From: cgzones@googlemail.com (cgzones)
Date: Sat, 31 Dec 2016 11:21:57 +0100
Subject: [refpolicy] policy for monit
In-Reply-To: <20161231100839.3etugdzpgh2acuns@athena.coker.com.au>
References: <20161231100839.3etugdzpgh2acuns@athena.coker.com.au>
Message-ID: <CAJ2a_DcQ_uY=ZqK0ufd2FazKO0YUpqujVqQc-pn9Ap_Za9Pzew@mail.gmail.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Hi,
please do not apply this patch.

This version is some years old.
I am currently using a newer version over here:
https://github.com/cgzones/debian-package-refpolicy/blob/sddm/debian/patches/0071-add-monit-module.patch
which I am planning to send upstream in the near future.

Kindly Regards,
     Christian G?ttsche

2016-12-31 11:08 GMT+01:00 Russell Coker via refpolicy
<refpolicy@oss.tresys.com>:
> The below policy was submitted by cgzones who has a good history of sending
> SE Linux patches for Debian.  I have not tested it but it looks good and works
> for them.
>
> Description: Policy for monit host monitoring daemon
> Bug-Debian: https://bugs.debian.org/691283
>
> Origin: cgzones <cgzones@googlemail.com>
> Reviewed-By: Russell Coker <russell@coker.com.au>
> Last-Update: 2016-12-27
>
> Index: refpolicy/policy/modules/contrib/monit.fc
> ===================================================================
> --- /dev/null
> +++ refpolicy/policy/modules/contrib/monit.fc
> @@ -0,0 +1,7 @@
> +/etc/monit(/.*)?                gen_context(system_u:object_r:monit_etc_t,s0)
> +/usr/sbin/monit                 gen_context(system_u:object_r:monit_exec_t,s0)
> +/usr/bin/monit                  gen_context(system_u:object_r:monit_exec_t,s0)
> +
> +/var/lib/monit(/.*)?            gen_context(system_u:object_r:monit_lib_t,s0)
> +/var/log/monit(/.*)?            gen_context(system_u:object_r:monit_log_t,s0)
> +/var/log/monit.*          --    gen_context(system_u:object_r:monit_log_t,s0)
> Index: refpolicy/policy/modules/contrib/monit.if
> ===================================================================
> --- /dev/null
> +++ refpolicy/policy/modules/contrib/monit.if
> @@ -0,0 +1 @@
> +## <summary></summary>
> Index: refpolicy/policy/modules/contrib/monit.te
> ===================================================================
> --- /dev/null
> +++ refpolicy/policy/modules/contrib/monit.te
> @@ -0,0 +1,74 @@
> +policy_module(monit,1.0.0)
> +
> +#### file/domain-types
> +type monit_t;
> +domain_type(monit_t)
> +
> +type monit_exec_t;
> +files_type(monit_exec_t)
> +
> +type monit_etc_t;
> +files_type(monit_etc_t)
> +
> +type monit_lib_t;
> +files_type(monit_lib_t)
> +
> +type monit_port_t;
> +corenet_port(monit_port_t)
> +
> +type monit_log_t;
> +logging_log_file(monit_log_t)
> +logging_log_filetrans(monit_t, monit_log_t, {file dir})
> +
> +type monit_run_t;
> +files_pid_file(monit_run_t)
> +files_pid_filetrans(monit_t, monit_run_t, {file dir})
> +
> +#### monit_t
> +init_daemon_domain(monit_t, monit_exec_t)
> +init_domtrans_script(monit_t)
> +
> +allow monit_t self:netlink_route_socket { write getattr read bind create nlmsg_read };
> +allow monit_t self:tcp_socket { write read connect shutdown getopt create bind setopt listen accept };
> +allow monit_t self:udp_socket { write read connect shutdown getopt create ioctl getattr };
> +allow monit_t self:sem { read write unix_write };
> +allow monit_t self:capability { net_raw sys_ptrace dac_read_search dac_override };
> +allow monit_t self:rawip_socket { write read create setopt shutdown };
> +allow monit_t self:process { signal getpgid };
> +allow monit_t self:fifo_file { ioctl getattr };
> +allow monit_t monit_etc_t:dir list_dir_perms;
> +allow monit_t monit_etc_t:file read_file_perms;
> +allow monit_t monit_etc_t:lnk_file read_lnk_file_perms;
> +allow monit_t monit_lib_t:dir manage_dir_perms;
> +allow monit_t monit_lib_t:file manage_file_perms;
> +allow monit_t monit_log_t:file manage_file_perms;
> +allow monit_t monit_run_t:file manage_file_perms;
> +
> +allow monit_t monit_port_t:tcp_socket name_bind;
> +corenet_tcp_bind_generic_node(monit_t)
> +
> +corenet_tcp_connect_all_ports(monit_t)
> +
> +corecmd_exec_bin(monit_t)
> +corecmd_exec_shell(monit_t)
> +
> +miscfiles_read_localization(monit_t)
> +dev_read_urand(monit_t)
> +userdom_dontaudit_search_user_home_dirs(monit_t)
> +files_read_etc_files(monit_t)
> +files_read_all_pids(monit_t)
> +sysnet_read_config(monit_t)
> +files_search_var_lib(monit_t)
> +files_read_etc_runtime_files(monit_t)
> +
> +dev_list_sysfs(monit_t)
> +kernel_read_system_state(monit_t)
> +storage_getattr_fixed_disk_dev(monit_t)
> +fs_getattr_xattr_fs(monit_t)
> +
> +domain_read_all_domains_state(monit_t)
> +domain_getpgid_all_domains(monit_t)
> +
> +## running monit from root console
> +domain_use_interactive_fds(monit_t)
> +userdom_use_user_ptys(monit_t)
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy