commit: 43da5040356ecd17cf2ca9c31ef4a6ea5141639b
Author: Christian Göttsche <cgzones <AT> googlemail <DOT> com>
AuthorDate: Fri Dec 29 20:20:06 2017 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Thu Jan 18 16:26:14 2018 +0000
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=43da5040
monit: update
- usage of socket interface (/run/monit.socket as monit_runtime_t)
- allow simple checks (entropy, systemctl is-system-running, getenforce)
policy/modules/contrib/monit.fc | 3 ++-
policy/modules/contrib/monit.if | 4 ++--
policy/modules/contrib/monit.te | 40 ++++++++++++++++++++++++++++------------
3 files changed, 32 insertions(+), 15 deletions(-)
diff --git a/policy/modules/contrib/monit.fc b/policy/modules/contrib/monit.fc
index 273aad3e..1cd0238e 100644
--- a/policy/modules/contrib/monit.fc
+++ b/policy/modules/contrib/monit.fc
@@ -2,7 +2,8 @@
/etc/monit(/.*)?
gen_context(system_u:object_r:monit_conf_t,s0)
-/run/monit\.pid --
gen_context(system_u:object_r:monit_pid_t,s0)
+/run/monit\.pid --
gen_context(system_u:object_r:monit_runtime_t,s0)
+/run/monit\.socket -s
gen_context(system_u:object_r:monit_runtime_t,s0)
/usr/bin/monit --
gen_context(system_u:object_r:monit_exec_t,s0)
diff --git a/policy/modules/contrib/monit.if b/policy/modules/contrib/monit.if
index d249dfbd..832cdca8 100644
--- a/policy/modules/contrib/monit.if
+++ b/policy/modules/contrib/monit.if
@@ -102,7 +102,7 @@ interface(`monit_startstop_service',`
interface(`monit_admin',`
gen_require(`
type monit_t, monit_conf_t, monit_initrc_exec_t;
- type monit_log_t, monit_pid_t;
+ type monit_log_t, monit_runtime_t;
type monit_unit_t, monit_var_lib_t;
')
@@ -117,7 +117,7 @@ interface(`monit_admin',`
admin_pattern($1, monit_log_t)
files_search_pids($1)
- admin_pattern($1, monit_pid_t)
+ admin_pattern($1, monit_runtime_t)
files_search_var_lib($1)
admin_pattern($1, monit_var_lib_t)
diff --git a/policy/modules/contrib/monit.te b/policy/modules/contrib/monit.te
index 9b7a605b..e9c940a1 100644
--- a/policy/modules/contrib/monit.te
+++ b/policy/modules/contrib/monit.te
@@ -33,8 +33,8 @@ role monit_cli_roles types monit_cli_t;
type monit_log_t;
logging_log_file(monit_log_t)
-type monit_pid_t alias monit_run_t;
-files_pid_file(monit_pid_t)
+type monit_runtime_t alias monit_pid_t;
+files_pid_file(monit_runtime_t)
type monit_unit_t;
init_unit_file(monit_unit_t)
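Review bot: The new declaration `type monit_runtime_t alias monit_pid_t;` drops the `monit_run_t` alias that the removed line `type monit_pid_t alias monit_run_t;` still carried, so any local module, file context or on-disk label that refers to `monit_run_t` would stop resolving after this change. If the old alias is still meant to be honoured, carry both over: `type monit_runtime_t alias { monit_pid_t monit_run_t };`. If dropping it is deliberate, the commit message should say so, since it currently only describes the rename to monit_runtime_t.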
@@ -63,15 +63,21 @@ kernel_read_system_state(monit_domain)
dev_read_sysfs(monit_domain)
dev_read_urand(monit_domain)
+files_getattr_all_mountpoints(monit_domain)
+
fs_getattr_dos_fs(monit_domain)
fs_getattr_dos_dirs(monit_domain)
fs_getattr_tmpfs(monit_domain)
fs_getattr_xattr_fs(monit_domain)
+miscfiles_read_generic_certs(monit_domain)
miscfiles_read_localization(monit_domain)
+logging_send_syslog_msg(monit_domain)
+
# disk usage of sd card
storage_getattr_removable_dev(monit_domain)
+storage_getattr_fixed_disk_dev(monit_domain)
########################################
#
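Review bot: The comment `# disk usage of sd card` now sits above two lines, since `storage_getattr_fixed_disk_dev(monit_domain)` is added directly under it; reword it as `# disk usage of removable and fixed disks` so it describes both. The added `miscfiles_read_generic_certs(monit_domain)` and `files_getattr_all_mountpoints(monit_domain)` lines carry no comment naming the check that needs them, unlike the commented additions elsewhere in the commit; a short why-comment above each would help the next maintainer. Moving `logging_send_syslog_msg` from monit_t to the monit_domain attribute (the monit_t removal is in the next hunk) also grants syslog access to every other domain carrying that attribute, presumably monit_cli_t; the commit message does not mention that widening, so it is worth confirming it is intended.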
@@ -88,43 +94,50 @@ dontaudit monit_t self:capability net_admin;
allow monit_t self:fifo_file rw_fifo_file_perms;
allow monit_t self:rawip_socket connected_socket_perms;
allow monit_t self:tcp_socket server_stream_socket_perms;
-allow monit_t self:unix_dgram_socket { connect create };
allow monit_t monit_log_t:file { create read_file_perms append_file_perms };
logging_log_filetrans(monit_t, monit_log_t, file)
-allow monit_t monit_pid_t:file manage_file_perms;
-files_pid_filetrans(monit_t, monit_pid_t, file)
+allow monit_t monit_runtime_t:file manage_file_perms;
+allow monit_t monit_runtime_t:sock_file manage_sock_file_perms;
+files_pid_filetrans(monit_t, monit_runtime_t, { file sock_file })
allow monit_t monit_var_lib_t:dir manage_dir_perms;
allow monit_t monit_var_lib_t:file manage_file_perms;
+# entropy
+kernel_read_kernel_sysctls(monit_t)
+kernel_read_vm_overcommit_sysctl(monit_t)
+
auth_use_nsswitch(monit_t)
corecmd_exec_bin(monit_t)
+corecmd_exec_shell(monit_t)
corenet_tcp_bind_generic_node(monit_t)
corenet_tcp_bind_monit_port(monit_t)
corenet_tcp_connect_all_ports(monit_t)
+domain_getattr_all_domains(monit_t)
domain_getpgid_all_domains(monit_t)
domain_read_all_domains_state(monit_t)
files_read_all_pids(monit_t)
-logging_send_syslog_msg(monit_t)
+selinux_get_enforce_mode(monit_t)
-ifdef(`hide_broken_symptoms',`
- # kernel bug: https://github.com/SELinuxProject/selinux-kernel/issues/6
- dontaudit monit_t self:capability dac_override;
+userdom_dontaudit_search_user_home_dirs(monit_t)
+
+ifdef(`init_systemd',`
+ # systemctl is-system-running
+ init_stream_connect(monit_t)
+ init_get_system_status(monit_t)
')
tunable_policy(`monit_startstop_services',`
init_get_all_units_status(monit_t)
- init_get_system_status(monit_t)
init_start_all_units(monit_t)
init_stop_all_units(monit_t)
- init_stream_connect(monit_t)
')
optional_policy(`
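Review bot: The `ifdef(`hide_broken_symptoms'` block with `dontaudit monit_t self:capability dac_override;` is removed, but neither a comment nor the commit message says why the workaround for the referenced kernel issue is no longer needed; a line in the message, or keeping the block until that is confirmed, would stop the denial reappearing without explanation. The new `corecmd_exec_shell(monit_t)`, `domain_getattr_all_domains(monit_t)` and `userdom_dontaudit_search_user_home_dirs(monit_t)` lines have no comment tying them to a specific check, while the neighbouring `# entropy` and `# systemctl is-system-running` additions do; `corecmd_exec_shell` in particular broadens what monit_t may execute and deserves a comment naming the feature that requires it. Since the .fc hunk labels exactly `/run/monit\.pid` and `/run/monit\.socket`, the unnamed `files_pid_filetrans(monit_t, monit_runtime_t, { file sock_file })` could be narrowed to named transitions for those two names, so that anything else monit_t creates under /run keeps the generic label. The `optional_policy(` block on the last line continues outside the hunk.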
@@ -136,9 +149,12 @@ optional_policy(`
# Client policy
#
+allow monit_cli_t monit_t:unix_stream_socket connectto;
+
allow monit_cli_t monit_log_t:file { append_file_perms read_file_perms };
-allow monit_cli_t monit_pid_t:file rw_file_perms;
+allow monit_cli_t monit_runtime_t:file rw_file_perms;
+allow monit_cli_t monit_runtime_t:sock_file write;
allow monit_cli_t monit_var_lib_t:dir search_dir_perms;
allow monit_cli_t monit_var_lib_t:file rw_file_perms;