From: pebenito@ieee.org (Chris PeBenito)
Date: Sat, 18 Feb 2017 08:17:29 -0500
Subject: [refpolicy] [PATCH] base monit policy
In-Reply-To: <20170216093250.4iedsx44safh2qxa@athena.coker.com.au>
References: <20170216093250.4iedsx44safh2qxa@athena.coker.com.au>
Message-ID: <19d23b60-f510-25a5-e80e-99a3c7517695@ieee.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 02/16/17 04:32, Russell Coker via refpolicy wrote:
> Here is a patch for the monit policy without the monit_interactive_t domain.
> This should be a minimally functional monit policy and we can then build on it
> with the monit_interactive_t domain (or maybe a different way of achieving the
> same goal).
>
>
> From: cgzones
> Date: Fri, 25 Nov 2016 22:53:35 +0100
> Subject: add monit module
>
> ---
>
> Index: refpolicy-2.20170216/policy/modules/contrib/monit.fc
> ===================================================================
> --- /dev/null
> +++ refpolicy-2.20170216/policy/modules/contrib/monit.fc
> @@ -0,0 +1,13 @@
> +/etc/rc\.d/init\.d/monit -- gen_context(system_u:object_r:monit_initrc_exec_t,s9)
> +/etc/monit(/.*)? gen_context(system_u:object_r:monit_etc_t,s0)
> +
> +/run/monit\.pid -- gen_context(system_u:object_r:monit_run_t,s0)
> +
> +/usr/bin/monit -- gen_context(system_u:object_r:monit_exec_t,s0)
> +
> +/usr/lib/systemd/system/monit.* -- gen_context(system_u:object_r:monit_unit_t,s0)
> +
> +/var/lib/monit(/.*)? gen_context(system_u:object_r:monit_var_lib_t,s0)
> +
> +/var/log/monit\.log.* -- gen_context(system_u:object_r:monit_log_t,s0)
> +
> Index: refpolicy-2.20170216/policy/modules/contrib/monit.te
> ===================================================================
> --- /dev/null
> +++ refpolicy-2.20170216/policy/modules/contrib/monit.te
> @@ -0,0 +1,122 @@
> +policy_module(monit, 0.0.1)
> +
> +########################################
> +#
> +# Declarations
> +#
> +
> +##
> +##
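Review bot: The first file context, `/etc/rc\.d/init\.d/monit -- gen_context(system_u:object_r:monit_initrc_exec_t,s9)`, uses sensitivity `s9` while every other entry in monit.fc (and refpolicy's file contexts generally) uses `s0`; this reads as a typo and should be `gen_context(system_u:object_r:monit_initrc_exec_t,s0)`. On an MLS build a script labeled at a non-default sensitivity would presumably be unreadable to the s0 init domain, so the init script would not behave like the other `_initrc_exec_t` files. The `monit_run_t` name for the pid file type is also worth a second look against the naming the other contrib modules in this tree use for their `/run` types, but I have not checked that here.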

> +## Allow monit to start/stop services
> +##

> +##
> +gen_tunable(monit_startstop_services, false)
> +
> +attribute_role monit_interactive_roles;
> +
> +type monit_t;
> +type monit_exec_t;
> +init_daemon_domain(monit_t, monit_exec_t)
> +
> +type monit_etc_t;
> +files_config_file(monit_etc_t)
> +files_security_file(monit_etc_t) # may contain password for monit webinterface
> +
> +type monit_initrc_exec_t;
> +init_script_file(monit_initrc_exec_t)
> +
> +type monit_log_t;
> +logging_log_file(monit_log_t)
> +
> +type monit_run_t;
> +files_pid_file(monit_run_t)
> +
> +type monit_unit_t;
> +init_unit_file(monit_unit_t)
> +
> +type monit_var_lib_t;
> +files_type(monit_var_lib_t)
> +
> +########################################
> +#
> +# Daemon policy
> +#
> +
> +# dac_read_search : read /run/exim/*
> +# net_raw : create raw sockets
> +# sys_ptrace : trace processes
> +allow monit_t self:capability { dac_read_search net_raw sys_ptrace };
> +# kernel bug
> +dontaudit monit_t self:capability dac_override;
> +# setsockopt
> +dontaudit monit_t self:capability net_admin;
> +
> +allow monit_t self:process { getpgid sigkill signal };
> +allow monit_t self:fifo_file rw_fifo_file_perms;
> +allow monit_t self:netlink_route_socket r_netlink_socket_perms;
> +allow monit_t self:rawip_socket connected_socket_perms;
> +allow monit_t self:sem rw_sem_perms;
> +allow monit_t self:tcp_socket create_stream_socket_perms;
> +allow monit_t self:udp_socket create_socket_perms;
> +allow monit_t self:unix_stream_socket create_stream_socket_perms;
> +
> +allow monit_t monit_etc_t:dir list_dir_perms;
> +allow monit_t monit_etc_t:file read_file_perms;
> +allow monit_t monit_etc_t:lnk_file read_lnk_file_perms;
> +
> +allow monit_t monit_log_t:file { create read_file_perms append_file_perms };
> +logging_log_filetrans(monit_t, monit_log_t, file)
> +
> +allow monit_t monit_run_t:file manage_file_perms;
> +files_pid_filetrans(monit_t, monit_run_t, file)
> +
> +allow monit_t monit_var_lib_t:dir manage_dir_perms;
> +allow monit_t monit_var_lib_t:file 
manage_file_perms;
> +
> +kernel_read_system_state(monit_t)
> +
> +auth_use_nsswitch(monit_t)
> +corecmd_exec_bin(monit_t)
> +corenet_tcp_bind_generic_node(monit_t)
> +corenet_tcp_bind_monit_port(monit_t)
> +corenet_tcp_connect_all_ports(monit_t)
> +
> +dev_read_sysfs(monit_t)
> +dev_read_urand(monit_t)
> +
> +domain_getpgid_all_domains(monit_t)
> +domain_read_all_domains_state(monit_t)
> +
> +files_read_all_pids(monit_t)
> +
> +fs_getattr_dos_fs(monit_t)
> +fs_getattr_tmpfs(monit_t)
> +fs_getattr_xattr_fs(monit_t)
> +fs_search_dos(monit_t)
> +
> +miscfiles_read_localization(monit_t)
> +
> +storage_getattr_fixed_disk_dev(monit_t)
> +
> +sysnet_read_config(monit_t)
> +
> +tunable_policy(`monit_startstop_services',`
> + ifdef(`init_systemd',`
> + gen_require(`
> + attribute init_script_file_type;
> + class service { start status stop };
> + ')
> + allow monit_t init_script_file_type:service { start status stop };
> +
> + init_get_all_units_status(monit_t)
> + init_get_system_status(monit_t)
> + init_start_all_units(monit_t)
> + init_stop_all_units(monit_t)
> + init_stream_connect(monit_t)
> + ')
> +')

This patch looks ok, except for this part. Using the attribute like this isn't acceptable. Also, if systemd isn't enabled, this is an empty block, so the ifdef should be on the outside and tunable_policy nested inside.

-- 
Chris PeBenito
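Review bot: `attribute_role monit_interactive_roles;` in the Declarations section is never referenced anywhere in this patch, and the cover text says the monit_interactive_t domain was deliberately left out of this submission, so the role attribute should be dropped here and reintroduced together with the domain and the monit.if interface that populates it. No monit.if is included at all, so the interfaces other modules would need to talk to monit_t are missing from what is proposed as a minimal module. The `# kernel bug` comment above `dontaudit monit_t self:capability dac_override;` does not say what is being worked around; if it is the known ordering where the kernel checks dac_override before dac_read_search on some paths, I would write `# kernel checks dac_override before dac_read_search, so the denial is spurious` so the dontaudit can be retired when that is no longer the case. The `# sys_ptrace : trace processes` note is likewise easy to misread as an intent to ptrace; if it is only needed to read other processes' /proc state alongside `domain_read_all_domains_state`, the comment should say so.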