
atop: extend policy to also cover atopacct

Helmut Pozimski 7 anos atrás
pai
commit
ee1bc1d3bd
2 arquivos alterados com 47 adições e 3 exclusões
  1. 7 2
      policy/modules/atop.fc
  2. 40 1
      policy/modules/atop.te

+ 7 - 2
policy/modules/atop.fc

@@ -1,12 +1,17 @@
- /etc/rc\.d/init\.d/atop	--	gen_context(system_u:object_r:atop_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/atop	--	gen_context(system_u:object_r:atop_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/atopacct	--	gen_context(system_u:object_r:atopacct_initrc_exec_t,s0)
 
 /usr/bin/atop			-- 	gen_context(system_u:object_r:atop_exec_t,s0)
 /usr/share/atop/atop.wrapper	--	gen_context(system_u:object_r:atop_exec_t,s0)
 /usr/share/atop/atop.daily	--	gen_context(system_u:object_r:atop_exec_t,s0)
-
+/usr/sbin/atopacctd	--	gen_context(system_u:object_r:atopacct_exec_t,s0)
 /var/log/atop(/.*)?			gen_context(system_u:object_r:atop_var_log_t,s0)
 
 /var/run/atop(/.*)?			gen_context(system_u:object_r:atop_var_run_t,s0)
 /var/run/atop\.pid		--	gen_context(system_u:object_r:atop_var_run_t,s0)
 
+/var/run/atopacctd\.pid		--	gen_context(system_u:object_r:atopacct_var_run_t,s0)
+/var/run/pacct_shadow.d(/.*)?		gen_context(system_u:object_r:atopacct_var_run_t,s0)
+/var/run/pacct_source	--	gen_context(system_u:object_r:atopacct_var_run_t,s0)
+
 /var/cache/atop.d(/.*)?			gen_context(system_u:object_r:atop_var_cache_t,s0)
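Review bot: The new spec `/var/run/pacct_shadow.d(/.*)?` leaves its dot unescaped, so as a regex it also matches any single character in that position, while the other entries added here (`atopacctd\.pid`, `atop\.pid`) escape the literal dot; the intended line is `/var/run/pacct_shadow\.d(/.*)?`. The pre-existing context line `/var/cache/atop.d(/.*)?` has the same slip, so the new entry is arguably consistent with it, but new entries should not copy it. The practical impact is small (only paths under /var/run differing in that one character would be mislabelled), yet file-context specs are easier to audit when every literal dot is escaped.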

+ 40 - 1
policy/modules/atop.te

@@ -1,4 +1,4 @@
-policy_module(atop, 0.1.13)
+policy_module(atop, 0.1.15)
 
 ########################################
 #
@@ -12,15 +12,25 @@ type atop_exec_t;
 init_daemon_domain(atop_t, atop_exec_t)
 role atop_roles types atop_t;
 
+type atopacct_t;
+type atopacct_exec_t;
+init_daemon_domain(atopacct_t, atopacct_exec_t)
+
 type atop_initrc_exec_t;
 init_script_file(atop_initrc_exec_t)
 
+type atopacct_initrc_exec_t;
+init_script_file(atopacct_initrc_exec_t)
+
 type atop_var_log_t;
 logging_log_file(atop_var_log_t)
 
 type atop_var_run_t;
 files_pid_file(atop_var_run_t)
 
+type atopacct_var_run_t;
+files_pid_file(atopacct_var_run_t)
+
 type atop_var_cache_t;
 files_type(atop_var_cache_t)
 
@@ -52,6 +62,8 @@ manage_dirs_pattern(atop_t, atop_var_run_t, atop_var_run_t)
 manage_files_pattern(atop_t, atop_var_run_t, atop_var_run_t)
 files_pid_filetrans(atop_t, atop_var_run_t, { file dir })
 
+read_files_pattern(atop_t, atopacct_var_run_t, atopacct_var_run_t)
+
 corecmd_exec_bin(atop_t)
 
 optional_policy(`
@@ -85,3 +97,30 @@ dev_getattr_lvm_control(atop_t)
 cron_system_entry(atop_t, atop_exec_t)
 
 init_read_utmp(atop_t)
+
+### atopacct policy
+
+allow atopacct_t self:capability { net_admin sys_nice sys_pacct };
+allow atopacct_t self:netlink_generic_socket { bind create read setopt write };
+allow atopacct_t self:process { setsched signal };
+allow atopacct_t self:unix_dgram_socket { connect create write };
+
+manage_dirs_pattern(atopacct_t, atopacct_var_run_t, atopacct_var_run_t)
+manage_files_pattern(atopacct_t, atopacct_var_run_t, atopacct_var_run_t)
+files_pid_filetrans(atopacct_t, atopacct_var_run_t, { file dir })
+
+logging_send_syslog_msg(atopacct_t)
+
+miscfiles_read_localization(atopacct_t)
+
+kernel_read_system_state(atopacct_t)
+
+fs_getattr_tmpfs(atopacct_t)
+
+optional_policy(`
+	gen_require(`
+		type initrc_t;
+	')
+	allow atopacct_t initrc_t:sem { associate read unix_read unix_write write };
+')
+
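Review bot: The `optional_policy` block at the end pulls `initrc_t` in with a raw `gen_require` and writes `allow atopacct_t initrc_t:sem { associate read unix_read unix_write write };` directly, which sidesteps the refpolicy convention that a module touches another module's types only through interfaces from that module's .if file; an `init_*` interface from init.if (adding one if none covers semaphores) keeps the cross-module dependency visible and auditable. Since `initrc_t` is a base type, the `optional_policy` wrapper also looks unnecessary here — confirm against this tree's layout. Separately, `read_files_pattern(atop_t, atopacct_var_run_t, atopacct_var_run_t)` in the hunk at line 62 grants only search on the directory type, so if atop enumerates `/var/run/pacct_shadow.d` it would additionally need `list_dirs_pattern(atop_t, atopacct_var_run_t, atopacct_var_run_t)`; that depends on how atop locates the shadow files, which the diff does not show. The new `atopacct_t` and `atopacct_var_run_t` types also get no interfaces in atop.if in this commit (the diffstat lists only atop.fc and atop.te), so other modules needing access would have to repeat the raw-type pattern above.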