From: russell@coker.com.au (Russell Coker) Date: Thu, 16 Feb 2017 20:32:50 +1100 Subject: [refpolicy] [PATCH] base monit policy Message-ID: <20170216093250.4iedsx44safh2qxa@athena.coker.com.au> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com Here is a patch for the monit policy without the monit_interactive_t domain. This should be a minimally functional monit policy and we can then build on it with the monit_interactive_t domain (or maybe a different way of achieving the same goal). From: cgzones Date: Fri, 25 Nov 2016 22:53:35 +0100 Subject: add monit module
---
Index: refpolicy-2.20170216/policy/modules/contrib/monit.fc
===================================================================
--- /dev/null
+++ refpolicy-2.20170216/policy/modules/contrib/monit.fc
@@ -0,0 +1,13 @@
+/etc/rc\.d/init\.d/monit -- gen_context(system_u:object_r:monit_initrc_exec_t,s9)
+/etc/monit(/.*)? gen_context(system_u:object_r:monit_etc_t,s0)
+
+/run/monit\.pid -- gen_context(system_u:object_r:monit_run_t,s0)
+
+/usr/bin/monit -- gen_context(system_u:object_r:monit_exec_t,s0)
+
+/usr/lib/systemd/system/monit.* -- gen_context(system_u:object_r:monit_unit_t,s0)
+
+/var/lib/monit(/.*)? gen_context(system_u:object_r:monit_var_lib_t,s0)
+
+/var/log/monit\.log.* -- gen_context(system_u:object_r:monit_log_t,s0)
+
Index: refpolicy-2.20170216/policy/modules/contrib/monit.te
===================================================================
--- /dev/null
+++ refpolicy-2.20170216/policy/modules/contrib/monit.te
@@ -0,0 +1,122 @@
+policy_module(monit, 0.0.1)
+
+########################################
+#
+# Declarations
+#
+
+##
+##
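Review bot: The first file-context entry, `/etc/rc\.d/init\.d/monit -- gen_context(system_u:object_r:monit_initrc_exec_t,s9)`, carries sensitivity `s9` while every other entry in this file uses `s0`, which looks like a typo for `s0`. On an MLS build that would label the init script at a sensitivity the s0-level init domain cannot read, while on non-MLS/MCS builds gen_context presumably drops or overrides the field, so the mistake would stay invisible until an MLS build; please confirm that against the gen_context definition. Change the line to `/etc/rc\.d/init\.d/monit -- gen_context(system_u:object_r:monit_initrc_exec_t,s0)`.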

+## Allow monit to start/stop services
+##

+##
+gen_tunable(monit_startstop_services, false)
+
+attribute_role monit_interactive_roles;
+
+type monit_t;
+type monit_exec_t;
+init_daemon_domain(monit_t, monit_exec_t)
+
+type monit_etc_t;
+files_config_file(monit_etc_t)
+files_security_file(monit_etc_t) # may contain password for monit webinterface
+
+type monit_initrc_exec_t;
+init_script_file(monit_initrc_exec_t)
+
+type monit_log_t;
+logging_log_file(monit_log_t)
+
+type monit_run_t;
+files_pid_file(monit_run_t)
+
+type monit_unit_t;
+init_unit_file(monit_unit_t)
+
+type monit_var_lib_t;
+files_type(monit_var_lib_t)
+
+########################################
+#
+# Daemon policy
+#
+
+# dac_read_search : read /run/exim/*
+# net_raw : create raw sockets
+# sys_ptrace : trace processes
+allow monit_t self:capability { dac_read_search net_raw sys_ptrace };
+# kernel bug
+dontaudit monit_t self:capability dac_override;
+# setsockopt
+dontaudit monit_t self:capability net_admin;
+
+allow monit_t self:process { getpgid sigkill signal };
+allow monit_t self:fifo_file rw_fifo_file_perms;
+allow monit_t self:netlink_route_socket r_netlink_socket_perms;
+allow monit_t self:rawip_socket connected_socket_perms;
+allow monit_t self:sem rw_sem_perms;
+allow monit_t self:tcp_socket create_stream_socket_perms;
+allow monit_t self:udp_socket create_socket_perms;
+allow monit_t self:unix_stream_socket create_stream_socket_perms;
+
+allow monit_t monit_etc_t:dir list_dir_perms;
+allow monit_t monit_etc_t:file read_file_perms;
+allow monit_t monit_etc_t:lnk_file read_lnk_file_perms;
+
+allow monit_t monit_log_t:file { create read_file_perms append_file_perms };
+logging_log_filetrans(monit_t, monit_log_t, file)
+
+allow monit_t monit_run_t:file manage_file_perms;
+files_pid_filetrans(monit_t, monit_run_t, file)
+
+allow monit_t monit_var_lib_t:dir manage_dir_perms;
+allow monit_t monit_var_lib_t:file manage_file_perms;
+
+kernel_read_system_state(monit_t)
+
+auth_use_nsswitch(monit_t)
+corecmd_exec_bin(monit_t)
+corenet_tcp_bind_generic_node(monit_t)
+corenet_tcp_bind_monit_port(monit_t)
+corenet_tcp_connect_all_ports(monit_t)
+
+dev_read_sysfs(monit_t)
+dev_read_urand(monit_t)
+
+domain_getpgid_all_domains(monit_t)
+domain_read_all_domains_state(monit_t)
+
+files_read_all_pids(monit_t)
+
+fs_getattr_dos_fs(monit_t)
+fs_getattr_tmpfs(monit_t)
+fs_getattr_xattr_fs(monit_t)
+fs_search_dos(monit_t)
+
+miscfiles_read_localization(monit_t)
+
+storage_getattr_fixed_disk_dev(monit_t)
+
+sysnet_read_config(monit_t)
+
+tunable_policy(`monit_startstop_services',`
+ ifdef(`init_systemd',`
+ gen_require(`
+ attribute init_script_file_type;
+ class service { start status stop };
+ ')
+ allow monit_t init_script_file_type:service { start status stop };
+
+ init_get_all_units_status(monit_t)
+ init_get_system_status(monit_t)
+ init_start_all_units(monit_t)
+ init_stop_all_units(monit_t)
+ init_stream_connect(monit_t)
+ ')
+')
+
+optional_policy(`
+ dbus_system_bus_client(monit_t)
+')
+
Index: refpolicy-2.20170216/policy/modules/contrib/monit.if
===================================================================
--- /dev/null
+++ refpolicy-2.20170216/policy/modules/contrib/monit.if
@@ -0,0 +1 @@
+## Monit - utility for monitoring services on a Unix system.
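Review bot: The `monit_startstop_services` tunable grants nothing unless `init_systemd` is defined, because the whole body of `tunable_policy(`monit_startstop_services',...)` is wrapped in `ifdef(`init_systemd',...)`, so on a sysvinit build switching the boolean on has no effect even though its description promises "Allow monit to start/stop services"; either add a sysvinit branch that lets monit run init scripts (something like `init_domtrans_script(monit_t)` in the ifdef's else arm) or state in the tunable's description that it is systemd-only. Separately, `corenet_tcp_connect_all_ports(monit_t)` and `corecmd_exec_bin(monit_t)` are unconditional, which together let a compromised monit_t reach any TCP port and run any system binary; since what monit actually needs is driven by the admin's monit_etc_t configuration, the connect-to-all-ports grant is a candidate for its own boolean. The `# kernel bug` comment above `dontaudit monit_t self:capability dac_override;` should name the bug or affected kernel version, otherwise nobody will know when the dontaudit can be dropped. `corenet_tcp_bind_monit_port` also presumes a `monit` port is declared in corenetwork, which is not part of this patch; worth confirming it already exists in the target tree.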