* [refpolicy]  [PATCH] policy for "mon" network monitoring
@ 2016-07-31  9:10 Russell Coker
  2016-08-03  0:25 ` Chris PeBenito
From: Russell Coker @ 2016-07-31  9:10 UTC (permalink / raw)
  To: refpolicy

The following patch adds policy support for "mon" AKA "trockimon".

The domain mon_t is for the main daemon that controls everything and sends
alerts.  The domain mon_test_t is for running the tests; it needs a separate
domain because it deals with data from untrusted sources (network tests).

The mon_test_t domain needs lots of access to the system and network services.
It also has sudo access for running status checks that require root access
such as getting the status of ZFS and BTRFS arrays.

We could consider setting up multiple domains for tests, for example one
domain for talking to the Internet and another for local checks.  But I
think that the current policy is good enough to be included at the moment
and we can discuss changes later.

diff -ruN /home/rjc/src/pol-git/policy/modules/contrib/mon.fc ./policy/modules/contrib/mon.fc
--- /home/rjc/src/pol-git/policy/modules/contrib/mon.fc	1970-01-01 10:00:00.000000000 +1000
+++ ./policy/modules/contrib/mon.fc	2016-07-31 19:01:48.337528893 +1000
@@ -0,0 +1,9 @@
+
+/usr/sbin/mon		--	gen_context(system_u:object_r:mon_exec_t,s0)
+/usr/lib/mon/mon.d/.*	--	gen_context(system_u:object_r:mon_test_exec_t,s0)
+/usr/lib/mon-contrib/mon.d/.* -- gen_context(system_u:object_r:mon_test_exec_t,s0)
+
+/var/run/mon(/.*)?		gen_context(system_u:object_r:mon_var_run_t,s0)
+
+/var/lib/mon(/.*)?		gen_context(system_u:object_r:mon_var_lib_t,s0)
+/var/log/mon(/.*)?		gen_context(system_u:object_r:mon_var_log_t,s0)
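Review bot: the new mon.fc begins with an empty line (the first `+` line of the hunk is blank), which refpolicy .fc files do not do; drop it. Column alignment is also mixed: the first two entries use tabs before `--` and `gen_context`, while `/usr/lib/mon-contrib/mon.d/.* -- gen_context(...)` uses single spaces, so the columns will not line up in the merged file. One thing worth checking on the label coverage: only `mon.d` is labelled `mon_test_exec_t`, so any other executables under `/usr/lib/mon/` keep the default lib label and would run inside `mon_t` via `libs_exec_lib_files(mon_t)` from mon.te rather than through a domain transition; if that is intended, a short comment in the .fc would make it explicit.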
diff -ruN /home/rjc/src/pol-git/policy/modules/contrib/mon.if ./policy/modules/contrib/mon.if
--- /home/rjc/src/pol-git/policy/modules/contrib/mon.if	1970-01-01 10:00:00.000000000 +1000
+++ ./policy/modules/contrib/mon.if	2016-07-31 19:01:48.337528893 +1000
@@ -0,0 +1 @@
+## <summary>mon network monitoring daemon.</summary>
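Review bot: the interface file carries only the module summary and declares no interfaces, so no other module or role can reach the `mon_var_lib_t` and `mon_var_log_t` types declared in mon.te; refpolicy contrib modules normally ship at least an admin interface (for example `mon_admin(domain, role)`) covering the module's types, documented with the same `<summary>` / `<param>` XML comments used for the summary line here.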
diff -ruN /home/rjc/src/pol-git/policy/modules/contrib/mon.te ./policy/modules/contrib/mon.te
--- /home/rjc/src/pol-git/policy/modules/contrib/mon.te	1970-01-01 10:00:00.000000000 +1000
+++ ./policy/modules/contrib/mon.te	2016-07-31 19:01:48.337528893 +1000
@@ -0,0 +1,134 @@
+policy_module(mon, 1.12.0)
+
+########################################
+#
+# Declarations
+#
+
+type mon_t;
+type mon_exec_t;
+init_daemon_domain(mon_t, mon_exec_t)
+
+type mon_test_t;
+type mon_test_exec_t;
+
+domain_type(mon_test_t)
+domain_entry_file(mon_test_t, mon_test_exec_t)
+role system_r types mon_test_t;
+domtrans_pattern(mon_t, mon_test_exec_t, mon_test_t)
+
+type mon_var_run_t;
+files_pid_file(mon_var_run_t)
+
+type mon_var_lib_t;
+files_type(mon_var_lib_t)
+
+type mon_var_log_t;
+logging_log_file(mon_var_log_t)
+
+type mon_tmp_t;
+files_tmp_file(mon_tmp_t)
+
+########################################
+#
+# Local policy
+# mon_t is for the main mon process and for sending alerts
+#
+
+corenet_tcp_bind_mon_port(mon_t)
+corenet_udp_bind_mon_port(mon_t)
+corenet_tcp_bind_generic_node(mon_t)
+corenet_udp_bind_generic_node(mon_t)
+allow mon_t self:tcp_socket create_stream_socket_perms;
+
+corenet_tcp_connect_jabber_client_port(mon_t)
+
+allow mon_t self:fifo_file rw_fifo_file_perms;
+
+manage_dirs_pattern(mon_t, mon_tmp_t, mon_tmp_t)
+manage_files_pattern(mon_t, mon_tmp_t, mon_tmp_t)
+files_tmp_filetrans(mon_t, mon_tmp_t, { file dir })
+
+manage_files_pattern(mon_t, mon_var_run_t, mon_var_run_t)
+files_pid_filetrans(mon_t, mon_var_run_t, file)
+
+manage_files_pattern(mon_t, mon_var_lib_t, mon_var_lib_t)
+
+kernel_read_kernel_sysctls(mon_t)
+kernel_read_network_state(mon_t)
+kernel_read_system_state(mon_t)
+
+domain_use_interactive_fds(mon_t)
+
+corecmd_exec_bin(mon_t)
+dev_read_urand(mon_t)
+logging_search_logs(mon_t)
+manage_files_pattern(mon_t, mon_var_log_t, mon_var_log_t)
+
+files_read_etc_files(mon_t)
+files_read_etc_runtime_files(mon_t)
+files_read_usr_files(mon_t)
+
+fs_getattr_all_fs(mon_t)
+fs_search_auto_mountpoints(mon_t)
+
+term_dontaudit_search_ptys(mon_t)
+
+application_signull(mon_t)
+
+init_read_utmp(mon_t)
+
+libs_exec_ld_so(mon_t)
+libs_exec_lib_files(mon_t)
+
+logging_send_syslog_msg(mon_t)
+
+miscfiles_read_localization(mon_t)
+
+sysnet_dns_name_resolve(mon_t)
+
+userdom_dontaudit_use_unpriv_user_fds(mon_t)
+userdom_dontaudit_search_user_home_dirs(mon_t)
+
+corecmd_exec_shell(mon_t)
+
+optional_policy(`
+	mta_send_mail(mon_t)
+')
+
+########################################
+#
+# Local policy
+# mon_test_t is for actually running the tests
+#
+
+can_exec(mon_test_t, mon_test_exec_t)
+manage_files_pattern(mon_test_t, mon_var_lib_t, mon_var_lib_t)
+allow mon_test_t self:fifo_file rw_file_perms;
+corecmd_exec_bin(mon_test_t)
+miscfiles_read_localization(mon_test_t)
+files_read_usr_files(mon_test_t)
+fs_getattr_xattr_fs(mon_test_t)
+sysnet_read_config(mon_test_t)
+auth_use_nsswitch(mon_test_t)
+dev_read_urand(mon_test_t)
+corenet_tcp_connect_all_ports(mon_test_t)
+dev_dontaudit_getattr_all_chr_files(mon_test_t)
+kernel_dontaudit_getattr_core_if(mon_test_t)
+domain_read_all_domains_state(mon_test_t)
+corecmd_exec_shell(mon_test_t)
+kernel_getattr_proc(mon_test_t)
+kernel_read_system_state(mon_test_t)
+kernel_read_software_raid_state(mon_test_t)
+netutils_domtrans_ping(mon_test_t)
+fs_search_nfs(mon_test_t)
+fs_getattr_nfs(mon_test_t)
+
+
+optional_policy(`
+	bind_read_zone(mon_test_t)
+')
+
+optional_policy(`
+	sudo_role_template(system, system_r, mon_test_t)
+')
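Review bot: several style points in mon.te. `policy_module(mon, 1.12.0)` declares a brand new module, so the version should start at 1.0.0. `allow mon_test_t self:fifo_file rw_file_perms;` should be `rw_fifo_file_perms`, matching the mon_t rule earlier in the same file. The mon_test_t section is one unsorted block from `can_exec(mon_test_t, mon_test_exec_t)` down to `fs_getattr_nfs(mon_test_t)`, followed by two blank lines before the first `optional_policy`; it should be split and ordered the way the mon_t section is (self rules, the module's own types, then the kernel/corecmd/corenet/dev/fs/... calls in alphabetical module order, with `optional_policy` blocks last). On the access itself, `corenet_tcp_connect_all_ports(mon_test_t)` together with `sudo_role_template(system, system_r, mon_test_t)` gives the test domain both unrestricted outbound network access and a path to root; even before splitting the domain, replacing the all-ports call with the specific port interfaces the shipped monitors need would narrow that considerably.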
diff -ruN /home/rjc/src/pol-git/policy/modules/kernel/corenetwork.te.in ./policy/modules/kernel/corenetwork.te.in
--- /home/rjc/src/pol-git/policy/modules/kernel/corenetwork.te.in	2016-07-28 20:33:39.959961616 +1000
+++ ./policy/modules/kernel/corenetwork.te.in	2016-07-31 19:01:48.341529000 +1000
@@ -176,6 +176,7 @@
 network_port(memcache, tcp,11211,s0, udp,11211,s0)
 network_port(milter) # no defined portcon
 network_port(mmcc, tcp,5050,s0, udp,5050,s0)
+network_port(mon, tcp,2583,s0, udp,2583,s0)
 network_port(monopd, tcp,1234,s0)
 network_port(mountd, tcp,20048,s0, udp,20048,s0)
 network_port(movaz_ssc, tcp,5252,s0, udp,5252,s0)
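Review bot: mon.te calls `corenet_tcp_bind_mon_port()` and `corenet_udp_bind_mon_port()`, which only exist once this `network_port(mon, tcp,2583,s0, udp,2583,s0)` line is in corenetwork.te.in, so the contrib module will not build unless the two changes land together; worth stating in the commit message. The entry is in the correct alphabetical position between mmcc and monopd. If mon only listens on TCP, the `udp,2583,s0` portcon and the udp bind interface in mon.te could be dropped; if it does use UDP, a brief comment saying so would save the next reader the check.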


* [refpolicy] [PATCH] policy for "mon" network monitoring
  2016-07-31  9:10 [refpolicy] [PATCH] policy for "mon" network monitoring Russell Coker
@ 2016-08-03  0:25 ` Chris PeBenito
  2016-08-03  2:31   ` Russell Coker
From: Chris PeBenito @ 2016-08-03  0:25 UTC (permalink / raw)
  To: refpolicy

On 07/31/16 05:10, Russell Coker wrote:
> The following patch adds policy support for "mon" AKA "trockimon".
>
> The domain mon_t is for the main daemon that controls everything and sends
> alerts.  The domain mon_test_t is for running the tests, it needs a separate
> domain because it deals with data from untrusted sources (network tests).
>
> The mon_test_t domain needs lots of access to the system and network services.
> It also has sudo access for running status checks that require root access
> such as getting the status of ZFS and BTRFS arrays.
>
> We could consider setting up multiple domains for tests, for example one
> domain for talking to the Internet and another for local checks.  But I

That would be a good thing to move towards as the network access on top 
of sudo doesn't inspire me with much confidence.

> think that the current policy is good enough to be included at the moment
> and we can discuss changes later.

The mon_test_t rules need some style cleanup, then I think we can look 
at merging it with its current domain set.


> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy


-- 
Chris PeBenito


* [refpolicy] [PATCH] policy for "mon" network monitoring
  2016-08-03  0:25 ` Chris PeBenito
@ 2016-08-03  2:31   ` Russell Coker
  2016-08-03  2:44     ` Jason Zaman
  2016-08-06 19:54     ` Chris PeBenito
From: Russell Coker @ 2016-08-03  2:31 UTC (permalink / raw)
  To: refpolicy

On Wed, 3 Aug 2016 10:25:57 AM Chris PeBenito wrote:
> > We could consider setting up multiple domains for tests, for example one
> > domain for talking to the Internet and another for local checks.  But I
> 
> That would be a good thing to move towards as the network access on top 
> of sudo doesn't inspire me with much confidence.

Well it's not nearly as bad as the daemons that have net access and 
capabilities like setuid.

> > think that the current policy is good enough to be included at the moment
> > and we can discuss changes later.
> 
> The mon_test_t rules need some style cleanup, then I think we can look 
> at merging it with its current domain set.

What type of style issues?

-- 
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/


* [refpolicy] [PATCH] policy for "mon" network monitoring
  2016-08-03  2:31   ` Russell Coker
@ 2016-08-03  2:44     ` Jason Zaman
  2016-08-06 19:54     ` Chris PeBenito
From: Jason Zaman @ 2016-08-03  2:44 UTC (permalink / raw)
  To: refpolicy

On Wed, Aug 03, 2016 at 12:31:26PM +1000, Russell Coker wrote:
> On Wed, 3 Aug 2016 10:25:57 AM Chris PeBenito wrote:
> > > We could consider setting up multiple domains for tests, for example one
> > > domain for talking to the Internet and another for local checks.  But I
> > 
> > That would be a good thing to move towards as the network access on top 
> > of sudo doesn't inspire me with much confidence.

Not really useful right now, but ZFS has merged in the "zfs allow" stuff
so hopefully in the near future root will not be required for doing some
ZFS operations.
> 
> Well it's not nearly as bad as the daemons that have net access and 
> capabilities like setuid.
> 
> > > think that the current policy is good enough to be included at the moment
> > > and we can discuss changes later.
> > 
> > The mon_test_t rules need some style cleanup, then I think we can look 
> > at merging it with its current domain set.
> 
> What type of style issues?

SwifT actually has a script to spit out some issues:
https://github.com/sjvermeu/small.coding/blob/master/se_scripts/severifystyle
It's pretty good at finding the less obvious things. Is this something
we should perhaps get pushed up into refpol/support/?

Also, if there are things that the script reports incorrectly, I'd like
to know so it can be fixed.


* [refpolicy] [PATCH] policy for "mon" network monitoring
  2016-08-03  2:31   ` Russell Coker
  2016-08-03  2:44     ` Jason Zaman
@ 2016-08-06 19:54     ` Chris PeBenito
From: Chris PeBenito @ 2016-08-06 19:54 UTC (permalink / raw)
  To: refpolicy

On 08/02/16 22:31, Russell Coker wrote:
> On Wed, 3 Aug 2016 10:25:57 AM Chris PeBenito wrote:
>>> We could consider setting up multiple domains for tests, for example one
>>> domain for talking to the Internet and another for local checks.  But I
>>
>> That would be a good thing to move towards as the network access on top
>> of sudo doesn't inspire me with much confidence.
>
> Well it's not nearly as bad as the daemons that have net access and
> capabilities like setuid.
>
>>> think that the current policy is good enough to be included at the moment
>>> and we can discuss changes later.
>>
>> The mon_test_t rules need some style cleanup, then I think we can look
>> at merging it with its current domain set.
>
> What type of style issues?

Minor.  Primarily the mon_test_t rules are one big block that needs to 
be broken up, grouped, and sorted in a similar way to the mon_t ones.

-- 
Chris PeBenito

