2016-07-31 09:10:00

by Russell Coker

Subject: [refpolicy] [PATCH] policy for "mon" network monitoring

The following patch adds policy support for "mon" AKA "trockimon".

The domain mon_t is for the main daemon that controls everything and sends
alerts. The domain mon_test_t is for running the tests, it needs a separate
domain because it deals with data from untrusted sources (network tests).

The mon_test_t domain needs lots of access to the system and network services.
It also has sudo access for running status checks that require root access
such as getting the status of ZFS and BTRFS arrays.

We could consider setting up multiple domains for tests, for example one
domain for talking to the Internet and another for local checks. But I
think that the current policy is good enough to be included at the moment
and we can discuss changes later.

diff -ruN /home/rjc/src/pol-git/policy/modules/contrib/mon.fc ./policy/modules/contrib/mon.fc
--- /home/rjc/src/pol-git/policy/modules/contrib/mon.fc 1970-01-01 10:00:00.000000000 +1000
+++ ./policy/modules/contrib/mon.fc 2016-07-31 19:01:48.337528893 +1000
@@ -0,0 +1,9 @@
+
+/usr/sbin/mon -- gen_context(system_u:object_r:mon_exec_t,s0)
+/usr/lib/mon/mon.d/.* -- gen_context(system_u:object_r:mon_test_exec_t,s0)
+/usr/lib/mon-contrib/mon.d/.* -- gen_context(system_u:object_r:mon_test_exec_t,s0)
+
+/var/run/mon(/.*)? gen_context(system_u:object_r:mon_var_run_t,s0)
+
+/var/lib/mon(/.*)? gen_context(system_u:object_r:mon_var_lib_t,s0)
+/var/log/mon(/.*)? gen_context(system_u:object_r:mon_var_log_t,s0)
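Review bot: the hunk opens with an empty `+` line before `/usr/sbin/mon`; refpolicy .fc files start with the first entry, so drop it. The entries themselves look right: the mon.d scripts get mon_test_exec_t, which is the entry point the domtrans_pattern in mon.te needs, and the pid, lib and log directories get their own types. Nothing labels mon's configuration, so it stays etc_t and is readable only by domains that call files_read_etc_files (mon_t does, the mon_test_t block does not), which is worth checking against what the mon.d scripts actually open.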
diff -ruN /home/rjc/src/pol-git/policy/modules/contrib/mon.if ./policy/modules/contrib/mon.if
--- /home/rjc/src/pol-git/policy/modules/contrib/mon.if 1970-01-01 10:00:00.000000000 +1000
+++ ./policy/modules/contrib/mon.if 2016-07-31 19:01:48.337528893 +1000
@@ -0,0 +1 @@
+## <summary>mon network monitoring daemon.</summary>
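Review bot: the file carries only the module summary and no interfaces. A daemon module that declares its own pid, lib and log types normally also provides the admin interface (refpolicy's convention would name it mon_admin) so an administrative role can manage those files and signal the daemon; an empty .if is acceptable for an initial merge, but the admin interface should follow before the module is relied on.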
diff -ruN /home/rjc/src/pol-git/policy/modules/contrib/mon.te ./policy/modules/contrib/mon.te
--- /home/rjc/src/pol-git/policy/modules/contrib/mon.te 1970-01-01 10:00:00.000000000 +1000
+++ ./policy/modules/contrib/mon.te 2016-07-31 19:01:48.337528893 +1000
@@ -0,0 +1,134 @@
+policy_module(mon, 1.12.0)
+
+########################################
+#
+# Declarations
+#
+
+type mon_t;
+type mon_exec_t;
+init_daemon_domain(mon_t, mon_exec_t)
+
+type mon_test_t;
+type mon_test_exec_t;
+
+domain_type(mon_test_t)
+domain_entry_file(mon_test_t, mon_test_exec_t)
+role system_r types mon_test_t;
+domtrans_pattern(mon_t, mon_test_exec_t, mon_test_t)
+
+type mon_var_run_t;
+files_pid_file(mon_var_run_t)
+
+type mon_var_lib_t;
+files_type(mon_var_lib_t)
+
+type mon_var_log_t;
+logging_log_file(mon_var_log_t)
+
+type mon_tmp_t;
+files_tmp_file(mon_tmp_t)
+
+########################################
+#
+# Local policy
+# mon_t is for the main mon process and for sending alerts
+#
+
+corenet_tcp_bind_mon_port(mon_t)
+corenet_udp_bind_mon_port(mon_t)
+corenet_tcp_bind_generic_node(mon_t)
+corenet_udp_bind_generic_node(mon_t)
+allow mon_t self:tcp_socket create_stream_socket_perms;
+
+corenet_tcp_connect_jabber_client_port(mon_t)
+
+allow mon_t self:fifo_file rw_fifo_file_perms;
+
+manage_dirs_pattern(mon_t, mon_tmp_t, mon_tmp_t)
+manage_files_pattern(mon_t, mon_tmp_t, mon_tmp_t)
+files_tmp_filetrans(mon_t, mon_tmp_t, { file dir })
+
+manage_files_pattern(mon_t, mon_var_run_t, mon_var_run_t)
+files_pid_filetrans(mon_t, mon_var_run_t, file)
+
+manage_files_pattern(mon_t, mon_var_lib_t, mon_var_lib_t)
+
+kernel_read_kernel_sysctls(mon_t)
+kernel_read_network_state(mon_t)
+kernel_read_system_state(mon_t)
+
+domain_use_interactive_fds(mon_t)
+
+corecmd_exec_bin(mon_t)
+dev_read_urand(mon_t)
+logging_search_logs(mon_t)
+manage_files_pattern(mon_t, mon_var_log_t, mon_var_log_t)
+
+files_read_etc_files(mon_t)
+files_read_etc_runtime_files(mon_t)
+files_read_usr_files(mon_t)
+
+fs_getattr_all_fs(mon_t)
+fs_search_auto_mountpoints(mon_t)
+
+term_dontaudit_search_ptys(mon_t)
+
+application_signull(mon_t)
+
+init_read_utmp(mon_t)
+
+libs_exec_ld_so(mon_t)
+libs_exec_lib_files(mon_t)
+
+logging_send_syslog_msg(mon_t)
+
+miscfiles_read_localization(mon_t)
+
+sysnet_dns_name_resolve(mon_t)
+
+userdom_dontaudit_use_unpriv_user_fds(mon_t)
+userdom_dontaudit_search_user_home_dirs(mon_t)
+
+corecmd_exec_shell(mon_t)
+
+optional_policy(`
+ mta_send_mail(mon_t)
+')
+
+########################################
+#
+# Local policy
+# mon_test_t is for actually running the tests
+#
+
+can_exec(mon_test_t, mon_test_exec_t)
+manage_files_pattern(mon_test_t, mon_var_lib_t, mon_var_lib_t)
+allow mon_test_t self:fifo_file rw_file_perms;
+corecmd_exec_bin(mon_test_t)
+miscfiles_read_localization(mon_test_t)
+files_read_usr_files(mon_test_t)
+fs_getattr_xattr_fs(mon_test_t)
+sysnet_read_config(mon_test_t)
+auth_use_nsswitch(mon_test_t)
+dev_read_urand(mon_test_t)
+corenet_tcp_connect_all_ports(mon_test_t)
+dev_dontaudit_getattr_all_chr_files(mon_test_t)
+kernel_dontaudit_getattr_core_if(mon_test_t)
+domain_read_all_domains_state(mon_test_t)
+corecmd_exec_shell(mon_test_t)
+kernel_getattr_proc(mon_test_t)
+kernel_read_system_state(mon_test_t)
+kernel_read_software_raid_state(mon_test_t)
+netutils_domtrans_ping(mon_test_t)
+fs_search_nfs(mon_test_t)
+fs_getattr_nfs(mon_test_t)
+
+
+optional_policy(`
+ bind_read_zone(mon_test_t)
+')
+
+optional_policy(`
+ sudo_role_template(system, system_r, mon_test_t)
+')
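Review bot: `netutils_domtrans_ping(mon_test_t)` calls a contrib module outside optional_policy(), which fails the build for anyone not loading netutils; wrap it the way bind_read_zone is wrapped a few lines below. In the same block `allow mon_test_t self:fifo_file rw_file_perms;` should be rw_fifo_file_perms, as the mon_t rule uses. The mon_test_t rules are otherwise one unsorted run (corecmd, miscfiles, files, fs, sysnet, auth, dev, corenet, dev, kernel, domain, corecmd, kernel ...) while the mon_t section is grouped by module; group and sort them the same way, local allow rules and *_pattern macros first. Two smaller points: a new module conventionally starts at policy_module(mon, 1.0.0) rather than 1.12.0, and corenet_tcp_connect_all_ports(mon_test_t) together with sudo_role_template(system, system_r, mon_test_t) means a test script fed hostile network data can reach any port and also enter the sudo domain, which is the split the cover letter already proposes for later.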
diff -ruN /home/rjc/src/pol-git/policy/modules/kernel/corenetwork.te.in ./policy/modules/kernel/corenetwork.te.in
--- /home/rjc/src/pol-git/policy/modules/kernel/corenetwork.te.in 2016-07-28 20:33:39.959961616 +1000
+++ ./policy/modules/kernel/corenetwork.te.in 2016-07-31 19:01:48.341529000 +1000
@@ -176,6 +176,7 @@
network_port(memcache, tcp,11211,s0, udp,11211,s0)
network_port(milter) # no defined portcon
network_port(mmcc, tcp,5050,s0, udp,5050,s0)
+network_port(mon, tcp,2583,s0, udp,2583,s0)
network_port(monopd, tcp,1234,s0)
network_port(mountd, tcp,20048,s0, udp,20048,s0)
network_port(movaz_ssc, tcp,5252,s0, udp,5252,s0)
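Review bot: the new line sorts correctly between mmcc and monopd and the hunk header's line counts match. Nothing in the patch connects to the new port type (mon_t only binds it), so a confined client of the daemon would still need a corenet_tcp_connect_mon_port call in its own policy; fine to leave for later, but worth a line in the commit text. Also confirm that 2583 is not already claimed by another portcon in corenetwork.te.in, since a duplicate port declaration fails at build time.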


2016-08-03 00:25:57

by Chris PeBenito

Subject: [refpolicy] [PATCH] policy for "mon" network monitoring

On 07/31/16 05:10, Russell Coker wrote:
> The following patch adds policy support for "mon" AKA "trockimon".
>
> The domain mon_t is for the main daemon that controls everything and sends
> alerts. The domain mon_test_t is for running the tests, it needs a separate
> domain because it deals with data from untrusted sources (network tests).
>
> The mon_test_t domain needs lots of access to the system and network services.
> It also has sudo access for running status checks that require root access
> such as getting the status of ZFS and BTRFS arrays.
>
> We could consider setting up multiple domains for tests, for example one
> domain for talking to the Internet and another for local checks. But I

That would be a good thing to move towards as the network access on top
of sudo doesn't inspire me with much confidence.

> think that the current policy is good enough to be included at the moment
> and we can discuss changes later.

The mon_test_t rules need some style cleanup, then I think we can look
at merging it with its current domain set.


> diff -ruN /home/rjc/src/pol-git/policy/modules/contrib/mon.fc ./policy/modules/contrib/mon.fc
> --- /home/rjc/src/pol-git/policy/modules/contrib/mon.fc 1970-01-01 10:00:00.000000000 +1000
> +++ ./policy/modules/contrib/mon.fc 2016-07-31 19:01:48.337528893 +1000
> @@ -0,0 +1,9 @@
> +
> +/usr/sbin/mon -- gen_context(system_u:object_r:mon_exec_t,s0)
> +/usr/lib/mon/mon.d/.* -- gen_context(system_u:object_r:mon_test_exec_t,s0)
> +/usr/lib/mon-contrib/mon.d/.* -- gen_context(system_u:object_r:mon_test_exec_t,s0)
> +
> +/var/run/mon(/.*)? gen_context(system_u:object_r:mon_var_run_t,s0)
> +
> +/var/lib/mon(/.*)? gen_context(system_u:object_r:mon_var_lib_t,s0)
> +/var/log/mon(/.*)? gen_context(system_u:object_r:mon_var_log_t,s0)
> diff -ruN /home/rjc/src/pol-git/policy/modules/contrib/mon.if ./policy/modules/contrib/mon.if
> --- /home/rjc/src/pol-git/policy/modules/contrib/mon.if 1970-01-01 10:00:00.000000000 +1000
> +++ ./policy/modules/contrib/mon.if 2016-07-31 19:01:48.337528893 +1000
> @@ -0,0 +1 @@
> +## <summary>mon network monitoring daemon.</summary>
> diff -ruN /home/rjc/src/pol-git/policy/modules/contrib/mon.te ./policy/modules/contrib/mon.te
> --- /home/rjc/src/pol-git/policy/modules/contrib/mon.te 1970-01-01 10:00:00.000000000 +1000
> +++ ./policy/modules/contrib/mon.te 2016-07-31 19:01:48.337528893 +1000
> @@ -0,0 +1,134 @@
> +policy_module(mon, 1.12.0)
> +
> +########################################
> +#
> +# Declarations
> +#
> +
> +type mon_t;
> +type mon_exec_t;
> +init_daemon_domain(mon_t, mon_exec_t)
> +
> +type mon_test_t;
> +type mon_test_exec_t;
> +
> +domain_type(mon_test_t)
> +domain_entry_file(mon_test_t, mon_test_exec_t)
> +role system_r types mon_test_t;
> +domtrans_pattern(mon_t, mon_test_exec_t, mon_test_t)
> +
> +type mon_var_run_t;
> +files_pid_file(mon_var_run_t)
> +
> +type mon_var_lib_t;
> +files_type(mon_var_lib_t)
> +
> +type mon_var_log_t;
> +logging_log_file(mon_var_log_t)
> +
> +type mon_tmp_t;
> +files_tmp_file(mon_tmp_t)
> +
> +########################################
> +#
> +# Local policy
> +# mon_t is for the main mon process and for sending alerts
> +#
> +
> +corenet_tcp_bind_mon_port(mon_t)
> +corenet_udp_bind_mon_port(mon_t)
> +corenet_tcp_bind_generic_node(mon_t)
> +corenet_udp_bind_generic_node(mon_t)
> +allow mon_t self:tcp_socket create_stream_socket_perms;
> +
> +corenet_tcp_connect_jabber_client_port(mon_t)
> +
> +allow mon_t self:fifo_file rw_fifo_file_perms;
> +
> +manage_dirs_pattern(mon_t, mon_tmp_t, mon_tmp_t)
> +manage_files_pattern(mon_t, mon_tmp_t, mon_tmp_t)
> +files_tmp_filetrans(mon_t, mon_tmp_t, { file dir })
> +
> +manage_files_pattern(mon_t, mon_var_run_t, mon_var_run_t)
> +files_pid_filetrans(mon_t, mon_var_run_t, file)
> +
> +manage_files_pattern(mon_t, mon_var_lib_t, mon_var_lib_t)
> +
> +kernel_read_kernel_sysctls(mon_t)
> +kernel_read_network_state(mon_t)
> +kernel_read_system_state(mon_t)
> +
> +domain_use_interactive_fds(mon_t)
> +
> +corecmd_exec_bin(mon_t)
> +dev_read_urand(mon_t)
> +logging_search_logs(mon_t)
> +manage_files_pattern(mon_t, mon_var_log_t, mon_var_log_t)
> +
> +files_read_etc_files(mon_t)
> +files_read_etc_runtime_files(mon_t)
> +files_read_usr_files(mon_t)
> +
> +fs_getattr_all_fs(mon_t)
> +fs_search_auto_mountpoints(mon_t)
> +
> +term_dontaudit_search_ptys(mon_t)
> +
> +application_signull(mon_t)
> +
> +init_read_utmp(mon_t)
> +
> +libs_exec_ld_so(mon_t)
> +libs_exec_lib_files(mon_t)
> +
> +logging_send_syslog_msg(mon_t)
> +
> +miscfiles_read_localization(mon_t)
> +
> +sysnet_dns_name_resolve(mon_t)
> +
> +userdom_dontaudit_use_unpriv_user_fds(mon_t)
> +userdom_dontaudit_search_user_home_dirs(mon_t)
> +
> +corecmd_exec_shell(mon_t)
> +
> +optional_policy(`
> + mta_send_mail(mon_t)
> +')
> +
> +########################################
> +#
> +# Local policy
> +# mon_test_t is for actually running the tests
> +#
> +
> +can_exec(mon_test_t, mon_test_exec_t)
> +manage_files_pattern(mon_test_t, mon_var_lib_t, mon_var_lib_t)
> +allow mon_test_t self:fifo_file rw_file_perms;
> +corecmd_exec_bin(mon_test_t)
> +miscfiles_read_localization(mon_test_t)
> +files_read_usr_files(mon_test_t)
> +fs_getattr_xattr_fs(mon_test_t)
> +sysnet_read_config(mon_test_t)
> +auth_use_nsswitch(mon_test_t)
> +dev_read_urand(mon_test_t)
> +corenet_tcp_connect_all_ports(mon_test_t)
> +dev_dontaudit_getattr_all_chr_files(mon_test_t)
> +kernel_dontaudit_getattr_core_if(mon_test_t)
> +domain_read_all_domains_state(mon_test_t)
> +corecmd_exec_shell(mon_test_t)
> +kernel_getattr_proc(mon_test_t)
> +kernel_read_system_state(mon_test_t)
> +kernel_read_software_raid_state(mon_test_t)
> +netutils_domtrans_ping(mon_test_t)
> +fs_search_nfs(mon_test_t)
> +fs_getattr_nfs(mon_test_t)
> +
> +
> +optional_policy(`
> + bind_read_zone(mon_test_t)
> +')
> +
> +optional_policy(`
> + sudo_role_template(system, system_r, mon_test_t)
> +')
> diff -ruN /home/rjc/src/pol-git/policy/modules/kernel/corenetwork.te.in ./policy/modules/kernel/corenetwork.te.in
> --- /home/rjc/src/pol-git/policy/modules/kernel/corenetwork.te.in 2016-07-28 20:33:39.959961616 +1000
> +++ ./policy/modules/kernel/corenetwork.te.in 2016-07-31 19:01:48.341529000 +1000
> @@ -176,6 +176,7 @@
> network_port(memcache, tcp,11211,s0, udp,11211,s0)
> network_port(milter) # no defined portcon
> network_port(mmcc, tcp,5050,s0, udp,5050,s0)
> +network_port(mon, tcp,2583,s0, udp,2583,s0)
> network_port(monopd, tcp,1234,s0)
> network_port(mountd, tcp,20048,s0, udp,20048,s0)
> network_port(movaz_ssc, tcp,5252,s0, udp,5252,s0)
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
>


--
Chris PeBenito

2016-08-03 02:31:26

by Russell Coker

Subject: [refpolicy] [PATCH] policy for "mon" network monitoring

On Wed, 3 Aug 2016 10:25:57 AM Chris PeBenito wrote:
> > We could consider setting up multiple domains for tests, for example one
> > domain for talking to the Internet and another for local checks. But I
>
> That would be a good thing to move towards as the network access on top
> of sudo doesn't inspire me with much confidence.

Well it's not nearly as bad as the daemons that have net access and
capabilities like setuid.

> > think that the current policy is good enough to be included at the moment
> > and we can discuss changes later.
>
> The mon_test_t rules need some style cleanup, then I think we can look
> at merging it with its current domain set.

What type of style issues?

--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/

2016-08-03 02:44:44

by Jason Zaman

Subject: [refpolicy] [PATCH] policy for "mon" network monitoring

On Wed, Aug 03, 2016 at 12:31:26PM +1000, Russell Coker wrote:
> On Wed, 3 Aug 2016 10:25:57 AM Chris PeBenito wrote:
> > > We could consider setting up multiple domains for tests, for example one
> > > domain for talking to the Internet and another for local checks. But I
> >
> > That would be a good thing to move towards as the network access on top
> > of sudo doesn't inspire me with much confidence.

Not really useful right now, but ZFS has merged in the "zfs allow" stuff
so hopefully in the near future root will not be required for doing some
ZFS operations.
>
> Well it's not nearly as bad as the daemons that have net access and
> capabilities like setuid.
>
> > > think that the current policy is good enough to be included at the moment
> > > and we can discuss changes later.
> >
> > The mon_test_t rules need some style cleanup, then I think we can look
> > at merging it with its current domain set.
>
> What type of style issues?

SwifT actually has a script to spit out some issues:
https://github.com/sjvermeu/small.coding/blob/master/se_scripts/severifystyle
It's pretty good at finding the less obvious things. Is this something
we should perhaps get pushed up into refpol/support/?

Also, if there are things that the script reports incorrectly, I'd like
to know so it can be fixed.
>
> --
> My Main Blog http://etbe.coker.com.au/
> My Documents Blog http://doc.coker.com.au/

2016-08-06 19:54:50

by Chris PeBenito

Subject: [refpolicy] [PATCH] policy for "mon" network monitoring

On 08/02/16 22:31, Russell Coker wrote:
> On Wed, 3 Aug 2016 10:25:57 AM Chris PeBenito wrote:
>>> We could consider setting up multiple domains for tests, for example one
>>> domain for talking to the Internet and another for local checks. But I
>>
>> That would be a good thing to move towards as the network access on top
>> of sudo doesn't inspire me with much confidence.
>
> Well it's not nearly as bad as the daemons that have net access and
> capabilities like setuid.
>
>>> think that the current policy is good enough to be included at the moment
>>> and we can discuss changes later.
>>
>> The mon_test_t rules need some style cleanup, then I think we can look
>> at merging it with its current domain set.
>
> What type of style issues?

Minor. Primarily the mon_test_t rules are one big block that needs to
be broken up, grouped, and sorted in a similar way to the mon_t ones.

--
Chris PeBenito
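Chris's two review points in this thread (the mon_test_t rules being one unsorted run, and network access on top of sudo) and Jason's mention of a style-checking script both describe checks that can be made mechanical. What follows is an added example written for this page, not refpolicy's own tooling and not SwifT's severifystyle: a small Python linter that parses a .te excerpt and reports exactly those points, plus the rw_file_perms-on-a-fifo slip and contrib interfaces used outside optional_policy(). The embedded input is a shortened copy of the mon_t and mon_test_t blocks from the patch. The module ordering it enforces (kernel layer, then system layer, alphabetical within each, contrib modules only inside optional_policy) is the refpolicy convention as I understand it and is an assumption of the example, as is the heuristic that an interface's subject domain is its first argument ending in _t.

```python
"""Lint a refpolicy .te excerpt (added example, not refpolicy or mon code).
Checks: interface calls not grouped/sorted by module, contrib interfaces used
outside optional_policy(), fifo_file rules with a non-fifo permission set, and
domains combining connect-to-all-ports with a sudo domain.  The module order
assumed here is the usual refpolicy convention; the layer tables are abbreviated."""
import re
from collections import namedtuple

Rule = namedtuple("Rule", "domain kind name module optional")
KERNEL_LAYER = {"kernel", "corecmd", "corenet", "dev", "domain", "files",
                "fs", "mls", "selinux", "storage", "term"}
SYSTEM_LAYER = {"application", "auth", "init", "libs", "logging",
                "miscfiles", "seutil", "sysnet", "userdom"}
CALL_RE = re.compile(r"^(\w+)\((.*)\)$")
LOCAL_MACROS = ("_pattern", "_filetrans")  # support macros, own-type filetrans

# Constructed input: shortened copies of the mon_t and mon_test_t rule blocks
# from the patch in this thread, keeping the lines the checks react to.
MON_TE = """\
corenet_tcp_bind_mon_port(mon_t)
allow mon_t self:tcp_socket create_stream_socket_perms;
allow mon_t self:fifo_file rw_fifo_file_perms;
manage_files_pattern(mon_t, mon_var_run_t, mon_var_run_t)
files_pid_filetrans(mon_t, mon_var_run_t, file)
kernel_read_system_state(mon_t)
corecmd_exec_bin(mon_t)
files_read_etc_files(mon_t)
sysnet_dns_name_resolve(mon_t)
optional_policy(`
    mta_send_mail(mon_t)
')
can_exec(mon_test_t, mon_test_exec_t)
allow mon_test_t self:fifo_file rw_file_perms;
corecmd_exec_bin(mon_test_t)
miscfiles_read_localization(mon_test_t)
sysnet_read_config(mon_test_t)
auth_use_nsswitch(mon_test_t)
dev_read_urand(mon_test_t)
corenet_tcp_connect_all_ports(mon_test_t)
kernel_read_system_state(mon_test_t)
netutils_domtrans_ping(mon_test_t)
fs_search_nfs(mon_test_t)
optional_policy(`
    sudo_role_template(system, system_r, mon_test_t)
')
"""


def parse_rules(text):
    """Rules in file order.  Subject domain = first argument ending in _t,
    which holds for refpolicy interfaces (sudo_role_template's is its third)."""
    rules, optional = [], False
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.startswith("optional_policy("):
            optional = True
        elif line == "')":
            optional = False
        elif line.startswith("allow "):
            rules.append(Rule(line.split()[1], "allow", line.rstrip(";"), None, optional))
        elif (m := CALL_RE.match(line)):
            name, args = m.group(1), [a.strip() for a in m.group(2).split(",")]
            domain = next((a for a in args if a.endswith("_t")), None)
            if domain and (name.endswith(LOCAL_MACROS) or name == "can_exec"):
                rules.append(Rule(domain, "pattern", name, None, optional))
            elif domain:
                rules.append(Rule(domain, "interface", name, name.split("_")[0], optional))
    return rules


def order_key(module):
    """Sort key for the assumed refpolicy module order; layer 2 is contrib."""
    layer = 0 if module in KERNEL_LAYER else 1 if module in SYSTEM_LAYER else 2
    return (layer, "" if module == "kernel" else module)


def ordering_issues(rules, domain):
    """(previous, current) module pairs where a domain's interface calls go
    backwards in module order, i.e. are not grouped and sorted."""
    mods = [r.module for r in rules
            if r.domain == domain and r.kind == "interface" and not r.optional]
    return [(a, b) for a, b in zip(mods, mods[1:]) if order_key(b) < order_key(a)]


def contrib_outside_optional(rules):
    return sorted({r.name for r in rules if r.kind == "interface"
                   and not r.optional and order_key(r.module)[0] == 2})


def odd_fifo_perms(rules):
    return [r.name for r in rules if r.kind == "allow"
            and ":fifo_file " in r.name and "fifo_file_perms" not in r.name]


def risky_combinations(rules):
    """Domains allowed to connect to every port that also get a sudo domain."""
    found = []
    for domain in sorted({r.domain for r in rules}):
        names = {r.name for r in rules if r.domain == domain}
        net = {n for n in names if n.startswith("corenet_") and "connect_all" in n}
        sudo = {n for n in names if n.startswith("sudo_")}
        if net and sudo:
            found.append((domain, sorted(net | sudo)))
    return found


if __name__ == "__main__":
    rules = parse_rules(MON_TE)
    for dom in ("mon_t", "mon_test_t"):
        print(dom, "out-of-order pairs:", ordering_issues(rules, dom))
    print("contrib outside optional_policy:", contrib_outside_optional(rules))
    print("odd fifo perms:", odd_fifo_perms(rules), "net+sudo:", risky_combinations(rules))
```

Run as a script it prints the findings for the embedded excerpt; the functions return plain lists, so a whole .te file can be passed to parse_rules instead. On this input it reports one backwards step for mon_t (corenet before kernel) against five for mon_test_t, names netutils_domtrans_ping as the contrib call outside optional_policy, flags the rw_file_perms fifo rule, and lists mon_test_t as the domain holding both corenet_tcp_connect_all_ports and sudo_role_template.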