From: pebenito@ieee.org (Chris PeBenito)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] [PATCH] policy for "mon" network monitoring
Date: Tue, 2 Aug 2016 20:25:57 -0400
Message-ID: <246b3e68-c54f-0454-97f1-8d8684f13d0c@ieee.org>
In-Reply-To: <20160731090959.fihe7ytiorwwfjno@athena.coker.com.au>

On 07/31/16 05:10, Russell Coker wrote:
> The following patch adds policy support for "mon" AKA "trockimon".
>
> The domain mon_t is for the main daemon that controls everything and sends
> alerts.  The domain mon_test_t is for running the tests; it needs a separate
> domain because it deals with data from untrusted sources (network tests).
>
> The mon_test_t domain needs lots of access to the system and network services.
> It also has sudo access for running status checks that require root access
> such as getting the status of ZFS and BTRFS arrays.
>
> We could consider setting up multiple domains for tests, for example one
> domain for talking to the Internet and another for local checks.  But I

That would be a good thing to move towards as the network access on top 
of sudo doesn't inspire me with much confidence.

> think that the current policy is good enough to be included at the moment
> and we can discuss changes later.

The mon_test_t rules need some style cleanup, then I think we can look 
at merging it with its current domain set.


> diff -ruN /home/rjc/src/pol-git/policy/modules/contrib/mon.fc ./policy/modules/contrib/mon.fc
> --- /home/rjc/src/pol-git/policy/modules/contrib/mon.fc	1970-01-01 10:00:00.000000000 +1000
> +++ ./policy/modules/contrib/mon.fc	2016-07-31 19:01:48.337528893 +1000
> @@ -0,0 +1,9 @@
> +
> +/usr/sbin/mon		--	gen_context(system_u:object_r:mon_exec_t,s0)
> +/usr/lib/mon/mon.d/.*	--	gen_context(system_u:object_r:mon_test_exec_t,s0)
> +/usr/lib/mon-contrib/mon.d/.* -- gen_context(system_u:object_r:mon_test_exec_t,s0)
> +
> +/var/run/mon(/.*)?		gen_context(system_u:object_r:mon_var_run_t,s0)
> +
> +/var/lib/mon(/.*)?		gen_context(system_u:object_r:mon_var_lib_t,s0)
> +/var/log/mon(/.*)?		gen_context(system_u:object_r:mon_var_log_t,s0)
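
Review bot: the mon.fc entries are not in refpolicy's path-sorted order and their column alignment is inconsistent. /var/run is listed before /var/lib and /var/log, the file opens with a blank line that should be dropped, and the /usr/lib/mon-contrib entry separates its columns with spaces where the other entries use tabs before `--` and gen_context(). Sort the entries as /usr/lib/mon, /usr/lib/mon-contrib, /usr/sbin/mon, /var/lib/mon, /var/log/mon, /var/run/mon and tab-align all three columns.
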
> diff -ruN /home/rjc/src/pol-git/policy/modules/contrib/mon.if ./policy/modules/contrib/mon.if
> --- /home/rjc/src/pol-git/policy/modules/contrib/mon.if	1970-01-01 10:00:00.000000000 +1000
> +++ ./policy/modules/contrib/mon.if	2016-07-31 19:01:48.337528893 +1000
> @@ -0,0 +1 @@
> +## <summary>mon network monitoring daemon.</summary>
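
Review bot: mon.if carries only the summary line and declares no interfaces, so no other module can interact with mon_t or its types. Following the usual refpolicy pattern for a daemon module, at least a mon_admin() interface that lets an administrator manage mon_var_lib_t, mon_var_log_t and mon_var_run_t objects and signal mon_t should be added before this is merged.
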
> diff -ruN /home/rjc/src/pol-git/policy/modules/contrib/mon.te ./policy/modules/contrib/mon.te
> --- /home/rjc/src/pol-git/policy/modules/contrib/mon.te	1970-01-01 10:00:00.000000000 +1000
> +++ ./policy/modules/contrib/mon.te	2016-07-31 19:01:48.337528893 +1000
> @@ -0,0 +1,134 @@
> +policy_module(mon, 1.12.0)
> +
> +########################################
> +#
> +# Declarations
> +#
> +
> +type mon_t;
> +type mon_exec_t;
> +init_daemon_domain(mon_t, mon_exec_t)
> +
> +type mon_test_t;
> +type mon_test_exec_t;
> +
> +domain_type(mon_test_t)
> +domain_entry_file(mon_test_t, mon_test_exec_t)
> +role system_r types mon_test_t;
> +domtrans_pattern(mon_t, mon_test_exec_t, mon_test_t)
> +
> +type mon_var_run_t;
> +files_pid_file(mon_var_run_t)
> +
> +type mon_var_lib_t;
> +files_type(mon_var_lib_t)
> +
> +type mon_var_log_t;
> +logging_log_file(mon_var_log_t)
> +
> +type mon_tmp_t;
> +files_tmp_file(mon_tmp_t)
> +
> +########################################
> +#
> +# Local policy
> +# mon_t is for the main mon process and for sending alerts
> +#
> +
> +corenet_tcp_bind_mon_port(mon_t)
> +corenet_udp_bind_mon_port(mon_t)
> +corenet_tcp_bind_generic_node(mon_t)
> +corenet_udp_bind_generic_node(mon_t)
> +allow mon_t self:tcp_socket create_stream_socket_perms;
> +
> +corenet_tcp_connect_jabber_client_port(mon_t)
> +
> +allow mon_t self:fifo_file rw_fifo_file_perms;
> +
> +manage_dirs_pattern(mon_t, mon_tmp_t, mon_tmp_t)
> +manage_files_pattern(mon_t, mon_tmp_t, mon_tmp_t)
> +files_tmp_filetrans(mon_t, mon_tmp_t, { file dir })
> +
> +manage_files_pattern(mon_t, mon_var_run_t, mon_var_run_t)
> +files_pid_filetrans(mon_t, mon_var_run_t, file)
> +
> +manage_files_pattern(mon_t, mon_var_lib_t, mon_var_lib_t)
> +
> +kernel_read_kernel_sysctls(mon_t)
> +kernel_read_network_state(mon_t)
> +kernel_read_system_state(mon_t)
> +
> +domain_use_interactive_fds(mon_t)
> +
> +corecmd_exec_bin(mon_t)
> +dev_read_urand(mon_t)
> +logging_search_logs(mon_t)
> +manage_files_pattern(mon_t, mon_var_log_t, mon_var_log_t)
> +
> +files_read_etc_files(mon_t)
> +files_read_etc_runtime_files(mon_t)
> +files_read_usr_files(mon_t)
> +
> +fs_getattr_all_fs(mon_t)
> +fs_search_auto_mountpoints(mon_t)
> +
> +term_dontaudit_search_ptys(mon_t)
> +
> +application_signull(mon_t)
> +
> +init_read_utmp(mon_t)
> +
> +libs_exec_ld_so(mon_t)
> +libs_exec_lib_files(mon_t)
> +
> +logging_send_syslog_msg(mon_t)
> +
> +miscfiles_read_localization(mon_t)
> +
> +sysnet_dns_name_resolve(mon_t)
> +
> +userdom_dontaudit_use_unpriv_user_fds(mon_t)
> +userdom_dontaudit_search_user_home_dirs(mon_t)
> +
> +corecmd_exec_shell(mon_t)
> +
> +optional_policy(`
> +	mta_send_mail(mon_t)
> +')
> +
> +########################################
> +#
> +# Local policy
> +# mon_test_t is for actually running the tests
> +#
> +
> +can_exec(mon_test_t, mon_test_exec_t)
> +manage_files_pattern(mon_test_t, mon_var_lib_t, mon_var_lib_t)
> +allow mon_test_t self:fifo_file rw_file_perms;
> +corecmd_exec_bin(mon_test_t)
> +miscfiles_read_localization(mon_test_t)
> +files_read_usr_files(mon_test_t)
> +fs_getattr_xattr_fs(mon_test_t)
> +sysnet_read_config(mon_test_t)
> +auth_use_nsswitch(mon_test_t)
> +dev_read_urand(mon_test_t)
> +corenet_tcp_connect_all_ports(mon_test_t)
> +dev_dontaudit_getattr_all_chr_files(mon_test_t)
> +kernel_dontaudit_getattr_core_if(mon_test_t)
> +domain_read_all_domains_state(mon_test_t)
> +corecmd_exec_shell(mon_test_t)
> +kernel_getattr_proc(mon_test_t)
> +kernel_read_system_state(mon_test_t)
> +kernel_read_software_raid_state(mon_test_t)
> +netutils_domtrans_ping(mon_test_t)
> +fs_search_nfs(mon_test_t)
> +fs_getattr_nfs(mon_test_t)
> +
> +
> +optional_policy(`
> +	bind_read_zone(mon_test_t)
> +')
> +
> +optional_policy(`
> +	sudo_role_template(system, system_r, mon_test_t)
> +')
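
Review bot: neither domain is granted search on the /var/lib parent directory: manage_files_pattern(mon_t, mon_var_lib_t, mon_var_lib_t) and the matching mon_test_t rule only cover mon_var_lib_t itself, so both domains need files_search_var_lib() to reach /var/lib/mon at all. In the mon_test_t block, `allow mon_test_t self:fifo_file rw_file_perms;` should be rw_fifo_file_perms, matching the mon_t rule above. The same block is one unsorted run of calls with no blank lines, whereas refpolicy style puts self rules first, then the type-specific pattern rules, then interface calls grouped by module in alphabetical order (kernel_, corecmd_, corenet_, dev_, domain_, files_, fs_, ...) with a blank line between groups; there are also two consecutive blank lines before the optional_policy blocks. corenet_tcp_connect_all_ports() stacked on sudo_role_template() is the broad grant the cover letter already flags; narrowing it to the ports the shipped mon.d tests actually contact would reduce that exposure. Finally, policy_module(mon, 1.12.0) should start at 1.0.0 for a new module.
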
> diff -ruN /home/rjc/src/pol-git/policy/modules/kernel/corenetwork.te.in ./policy/modules/kernel/corenetwork.te.in
> --- /home/rjc/src/pol-git/policy/modules/kernel/corenetwork.te.in	2016-07-28 20:33:39.959961616 +1000
> +++ ./policy/modules/kernel/corenetwork.te.in	2016-07-31 19:01:48.341529000 +1000
> @@ -176,6 +176,7 @@
>  network_port(memcache, tcp,11211,s0, udp,11211,s0)
>  network_port(milter) # no defined portcon
>  network_port(mmcc, tcp,5050,s0, udp,5050,s0)
> +network_port(mon, tcp,2583,s0, udp,2583,s0)
>  network_port(monopd, tcp,1234,s0)
>  network_port(mountd, tcp,20048,s0, udp,20048,s0)
>  network_port(movaz_ssc, tcp,5252,s0, udp,5252,s0)
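
Review bot: the new network_port line is correctly placed alphabetically between mmcc and monopd, but it is the only part of this submission that belongs in the main refpolicy repository; the mon.fc, mon.if and mon.te files go under policy/modules/contrib, which is maintained in the separate refpolicy-contrib repository. Split this into two patches, with the corenetwork change landing first, since the corenet_tcp_bind_mon_port() and corenet_udp_bind_mon_port() interfaces called from mon.te are generated from this line.
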


-- 
Chris PeBenito
