From: pebenito@ieee.org (Chris PeBenito)
Date: Sun, 31 Dec 2017 06:53:58 -0500
Subject: [refpolicy] [PATCH] monit: update
In-Reply-To: <20171229202006.4118-1-cgzones@googlemail.com>
References: <20171229202006.4118-1-cgzones@googlemail.com>
Message-ID: <907d47f8-75d3-b6cc-54e6-72273ab74ffc@ieee.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
On 12/29/2017 03:20 PM, Christian G?ttsche via refpolicy wrote:
> - usage of socket interface (/run/monit.socket as monit_runtime_t)
> - allow simple checks (entropy, systemctl is-system-running, getenforce)
> ---
> monit.fc | 3 ++-
> monit.if | 4 ++--
> monit.te | 40 ++++++++++++++++++++++++++++------------
> 3 files changed, 32 insertions(+), 15 deletions(-)
>
> diff --git a/monit.fc b/monit.fc
> index 273aad3e..1cd0238e 100644
> --- a/monit.fc
> +++ b/monit.fc
> @@ -2,7 +2,8 @@
>
> /etc/monit(/.*)? gen_context(system_u:object_r:monit_conf_t,s0)
>
> -/run/monit\.pid -- gen_context(system_u:object_r:monit_pid_t,s0)
> +/run/monit\.pid -- gen_context(system_u:object_r:monit_runtime_t,s0)
> +/run/monit\.socket -s gen_context(system_u:object_r:monit_runtime_t,s0)
>
> /usr/bin/monit -- gen_context(system_u:object_r:monit_exec_t,s0)
>
> diff --git a/monit.if b/monit.if
> index d249dfbd..832cdca8 100644
> --- a/monit.if
> +++ b/monit.if
> @@ -102,7 +102,7 @@ interface(`monit_startstop_service',`
> interface(`monit_admin',`
> gen_require(`
> type monit_t, monit_conf_t, monit_initrc_exec_t;
> - type monit_log_t, monit_pid_t;
> + type monit_log_t, monit_runtime_t;
> type monit_unit_t, monit_var_lib_t;
> ')
>
> @@ -117,7 +117,7 @@ interface(`monit_admin',`
> admin_pattern($1, monit_log_t)
>
> files_search_pids($1)
> - admin_pattern($1, monit_pid_t)
> + admin_pattern($1, monit_runtime_t)
>
> files_search_var_lib($1)
> admin_pattern($1, monit_var_lib_t)
> diff --git a/monit.te b/monit.te
> index 9b7a605b..e9c940a1 100644
> --- a/monit.te
> +++ b/monit.te
> @@ -33,8 +33,8 @@ role monit_cli_roles types monit_cli_t;
> type monit_log_t;
> logging_log_file(monit_log_t)
>
> -type monit_pid_t alias monit_run_t;
> -files_pid_file(monit_pid_t)
> +type monit_runtime_t alias monit_pid_t;
> +files_pid_file(monit_runtime_t)
>
> type monit_unit_t;
> init_unit_file(monit_unit_t)
> @@ -63,15 +63,21 @@ kernel_read_system_state(monit_domain)
> dev_read_sysfs(monit_domain)
> dev_read_urand(monit_domain)
>
> +files_getattr_all_mountpoints(monit_domain)
> +
> fs_getattr_dos_fs(monit_domain)
> fs_getattr_dos_dirs(monit_domain)
> fs_getattr_tmpfs(monit_domain)
> fs_getattr_xattr_fs(monit_domain)
>
> +miscfiles_read_generic_certs(monit_domain)
> miscfiles_read_localization(monit_domain)
>
> +logging_send_syslog_msg(monit_domain)
> +
> # disk usage of sd card
> storage_getattr_removable_dev(monit_domain)
> +storage_getattr_fixed_disk_dev(monit_domain)
>
> ########################################
> #
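Review bot: The rename at `type monit_runtime_t alias monit_pid_t;` drops the existing `monit_run_t` alias instead of carrying it along, so any module or stored file context that still names monit_run_t would stop resolving once this policy is built (an unknown type name in a stored context degrades that file to unlabeled). Unless that alias is known to be unused everywhere, keep both names through the transition: `type monit_runtime_t alias { monit_pid_t monit_run_t };`. The surrounding type declarations are otherwise unchanged by this hunk.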
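Review bot: In the `@@ -63,15 +63,21 @@` hunk, `storage_getattr_fixed_disk_dev(monit_domain)` is added directly under the comment `# disk usage of sd card`, which now describes only half of what the block grants; `files_getattr_all_mountpoints(monit_domain)` and `miscfiles_read_generic_certs(monit_domain)` are added with no rationale at all. Note that everything here is granted to the monit_domain attribute, so it applies to every domain carrying it (presumably the client monit_cli_t as well as monit_t), which is worth stating if that breadth is intended. Suggested comments: `# disk usage of sd card and fixed disks` above the two storage_ lines, and above the mountpoint line something like `# filesystem/space checks -- confirm which check needs this`.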
> @@ -88,43 +94,50 @@ dontaudit monit_t self:capability net_admin;
> allow monit_t self:fifo_file rw_fifo_file_perms;
> allow monit_t self:rawip_socket connected_socket_perms;
> allow monit_t self:tcp_socket server_stream_socket_perms;
> -allow monit_t self:unix_dgram_socket { connect create };
>
> allow monit_t monit_log_t:file { create read_file_perms append_file_perms };
> logging_log_filetrans(monit_t, monit_log_t, file)
>
> -allow monit_t monit_pid_t:file manage_file_perms;
> -files_pid_filetrans(monit_t, monit_pid_t, file)
> +allow monit_t monit_runtime_t:file manage_file_perms;
> +allow monit_t monit_runtime_t:sock_file manage_sock_file_perms;
> +files_pid_filetrans(monit_t, monit_runtime_t, { file sock_file })
>
> allow monit_t monit_var_lib_t:dir manage_dir_perms;
> allow monit_t monit_var_lib_t:file manage_file_perms;
>
> +# entropy
> +kernel_read_kernel_sysctls(monit_t)
> +kernel_read_vm_overcommit_sysctl(monit_t)
> +
> auth_use_nsswitch(monit_t)
>
> corecmd_exec_bin(monit_t)
> +corecmd_exec_shell(monit_t)
>
> corenet_tcp_bind_generic_node(monit_t)
> corenet_tcp_bind_monit_port(monit_t)
> corenet_tcp_connect_all_ports(monit_t)
>
> +domain_getattr_all_domains(monit_t)
> domain_getpgid_all_domains(monit_t)
> domain_read_all_domains_state(monit_t)
>
> files_read_all_pids(monit_t)
>
> -logging_send_syslog_msg(monit_t)
> +selinux_get_enforce_mode(monit_t)
>
> -ifdef(`hide_broken_symptoms',`
> - # kernel bug: https://github.com/SELinuxProject/selinux-kernel/issues/6
> - dontaudit monit_t self:capability dac_override;
> +userdom_dontaudit_search_user_home_dirs(monit_t)
> +
> +ifdef(`init_systemd',`
> + # systemctl is-system-running
> + init_stream_connect(monit_t)
> + init_get_system_status(monit_t)
> ')
>
> tunable_policy(`monit_startstop_services',`
> init_get_all_units_status(monit_t)
> - init_get_system_status(monit_t)
> init_start_all_units(monit_t)
> init_stop_all_units(monit_t)
> - init_stream_connect(monit_t)
> ')
>
> optional_policy(`
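Review bot: The comment `# entropy` is placed above both `kernel_read_kernel_sysctls(monit_t)` and `kernel_read_vm_overcommit_sysctl(monit_t)`, but the second interface reads the vm.overcommit sysctls, which has nothing to do with the entropy check the commit message names, so the comment misdescribes it. Split the comment: keep `# entropy` on the kernel sysctls line and give the overcommit line its own, e.g. `# memory check -- confirm which monit test reads vm.overcommit`. The broad grants `corecmd_exec_shell(monit_t)` and `domain_getattr_all_domains(monit_t)` also arrive without a why-comment; a one-liner such as `# check/start/stop programs are run through the shell` above exec_shell would let a later reviewer judge whether the breadth is still needed. The removal of `self:unix_dgram_socket { connect create }` appears to rely on `logging_send_syslog_msg` now being granted on the monit_domain attribute in the previous hunk, which is fine but worth a line in the commit message.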
> @@ -136,9 +149,12 @@ optional_policy(`
> # Client policy
> #
>
> +allow monit_cli_t monit_t:unix_stream_socket connectto;
> +
> allow monit_cli_t monit_log_t:file { append_file_perms read_file_perms };
>
> -allow monit_cli_t monit_pid_t:file rw_file_perms;
> +allow monit_cli_t monit_runtime_t:file rw_file_perms;
> +allow monit_cli_t monit_runtime_t:sock_file write;
>
> allow monit_cli_t monit_var_lib_t:dir search_dir_perms;
> allow monit_cli_t monit_var_lib_t:file rw_file_perms;
Merged.
--
Chris PeBenito
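Review bot: The client's path to /run/monit.socket is spelled out as two raw rules, `allow monit_cli_t monit_t:unix_stream_socket connectto;` and `allow monit_cli_t monit_runtime_t:sock_file write;`, where refpolicy style is the `stream_connect_pattern` macro, which bundles the directory search, the full write_sock_file_perms set on the socket file (bare `write` omits getattr/open) and the connectto in one line. Replace the two rules with `stream_connect_pattern(monit_cli_t, monit_runtime_t, monit_runtime_t, monit_t)`. Whether monit_cli_t can already search the pid directory (files_search_pids or equivalent) is not visible in this hunk; if it cannot, the connect still fails at path lookup and this is the place to add it.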