.\" Man page generated from reStructuredText.
.
.TH MUNIN_SELINUX 8 "2014-11-11" "" "SELinux"
.SH NAME
munin_selinux \- SELinux policy module for Munin
.
.nr rst2man-indent-level 0
.
.de1 rstReportMargin
\\$1 \\n[an-margin]
level \\n[rst2man-indent-level]
level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
-
\\n[rst2man-indent0]
\\n[rst2man-indent1]
\\n[rst2man-indent2]
..
.de1 INDENT
.\" .rstReportMargin pre:
. RS \\$1
. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
. nr rst2man-indent-level +1
.\" .rstReportMargin post:
..
.de UNINDENT
. RE
.\" indent \\n[an-margin]
.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
.nr rst2man-indent-level -1
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
..
.SH DESCRIPTION
.sp
The \fImunin\fP SELinux module supports the Munin networked resource management tool.
.SH DOMAINS
.sp
The following is a list of munin\-related domains.
.INDENT 0.0
.TP
.B munin_t
is the main domain for the munin daemon
.TP
.B \(aq*\(aq_munin_plugin_t
is a set of domains related to the munin plugins
.UNINDENT
.SH LOCATIONS
.sp
The following list of locations identifies file resources that are used by the munin domains. By default they are assigned to the default locations for munin, so if you use a different location, you will need to label it accordingly. You can do so through \fBsemanage\fP, like so:
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
semanage fcontext \-a \-t system_cron_spool_t "/usr/local/share/munin/plugins(/.*)?"
.ft P
.fi
.UNINDENT
.UNINDENT
.sp
The above example marks the \fI/usr/local/share/munin/plugins\fP location as the location where munin plugin executables are stored.
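The relabelling step described above, as an added example that is not part of the original man page or the policy project: a semanage rule only affects files already on disk once restorecon has run. The helper names are hypothetical, and TYPE stands for whichever type from this page applies to the location.

```shell
#!/bin/sh
# Added example: not part of the munin policy module or this man page.
# fcontext_pattern and label_tree are hypothetical helper names.

# fcontext_pattern DIR
# Prints the file-context regex for DIR and everything below it, in the
# "DIR(/.*)?" form used above. Relative paths are rejected, and regex
# metacharacters in DIR (such as the dot in "munin-2.0") are escaped so
# the rule cannot match sibling paths by accident.
fcontext_pattern() {
    case "$1" in
        /?*) ;;
        *) echo "fcontext_pattern: absolute path required: $1" >&2
           return 1 ;;
    esac
    dir=${1%/}
    esc=$(printf '%s' "$dir" | sed 's/[].[*+?(){}|^$\\]/\\&/g')
    printf '%s(/.*)?\n' "$esc"
}

# label_tree TYPE DIR
# semanage only records the rule in the local file-context database;
# files already on disk keep their old label until restorecon runs.
label_tree() {
    pattern=$(fcontext_pattern "$2") || return 1
    semanage fcontext -a -t "$1" "$pattern" || return 1
    restorecon -R -v "$2" || return 1
    ls -dZ "$2"    # show the resulting label for a visual check
}

# On an SELinux host, as root:
#   label_tree TYPE /usr/local/share/munin/plugins
```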
.SS FUNCTIONAL
.INDENT 0.0
.TP
.B munin_etc_t
is used for the munin configuration files
.UNINDENT
.SS EXECUTABLES
.INDENT 0.0
.TP
.B munin_exec_t
is used for the munin binaries
.TP
.B munin_initrc_exec_t
is used for the munin init script
.TP
.B \(aq*\(aq_munin_plugin_exec_t
is used for the munin plugin executables
.UNINDENT
.SS DAEMON FILES
.INDENT 0.0
.TP
.B munin_log_t
is used for the munin logs
.TP
.B munin_plugin_state_t
is used for the munin plugin state information
.TP
.B munin_var_lib_t
is used for the variable information used by munin
.TP
.B munin_var_run_t
is used for the variable runtime state information of munin
.UNINDENT
.SH POLICY
.sp
The following interfaces can be used to enhance the default policy with munin\-related privileges. More details on these interfaces can be found in the interface HTML documentation; not all available interfaces are listed here.
.SS Plugin template
.sp
With the \fBmunin_plugin_template\fP interface, additional munin plugin domains can be created. The interface takes a single prefix (like "disk") and will create the proper types and privileges, including (using "disk" as the example):
.INDENT 0.0
.IP \(bu 2
\fIdisk_munin_plugin_t\fP as plugin domain
.IP \(bu 2
\fIdisk_munin_plugin_exec_t\fP as plugin executable type
.IP \(bu 2
\fIdisk_munin_plugin_tmp_t\fP as plugin temporary file type
.UNINDENT
.sp
To enable it:
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
munin_plugin_template(disk)
.ft P
.fi
.UNINDENT
.UNINDENT
.SS Administrative role
.sp
The \fBmunin_admin\fP interface grants a user role and type administrative access to the munin types:
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
munin_admin(myuser_t, myuser_r)
.ft P
.fi
.UNINDENT
.UNINDENT
.SH BUGS
.SS Munin
.sp
The \fBnet\-analyzer/munin\fP package deploys the munin cronjobs as end user cronjobs inside \fB/var/spool/cron/crontabs\fP\&.
The munin cronjobs are meant to be executed as the munin Linux account, but the jobs themselves are best seen as system cronjobs (as they are not related to a true interactive end user).
.sp
The default deployed files might not get the \fIsystem_u\fP SELinux ownership assigned. To fix this, execute the following command:
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
~# chcon \-u system_u /var/spool/cron/crontabs/munin
.ft P
.fi
.UNINDENT
.UNINDENT
.sp
For more information, see bug #526532.
.SH SEE ALSO
.INDENT 0.0
.IP \(bu 2
Gentoo and SELinux at \fI\%https://wiki.gentoo.org/wiki/SELinux\fP
.IP \(bu 2
Gentoo Hardened SELinux Project at \fI\%https://wiki.gentoo.org/wiki/Project:Hardened\fP
.UNINDENT
.SH AUTHOR
Sven Vermeulen
.\" Generated by docutils manpage writer.
.