From: "Jason Zaman" To: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: 8bit Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Jason Zaman" Message-ID: <1490882318.b6371921229cf02860e383fe970d331ebcaad159.perfinion@gentoo> Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/ X-VCS-Repository: proj/hardened-refpolicy X-VCS-Files: policy/modules/contrib/monit.fc policy/modules/contrib/monit.if policy/modules/contrib/monit.te X-VCS-Directories: policy/modules/contrib/ X-VCS-Committer: perfinion X-VCS-Committer-Name: Jason Zaman X-VCS-Revision: b6371921229cf02860e383fe970d331ebcaad159 X-VCS-Branch: master Date: Thu, 30 Mar 2017 17:06:21 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org X-Archives-Salt: e03feb7b-bf8c-45e2-a888-cf58dfe45297 X-Archives-Hash: 8122886a8ed21d147d5068aec0423bb6 commit: b6371921229cf02860e383fe970d331ebcaad159 Author: cgzones googlemail com> AuthorDate: Wed Mar 8 20:27:57 2017 +0000 Commit: Jason Zaman gentoo org> CommitDate: Thu Mar 30 13:58:38 2017 +0000 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b6371921 monit: update add monit cli policy and several interfaces policy/modules/contrib/monit.fc | 6 +- policy/modules/contrib/monit.if | 127 ++++++++++++++++++++++++++++++++++++- policy/modules/contrib/monit.te | 134 ++++++++++++++++++++++++++-------------- 3 files changed, 217 insertions(+), 50 deletions(-) diff --git a/policy/modules/contrib/monit.fc b/policy/modules/contrib/monit.fc index d47fa153..273aad3e 100644 --- a/policy/modules/contrib/monit.fc +++ b/policy/modules/contrib/monit.fc 
@@ -1,7 +1,8 @@ /etc/rc\.d/init\.d/monit -- gen_context(system_u:object_r:monit_initrc_exec_t,s9) -/etc/monit(/.*)? gen_context(system_u:object_r:monit_etc_t,s0) -/run/monit\.pid -- gen_context(system_u:object_r:monit_run_t,s0) +/etc/monit(/.*)? gen_context(system_u:object_r:monit_conf_t,s0) + +/run/monit\.pid -- gen_context(system_u:object_r:monit_pid_t,s0) /usr/bin/monit -- gen_context(system_u:object_r:monit_exec_t,s0) @@ -10,4 +11,3 @@ /var/lib/monit(/.*)? gen_context(system_u:object_r:monit_var_lib_t,s0) /var/log/monit\.log.* -- gen_context(system_u:object_r:monit_log_t,s0) - diff --git a/policy/modules/contrib/monit.if b/policy/modules/contrib/monit.if index d387f435..6107ef9d 100644 --- a/policy/modules/contrib/monit.if +++ b/policy/modules/contrib/monit.if 
@@ -1 +1,126 @@ -## Monit system monitoring daemon +## Monit - utility for monitoring services on a Unix system. + +######################################## +## +## Execute a domain transition to run monit cli. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`monit_domtrans_cli',` + gen_require(` + type monit_cli_t, monit_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, monit_exec_t, monit_cli_t) +') + +######################################## +## +## Execute monit in the monit cli domain, +## and allow the specified role +## the monit cli domain. +## +## +## +## Domain allowed to transition. +## +## +## +## +## Role allowed access. +## +## +# +interface(`monit_run_cli',` + gen_require(` + attribute_role monit_cli_roles; + ') + + monit_domtrans_cli($1) + roleattribute $2 monit_cli_roles; +') + +######################################## +## +## Reload the monit daemon. +## +## +## +## Domain allowed access. +## +## +# +interface(`monit_reload',` + gen_require(` + class service { reload status }; + type monit_initrc_exec_t; + ') + + allow $1 monit_initrc_exec_t:service { reload status }; +') + +######################################## +## +## Start and stop the monit daemon. +## +## +## +## Domain allowed access. +## +## +# +interface(`monit_startstop_service',` + gen_require(` + class service { start status stop }; + type monit_initrc_exec_t; + ') + + allow $1 monit_initrc_exec_t:service { start status stop }; +') + +######################################## +## +## All of the rules required to +## administrate an monit environment. +## +## +## +## Domain allowed access. +## +## +## +## +## Role allowed access. 
+## +## +# +interface(`monit_admin',` + gen_require(` + type monit_t, monit_conf_t, monit_initrc_exec_t; + type monit_log_t, monit_pid_t; + type monit_unit_t, monit_var_lib_t; + ') + + admin_process_pattern($1, monit_t) + + init_startstop_service($1, $2, monit_t, monit_initrc_exec_t, monit_unit_t) + + files_search_etc($1) + admin_pattern($1, monit_conf_t) + + logging_search_logs($1) + admin_pattern($1, monit_log_t) + + files_search_pids($1) + admin_pattern($1, monit_pid_t) + + files_search_var_lib($1) + admin_pattern($1, monit_var_lib_t) + + monit_run_cli($1, $2) +') diff --git a/policy/modules/contrib/monit.te b/policy/modules/contrib/monit.te index 14aeddcd..470c44f4 100644 --- a/policy/modules/contrib/monit.te +++ b/policy/modules/contrib/monit.te @@ -12,24 +12,29 @@ policy_module(monit, 1.0.1) ## gen_tunable(monit_startstop_services, false) -attribute_role monit_interactive_roles; +attribute_role monit_cli_roles; -type monit_t; +attribute monit_domain; + +type monit_t, monit_domain; type monit_exec_t; init_daemon_domain(monit_t, monit_exec_t) -type monit_etc_t; -files_config_file(monit_etc_t) -files_security_file(monit_etc_t) # may contain password for monit webinterface +type monit_conf_t alias monit_etc_t; +files_security_file(monit_conf_t) # may contain password for monit webinterface type monit_initrc_exec_t; init_script_file(monit_initrc_exec_t) +type monit_cli_t, monit_domain; +application_domain(monit_cli_t, monit_exec_t) +role monit_cli_roles types monit_cli_t; + type monit_log_t; logging_log_file(monit_log_t) -type monit_run_t; -files_pid_file(monit_run_t) +type monit_pid_t alias monit_run_t; +files_pid_file(monit_pid_t) type monit_unit_t; init_unit_file(monit_unit_t) 
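Review bot: `monit_reload` and `monit_startstop_service` grant the `service` class permissions only on `monit_initrc_exec_t`, although the same hunk declares and uses `monit_unit_t` in `monit_admin` (through `init_startstop_service`). If the `service` access check on a systemd host is made against the label of the unit file, callers of these two interfaces would be denied when monit ships a native unit; covering both types keeps them usable on either init system, e.g. `type monit_initrc_exec_t, monit_unit_t;` in the `gen_require` and `allow $1 { monit_initrc_exec_t monit_unit_t }:service { reload status };` (and the same target set with `{ start status stop }` in `monit_startstop_service`). The `monit_admin` summary should also state what the role receives beyond process control, since `admin_pattern($1, monit_conf_t)` covers a type the .te marks as a security file that may hold the web-interface password and `monit_run_cli($1, $2)` hands the role the cli domain: `## Also grants the cli domain and full access to monit_conf_t, which may contain the web-interface password.` The first hunk header line (`@@ -1 +1,126 @@`) is on the previous physical line; the interface bodies above are otherwise complete here.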
@@ -39,6 +44,37 @@ files_type(monit_var_lib_t) ######################################## # +# Common monit domain policy +# + +allow monit_domain self:unix_stream_socket create_stream_socket_perms; +allow monit_domain monit_t:process { getpgid sigkill signal }; + +allow monit_domain monit_conf_t:dir list_dir_perms; +allow monit_domain monit_conf_t:file read_file_perms; +allow monit_domain monit_conf_t:lnk_file read_lnk_file_perms; + +kernel_read_system_state(monit_domain) + +# can not use with attributes +#auth_use_nsswitch(monit_domain) + +# read /sys/class/net/eth0 /sys/devices/system/cpu +dev_read_sysfs(monit_domain) +dev_read_urand(monit_domain) + +fs_getattr_dos_fs(monit_domain) +fs_getattr_dos_dirs(monit_domain) +fs_getattr_tmpfs(monit_domain) +fs_getattr_xattr_fs(monit_domain) + +miscfiles_read_localization(monit_domain) + +# disk usage of sd card +storage_getattr_removable_dev(monit_domain) + +######################################## +# # Daemon policy # 
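Review bot: `allow monit_domain monit_t:process { getpgid sigkill signal };` gives every domain carrying the `monit_domain` attribute, including the new `monit_cli_t` that any role in `monit_cli_roles` can enter, the right to send an uncatchable SIGKILL to the daemon. The cli's reload and quit paths presumably need only `signal` (SIGHUP/SIGTERM), so `sigkill` looks like a daemon-only need: keep `allow monit_domain monit_t:process { getpgid signal };` in this common block and add `allow monit_t self:process sigkill;` in the daemon section, unless `monit quit` is observed to use SIGKILL. The commented-out `#auth_use_nsswitch(monit_domain)` under `# can not use with attributes` is dead code; a comment saying where the per-domain calls live would read better, e.g. `# auth_use_nsswitch() does not accept attributes; it is called per domain below`. The trailing context of this hunk appears to be cut off in this rendering, so the lines after `# Daemon policy` were not reviewed.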
@@ -46,72 +82,78 @@ files_type(monit_var_lib_t) # net_raw : create raw sockets # sys_ptrace : trace processes allow monit_t self:capability { dac_read_search net_raw sys_ptrace }; -# kernel bug -dontaudit monit_t self:capability dac_override; # setsockopt dontaudit monit_t self:capability net_admin; -allow monit_t self:process { getpgid sigkill signal }; allow monit_t self:fifo_file rw_fifo_file_perms; -allow monit_t self:netlink_route_socket r_netlink_socket_perms; allow monit_t self:rawip_socket connected_socket_perms; -allow monit_t self:sem rw_sem_perms; -allow monit_t self:tcp_socket create_stream_socket_perms; -allow monit_t self:udp_socket create_socket_perms; -allow monit_t self:unix_stream_socket create_stream_socket_perms; - -allow monit_t monit_etc_t:dir list_dir_perms; -allow monit_t monit_etc_t:file read_file_perms; -allow monit_t monit_etc_t:lnk_file read_lnk_file_perms; +allow monit_t self:tcp_socket server_stream_socket_perms; allow monit_t monit_log_t:file { create read_file_perms append_file_perms }; logging_log_filetrans(monit_t, monit_log_t, file) -allow monit_t monit_run_t:file manage_file_perms; -files_pid_filetrans(monit_t, monit_run_t, file) +allow monit_t monit_pid_t:file manage_file_perms; +files_pid_filetrans(monit_t, monit_pid_t, file) allow monit_t monit_var_lib_t:dir manage_dir_perms; allow monit_t monit_var_lib_t:file manage_file_perms; -kernel_read_system_state(monit_t) +auth_use_nsswitch(monit_t) corecmd_exec_bin(monit_t) + corenet_tcp_bind_generic_node(monit_t) corenet_tcp_bind_monit_port(monit_t) corenet_tcp_connect_all_ports(monit_t) -dev_read_sysfs(monit_t) -dev_read_urand(monit_t) - domain_getpgid_all_domains(monit_t) domain_read_all_domains_state(monit_t) files_read_all_pids(monit_t) -fs_getattr_dos_fs(monit_t) -fs_getattr_tmpfs(monit_t) -fs_getattr_xattr_fs(monit_t) -fs_search_dos(monit_t) - -storage_getattr_fixed_disk_dev(monit_t) - -auth_use_nsswitch(monit_t) - -miscfiles_read_localization(monit_t) - 
-sysnet_read_config(monit_t) +ifdef(`hide_broken_symptoms',` + # kernel bug: https://github.com/SELinuxProject/selinux-kernel/issues/6 + dontaudit monit_t self:capability dac_override; +') -ifdef(`init_systemd',` - tunable_policy(`monit_startstop_services',` - init_get_all_units_status(monit_t) - init_get_system_status(monit_t) - init_startstop_all_script_services(monit_t) - init_start_all_units(monit_t) - init_stop_all_units(monit_t) - init_stream_connect(monit_t) - ') +tunable_policy(`monit_startstop_services',` + init_get_all_units_status(monit_t) + init_get_system_status(monit_t) + init_start_all_units(monit_t) + init_stop_all_units(monit_t) + init_stream_connect(monit_t) ') optional_policy(` dbus_system_bus_client(monit_t) ') + +######################################## +# +# Client policy +# + +allow monit_cli_t monit_log_t:file { append_file_perms read_file_perms }; + +allow monit_cli_t monit_pid_t:file rw_file_perms; + +allow monit_cli_t monit_var_lib_t:dir search_dir_perms; +allow monit_cli_t monit_var_lib_t:file rw_file_perms; + +auth_use_nsswitch(monit_cli_t) + +corecmd_check_exec_bin_files(monit_cli_t) + +corenet_tcp_connect_monit_port(monit_cli_t) + +dev_read_rand(monit_cli_t) + +domain_use_interactive_fds(monit_cli_t) + +files_search_pids(monit_cli_t) +files_search_var_lib(monit_cli_t) + +logging_search_logs(monit_cli_t) + +userdom_dontaudit_search_user_home_dirs(monit_cli_t) +userdom_use_inherited_user_terminals(monit_cli_t)
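Review bot: The rewritten `tunable_policy(`monit_startstop_services', ...)` block drops `init_startstop_all_script_services(monit_t)` together with the old `ifdef(`init_systemd')` guard, so on a sysvinit/OpenRC host with the tunable enabled the daemon keeps only the systemd unit interfaces (`init_start_all_units`, `init_stop_all_units`, `init_stream_connect`) and no longer appears to be allowed to run init scripts for its configured start/stop programs. If that is not intentional, restore it inside the tunable as `init_startstop_all_script_services(monit_t)`. `storage_getattr_fixed_disk_dev(monit_t)` is also removed with only `storage_getattr_removable_dev(monit_domain)` added in its place (previous hunk), which may break filesystem checks on fixed disks if the old rule was there for a reason; confirm against an audit log before release. In the client section, `allow monit_cli_t monit_pid_t:file rw_file_perms;` and `allow monit_cli_t monit_var_lib_t:file rw_file_perms;` give a user-invoked cli write access to the daemon's pid and state files, which deserves a why-comment such as `# presumably needed because 'monit' run with no daemon present starts one in this domain -- confirm`, or tightening to `read_file_perms` if that is not the case.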