fix(assets/selinux): allow D-Bus daemon IPC with unconfined services via FIFOs and UNIX sockets

markuslf · markuslf · commit 8ab732a4ee5f · 2025-07-08T14:49:46.000+02:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -11,12 +11,14 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/).
 
 Assets:
 
-* deb-updates: apt-get returns with an error ([#904](https://github.com/Linuxfabrik/monitoring-plugins/issues/904))
+* Linuxfabrik Monitoring Plugins [SELinux Type Enforcement Policies](https://github.com/Linuxfabrik/monitoring-plugins/blob/main/assets/selinux/linuxfabrik-monitoring-plugins.te): allow D-Bus daemon IPC with unconfined services via FIFOs and UNIX sockets
+
 
 Monitoring Plugins:
 
-* fix(openstack-swift-stat): Problem with python-keystoneclient, optimize requirements* ([#900](https://github.com/Linuxfabrik/lib/issues/900))
-* fix(valkey-status|redis-status): improve `--ignore-thp` ([#898](https://github.com/Linuxfabrik/lib/issues/898))
+* deb-updates: apt-get returns with an error ([#904](https://github.com/Linuxfabrik/monitoring-plugins/issues/904))
+* openstack-swift-stat: Problem with python-keystoneclient, optimize requirements* ([#900](https://github.com/Linuxfabrik/lib/issues/900))
+* valkey-status|redis-status: improve `--ignore-thp` ([#898](https://github.com/Linuxfabrik/lib/issues/898))
 
 
 ### Changed ("refactor", "chore" etc.)
@@ -25,6 +27,7 @@ Assets:
 
 * To make it easier to integrate with other tools, all RST files have been converted to GitHub-flavoured Markdown.
 
+
 Monitoring Plugins:
 
 * rocketchat-stats: improve output and docs a little bit
@@ -118,6 +121,7 @@ Build, CI/CD:
 
 * Linux: To save disk space, we *no longer compile* to binaries. The .rpm and .deb packages now ship the source code and require Python 3.9 to be installed on the target host. Sorry for the trouble.
 
+
 Icinga Director:
 
 * all-the-rest.json: drop legacy commands
@@ -281,6 +285,7 @@ Build, CI/CD:
 
 * compile-one.sh: provide Nuitka's no-deployment-flag ([#864](https://github.com/Linuxfabrik/monitoring-plugins/issues/864))
 
+
 Monitoring Plugins:
 
 * by-ssh: fix traceback on "permission denied"
diff --git a/assets/selinux/linuxfabrik-monitoring-plugins.te b/assets/selinux/linuxfabrik-monitoring-plugins.te
@@ -6,5 +6,18 @@ require {
     class file { execute map };
 }
 
+
 #============= chronyc_t ==============
 allow chronyc_t nagios_unconfined_plugin_exec_t:file { execute map };
+
+
+# Errors:
+# * "Failed to start transient service unit: Connection reset by peer"
+# * "Failed to get properties: Transport endpoint is not connected"
+# Caused by (examples):
+# * `systemctl --machine myuser@.host --user ... my.service` (`--user` is important here)
+# Effects:
+# * Allow D-Bus daemon IPC with unconfined services via FIFOs and UNIX sockets.
+#============= system_dbusd_t ==============
+allow system_dbusd_t unconfined_service_t:fifo_file write;
+allow system_dbusd_t unconfined_service_t:unix_stream_socket { read write };
