2017-02-16 09:32:50

by Russell Coker

Subject: [refpolicy] [PATCH] base monit policy

Here is a patch for the monit policy without the monit_interactive_t domain.
This should be a minimally functional monit policy and we can then build on it
with the monit_interactive_t domain (or maybe a different way of achieving the
same goal).
From: cgzones <[email protected]>
Date: Fri, 25 Nov 2016 22:53:35 +0100
Subject: add monit module

---

Index: refpolicy-2.20170216/policy/modules/contrib/monit.fc
===================================================================
--- /dev/null
+++ refpolicy-2.20170216/policy/modules/contrib/monit.fc
@@ -0,0 +1,13 @@
+/etc/rc\.d/init\.d/monit -- gen_context(system_u:object_r:monit_initrc_exec_t,s9)
+/etc/monit(/.*)? gen_context(system_u:object_r:monit_etc_t,s0)
+
+/run/monit\.pid -- gen_context(system_u:object_r:monit_run_t,s0)
+
+/usr/bin/monit -- gen_context(system_u:object_r:monit_exec_t,s0)
+
+/usr/lib/systemd/system/monit.* -- gen_context(system_u:object_r:monit_unit_t,s0)
+
+/var/lib/monit(/.*)? gen_context(system_u:object_r:monit_var_lib_t,s0)
+
+/var/log/monit\.log.* -- gen_context(system_u:object_r:monit_log_t,s0)
+
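Review bot: the `/etc/rc\.d/init\.d/monit` entry on the first line of the hunk uses sensitivity `s9` while every other entry in this file uses `s0`; this looks like a typo, and `s9` is not a valid level on an MCS policy that only defines `s0`, so it should read `gen_context(system_u:object_r:monit_initrc_exec_t,s0)`.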
Index: refpolicy-2.20170216/policy/modules/contrib/monit.te
===================================================================
--- /dev/null
+++ refpolicy-2.20170216/policy/modules/contrib/monit.te
@@ -0,0 +1,122 @@
+policy_module(monit, 0.0.1)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Allow monit to start/stop services
+## </p>
+## </desc>
+gen_tunable(monit_startstop_services, false)
+
+attribute_role monit_interactive_roles;
+
+type monit_t;
+type monit_exec_t;
+init_daemon_domain(monit_t, monit_exec_t)
+
+type monit_etc_t;
+files_config_file(monit_etc_t)
+files_security_file(monit_etc_t) # may contain password for monit webinterface
+
+type monit_initrc_exec_t;
+init_script_file(monit_initrc_exec_t)
+
+type monit_log_t;
+logging_log_file(monit_log_t)
+
+type monit_run_t;
+files_pid_file(monit_run_t)
+
+type monit_unit_t;
+init_unit_file(monit_unit_t)
+
+type monit_var_lib_t;
+files_type(monit_var_lib_t)
+
+########################################
+#
+# Daemon policy
+#
+
+# dac_read_search : read /run/exim/*
+# net_raw : create raw sockets
+# sys_ptrace : trace processes
+allow monit_t self:capability { dac_read_search net_raw sys_ptrace };
+# kernel bug
+dontaudit monit_t self:capability dac_override;
+# setsockopt
+dontaudit monit_t self:capability net_admin;
+
+allow monit_t self:process { getpgid sigkill signal };
+allow monit_t self:fifo_file rw_fifo_file_perms;
+allow monit_t self:netlink_route_socket r_netlink_socket_perms;
+allow monit_t self:rawip_socket connected_socket_perms;
+allow monit_t self:sem rw_sem_perms;
+allow monit_t self:tcp_socket create_stream_socket_perms;
+allow monit_t self:udp_socket create_socket_perms;
+allow monit_t self:unix_stream_socket create_stream_socket_perms;
+
+allow monit_t monit_etc_t:dir list_dir_perms;
+allow monit_t monit_etc_t:file read_file_perms;
+allow monit_t monit_etc_t:lnk_file read_lnk_file_perms;
+
+allow monit_t monit_log_t:file { create read_file_perms append_file_perms };
+logging_log_filetrans(monit_t, monit_log_t, file)
+
+allow monit_t monit_run_t:file manage_file_perms;
+files_pid_filetrans(monit_t, monit_run_t, file)
+
+allow monit_t monit_var_lib_t:dir manage_dir_perms;
+allow monit_t monit_var_lib_t:file manage_file_perms;
+
+kernel_read_system_state(monit_t)
+
+auth_use_nsswitch(monit_t)
+corecmd_exec_bin(monit_t)
+corenet_tcp_bind_generic_node(monit_t)
+corenet_tcp_bind_monit_port(monit_t)
+corenet_tcp_connect_all_ports(monit_t)
+
+dev_read_sysfs(monit_t)
+dev_read_urand(monit_t)
+
+domain_getpgid_all_domains(monit_t)
+domain_read_all_domains_state(monit_t)
+
+files_read_all_pids(monit_t)
+
+fs_getattr_dos_fs(monit_t)
+fs_getattr_tmpfs(monit_t)
+fs_getattr_xattr_fs(monit_t)
+fs_search_dos(monit_t)
+
+miscfiles_read_localization(monit_t)
+
+storage_getattr_fixed_disk_dev(monit_t)
+
+sysnet_read_config(monit_t)
+
+tunable_policy(`monit_startstop_services',`
+ ifdef(`init_systemd',`
+ gen_require(`
+ attribute init_script_file_type;
+ class service { start status stop };
+ ')
+ allow monit_t init_script_file_type:service { start status stop };
+
+ init_get_all_units_status(monit_t)
+ init_get_system_status(monit_t)
+ init_start_all_units(monit_t)
+ init_stop_all_units(monit_t)
+ init_stream_connect(monit_t)
+ ')
+')
+
+optional_policy(`
+ dbus_system_bus_client(monit_t)
+')
+
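Review bot: the `tunable_policy(`monit_startstop_services',...` block at the end of the hunk reaches into the init module's internals from contrib by pulling `attribute init_script_file_type;` and `class service { start status stop };` in through a raw `gen_require` and then writing `allow monit_t init_script_file_type:service { start status stop };` directly; that rule belongs behind an interface in init.if, next to the `init_start_all_units`/`init_stop_all_units` calls already used here. The nesting is also inverted: with `ifdef(`init_systemd',...)` inside `tunable_policy`, the tunable expands to an empty block on non-systemd builds, so put the `ifdef` outside and the `tunable_policy` inside it. Two smaller points in the same hunk: `attribute_role monit_interactive_roles;` is declared but never referenced (the cover note says the interactive domain is deliberately left out), so drop it until that domain lands; and the `# kernel bug` comment above `dontaudit monit_t self:capability dac_override;` should name the code path that triggers the denial so a later maintainer can tell when the dontaudit is safe to remove. `corenet_tcp_connect_all_ports(monit_t)` is also broad for a daemon whose outbound connections are the admin-configured service checks; if no narrower set of port interfaces fits, a comment saying why would help.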
Index: refpolicy-2.20170216/policy/modules/contrib/monit.if
===================================================================
--- /dev/null
+++ refpolicy-2.20170216/policy/modules/contrib/monit.if
@@ -0,0 +1 @@
+## <summary>Monit - utility for monitoring services on a Unix system.</summary>
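Review bot: this hunk adds only the module summary and no interfaces, so nothing outside the module can be granted access to the monit types and there is no way to give an administrator role control of the daemon; contrib modules normally ship at least a `monit_admin()` interface covering `monit_t` and the `monit_etc_t`, `monit_log_t`, `monit_run_t` and `monit_var_lib_t` types declared in monit.te. If that is intended to arrive with the interactive-domain follow-up, a one-line comment saying so would head off the question.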
2017-02-18 13:17:29

by Chris PeBenito

Subject: [refpolicy] [PATCH] base monit policy

On 02/16/17 04:32, Russell Coker via refpolicy wrote:
> Here is a patch for the monit policy without the monit_interactive_t domain.
> This should be a minimally functional monit policy and we can then build on it
> with the monit_interactive_t domain (or maybe a different way of achieving the
> same goal).
>
>
> From: cgzones <[email protected]>
> Date: Fri, 25 Nov 2016 22:53:35 +0100
> Subject: add monit module
>
> ---
>
> Index: refpolicy-2.20170216/policy/modules/contrib/monit.fc
> ===================================================================
> --- /dev/null
> +++ refpolicy-2.20170216/policy/modules/contrib/monit.fc
> @@ -0,0 +1,13 @@
> +/etc/rc\.d/init\.d/monit -- gen_context(system_u:object_r:monit_initrc_exec_t,s9)
> +/etc/monit(/.*)? gen_context(system_u:object_r:monit_etc_t,s0)
> +
> +/run/monit\.pid -- gen_context(system_u:object_r:monit_run_t,s0)
> +
> +/usr/bin/monit -- gen_context(system_u:object_r:monit_exec_t,s0)
> +
> +/usr/lib/systemd/system/monit.* -- gen_context(system_u:object_r:monit_unit_t,s0)
> +
> +/var/lib/monit(/.*)? gen_context(system_u:object_r:monit_var_lib_t,s0)
> +
> +/var/log/monit\.log.* -- gen_context(system_u:object_r:monit_log_t,s0)
> +
> Index: refpolicy-2.20170216/policy/modules/contrib/monit.te
> ===================================================================
> --- /dev/null
> +++ refpolicy-2.20170216/policy/modules/contrib/monit.te
> @@ -0,0 +1,122 @@
> +policy_module(monit, 0.0.1)
> +
> +########################################
> +#
> +# Declarations
> +#
> +
> +## <desc>
> +## <p>
> +## Allow monit to start/stop services
> +## </p>
> +## </desc>
> +gen_tunable(monit_startstop_services, false)
> +
> +attribute_role monit_interactive_roles;
> +
> +type monit_t;
> +type monit_exec_t;
> +init_daemon_domain(monit_t, monit_exec_t)
> +
> +type monit_etc_t;
> +files_config_file(monit_etc_t)
> +files_security_file(monit_etc_t) # may contain password for monit webinterface
> +
> +type monit_initrc_exec_t;
> +init_script_file(monit_initrc_exec_t)
> +
> +type monit_log_t;
> +logging_log_file(monit_log_t)
> +
> +type monit_run_t;
> +files_pid_file(monit_run_t)
> +
> +type monit_unit_t;
> +init_unit_file(monit_unit_t)
> +
> +type monit_var_lib_t;
> +files_type(monit_var_lib_t)
> +
> +########################################
> +#
> +# Daemon policy
> +#
> +
> +# dac_read_search : read /run/exim/*
> +# net_raw : create raw sockets
> +# sys_ptrace : trace processes
> +allow monit_t self:capability { dac_read_search net_raw sys_ptrace };
> +# kernel bug
> +dontaudit monit_t self:capability dac_override;
> +# setsockopt
> +dontaudit monit_t self:capability net_admin;
> +
> +allow monit_t self:process { getpgid sigkill signal };
> +allow monit_t self:fifo_file rw_fifo_file_perms;
> +allow monit_t self:netlink_route_socket r_netlink_socket_perms;
> +allow monit_t self:rawip_socket connected_socket_perms;
> +allow monit_t self:sem rw_sem_perms;
> +allow monit_t self:tcp_socket create_stream_socket_perms;
> +allow monit_t self:udp_socket create_socket_perms;
> +allow monit_t self:unix_stream_socket create_stream_socket_perms;
> +
> +allow monit_t monit_etc_t:dir list_dir_perms;
> +allow monit_t monit_etc_t:file read_file_perms;
> +allow monit_t monit_etc_t:lnk_file read_lnk_file_perms;
> +
> +allow monit_t monit_log_t:file { create read_file_perms append_file_perms };
> +logging_log_filetrans(monit_t, monit_log_t, file)
> +
> +allow monit_t monit_run_t:file manage_file_perms;
> +files_pid_filetrans(monit_t, monit_run_t, file)
> +
> +allow monit_t monit_var_lib_t:dir manage_dir_perms;
> +allow monit_t monit_var_lib_t:file manage_file_perms;
> +
> +kernel_read_system_state(monit_t)
> +
> +auth_use_nsswitch(monit_t)
> +corecmd_exec_bin(monit_t)
> +corenet_tcp_bind_generic_node(monit_t)
> +corenet_tcp_bind_monit_port(monit_t)
> +corenet_tcp_connect_all_ports(monit_t)
> +
> +dev_read_sysfs(monit_t)
> +dev_read_urand(monit_t)
> +
> +domain_getpgid_all_domains(monit_t)
> +domain_read_all_domains_state(monit_t)
> +
> +files_read_all_pids(monit_t)
> +
> +fs_getattr_dos_fs(monit_t)
> +fs_getattr_tmpfs(monit_t)
> +fs_getattr_xattr_fs(monit_t)
> +fs_search_dos(monit_t)
> +
> +miscfiles_read_localization(monit_t)
> +
> +storage_getattr_fixed_disk_dev(monit_t)
> +
> +sysnet_read_config(monit_t)
> +
> +tunable_policy(`monit_startstop_services',`
> + ifdef(`init_systemd',`
> + gen_require(`
> + attribute init_script_file_type;
> + class service { start status stop };
> + ')
> + allow monit_t init_script_file_type:service { start status stop };
> +
> + init_get_all_units_status(monit_t)
> + init_get_system_status(monit_t)
> + init_start_all_units(monit_t)
> + init_stop_all_units(monit_t)
> + init_stream_connect(monit_t)
> + ')
> +')

This patch looks ok, except for this part. Using the attribute like
this isn't acceptable. Also, if systemd isn't enabled, this is an empty
block, so the ifdef should be on the outside and tunable_policy nested
inside.
--
Chris PeBenito

2017-02-19 10:07:50

by Russell Coker

Subject: [refpolicy] [PATCH] base monit policy

On Sun, 19 Feb 2017 12:17:29 AM Chris PeBenito wrote:
> On 02/16/17 04:32, Russell Coker via refpolicy wrote:
> > Here is a patch for the monit policy without the monit_interactive_t
> > domain. This should be a minimally functional monit policy and we can
> > then build on it with the monit_interactive_t domain (or maybe a
> > different way of achieving the same goal).
> >
> >
> > From: cgzones <[email protected]>
> > Date: Fri, 25 Nov 2016 22:53:35 +0100
> > Subject: add monit module
> >
> > ---
> >
> > +
> > + init_get_all_units_status(monit_t)
> > + init_get_system_status(monit_t)
> > + init_start_all_units(monit_t)
> > + init_stop_all_units(monit_t)
> > + init_stream_connect(monit_t)
> > + ')
> > +')
>
> This patch looks ok, except for this part. Using the attribute like
> this isn't acceptable. Also, if systemd isn't enabled, this is an empty
> block, so the ifdef should be on the outside and tunable_policy nested
> inside.

OK, I've attached a new version that fixes this.

--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/
-------------- next part --------------
An embedded message was scrubbed...
From: cgzones <[email protected]>
Subject: add monit module
Date: Fri, 25 Nov 2016 22:53:35 +0100
Size: 4451
Url: http://oss.tresys.com/pipermail/refpolicy/attachments/20170219/903933e2/attachment.mht

2017-02-19 21:35:44

by Chris PeBenito

Subject: [refpolicy] [PATCH] base monit policy

On 02/19/17 05:07, Russell Coker wrote:
> On Sun, 19 Feb 2017 12:17:29 AM Chris PeBenito wrote:
>> On 02/16/17 04:32, Russell Coker via refpolicy wrote:
>>> Here is a patch for the monit policy without the monit_interactive_t
>>> domain. This should be a minimally functional monit policy and we can
>>> then build on it with the monit_interactive_t domain (or maybe a
>>> different way of achieving the same goal).
>>>
>>>
>>> From: cgzones <[email protected]>
>>> Date: Fri, 25 Nov 2016 22:53:35 +0100
>>> Subject: add monit module
>>>
>>> ---
>>>
>>> +
>>> + init_get_all_units_status(monit_t)
>>> + init_get_system_status(monit_t)
>>> + init_start_all_units(monit_t)
>>> + init_stop_all_units(monit_t)
>>> + init_stream_connect(monit_t)
>>> + ')
>>> +')
>>
>> This patch looks ok, except for this part. Using the attribute like
>> this isn't acceptable. Also, if systemd isn't enabled, this is an empty
>> block, so the ifdef should be on the outside and tunable_policy nested
>> inside.
>
> OK, I've attached a new version that fixes this.

Merged, though I made a few trivial changes.

--
Chris PeBenito