commit: b6371921229cf02860e383fe970d331ebcaad159 |
Author: cgzones <cgzones <AT> googlemail <DOT> com> |
AuthorDate: Wed Mar 8 20:27:57 2017 +0000 |
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> |
CommitDate: Thu Mar 30 13:58:38 2017 +0000 |
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b6371921 |
|
monit: update |
|
add monit cli policy and several interfaces |
|
policy/modules/contrib/monit.fc | 6 +- |
policy/modules/contrib/monit.if | 127 ++++++++++++++++++++++++++++++++++++- |
policy/modules/contrib/monit.te | 134 ++++++++++++++++++++++++++-------------- |
3 files changed, 217 insertions(+), 50 deletions(-) |
|
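--- a/policy/modules/contrib/monit.fc
+++ b/policy/modules/contrib/monit.fc
@@ -1,7 +1,8 @@
 /etc/rc\.d/init\.d/monit -- gen_context(system_u:object_r:monit_initrc_exec_t,s9)
-/etc/monit(/.*)? gen_context(system_u:object_r:monit_etc_t,s0)
 
-/run/monit\.pid -- gen_context(system_u:object_r:monit_run_t,s0)
+/etc/monit(/.*)? gen_context(system_u:object_r:monit_conf_t,s0)
+
+/run/monit\.pid -- gen_context(system_u:object_r:monit_pid_t,s0)
 
 /usr/bin/monit -- gen_context(system_u:object_r:monit_exec_t,s0)
 
@@ -10,4 +11,3 @@
 /var/lib/monit(/.*)? gen_context(system_u:object_r:monit_var_lib_t,s0)
 
 /var/log/monit\.log.* -- gen_context(system_u:object_r:monit_log_t,s0)
-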
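--- a/policy/modules/contrib/monit.if
+++ b/policy/modules/contrib/monit.if
@@ -1 +1,126 @@
-## <summary>Monit system monitoring daemon</summary>
+## <summary>Monit - utility for monitoring services on a Unix system.</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run monit cli.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`monit_domtrans_cli',`
+ gen_require(`
+ type monit_cli_t, monit_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, monit_exec_t, monit_cli_t)
+')
+
+########################################
+## <summary>
+## Execute monit in the monit cli domain,
+## and allow the specified role
+## the monit cli domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+#
+interface(`monit_run_cli',`
+ gen_require(`
+ attribute_role monit_cli_roles;
+ ')
+
+ monit_domtrans_cli($1)
+ roleattribute $2 monit_cli_roles;
+')
+
+########################################
+## <summary>
+## Reload the monit daemon.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`monit_reload',`
+ gen_require(`
+ class service { reload status };
+ type monit_initrc_exec_t;
+ ')
+
+ allow $1 monit_initrc_exec_t:service { reload status };
+')
+
+########################################
+## <summary>
+## Start and stop the monit daemon.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`monit_startstop_service',`
+ gen_require(`
+ class service { start status stop };
+ type monit_initrc_exec_t;
+ ')
+
+ allow $1 monit_initrc_exec_t:service { start status stop };
+')
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an monit environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+#
+interface(`monit_admin',`
+ gen_require(`
+ type monit_t, monit_conf_t, monit_initrc_exec_t;
+ type monit_log_t, monit_pid_t;
+ type monit_unit_t, monit_var_lib_t;
+ ')
+
+ admin_process_pattern($1, monit_t)
+
+ init_startstop_service($1, $2, monit_t, monit_initrc_exec_t, monit_unit_t)
+
+ files_search_etc($1)
+ admin_pattern($1, monit_conf_t)
+
+ logging_search_logs($1)
+ admin_pattern($1, monit_log_t)
+
+ files_search_pids($1)
+ admin_pattern($1, monit_pid_t)
+
+ files_search_var_lib($1)
+ admin_pattern($1, monit_var_lib_t)
+
+ monit_run_cli($1, $2)
+')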
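Review bot: The new `monit_startstop_service` and `monit_reload` interfaces grant the `service` class permissions only on monit_initrc_exec_t, while `monit_admin` further down in the same hunk also hands monit_unit_t to init_startstop_service; if the daemon is managed through its systemd unit, the two new interfaces presumably do not cover that case, so consider requiring monit_unit_t there and adding `allow $1 monit_unit_t:service { start status stop };` (and the `{ reload status }` counterpart in monit_reload). Both interfaces also grant `status`, which their summaries leave out; `## Start, stop and get the status of the monit daemon.` would describe the rule that is actually written. Minor wording in the monit_admin summary: `administrate an monit environment` should read `administrate a monit environment`.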
diff --git a/policy/modules/contrib/monit.te b/policy/modules/contrib/monit.te |
172 |
index 14aeddcd..470c44f4 100644 |
173 |
--- a/policy/modules/contrib/monit.te |
174 |
+++ b/policy/modules/contrib/monit.te |
175 |
@@ -12,24 +12,29 @@ policy_module(monit, 1.0.1) |
176 |
## </desc> |
177 |
gen_tunable(monit_startstop_services, false) |
178 |
|
179 |
-attribute_role monit_interactive_roles; |
180 |
+attribute_role monit_cli_roles; |
181 |
|
182 |
-type monit_t; |
183 |
+attribute monit_domain; |
184 |
+ |
185 |
+type monit_t, monit_domain; |
186 |
type monit_exec_t; |
187 |
init_daemon_domain(monit_t, monit_exec_t) |
188 |
|
189 |
-type monit_etc_t; |
190 |
-files_config_file(monit_etc_t) |
191 |
-files_security_file(monit_etc_t) # may contain password for monit webinterface |
192 |
+type monit_conf_t alias monit_etc_t; |
193 |
+files_security_file(monit_conf_t) # may contain password for monit webinterface |
194 |
|
195 |
type monit_initrc_exec_t; |
196 |
init_script_file(monit_initrc_exec_t) |
197 |
|
198 |
+type monit_cli_t, monit_domain; |
199 |
+application_domain(monit_cli_t, monit_exec_t) |
200 |
+role monit_cli_roles types monit_cli_t; |
201 |
+ |
202 |
type monit_log_t; |
203 |
logging_log_file(monit_log_t) |
204 |
|
205 |
-type monit_run_t; |
206 |
-files_pid_file(monit_run_t) |
207 |
+type monit_pid_t alias monit_run_t; |
208 |
+files_pid_file(monit_pid_t) |
209 |
|
210 |
type monit_unit_t; |
211 |
init_unit_file(monit_unit_t) |
212 |
@@ -39,6 +44,37 @@ files_type(monit_var_lib_t) |
213 |
|
214 |
######################################## |
215 |
# |
216 |
+# Common monit domain policy |
217 |
+# |
218 |
+ |
219 |
+allow monit_domain self:unix_stream_socket create_stream_socket_perms; |
220 |
+allow monit_domain monit_t:process { getpgid sigkill signal }; |
221 |
+ |
222 |
+allow monit_domain monit_conf_t:dir list_dir_perms; |
223 |
+allow monit_domain monit_conf_t:file read_file_perms; |
224 |
+allow monit_domain monit_conf_t:lnk_file read_lnk_file_perms; |
225 |
+ |
226 |
+kernel_read_system_state(monit_domain) |
227 |
+ |
228 |
+# can not use with attributes |
229 |
+#auth_use_nsswitch(monit_domain) |
230 |
+ |
231 |
+# read /sys/class/net/eth0 /sys/devices/system/cpu |
232 |
+dev_read_sysfs(monit_domain) |
233 |
+dev_read_urand(monit_domain) |
234 |
+ |
235 |
+fs_getattr_dos_fs(monit_domain) |
236 |
+fs_getattr_dos_dirs(monit_domain) |
237 |
+fs_getattr_tmpfs(monit_domain) |
238 |
+fs_getattr_xattr_fs(monit_domain) |
239 |
+ |
240 |
+miscfiles_read_localization(monit_domain) |
241 |
+ |
242 |
+# disk usage of sd card |
243 |
+storage_getattr_removable_dev(monit_domain) |
244 |
+ |
245 |
+######################################## |
246 |
+# |
247 |
# Daemon policy |
248 |
# |
249 |
|
250 |
@@ -46,72 +82,78 @@ files_type(monit_var_lib_t) |
251 |
# net_raw : create raw sockets |
252 |
# sys_ptrace : trace processes |
253 |
allow monit_t self:capability { dac_read_search net_raw sys_ptrace }; |
254 |
-# kernel bug |
255 |
-dontaudit monit_t self:capability dac_override; |
256 |
# setsockopt |
257 |
dontaudit monit_t self:capability net_admin; |
258 |
|
259 |
-allow monit_t self:process { getpgid sigkill signal }; |
260 |
allow monit_t self:fifo_file rw_fifo_file_perms; |
261 |
-allow monit_t self:netlink_route_socket r_netlink_socket_perms; |
262 |
allow monit_t self:rawip_socket connected_socket_perms; |
263 |
-allow monit_t self:sem rw_sem_perms; |
264 |
-allow monit_t self:tcp_socket create_stream_socket_perms; |
265 |
-allow monit_t self:udp_socket create_socket_perms; |
266 |
-allow monit_t self:unix_stream_socket create_stream_socket_perms; |
267 |
- |
268 |
-allow monit_t monit_etc_t:dir list_dir_perms; |
269 |
-allow monit_t monit_etc_t:file read_file_perms; |
270 |
-allow monit_t monit_etc_t:lnk_file read_lnk_file_perms; |
271 |
+allow monit_t self:tcp_socket server_stream_socket_perms; |
272 |
|
273 |
allow monit_t monit_log_t:file { create read_file_perms append_file_perms }; |
274 |
logging_log_filetrans(monit_t, monit_log_t, file) |
275 |
|
276 |
-allow monit_t monit_run_t:file manage_file_perms; |
277 |
-files_pid_filetrans(monit_t, monit_run_t, file) |
278 |
+allow monit_t monit_pid_t:file manage_file_perms; |
279 |
+files_pid_filetrans(monit_t, monit_pid_t, file) |
280 |
|
281 |
allow monit_t monit_var_lib_t:dir manage_dir_perms; |
282 |
allow monit_t monit_var_lib_t:file manage_file_perms; |
283 |
|
284 |
-kernel_read_system_state(monit_t) |
285 |
+auth_use_nsswitch(monit_t) |
286 |
|
287 |
corecmd_exec_bin(monit_t) |
288 |
+ |
289 |
corenet_tcp_bind_generic_node(monit_t) |
290 |
corenet_tcp_bind_monit_port(monit_t) |
291 |
corenet_tcp_connect_all_ports(monit_t) |
292 |
|
293 |
-dev_read_sysfs(monit_t) |
294 |
-dev_read_urand(monit_t) |
295 |
- |
296 |
domain_getpgid_all_domains(monit_t) |
297 |
domain_read_all_domains_state(monit_t) |
298 |
|
299 |
files_read_all_pids(monit_t) |
300 |
|
301 |
-fs_getattr_dos_fs(monit_t) |
302 |
-fs_getattr_tmpfs(monit_t) |
303 |
-fs_getattr_xattr_fs(monit_t) |
304 |
-fs_search_dos(monit_t) |
305 |
- |
306 |
-storage_getattr_fixed_disk_dev(monit_t) |
307 |
- |
308 |
-auth_use_nsswitch(monit_t) |
309 |
- |
310 |
-miscfiles_read_localization(monit_t) |
311 |
- |
312 |
-sysnet_read_config(monit_t) |
313 |
+ifdef(`hide_broken_symptoms',` |
314 |
+ # kernel bug: https://github.com/SELinuxProject/selinux-kernel/issues/6 |
315 |
+ dontaudit monit_t self:capability dac_override; |
316 |
+') |
317 |
|
318 |
-ifdef(`init_systemd',` |
319 |
- tunable_policy(`monit_startstop_services',` |
320 |
- init_get_all_units_status(monit_t) |
321 |
- init_get_system_status(monit_t) |
322 |
- init_startstop_all_script_services(monit_t) |
323 |
- init_start_all_units(monit_t) |
324 |
- init_stop_all_units(monit_t) |
325 |
- init_stream_connect(monit_t) |
326 |
- ') |
327 |
+tunable_policy(`monit_startstop_services',` |
328 |
+ init_get_all_units_status(monit_t) |
329 |
+ init_get_system_status(monit_t) |
330 |
+ init_start_all_units(monit_t) |
331 |
+ init_stop_all_units(monit_t) |
332 |
+ init_stream_connect(monit_t) |
333 |
') |
334 |
|
335 |
optional_policy(` |
336 |
dbus_system_bus_client(monit_t) |
337 |
') |
338 |
+ |
339 |
+######################################## |
340 |
+# |
341 |
+# Client policy |
342 |
+# |
343 |
+ |
344 |
+allow monit_cli_t monit_log_t:file { append_file_perms read_file_perms }; |
345 |
+ |
346 |
+allow monit_cli_t monit_pid_t:file rw_file_perms; |
347 |
+ |
348 |
+allow monit_cli_t monit_var_lib_t:dir search_dir_perms; |
349 |
+allow monit_cli_t monit_var_lib_t:file rw_file_perms; |
350 |
+ |
351 |
+auth_use_nsswitch(monit_cli_t) |
352 |
+ |
353 |
+corecmd_check_exec_bin_files(monit_cli_t) |
354 |
+ |
355 |
+corenet_tcp_connect_monit_port(monit_cli_t) |
356 |
+ |
357 |
+dev_read_rand(monit_cli_t) |
358 |
+ |
359 |
+domain_use_interactive_fds(monit_cli_t) |
360 |
+ |
361 |
+files_search_pids(monit_cli_t) |
362 |
+files_search_var_lib(monit_cli_t) |
363 |
+ |
364 |
+logging_search_logs(monit_cli_t) |
365 |
+ |
366 |
+userdom_dontaudit_search_user_home_dirs(monit_cli_t) |
367 |
+userdom_use_inherited_user_terminals(monit_cli_t) |