2016-12-31 10:08:39

by Russell Coker

Subject: [refpolicy] policy for monit

The below policy was submitted by cgzones who has a good history of sending
SE Linux patches for Debian. I have not tested it but it looks good and works
for them.

Description: Policy for monit host monitoring daemon
Bug-Debian: https://bugs.debian.org/691283

Origin: cgzones <[email protected]>
Reviewed-By: Russell Coker <[email protected]>
Last-Update: 2016-12-27

Index: refpolicy/policy/modules/contrib/monit.fc
===================================================================
--- /dev/null
+++ refpolicy/policy/modules/contrib/monit.fc
@@ -0,0 +1,7 @@
+/etc/monit(/.*)? gen_context(system_u:object_r:monit_etc_t,s0)
+/usr/sbin/monit gen_context(system_u:object_r:monit_exec_t,s0)
+/usr/bin/monit gen_context(system_u:object_r:monit_exec_t,s0)
+
+/var/lib/monit(/.*)? gen_context(system_u:object_r:monit_lib_t,s0)
+/var/log/monit(/.*)? gen_context(system_u:object_r:monit_log_t,s0)
+/var/log/monit.* -- gen_context(system_u:object_r:monit_log_t,s0)
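Review bot: the file contexts declare nothing for monit_run_t, although monit.te declares that type and uses files_pid_filetrans(monit_t, monit_run_t, {file dir}); a relabel (restorecon) would therefore not restore the label on an existing pid directory or file. Add an entry such as `/run/monit(/.*)?	gen_context(system_u:object_r:monit_run_t,s0)` (and under `/var/run` if the target distribution still uses that path). Minor: the refpolicy `.fc` convention is a tab between the path regex and gen_context rather than a single space.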
Index: refpolicy/policy/modules/contrib/monit.if
===================================================================
--- /dev/null
+++ refpolicy/policy/modules/contrib/monit.if
@@ -0,0 +1 @@
+## <summary></summary>
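Review bot: the interface file ships an empty `<summary></summary>` and no interfaces. Fill the summary from the patch description (`## <summary>Monit host monitoring daemon</summary>`) and consider adding at least a `monit_admin()` interface, which refpolicy contrib modules conventionally provide so an administrative role can manage monit_etc_t, monit_lib_t, monit_log_t and monit_run_t and control the service through init.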
Index: refpolicy/policy/modules/contrib/monit.te
===================================================================
--- /dev/null
+++ refpolicy/policy/modules/contrib/monit.te
@@ -0,0 +1,74 @@
+policy_module(monit,1.0.0)
+
+#### file/domain-types
+type monit_t;
+domain_type(monit_t)
+
+type monit_exec_t;
+files_type(monit_exec_t)
+
+type monit_etc_t;
+files_type(monit_etc_t)
+
+type monit_lib_t;
+files_type(monit_lib_t)
+
+type monit_port_t;
+corenet_port(monit_port_t)
+
+type monit_log_t;
+logging_log_file(monit_log_t)
+logging_log_filetrans(monit_t, monit_log_t, {file dir})
+
+type monit_run_t;
+files_pid_file(monit_run_t)
+files_pid_filetrans(monit_t, monit_run_t, {file dir})
+
+#### monit_t
+init_daemon_domain(monit_t, monit_exec_t)
+init_domtrans_script(monit_t)
+
+allow monit_t self:netlink_route_socket { write getattr read bind create nlmsg_read };
+allow monit_t self:tcp_socket { write read connect shutdown getopt create bind setopt listen accept };
+allow monit_t self:udp_socket { write read connect shutdown getopt create ioctl getattr };
+allow monit_t self:sem { read write unix_write };
+allow monit_t self:capability { net_raw sys_ptrace dac_read_search dac_override };
+allow monit_t self:rawip_socket { write read create setopt shutdown };
+allow monit_t self:process { signal getpgid };
+allow monit_t self:fifo_file { ioctl getattr };
+allow monit_t monit_etc_t:dir list_dir_perms;
+allow monit_t monit_etc_t:file read_file_perms;
+allow monit_t monit_etc_t:lnk_file read_lnk_file_perms;
+allow monit_t monit_lib_t:dir manage_dir_perms;
+allow monit_t monit_lib_t:file manage_file_perms;
+allow monit_t monit_log_t:file manage_file_perms;
+allow monit_t monit_run_t:file manage_file_perms;
+
+allow monit_t monit_port_t:tcp_socket name_bind;
+corenet_tcp_bind_generic_node(monit_t)
+
+corenet_tcp_connect_all_ports(monit_t)
+
+corecmd_exec_bin(monit_t)
+corecmd_exec_shell(monit_t)
+
+miscfiles_read_localization(monit_t)
+dev_read_urand(monit_t)
+userdom_dontaudit_search_user_home_dirs(monit_t)
+files_read_etc_files(monit_t)
+files_read_all_pids(monit_t)
+sysnet_read_config(monit_t)
+files_search_var_lib(monit_t)
+files_read_etc_runtime_files(monit_t)
+
+dev_list_sysfs(monit_t)
+kernel_read_system_state(monit_t)
+storage_getattr_fixed_disk_dev(monit_t)
+fs_getattr_xattr_fs(monit_t)
+
+domain_read_all_domains_state(monit_t)
+domain_getpgid_all_domains(monit_t)
+
+## running monit from root console
+domain_use_interactive_fds(monit_t)
+userdom_use_user_ptys(monit_t)
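Review bot: both file transitions cover directories but the domain gets no directory permissions on the target types. logging_log_filetrans(monit_t, monit_log_t, {file dir}) and files_pid_filetrans(monit_t, monit_run_t, {file dir}) will label a newly created log or pid directory monit_log_t/monit_run_t, yet only `allow monit_t monit_log_t:file manage_file_perms;` and `allow monit_t monit_run_t:file manage_file_perms;` are granted, so the mkdir itself and any later search or list of that directory is denied. Add `manage_dir_perms` on both types or drop `dir` from the transitions. Second, monit_port_t is declared here with corenet_port() but nothing labels a port with it: refpolicy declares port types in corenetwork.te.in via network_port(), and without a portcon the `name_bind` rule on monit_port_t matches no port. Third, the allow set is wide for a monitoring daemon: corenet_tcp_connect_all_ports, corecmd_exec_bin/corecmd_exec_shell with no domain transition (checks and scripts run inside monit_t), and capability { net_raw sys_ptrace dac_read_search dac_override }; dac_override is only needed where dac_read_search does not suffice, so check the audit log before keeping both. Style: `##` is the interface doc-comment marker in refpolicy; use `#` for the in-file comment above the console rules.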


2016-12-31 10:21:57

by Christian Göttsche

Subject: [refpolicy] policy for monit

Hi,
please do not apply this patch.

This version is some years old.
I am currently using a newer version over here:
https://github.com/cgzones/debian-package-refpolicy/blob/sddm/debian/patches/0071-add-monit-module.patch
which I am planning to send upstream in the near future.

Kindly Regards,
Christian Göttsche

2016-12-31 11:08 GMT+01:00 Russell Coker via refpolicy
<[email protected]>:
> The below policy was submitted by cgzones who has a good history of sending
> SE Linux patches for Debian. I have not tested it but it looks good and works
> for them.
> [...]

2016-12-31 10:41:03

by Russell Coker

Subject: [refpolicy] policy for monit

On Saturday, 31 December 2016 11:21:57 AM AEDT cgzones wrote:
> please do not apply this patch.
>
> This version is some years old.
> I am currently using a newer version over here:
> https://github.com/cgzones/debian-package-refpolicy/blob/sddm/debian/patches/0071-add-monit-module.patch
> which I am planning to send upstream in the near future.

OK I've updated my policy tree to that newer patch. I removed the init.if
change because I have had some problems with changes in that area in the past
and it's something that needs a little more consideration than I have time for
at the moment.

Please send your change upstream at your earliest convenience. I'd like to
reduce the amount of diffs between my policy and upstream after stretch is
released.

--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/