
From: Jason Zaman <perfinion@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
Date: Thu, 30 Mar 2017 17:07:00
Message-Id: 1490882318.b6371921229cf02860e383fe970d331ebcaad159.perfinion@gentoo
1 commit: b6371921229cf02860e383fe970d331ebcaad159
2 Author: cgzones <cgzones <AT> googlemail <DOT> com>
3 AuthorDate: Wed Mar 8 20:27:57 2017 +0000
4 Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
5 CommitDate: Thu Mar 30 13:58:38 2017 +0000
6 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b6371921
7
8 monit: update
9
10 add monit cli policy and several interfaces
11
12 policy/modules/contrib/monit.fc | 6 +-
13 policy/modules/contrib/monit.if | 127 ++++++++++++++++++++++++++++++++++++-
14 policy/modules/contrib/monit.te | 134 ++++++++++++++++++++++++++--------------
15 3 files changed, 217 insertions(+), 50 deletions(-)
16
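--- a/policy/modules/contrib/monit.fc
+++ b/policy/modules/contrib/monit.fc
@@ -1,7 +1,8 @@
 /etc/rc\.d/init\.d/monit -- gen_context(system_u:object_r:monit_initrc_exec_t,s9)
-/etc/monit(/.*)? gen_context(system_u:object_r:monit_etc_t,s0)
 
-/run/monit\.pid -- gen_context(system_u:object_r:monit_run_t,s0)
+/etc/monit(/.*)? gen_context(system_u:object_r:monit_conf_t,s0)
+
+/run/monit\.pid -- gen_context(system_u:object_r:monit_pid_t,s0)
 
 /usr/bin/monit -- gen_context(system_u:object_r:monit_exec_t,s0)
 
@@ -10,4 +11,3 @@
 /var/lib/monit(/.*)? gen_context(system_u:object_r:monit_var_lib_t,s0)
 
 /var/log/monit\.log.* -- gen_context(system_u:object_r:monit_log_t,s0)
-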
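--- a/policy/modules/contrib/monit.if
+++ b/policy/modules/contrib/monit.if
@@ -1 +1,126 @@
-## <summary>Monit system monitoring daemon</summary>
+## <summary>Monit - utility for monitoring services on a Unix system.</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run monit cli.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`monit_domtrans_cli',`
+ gen_require(`
+ type monit_cli_t, monit_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, monit_exec_t, monit_cli_t)
+')
+
+########################################
+## <summary>
+## Execute monit in the monit cli domain,
+## and allow the specified role
+## the monit cli domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+#
+interface(`monit_run_cli',`
+ gen_require(`
+ attribute_role monit_cli_roles;
+ ')
+
+ monit_domtrans_cli($1)
+ roleattribute $2 monit_cli_roles;
+')
+
+########################################
+## <summary>
+## Reload the monit daemon.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`monit_reload',`
+ gen_require(`
+ class service { reload status };
+ type monit_initrc_exec_t;
+ ')
+
+ allow $1 monit_initrc_exec_t:service { reload status };
+')
+
+########################################
+## <summary>
+## Start and stop the monit daemon.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`monit_startstop_service',`
+ gen_require(`
+ class service { start status stop };
+ type monit_initrc_exec_t;
+ ')
+
+ allow $1 monit_initrc_exec_t:service { start status stop };
+')
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an monit environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+#
+interface(`monit_admin',`
+ gen_require(`
+ type monit_t, monit_conf_t, monit_initrc_exec_t;
+ type monit_log_t, monit_pid_t;
+ type monit_unit_t, monit_var_lib_t;
+ ')
+
+ admin_process_pattern($1, monit_t)
+
+ init_startstop_service($1, $2, monit_t, monit_initrc_exec_t, monit_unit_t)
+
+ files_search_etc($1)
+ admin_pattern($1, monit_conf_t)
+
+ logging_search_logs($1)
+ admin_pattern($1, monit_log_t)
+
+ files_search_pids($1)
+ admin_pattern($1, monit_pid_t)
+
+ files_search_var_lib($1)
+ admin_pattern($1, monit_var_lib_t)
+
+ monit_run_cli($1, $2)
+')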
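Review bot: monit_reload and monit_startstop_service grant the service class on monit_initrc_exec_t only, whereas monit_admin further down routes start/stop through init_startstop_service with monit_unit_t as well, so the unit-file type is handled in one path and not the other; whether a caller that only receives monit_startstop_service ends up short of the unit-side permission on systemd hosts depends on init_startstop_service, which is outside this page. Either pull monit_unit_t into the gen_require of both interfaces and grant the same service permissions on it, or make the narrower scope explicit in each summary, e.g. `## Start and stop the monit daemon via its init script label only.` and `## Reload the monit daemon via its init script label only.`. The monit_admin summary should also read `## administrate a monit environment.` rather than `an monit`.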
171 diff --git a/policy/modules/contrib/monit.te b/policy/modules/contrib/monit.te
172 index 14aeddcd..470c44f4 100644
173 --- a/policy/modules/contrib/monit.te
174 +++ b/policy/modules/contrib/monit.te
175 @@ -12,24 +12,29 @@ policy_module(monit, 1.0.1)
176 ## </desc>
177 gen_tunable(monit_startstop_services, false)
178
179 -attribute_role monit_interactive_roles;
180 +attribute_role monit_cli_roles;
181
182 -type monit_t;
183 +attribute monit_domain;
184 +
185 +type monit_t, monit_domain;
186 type monit_exec_t;
187 init_daemon_domain(monit_t, monit_exec_t)
188
189 -type monit_etc_t;
190 -files_config_file(monit_etc_t)
191 -files_security_file(monit_etc_t) # may contain password for monit webinterface
192 +type monit_conf_t alias monit_etc_t;
193 +files_security_file(monit_conf_t) # may contain password for monit webinterface
194
195 type monit_initrc_exec_t;
196 init_script_file(monit_initrc_exec_t)
197
198 +type monit_cli_t, monit_domain;
199 +application_domain(monit_cli_t, monit_exec_t)
200 +role monit_cli_roles types monit_cli_t;
201 +
202 type monit_log_t;
203 logging_log_file(monit_log_t)
204
205 -type monit_run_t;
206 -files_pid_file(monit_run_t)
207 +type monit_pid_t alias monit_run_t;
208 +files_pid_file(monit_pid_t)
209
210 type monit_unit_t;
211 init_unit_file(monit_unit_t)
212 @@ -39,6 +44,37 @@ files_type(monit_var_lib_t)
213
214 ########################################
215 #
216 +# Common monit domain policy
217 +#
218 +
219 +allow monit_domain self:unix_stream_socket create_stream_socket_perms;
220 +allow monit_domain monit_t:process { getpgid sigkill signal };
221 +
222 +allow monit_domain monit_conf_t:dir list_dir_perms;
223 +allow monit_domain monit_conf_t:file read_file_perms;
224 +allow monit_domain monit_conf_t:lnk_file read_lnk_file_perms;
225 +
226 +kernel_read_system_state(monit_domain)
227 +
228 +# can not use with attributes
229 +#auth_use_nsswitch(monit_domain)
230 +
231 +# read /sys/class/net/eth0 /sys/devices/system/cpu
232 +dev_read_sysfs(monit_domain)
233 +dev_read_urand(monit_domain)
234 +
235 +fs_getattr_dos_fs(monit_domain)
236 +fs_getattr_dos_dirs(monit_domain)
237 +fs_getattr_tmpfs(monit_domain)
238 +fs_getattr_xattr_fs(monit_domain)
239 +
240 +miscfiles_read_localization(monit_domain)
241 +
242 +# disk usage of sd card
243 +storage_getattr_removable_dev(monit_domain)
244 +
245 +########################################
246 +#
247 # Daemon policy
248 #
249
250 @@ -46,72 +82,78 @@ files_type(monit_var_lib_t)
251 # net_raw : create raw sockets
252 # sys_ptrace : trace processes
253 allow monit_t self:capability { dac_read_search net_raw sys_ptrace };
254 -# kernel bug
255 -dontaudit monit_t self:capability dac_override;
256 # setsockopt
257 dontaudit monit_t self:capability net_admin;
258
259 -allow monit_t self:process { getpgid sigkill signal };
260 allow monit_t self:fifo_file rw_fifo_file_perms;
261 -allow monit_t self:netlink_route_socket r_netlink_socket_perms;
262 allow monit_t self:rawip_socket connected_socket_perms;
263 -allow monit_t self:sem rw_sem_perms;
264 -allow monit_t self:tcp_socket create_stream_socket_perms;
265 -allow monit_t self:udp_socket create_socket_perms;
266 -allow monit_t self:unix_stream_socket create_stream_socket_perms;
267 -
268 -allow monit_t monit_etc_t:dir list_dir_perms;
269 -allow monit_t monit_etc_t:file read_file_perms;
270 -allow monit_t monit_etc_t:lnk_file read_lnk_file_perms;
271 +allow monit_t self:tcp_socket server_stream_socket_perms;
272
273 allow monit_t monit_log_t:file { create read_file_perms append_file_perms };
274 logging_log_filetrans(monit_t, monit_log_t, file)
275
276 -allow monit_t monit_run_t:file manage_file_perms;
277 -files_pid_filetrans(monit_t, monit_run_t, file)
278 +allow monit_t monit_pid_t:file manage_file_perms;
279 +files_pid_filetrans(monit_t, monit_pid_t, file)
280
281 allow monit_t monit_var_lib_t:dir manage_dir_perms;
282 allow monit_t monit_var_lib_t:file manage_file_perms;
283
284 -kernel_read_system_state(monit_t)
285 +auth_use_nsswitch(monit_t)
286
287 corecmd_exec_bin(monit_t)
288 +
289 corenet_tcp_bind_generic_node(monit_t)
290 corenet_tcp_bind_monit_port(monit_t)
291 corenet_tcp_connect_all_ports(monit_t)
292
293 -dev_read_sysfs(monit_t)
294 -dev_read_urand(monit_t)
295 -
296 domain_getpgid_all_domains(monit_t)
297 domain_read_all_domains_state(monit_t)
298
299 files_read_all_pids(monit_t)
300
301 -fs_getattr_dos_fs(monit_t)
302 -fs_getattr_tmpfs(monit_t)
303 -fs_getattr_xattr_fs(monit_t)
304 -fs_search_dos(monit_t)
305 -
306 -storage_getattr_fixed_disk_dev(monit_t)
307 -
308 -auth_use_nsswitch(monit_t)
309 -
310 -miscfiles_read_localization(monit_t)
311 -
312 -sysnet_read_config(monit_t)
313 +ifdef(`hide_broken_symptoms',`
314 + # kernel bug: https://github.com/SELinuxProject/selinux-kernel/issues/6
315 + dontaudit monit_t self:capability dac_override;
316 +')
317
318 -ifdef(`init_systemd',`
319 - tunable_policy(`monit_startstop_services',`
320 - init_get_all_units_status(monit_t)
321 - init_get_system_status(monit_t)
322 - init_startstop_all_script_services(monit_t)
323 - init_start_all_units(monit_t)
324 - init_stop_all_units(monit_t)
325 - init_stream_connect(monit_t)
326 - ')
327 +tunable_policy(`monit_startstop_services',`
328 + init_get_all_units_status(monit_t)
329 + init_get_system_status(monit_t)
330 + init_start_all_units(monit_t)
331 + init_stop_all_units(monit_t)
332 + init_stream_connect(monit_t)
333 ')
334
335 optional_policy(`
336 dbus_system_bus_client(monit_t)
337 ')
338 +
339 +########################################
340 +#
341 +# Client policy
342 +#
343 +
344 +allow monit_cli_t monit_log_t:file { append_file_perms read_file_perms };
345 +
346 +allow monit_cli_t monit_pid_t:file rw_file_perms;
347 +
348 +allow monit_cli_t monit_var_lib_t:dir search_dir_perms;
349 +allow monit_cli_t monit_var_lib_t:file rw_file_perms;
350 +
351 +auth_use_nsswitch(monit_cli_t)
352 +
353 +corecmd_check_exec_bin_files(monit_cli_t)
354 +
355 +corenet_tcp_connect_monit_port(monit_cli_t)
356 +
357 +dev_read_rand(monit_cli_t)
358 +
359 +domain_use_interactive_fds(monit_cli_t)
360 +
361 +files_search_pids(monit_cli_t)
362 +files_search_var_lib(monit_cli_t)
363 +
364 +logging_search_logs(monit_cli_t)
365 +
366 +userdom_dontaudit_search_user_home_dirs(monit_cli_t)
367 +userdom_use_inherited_user_terminals(monit_cli_t)