From: pebenito@ieee.org (Chris PeBenito) Date: Tue, 2 Aug 2016 20:25:57 -0400 Subject: [refpolicy] [PATCH] policy for "mon" network monitoring In-Reply-To: <20160731090959.fihe7ytiorwwfjno@athena.coker.com.au> References: <20160731090959.fihe7ytiorwwfjno@athena.coker.com.au> Message-ID: <246b3e68-c54f-0454-97f1-8d8684f13d0c@ieee.org> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 07/31/16 05:10, Russell Coker wrote: > The following patch adds policy support for "mon" AKA "trockimon". > > The domain mon_t is for the main daemon that controls everything and sends > alerts. The domain mon_test_t is for running the tests, it needs a separate > domain because it deals with data from untrusted sources (network tests). > > The mon_test_t domain needs lots of access to the system and network services. > It also has sudo access for running status checks that require root access > such as getting the status of ZFS and BTRFS arrays. > > We could consider setting up multiple domains for tests, for example one > domain for talking to the Internet and another for local checks. But I That would be a good thing to move towards as the network access on top of sudo doesn't inspire me with much confidence. > think that the current policy is good enough to be included at the moment > and we can discuss changes later. The mon_test_t rules need some style cleanup, then I think we can look at merging it with its current domain set. > diff -ruN /home/rjc/src/pol-git/policy/modules/contrib/mon.fc ./policy/modules/contrib/mon.fc > --- /home/rjc/src/pol-git/policy/modules/contrib/mon.fc 1970-01-01 10:00:00.000000000 +1000 > +++ ./policy/modules/contrib/mon.fc 2016-07-31 19:01:48.337528893 +1000 > @@ -0,0 +1,9 @@ > + > +/usr/sbin/mon -- gen_context(system_u:object_r:mon_exec_t,s0) > +/usr/lib/mon/mon.d/.* -- gen_context(system_u:object_r:mon_test_exec_t,s0) > +/usr/lib/mon-contrib/mon.d/.* -- gen_context(system_u:object_r:mon_test_exec_t,s0) > + > +/var/run/mon(/.*)? gen_context(system_u:object_r:mon_var_run_t,s0) > + > +/var/lib/mon(/.*)? gen_context(system_u:object_r:mon_var_lib_t,s0) > +/var/log/mon(/.*)? gen_context(system_u:object_r:mon_var_log_t,s0) > diff -ruN /home/rjc/src/pol-git/policy/modules/contrib/mon.if ./policy/modules/contrib/mon.if > --- /home/rjc/src/pol-git/policy/modules/contrib/mon.if 1970-01-01 10:00:00.000000000 +1000 > +++ ./policy/modules/contrib/mon.if 2016-07-31 19:01:48.337528893 +1000 > @@ -0,0 +1 @@ > +## mon network monitoring daemon. > diff -ruN /home/rjc/src/pol-git/policy/modules/contrib/mon.te ./policy/modules/contrib/mon.te > --- /home/rjc/src/pol-git/policy/modules/contrib/mon.te 1970-01-01 10:00:00.000000000 +1000 > +++ ./policy/modules/contrib/mon.te 2016-07-31 19:01:48.337528893 +1000 > @@ -0,0 +1,134 @@ > +policy_module(mon, 1.12.0) > + > +######################################## > +# > +# Declarations > +# > + > +type mon_t; > +type mon_exec_t; > +init_daemon_domain(mon_t, mon_exec_t) > + > +type mon_test_t; > +type mon_test_exec_t; > + > +domain_type(mon_test_t) > +domain_entry_file(mon_test_t, mon_test_exec_t) > +role system_r types mon_test_t; > +domtrans_pattern(mon_t, mon_test_exec_t, mon_test_t) > + > +type mon_var_run_t; > +files_pid_file(mon_var_run_t) > + > +type mon_var_lib_t; > +files_type(mon_var_lib_t) > + > +type mon_var_log_t; > +logging_log_file(mon_var_log_t) > + > +type mon_tmp_t; > +files_tmp_file(mon_tmp_t) > + > +######################################## > +# > +# Local policy > +# mon_t is for the main mon process and for sending alerts > +# > + > +corenet_tcp_bind_mon_port(mon_t) > +corenet_udp_bind_mon_port(mon_t) > +corenet_tcp_bind_generic_node(mon_t) > +corenet_udp_bind_generic_node(mon_t) > +allow mon_t self:tcp_socket create_stream_socket_perms; > + > +corenet_tcp_connect_jabber_client_port(mon_t) > + > +allow mon_t self:fifo_file rw_fifo_file_perms; > + > +manage_dirs_pattern(mon_t, mon_tmp_t, mon_tmp_t) > +manage_files_pattern(mon_t, mon_tmp_t, mon_tmp_t) > +files_tmp_filetrans(mon_t, mon_tmp_t, { file dir }) > + > +manage_files_pattern(mon_t, mon_var_run_t, mon_var_run_t) > +files_pid_filetrans(mon_t, mon_var_run_t, file) > + > +manage_files_pattern(mon_t, mon_var_lib_t, mon_var_lib_t) > + > +kernel_read_kernel_sysctls(mon_t) > +kernel_read_network_state(mon_t) > +kernel_read_system_state(mon_t) > + > +domain_use_interactive_fds(mon_t) > + > +corecmd_exec_bin(mon_t) > +dev_read_urand(mon_t) > +logging_search_logs(mon_t) > +manage_files_pattern(mon_t, mon_var_log_t, mon_var_log_t) > + > +files_read_etc_files(mon_t) > +files_read_etc_runtime_files(mon_t) > +files_read_usr_files(mon_t) > + > +fs_getattr_all_fs(mon_t) > +fs_search_auto_mountpoints(mon_t) > + > +term_dontaudit_search_ptys(mon_t) > + > +application_signull(mon_t) > + > +init_read_utmp(mon_t) > + > +libs_exec_ld_so(mon_t) > +libs_exec_lib_files(mon_t) > + > +logging_send_syslog_msg(mon_t) > + > +miscfiles_read_localization(mon_t) > + > +sysnet_dns_name_resolve(mon_t) > + > +userdom_dontaudit_use_unpriv_user_fds(mon_t) > +userdom_dontaudit_search_user_home_dirs(mon_t) > + > +corecmd_exec_shell(mon_t) > + > +optional_policy(` > + mta_send_mail(mon_t) > +') > + > +######################################## > +# > +# Local policy > +# mon_test_t is for actually running the tests > +# > + > +can_exec(mon_test_t, mon_test_exec_t) > +manage_files_pattern(mon_test_t, mon_var_lib_t, mon_var_lib_t) > +allow mon_test_t self:fifo_file rw_file_perms; > +corecmd_exec_bin(mon_test_t) > +miscfiles_read_localization(mon_test_t) > +files_read_usr_files(mon_test_t) > +fs_getattr_xattr_fs(mon_test_t) > +sysnet_read_config(mon_test_t) > +auth_use_nsswitch(mon_test_t) > +dev_read_urand(mon_test_t) > +corenet_tcp_connect_all_ports(mon_test_t) > +dev_dontaudit_getattr_all_chr_files(mon_test_t) > +kernel_dontaudit_getattr_core_if(mon_test_t) > +domain_read_all_domains_state(mon_test_t) > +corecmd_exec_shell(mon_test_t) > +kernel_getattr_proc(mon_test_t) > +kernel_read_system_state(mon_test_t) > +kernel_read_software_raid_state(mon_test_t) > +netutils_domtrans_ping(mon_test_t) > +fs_search_nfs(mon_test_t) > +fs_getattr_nfs(mon_test_t) > + > + > +optional_policy(` > + bind_read_zone(mon_test_t) > +') > + > +optional_policy(` > + sudo_role_template(system, system_r, mon_test_t) > +') > diff -ruN /home/rjc/src/pol-git/policy/modules/kernel/corenetwork.te.in ./policy/modules/kernel/corenetwork.te.in > --- /home/rjc/src/pol-git/policy/modules/kernel/corenetwork.te.in 2016-07-28 20:33:39.959961616 +1000 > +++ ./policy/modules/kernel/corenetwork.te.in 2016-07-31 19:01:48.341529000 +1000 > @@ -176,6 +176,7 @@ > network_port(memcache, tcp,11211,s0, udp,11211,s0) > network_port(milter) # no defined portcon > network_port(mmcc, tcp,5050,s0, udp,5050,s0) > +network_port(mon, tcp,2583,s0, udp,2583,s0) > network_port(monopd, tcp,1234,s0) > network_port(mountd, tcp,20048,s0, udp,20048,s0) > network_port(movaz_ssc, tcp,5252,s0, udp,5252,s0) > _______________________________________________ > refpolicy mailing list > refpolicy at oss.tresys.com > http://oss.tresys.com/mailman/listinfo/refpolicy > -- Chris PeBenito