
From: Jason Zaman <perfinion@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
Date: Mon, 07 Feb 2022 02:15:03
Message-Id: 1644199661.9fe987d0d2703cbfec2a88e4a559bc83fdd15fcb.perfinion@gentoo
1 commit: 9fe987d0d2703cbfec2a88e4a559bc83fdd15fcb
2 Author: Jonathan Davies <jpds <AT> protonmail <DOT> com>
3 AuthorDate: Fri Jan 28 00:22:55 2022 +0000
4 Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
5 CommitDate: Mon Feb 7 02:07:41 2022 +0000
6 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=9fe987d0
7
8 node_exporter: Added initial policy.
9
10 Signed-off-by: Jonathan Davies <jpds <AT> protonmail.com>
11 Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>
12
13 policy/modules/services/node_exporter.fc | 6 +++
14 policy/modules/services/node_exporter.if | 1 +
15 policy/modules/services/node_exporter.te | 73 ++++++++++++++++++++++++++++++++
16 3 files changed, 80 insertions(+)
17
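diff --git a/policy/modules/services/node_exporter.fc b/policy/modules/services/node_exporter.fc
new file mode 100644
index 00000000..f2527d15
--- /dev/null
+++ b/policy/modules/services/node_exporter.fc
@@ -0,0 +1,6 @@
+/run/node_exporter\.pid -- gen_context(system_u:object_r:node_exporter_runtime_t,s0)
+
+/usr/sbin/node_exporter -- gen_context(system_u:object_r:node_exporter_exec_t,s0)
+
+/var/lib/node_exporter(/.*)? gen_context(system_u:object_r:node_exporter_var_lib_t,s0)
+/var/log/node_exporter(/.*)? gen_context(system_u:object_r:node_exporter_log_t,s0)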
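diff --git a/policy/modules/services/node_exporter.if b/policy/modules/services/node_exporter.if
new file mode 100644
index 00000000..0cceb87e
--- /dev/null
+++ b/policy/modules/services/node_exporter.if
@@ -0,0 +1 @@
+## <summary>Prometheus Node Exporter</summary>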
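Review bot: The interface file carries only the `<summary>` line and declares no interfaces, so no other domain or role can be granted access to node_exporter_runtime_t, node_exporter_var_lib_t or node_exporter_log_t from outside this module (an admin interface is what refpolicy modules usually expose for that). Presumably this is intentional for an initial drop; if so, it is worth saying so in the summary, e.g. `## <summary>Prometheus Node Exporter (no interfaces yet; admin interface to follow)</summary>`, otherwise an admin interface should accompany the types declared in node_exporter.te.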
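diff --git a/policy/modules/services/node_exporter.te b/policy/modules/services/node_exporter.te
new file mode 100644
index 00000000..7b74a327
--- /dev/null
+++ b/policy/modules/services/node_exporter.te
@@ -0,0 +1,73 @@
+policy_module(node_exporter)
+
+########################################
+#
+# Declarations
+#
+
+type node_exporter_t;
+type node_exporter_exec_t;
+init_daemon_domain(node_exporter_t, node_exporter_exec_t)
+
+type node_exporter_runtime_t;
+files_runtime_file(node_exporter_runtime_t)
+
+type node_exporter_var_lib_t;
+files_type(node_exporter_var_lib_t)
+
+type node_exporter_log_t;
+logging_log_file(node_exporter_log_t)
+
+########################################
+#
+# Local policy
+#
+
+allow node_exporter_t self:fifo_file rw_fifo_file_perms;
+allow node_exporter_t self:process { getsched signal };
+allow node_exporter_t self:netlink_route_socket r_netlink_socket_perms;
+allow node_exporter_t self:tcp_socket create_stream_socket_perms;
+allow node_exporter_t self:udp_socket create_socket_perms;
+
+manage_files_pattern(node_exporter_t, node_exporter_runtime_t, node_exporter_runtime_t)
+files_runtime_filetrans(node_exporter_t, node_exporter_runtime_t, file)
+
+manage_dirs_pattern(node_exporter_t, node_exporter_var_lib_t, node_exporter_var_lib_t)
+manage_files_pattern(node_exporter_t, node_exporter_var_lib_t, node_exporter_var_lib_t)
+files_var_lib_filetrans(node_exporter_t, node_exporter_var_lib_t, { dir file })
+
+append_files_pattern(node_exporter_t, node_exporter_log_t, node_exporter_log_t)
+create_files_pattern(node_exporter_t, node_exporter_log_t, node_exporter_log_t)
+setattr_files_pattern(node_exporter_t, node_exporter_log_t, node_exporter_log_t)
+logging_log_filetrans(node_exporter_t, node_exporter_log_t, { dir file })
+
+# Also uses port 9100
+corenet_tcp_bind_hplip_port(node_exporter_t)
+corenet_tcp_bind_generic_node(node_exporter_t)
+
+dev_read_sysfs(node_exporter_t)
+
+fs_getattr_all_fs(node_exporter_t)
+
+init_read_state(node_exporter_t)
+
+kernel_read_fs_sysctls(node_exporter_t)
+kernel_read_kernel_sysctls(node_exporter_t)
+kernel_read_net_sysctls(node_exporter_t)
+kernel_read_network_state(node_exporter_t)
+kernel_read_software_raid_state(node_exporter_t)
+kernel_read_system_state(node_exporter_t)
+
+ifdef(`init_systemd',`
+ dbus_system_bus_client(node_exporter_t)
+
+ init_dbus_chat(node_exporter_t)
+ init_get_all_units_status(node_exporter_t)
+ init_get_system_status(node_exporter_t)
+')
+
+optional_policy(`
+ kernel_read_rpc_sysctls(node_exporter_t)
+
+ rpc_search_nfs_state_data(node_exporter_t)
+')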
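Review bot: `logging_log_filetrans(node_exporter_t, node_exporter_log_t, { dir file })` names the dir class, but the three patterns above it only grant append/create/setattr on files of node_exporter_log_t — nothing lets node_exporter_t create a directory of that type, so the dir transition can never take effect and a daemon creating /var/log/node_exporter itself would be denied. Either drop `dir` from that call or add `manage_dirs_pattern(node_exporter_t, node_exporter_log_t, node_exporter_log_t)` next to the file patterns, mirroring how the var_lib rules pair manage_dirs_pattern with their `{ dir file }` filetrans. Separately, the comment `# Also uses port 9100` does not say why the hplip port type is the one bound; presumably corenetwork labels 9100 as hplip_port_t, in which case the rule grants bind on every port carrying that type, not just 9100, and the comment should state that, e.g. `# Listens on tcp/9100, which corenetwork labels hplip_port_t (grants bind on the whole type)`.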