From: russell@coker.com.au (Russell Coker) Date: Sun, 31 Jul 2016 19:10:00 +1000 Subject: [refpolicy] [PATCH] policy for "mon" network monitoring Message-ID: <20160731090959.fihe7ytiorwwfjno@athena.coker.com.au> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com The following patch adds policy support for "mon" AKA "trockimon". The domain mon_t is for the main daemon that controls everything and sends alerts. The domain mon_test_t is for running the tests, it needs a separate domain because it deals with data from untrusted sources (network tests). The mon_test_t domain needs lots of access to the system and network services. It also has sudo access for running status checks that require root access such as getting the status of ZFS and BTRFS arrays. We could consider setting up multiple domains for tests, for example one domain for talking to the Internet and another for local checks. But I think that the current policy is good enough to be included at the moment and we can discuss changes later.
diff -ruN /home/rjc/src/pol-git/policy/modules/contrib/mon.fc ./policy/modules/contrib/mon.fc
--- /home/rjc/src/pol-git/policy/modules/contrib/mon.fc 1970-01-01 10:00:00.000000000 +1000
+++ ./policy/modules/contrib/mon.fc 2016-07-31 19:01:48.337528893 +1000
@@ -0,0 +1,9 @@
+
+/usr/sbin/mon -- gen_context(system_u:object_r:mon_exec_t,s0)
+/usr/lib/mon/mon.d/.* -- gen_context(system_u:object_r:mon_test_exec_t,s0)
+/usr/lib/mon-contrib/mon.d/.* -- gen_context(system_u:object_r:mon_test_exec_t,s0)
+
+/var/run/mon(/.*)? gen_context(system_u:object_r:mon_var_run_t,s0)
+
+/var/lib/mon(/.*)? gen_context(system_u:object_r:mon_var_lib_t,s0)
+/var/log/mon(/.*)? gen_context(system_u:object_r:mon_var_log_t,s0)
diff -ruN /home/rjc/src/pol-git/policy/modules/contrib/mon.if ./policy/modules/contrib/mon.if
--- /home/rjc/src/pol-git/policy/modules/contrib/mon.if 1970-01-01 10:00:00.000000000 +1000
+++ ./policy/modules/contrib/mon.if 2016-07-31 19:01:48.337528893 +1000
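Review bot: The first added line of mon.fc is an empty line; refpolicy .fc files begin directly with their first entry, so the leading blank should be dropped. The remaining entries match the types declared in mon.te (mon_exec_t, mon_test_exec_t, mon_var_run_t, mon_var_lib_t, mon_var_log_t), so nothing else in this hunk needs changing.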
@@ -0,0 +1 @@
+## mon network monitoring daemon.
diff -ruN /home/rjc/src/pol-git/policy/modules/contrib/mon.te ./policy/modules/contrib/mon.te
--- /home/rjc/src/pol-git/policy/modules/contrib/mon.te 1970-01-01 10:00:00.000000000 +1000
+++ ./policy/modules/contrib/mon.te 2016-07-31 19:01:48.337528893 +1000
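Review bot: `+## mon network monitoring daemon.` is missing the `<summary>` element that the policy documentation build reads from .if files; other contrib interface files open with `## <summary>Mon network monitoring daemon.</summary>`. The file otherwise declares no interfaces, so no other module can, for example, read mon logs or transition to mon_t, and an admin interface such as `mon_admin` is what new contrib modules are normally expected to provide; if it is deferred, the commit message should say so.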
@@ -0,0 +1,134 @@
+policy_module(mon, 1.12.0)
+
+########################################
+#
+# Declarations
+#
+
+type mon_t;
+type mon_exec_t;
+init_daemon_domain(mon_t, mon_exec_t)
+
+type mon_test_t;
+type mon_test_exec_t;
+
+domain_type(mon_test_t)
+domain_entry_file(mon_test_t, mon_test_exec_t)
+role system_r types mon_test_t;
+domtrans_pattern(mon_t, mon_test_exec_t, mon_test_t)
+
+type mon_var_run_t;
+files_pid_file(mon_var_run_t)
+
+type mon_var_lib_t;
+files_type(mon_var_lib_t)
+
+type mon_var_log_t;
+logging_log_file(mon_var_log_t)
+
+type mon_tmp_t;
+files_tmp_file(mon_tmp_t)
+
+########################################
+#
+# Local policy
+# mon_t is for the main mon process and for sending alerts
+#
+
+corenet_tcp_bind_mon_port(mon_t)
+corenet_udp_bind_mon_port(mon_t)
+corenet_tcp_bind_generic_node(mon_t)
+corenet_udp_bind_generic_node(mon_t)
+allow mon_t self:tcp_socket create_stream_socket_perms;
+
+corenet_tcp_connect_jabber_client_port(mon_t)
+
+allow mon_t self:fifo_file rw_fifo_file_perms;
+
+manage_dirs_pattern(mon_t, mon_tmp_t, mon_tmp_t)
+manage_files_pattern(mon_t, mon_tmp_t, mon_tmp_t)
+files_tmp_filetrans(mon_t, mon_tmp_t, { file dir })
+
+manage_files_pattern(mon_t, mon_var_run_t, mon_var_run_t)
+files_pid_filetrans(mon_t, mon_var_run_t, file)
+
+manage_files_pattern(mon_t, mon_var_lib_t, mon_var_lib_t)
+
+kernel_read_kernel_sysctls(mon_t)
+kernel_read_network_state(mon_t)
+kernel_read_system_state(mon_t)
+
+domain_use_interactive_fds(mon_t)
+
+corecmd_exec_bin(mon_t)
+dev_read_urand(mon_t)
+logging_search_logs(mon_t)
+manage_files_pattern(mon_t, mon_var_log_t, mon_var_log_t)
+
+files_read_etc_files(mon_t)
+files_read_etc_runtime_files(mon_t)
+files_read_usr_files(mon_t)
+
+fs_getattr_all_fs(mon_t)
+fs_search_auto_mountpoints(mon_t)
+
+term_dontaudit_search_ptys(mon_t)
+
+application_signull(mon_t)
+
+init_read_utmp(mon_t)
+
+libs_exec_ld_so(mon_t)
+libs_exec_lib_files(mon_t)
+
+logging_send_syslog_msg(mon_t)
+
+miscfiles_read_localization(mon_t)
+
+sysnet_dns_name_resolve(mon_t)
+
+userdom_dontaudit_use_unpriv_user_fds(mon_t)
+userdom_dontaudit_search_user_home_dirs(mon_t)
+
+corecmd_exec_shell(mon_t)
+
+optional_policy(`
+ mta_send_mail(mon_t)
+')
+
+########################################
+#
+# Local policy
+# mon_test_t is for actually running the tests
+#
+
+can_exec(mon_test_t, mon_test_exec_t)
+manage_files_pattern(mon_test_t, mon_var_lib_t, mon_var_lib_t)
+allow mon_test_t self:fifo_file rw_file_perms;
+corecmd_exec_bin(mon_test_t)
+miscfiles_read_localization(mon_test_t)
+files_read_usr_files(mon_test_t)
+fs_getattr_xattr_fs(mon_test_t)
+sysnet_read_config(mon_test_t)
+auth_use_nsswitch(mon_test_t)
+dev_read_urand(mon_test_t)
+corenet_tcp_connect_all_ports(mon_test_t)
+dev_dontaudit_getattr_all_chr_files(mon_test_t)
+kernel_dontaudit_getattr_core_if(mon_test_t)
+domain_read_all_domains_state(mon_test_t)
+corecmd_exec_shell(mon_test_t)
+kernel_getattr_proc(mon_test_t)
+kernel_read_system_state(mon_test_t)
+kernel_read_software_raid_state(mon_test_t)
+netutils_domtrans_ping(mon_test_t)
+fs_search_nfs(mon_test_t)
+fs_getattr_nfs(mon_test_t)
+
+
+optional_policy(`
+ bind_read_zone(mon_test_t)
+')
+
+optional_policy(`
+ sudo_role_template(system, system_r, mon_test_t)
+')
diff -ruN /home/rjc/src/pol-git/policy/modules/kernel/corenetwork.te.in ./policy/modules/kernel/corenetwork.te.in
--- /home/rjc/src/pol-git/policy/modules/kernel/corenetwork.te.in 2016-07-28 20:33:39.959961616 +1000
+++ ./policy/modules/kernel/corenetwork.te.in 2016-07-31 19:01:48.341529000 +1000
@@ -176,6 +176,7 @@
 network_port(memcache, tcp,11211,s0, udp,11211,s0)
 network_port(milter) # no defined portcon
 network_port(mmcc, tcp,5050,s0, udp,5050,s0)
+network_port(mon, tcp,2583,s0, udp,2583,s0)
 network_port(monopd, tcp,1234,s0)
 network_port(mountd, tcp,20048,s0, udp,20048,s0)
 network_port(movaz_ssc, tcp,5252,s0, udp,5252,s0)
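Review bot: `allow mon_test_t self:fifo_file rw_file_perms;` in the mon_test_t section uses the generic file permission set while the mon_t rule earlier in this hunk uses `rw_fifo_file_perms`; the two should agree, `allow mon_test_t self:fifo_file rw_fifo_file_perms;`. mon_t gets only `manage_files_pattern` on mon_var_run_t and a file-only `files_pid_filetrans`, so if nothing outside the daemon creates /var/run/mon on a tmpfs /run the pid file write will presumably be denied; `manage_dirs_pattern(mon_t, mon_var_run_t, mon_var_run_t)` together with `files_pid_filetrans(mon_t, mon_var_run_t, { file dir })` would cover that case. A newly added module conventionally starts at `policy_module(mon, 1.0.0)` rather than 1.12.0. The mon_test_t section is a flat, unsorted run of interface calls; laying it out as the mon_t section does, self rules first and then interface calls grouped and ordered by module, would make later review of what this domain can reach much easier. Since mon_test_t is the domain that handles untrusted network input, `corenet_tcp_connect_all_ports(mon_test_t)` is the rule most worth gating with a `gen_tunable` defaulting to false, so installations that only run local checks do not carry it.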