From: cgzones@googlemail.com (cgzones)
Date: Sat, 31 Dec 2016 11:21:57 +0100
Subject: [refpolicy] policy for monit
In-Reply-To: <20161231100839.3etugdzpgh2acuns@athena.coker.com.au>
References: <20161231100839.3etugdzpgh2acuns@athena.coker.com.au>
Message-ID:
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Hi,

please do not apply this patch.
This version is some years old.
I am currently using a newer version over here:
https://github.com/cgzones/debian-package-refpolicy/blob/sddm/debian/patches/0071-add-monit-module.patch
which I am planning to send upstream in the near future.

Kind regards,
Christian Göttsche

2016-12-31 11:08 GMT+01:00 Russell Coker via refpolicy :
> The below policy was submitted by cgzones who has a good history of sending
> SE Linux patches for Debian. I have not tested it but it looks good and works
> for them.
>
> Description: Policy for monit host monitoring daemon
> Bug-Debian: https://bugs.debian.org/691283
>
> Origin: cgzones
> Reviewed-By: Russell Coker
> Last-Update: 2016-12-27
>
> Index: refpolicy/policy/modules/contrib/monit.fc > =================================================================== > --- /dev/null > +++ refpolicy/policy/modules/contrib/monit.fc > @@ -0,0 +1,7 @@ > +/etc/monit(/.*)? gen_context(system_u:object_r:monit_etc_t,s0) > +/usr/sbin/monit gen_context(system_u:object_r:monit_exec_t,s0) > +/usr/bin/monit gen_context(system_u:object_r:monit_exec_t,s0) > + > +/var/lib/monit(/.*)? gen_context(system_u:object_r:monit_lib_t,s0) > +/var/log/monit(/.*)? gen_context(system_u:object_r:monit_log_t,s0) > +/var/log/monit.* -- gen_context(system_u:object_r:monit_log_t,s0) > Index: refpolicy/policy/modules/contrib/monit.if > =================================================================== > --- /dev/null > +++ refpolicy/policy/modules/contrib/monit.if > @@ -0,0 +1 @@ > +## > Index: refpolicy/policy/modules/contrib/monit.te > ===================================================================
> --- /dev/null > +++ refpolicy/policy/modules/contrib/monit.te 
> @@ -0,0 +1,74 @@ > +policy_module(monit,1.0.0) > + > +#### file/domain-types > +type monit_t; > +domain_type(monit_t) > + > +type monit_exec_t; > +files_type(monit_exec_t) > + > +type monit_etc_t; > +files_type(monit_etc_t) > + > +type monit_lib_t; > +files_type(monit_lib_t) > + > +type monit_port_t; > +corenet_port(monit_port_t) > + > +type monit_log_t; > +logging_log_file(monit_log_t) > +logging_log_filetrans(monit_t, monit_log_t, {file dir}) > + > +type monit_run_t; > +files_pid_file(monit_run_t) > +files_pid_filetrans(monit_t, monit_run_t, {file dir}) > + > +#### monit_t > +init_daemon_domain(monit_t, monit_exec_t) > +init_domtrans_script(monit_t) > + > +allow monit_t self:netlink_route_socket { write getattr read bind create nlmsg_read }; > +allow monit_t self:tcp_socket { write read connect shutdown getopt create bind setopt listen accept }; > +allow monit_t self:udp_socket { write read connect shutdown getopt create ioctl getattr }; > +allow monit_t self:sem { read write unix_write }; > +allow monit_t self:capability { net_raw sys_ptrace dac_read_search dac_override }; > +allow monit_t self:rawip_socket { write read create setopt shutdown }; > +allow monit_t self:process { signal getpgid }; > +allow monit_t self:fifo_file { ioctl getattr }; > +allow monit_t monit_etc_t:dir list_dir_perms; > +allow monit_t monit_etc_t:file read_file_perms; > +allow monit_t monit_etc_t:lnk_file read_lnk_file_perms; > +allow monit_t monit_lib_t:dir manage_dir_perms; > +allow monit_t monit_lib_t:file manage_file_perms; > +allow monit_t monit_log_t:file manage_file_perms; > +allow monit_t monit_run_t:file manage_file_perms; > + > +allow monit_t monit_port_t:tcp_socket name_bind; > +corenet_tcp_bind_generic_node(monit_t) > + > +corenet_tcp_connect_all_ports(monit_t) > + > +corecmd_exec_bin(monit_t) > +corecmd_exec_shell(monit_t) > + > +miscfiles_read_localization(monit_t) > +dev_read_urand(monit_t) > +userdom_dontaudit_search_user_home_dirs(monit_t) > 
+files_read_etc_files(monit_t) > +files_read_all_pids(monit_t) > +sysnet_read_config(monit_t) > +files_search_var_lib(monit_t) > +files_read_etc_runtime_files(monit_t) > + > +dev_list_sysfs(monit_t) > +kernel_read_system_state(monit_t) > +storage_getattr_fixed_disk_dev(monit_t) > +fs_getattr_xattr_fs(monit_t) > + > +domain_read_all_domains_state(monit_t) > +domain_getpgid_all_domains(monit_t) > + > +## running monit from root console > +domain_use_interactive_fds(monit_t) > +userdom_use_user_ptys(monit_t) > _______________________________________________ > refpolicy mailing list > refpolicy at oss.tresys.com > http://oss.tresys.com/mailman/listinfo/refpolicy
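Review bot: in the monit.fc hunk, the `/var/log/monit.* -- gen_context(...monit_log_t...)` entry has an unescaped `.`, so the regex also matches any `/var/log/monitXXXX` file rather than just monit's log files; a literal dot in a file context is written `\.` (e.g. `/var/log/monit\.log.*`). The hunk also labels nothing for `monit_run_t`, although monit.te declares it as a pid file type and transitions to it, so a relabel of the runtime directory would reset monit's pid file to the generic type; a matching entry for the runtime file or directory (path to be confirmed against the package) is needed. Stylistically, refpolicy names these types `monit_var_lib_t`, `monit_var_log_t` and `monit_var_run_t` rather than `monit_lib_t`, `monit_log_t` and `monit_run_t`.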
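Review bot: the monit.if hunk contains only a bare `##` line, with neither the `## <summary>...</summary>` header that every refpolicy interface file starts with nor any interface; a daemon module normally provides at least a domain transition interface and a `monit_admin()` interface so that administrators can be granted control of the service from their own policy without editing monit.te.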
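Review bot: in the monit.te hunk, `logging_log_filetrans(monit_t, monit_log_t, {file dir})` and `files_pid_filetrans(monit_t, monit_run_t, {file dir})` include `dir` in the transition, but the only rules granted on those types are `allow monit_t monit_log_t:file manage_file_perms;` and `allow monit_t monit_run_t:file manage_file_perms;`, so creating the log or runtime directory would still be denied; either drop `dir` from both transitions or add `manage_dirs_pattern(monit_t, monit_log_t, monit_log_t)` and the same for monit_run_t. Similarly, `monit_port_t` is declared with `corenet_port()` inside the module but no `portcon` ever assigns it to a port number, so `allow monit_t monit_port_t:tcp_socket name_bind;` can never match; refpolicy defines port types in kernel/corenetwork.te.in and modules then use the generated `corenet_tcp_bind_monit_port()` interface. Smaller points: `domain_type(monit_t)` and `files_type(monit_exec_t)` are redundant with `init_daemon_domain(monit_t, monit_exec_t)`, which declares the domain and its entrypoint itself; `corenet_tcp_connect_all_ports(monit_t)` together with `dac_override` and `sys_ptrace` gives the domain a wide reach and would be better reduced to what the configured host checks actually need, or placed behind a tunable; the raw `allow` lines on monit_etc_t and monit_lib_t should use the pattern macros (e.g. `read_files_pattern(monit_t, monit_etc_t, monit_etc_t)`); and the `## running monit from root console` comment should use a single `#`, since `##` is reserved for the XML documentation comments.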