX 8 "2014-11-11" "" "SELinux"
+.SH NAME
+munin_selinux \- SELinux policy module for Munin
+.
+.nr rst2man-indent-level 0
+.
+.de1 rstReportMargin
+\\$1 \\n[an-margin]
+level \\n[rst2man-indent-level]
+level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
+-
+\\n[rst2man-indent0]
+\\n[rst2man-indent1]
+\\n[rst2man-indent2]
+..
+.de1 INDENT
+.\" .rstReportMargin pre:
+. RS \\$1
+. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
+. nr rst2man-indent-level +1
+.\" .rstReportMargin post:
+..
+.de UNINDENT
+. RE
+.\" indent \\n[an-margin]
+.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.nr rst2man-indent-level -1
+.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
+..
+.SH DESCRIPTION
+.sp
+The \fImunin\fP SELinux module supports the Munin networked resource management
+tool.
+.SH DOMAINS
+.sp
+The following is a list of munin related domains.
+.INDENT 0.0
+.TP
+.B munin_t
+is the main domain for the munin daemon
+.TP
+.B \(aq*\(aq_munin_plugin_t
+is a set of domains related to the munin plugins
+.UNINDENT
+.SH LOCATIONS
+.sp
+The following list of locations identify file resources that are used by the
+munin domains. They are by default allocated towards the default locations for
+munin, so if you use a different location, you will need to properly address
+this. You can do so through \fBsemanage\fP, like so:
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+semanage fcontext \-a \-t system_cron_spool_t "/usr/local/share/munin/plugins(/.*)?"
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+The above example marks the \fI/usr/local/share/munin/plugins\fP location as the location where
+munin plugin executables are stored.
+.SS FUNCTIONAL
+.INDENT 0.0
+.TP
+.B munin_etc_t
+is used for the munin configuration files
+.UNINDENT
+.SS EXECUTABLES
+.INDENT 0.0
+.TP
+.B munin_exec_t
+is used for the munin binaries
+.TP
+.B munin_initrc_exec_t
+is used for the munin init script
+.TP
+.B \(aq*\(aq_munin_plugin_exec_t
+is used for the munin plugin executables
+.UNINDENT
+.SS DAEMON FILES
+.INDENT 0.0
+.TP
+.B munin_log_t
+is used for the munin logs
+.TP
+.B munin_plugin_state_t
+is used for the munin plugin state information
+.TP
+.B munin_var_lib_t
+is used for the variable information used by munin
+.TP
+.B munin_var_run_t
+is used for the variable runtime state information of munin
+.UNINDENT
+.SH POLICY
+.sp
+The following interfaces can be used to enhance the default policy with
+munin\-related provileges. More details on these interfaces can be found in the
+interface HTML documentation, we will not list all available interfaces here.
+.SS Plugin template
+.sp
+With the \fBmunin_plugin_template\fP interface, additional munin plugin domains
+can be created. The interface takes a single prefix (like "disk") and will create
+the proper types and privileges, including (using "disk" as the example):
+.INDENT 0.0
+.IP \(bu 2
+\fIdisk_munin_plugin_t\fP as plugin domain
+.IP \(bu 2
+\fIdisk_munin_plugin_exec_t\fP as plugin executable type
+.IP \(bu 2
+\fIdisk_munin_plugin_tmp_t\fP as plugin temporary file type
+.UNINDENT
+.sp
+To enable it:
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+munin_plugin_template(disk)
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.SS Administrative role
+.sp
+The \fBmunin_admin\fP interface grants a user role and type administrative access
+to the munin types:
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+munin_admin(myuser_t, myuser_r)
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.SH BUGS
+.SS Munin
+.sp
+The \fBnet\-analyzer/munin\fP package deploys the munin cronjobs as end user
+cronjobs inside \fB/var/spool/cron/crontabs\fP\&. The munin cronjobs are meant to
+be executed as the munin Linux account, but the jobs themselves are best seen
+as system cronjobs (as they are not related to a true interactive end user).
+.sp
+The default deployed files do not get the \fIsystem_u\fP SELinux ownership
+assigned. To fix this, execute the following command:
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+~# chcon \-u system_u /var/spool/cron/crontabs/munin
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+For more information, see bug #526532.
+.SH SEE ALSO
+.INDENT 0.0
+.IP \(bu 2
+Gentoo and SELinux at \fI\%https://wiki.gentoo.org/wiki/SELinux\fP
+.IP \(bu 2
+Gentoo Hardened SELinux Project at
+\fI\%https://wiki.gentoo.org/wiki/Project:Hardened\fP
+.UNINDENT
+.SH AUTHOR
+Sven Vermeulen <swift@gentoo.org>
+.\" Generated by docutils manpage writer.
+.
diff --git a/policy/modules/contrib/munin.rst b/policy/modules/contrib/munin.rst
new file mode 100644
index 00000000..3819024c
--- /dev/null
+++ b/policy/modules/contrib/munin.rst
@@ -0,0 +1,130 @@
+=============
+munin_selinux
+=============
+
+-------------------------------
+SELinux policy module for Munin
+-------------------------------
+
+:Author: Sven Vermeulen <swift@gentoo.org>
+:Date: 2014-11-11
+:Manual section: 8
+:Manual group: SELinux
+
+DESCRIPTION
+===========
+
+The *munin* SELinux module supports the Munin networked resource management
+tool.
+
+DOMAINS
+=======
+
+The following is a list of munin related domains.
+
+munin_t
+ is the main domain for the munin daemon
+
+'*'_munin_plugin_t
+ is a set of domains related to the munin plugins
+
+LOCATIONS
+=========
+
+The following list of locations identify file resources that are used by the
+munin domains. They are by default allocated towards the default locations for
+munin, so if you use a different location, you will need to properly address
+this. You can do so through ``semanage``, like so::
+
+ semanage fcontext -a -t system_cron_spool_t "/usr/local/share/munin/plugins(/.*)?"
+
+The above example marks the */usr/local/share/munin/plugins* location as the location where
+munin plugin executables are stored.
+
+FUNCTIONAL
+----------
+
+munin_etc_t
+ is used for the munin configuration files
+
+EXECUTABLES
+-----------
+
+munin_exec_t
+ is used for the munin binaries
+
+munin_initrc_exec_t
+ is used for the munin init script
+
+'*'_munin_plugin_exec_t
+ is used for the munin plugin executables
+
+DAEMON FILES
+------------
+
+munin_log_t
+ is used for the munin logs
+
+munin_plugin_state_t
+ is used for the munin plugin state information
+
+munin_var_lib_t
+ is used for the variable information used by munin
+
+munin_var_run_t
+ is used for the variable runtime state information of munin
+
+POLICY
+======
+
+The following interfaces can be used to enhance the default policy with
+munin-related provileges. More details on these interfaces can be found in the
+interface HTML documentation, we will not list all available interfaces here.
+
+Plugin template
+---------------
+
+With the ``munin_plugin_template`` interface, additional munin plugin domains
+can be created. The interface takes a single prefix (like "disk") and will create
+the proper types and privileges, including (using "disk" as the example):
+
+* *disk_munin_plugin_t* as plugin domain
+* *disk_munin_plugin_exec_t* as plugin executable type
+* *disk_munin_plugin_tmp_t* as plugin temporary file type
+
+To enable it::
+
+ munin_plugin_template(disk)
+
+Administrative role
+-------------------
+
+The ``munin_admin`` interface grants a user role and type administrative access
+to the munin types::
+
+ munin_admin(myuser_t, myuser_r)
+
+BUGS
+====
+
+Munin
+-----
+
+The ``net-analyzer/munin`` package deploys the munin cronjobs as end user
+cronjobs inside ``/var/spool/cron/crontabs``. The munin cronjobs are meant to
+be executed as the munin Linux account, but the jobs themselves are best seen
+as system cronjobs (as they are not related to a true interactive end user).
+
+The default deployed files do not get the *system_u* SELinux ownership
+assigned. To fix this, execute the following command::
+
+ ~# chcon -u system_u /var/spool/cron/crontabs/munin
+
+For more information, see bug #526532.
+
+SEE ALSO
+========
+
+* Gentoo and SELinux at https://wiki.gentoo.org/wiki/SELinux
+* Gentoo Hardened SELinux Project at
+ https://wiki.gentoo.org/wiki/Project:Hardened
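Review bot: the `semanage fcontext -a -t system_cron_spool_t "/usr/local/share/munin/plugins(/.*)?"` example in LOCATIONS does not match the sentence that follows it: `system_cron_spool_t` is the cron spool type (the snippet looks carried over from the cron manual page fixed in the parent commit), whereas a directory of plugin executables needs a munin plugin executable type such as `disk_munin_plugin_exec_t` from the Plugin template section, and the new rule only applies to existing files after a `restorecon -Rv /usr/local/share/munin/plugins`. Also in this hunk: "list of locations identify" should read "identifies", "provileges" should be "privileges", and "interface HTML documentation, we will not list all available interfaces here" is a comma splice that wants a semicolon or a full stop.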