From: pebenito@ieee.org (Chris PeBenito)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] [PATCH] mon policy again
Date: Wed, 8 Feb 2017 17:18:20 -0500 [thread overview]
Message-ID: <cfa2bfec-cc1b-1b32-b8f1-60623fa0e866@ieee.org> (raw)
In-Reply-To: <20170206051315.byxad4lugupfwykp@athena.coker.com.au>
On 02/06/17 00:13, Russell Coker via refpolicy wrote:
> Here is another version of the mon policy including requested changes.
I've merged this but made some changes:
* Adjusted to fit style
* Moved the init fifo part to init_getattr_initctl, adjusting that
interface implementation accordingly
* Dropped the sudo for the time being (I realize it likely breaks
things) as the user role template isn't intended to be called like that.
A specific sudo for system use should be created in the sudo module
(not calling the role template there either). It's probably a good
place to use attributes to simplify the implementation across the system
instance and user template. Something like this should probably exist
for su too.
* Dropped one files_* call which didn't exist upstream (I don't remember
the name)
* Removed aliases, as the original types never existed upstream.
> diff -ruN /home/rjc/src/pol-git/policy/modules/contrib/gpm.if /tmp/pol-git/policy/modules/contrib/gpm.if
> --- /home/rjc/src/pol-git/policy/modules/contrib/gpm.if 2016-07-30 08:14:41.105650077 +1000
> +++ /tmp/pol-git/policy/modules/contrib/gpm.if 2017-02-06 16:11:04.966188329 +1100
> @@ -38,6 +38,7 @@
>
> dev_list_all_dev_nodes($1)
> allow $1 gpmctl_t:sock_file getattr_sock_file_perms;
> + allow $1 gpmctl_t:fifo_file getattr_fifo_file_perms;
> ')
>
> ########################################
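Review bot: the interface documentation above this hunk is not updated. The added `allow $1 gpmctl_t:fifo_file getattr_fifo_file_perms;` extends the interface that mon.te calls as gpm_getattr_gpmctl to a second object class, so its `<summary>`/`<desc>` block (outside the hunk) should say it covers both the socket and the fifo form of gpmctl; a caller reading only the docs would not expect the fifo permission.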
> diff -ruN /home/rjc/src/pol-git/policy/modules/contrib/mon.fc /tmp/pol-git/policy/modules/contrib/mon.fc
> --- /home/rjc/src/pol-git/policy/modules/contrib/mon.fc 1970-01-01 10:00:00.000000000 +1000
> +++ /tmp/pol-git/policy/modules/contrib/mon.fc 2017-02-06 16:11:04.962188219 +1100
> @@ -0,0 +1,11 @@
> +
> +/usr/sbin/mon -- gen_context(system_u:object_r:mon_exec_t,s0)
> +/usr/lib/mon/mon.d/.* -- gen_context(system_u:object_r:mon_net_test_exec_t,s0)
> +/usr/lib/mon/mon-local.d/.* -- gen_context(system_u:object_r:mon_local_test_exec_t,s0)
> +/usr/lib/mon-contrib/mon.d/.* -- gen_context(system_u:object_r:mon_net_test_exec_t,s0)
> +/usr/lib/mon-contrib/mon-local.d/.* -- gen_context(system_u:object_r:mon_local_test_exec_t,s0)
> +
> +/var/run/mon(/.*)? gen_context(system_u:object_r:mon_var_run_t,s0)
> +
> +/var/lib/mon(/.*)? gen_context(system_u:object_r:mon_var_lib_t,s0)
> +/var/log/mon(/.*)? gen_context(system_u:object_r:mon_var_log_t,s0)
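Review bot: the file opens with an empty `+` line, which refpolicy .fc files do not do; drop it. More substantively, these labels decide which domain a test runs in: anything placed under /usr/lib/mon/mon-local.d or /usr/lib/mon-contrib/mon-local.d is labelled mon_local_test_exec_t and so, via the domtrans_pattern in mon.te, executes in the higher-privilege mon_local_test_t domain (the one granted capability sys_admin), while the mon.d entries get the network-test domain. A comment stating that split would help the next maintainer, and the packaging should keep the mon-local.d directories writable by root only.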
> diff -ruN /home/rjc/src/pol-git/policy/modules/contrib/mon.if /tmp/pol-git/policy/modules/contrib/mon.if
> --- /home/rjc/src/pol-git/policy/modules/contrib/mon.if 1970-01-01 10:00:00.000000000 +1000
> +++ /tmp/pol-git/policy/modules/contrib/mon.if 2017-02-06 16:11:04.962188219 +1100
> @@ -0,0 +1 @@
> +## <summary>mon network monitoring daemon.</summary>
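Review bot: an interface file that carries only the summary means no other module can be granted access to mon_var_log_t, mon_var_lib_t or mon_var_run_t without editing mon.te directly. Modules that declare private file types normally ship at least a log-reading interface (for example a mon_read_log) and an admin interface for the domain and its types; consider adding them here.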
> diff -ruN /home/rjc/src/pol-git/policy/modules/contrib/mon.te /tmp/pol-git/policy/modules/contrib/mon.te
> --- /home/rjc/src/pol-git/policy/modules/contrib/mon.te 1970-01-01 10:00:00.000000000 +1000
> +++ /tmp/pol-git/policy/modules/contrib/mon.te 2017-02-06 16:11:04.966188329 +1100
> @@ -0,0 +1,213 @@
> +policy_module(mon, 1.12.0)
> +
> +########################################
> +#
> +# Declarations
> +#
> +
> +type mon_t;
> +type mon_exec_t;
> +init_daemon_domain(mon_t, mon_exec_t)
> +
> +type mon_net_test_t;
> +typealias mon_net_test_t alias mon_test_t;
> +type mon_net_test_exec_t;
> +typealias mon_net_test_exec_t alias mon_test_exec_t;
> +
> +domain_type(mon_net_test_t)
> +domain_entry_file(mon_net_test_t, mon_net_test_exec_t)
> +role system_r types mon_net_test_t;
> +domtrans_pattern(mon_t, mon_net_test_exec_t, mon_net_test_t)
> +
> +type mon_local_test_t;
> +type mon_local_test_exec_t;
> +
> +domain_type(mon_local_test_t)
> +domain_entry_file(mon_local_test_t, mon_local_test_exec_t)
> +role system_r types mon_local_test_t;
> +domtrans_pattern(mon_t, mon_local_test_exec_t, mon_local_test_t)
> +
> +type mon_var_run_t;
> +files_pid_file(mon_var_run_t)
> +
> +type mon_var_lib_t;
> +files_type(mon_var_lib_t)
> +
> +type mon_var_log_t;
> +logging_log_file(mon_var_log_t)
> +
> +type mon_tmp_t;
> +files_tmp_file(mon_tmp_t)
> +
> +########################################
> +#
> +# Local policy
> +# mon_t is for the main mon process and for sending alerts
> +#
> +
> +corenet_tcp_bind_mon_port(mon_t)
> +corenet_udp_bind_mon_port(mon_t)
> +corenet_tcp_bind_generic_node(mon_t)
> +corenet_udp_bind_generic_node(mon_t)
> +allow mon_t self:tcp_socket create_stream_socket_perms;
> +
> +corenet_tcp_connect_jabber_client_port(mon_t)
> +
> +allow mon_t self:fifo_file rw_fifo_file_perms;
> +
> +manage_dirs_pattern(mon_t, mon_tmp_t, mon_tmp_t)
> +manage_files_pattern(mon_t, mon_tmp_t, mon_tmp_t)
> +files_tmp_filetrans(mon_t, mon_tmp_t, { file dir })
> +
> +manage_files_pattern(mon_t, mon_var_run_t, mon_var_run_t)
> +files_pid_filetrans(mon_t, mon_var_run_t, file)
> +
> +manage_files_pattern(mon_t, mon_var_lib_t, mon_var_lib_t)
> +
> +kernel_read_kernel_sysctls(mon_t)
> +kernel_read_network_state(mon_t)
> +kernel_read_system_state(mon_t)
> +
> +domain_use_interactive_fds(mon_t)
> +
> +corecmd_exec_bin(mon_t)
> +dev_read_urand(mon_t)
> +dev_read_sysfs(mon_t)
> +logging_search_logs(mon_t)
> +manage_files_pattern(mon_t, mon_var_log_t, mon_var_log_t)
> +
> +files_read_etc_files(mon_t)
> +files_read_etc_runtime_files(mon_t)
> +files_read_usr_files(mon_t)
> +
> +fs_getattr_all_fs(mon_t)
> +fs_search_auto_mountpoints(mon_t)
> +
> +term_dontaudit_search_ptys(mon_t)
> +
> +application_signull(mon_t)
> +
> +init_read_utmp(mon_t)
> +
> +libs_exec_ld_so(mon_t)
> +libs_exec_lib_files(mon_t)
> +
> +logging_send_syslog_msg(mon_t)
> +
> +miscfiles_read_localization(mon_t)
> +
> +sysnet_dns_name_resolve(mon_t)
> +
> +userdom_dontaudit_use_unpriv_user_fds(mon_t)
> +userdom_dontaudit_search_user_home_dirs(mon_t)
> +
> +corecmd_exec_shell(mon_t)
> +
> +optional_policy(`
> + mta_send_mail(mon_t)
> +')
> +
> +########################################
> +#
> +# Local policy
> +# mon_net_test_t is for running tests that need network access
> +#
> +
> +allow mon_net_test_t self:fifo_file rw_file_perms;
> +
> +can_exec(mon_net_test_t, mon_net_test_exec_t)
> +manage_files_pattern(mon_net_test_t, mon_var_lib_t, mon_var_lib_t)
> +
> +corenet_tcp_connect_all_ports(mon_net_test_t)
> +corenet_udp_bind_generic_node(mon_net_test_t)
> +fs_getattr_xattr_fs(mon_net_test_t)
> +kernel_dontaudit_getattr_core_if(mon_net_test_t)
> +kernel_getattr_proc(mon_net_test_t)
> +kernel_read_system_state(mon_net_test_t)
> +sysnet_read_config(mon_net_test_t)
> +
> +auth_use_nsswitch(mon_net_test_t)
> +corecmd_exec_bin(mon_net_test_t)
> +corecmd_exec_shell(mon_net_test_t)
> +dev_dontaudit_getattr_all_chr_files(mon_net_test_t)
> +dev_getattr_sysfs(mon_net_test_t)
> +dev_read_sysfs(mon_net_test_t)
> +dev_read_urand(mon_net_test_t)
> +files_read_usr_files(mon_net_test_t)
> +miscfiles_read_certs(mon_net_test_t)
> +miscfiles_read_localization(mon_net_test_t)
> +netutils_domtrans_ping(mon_net_test_t)
> +
> +optional_policy(`
> + bind_read_zone(mon_net_test_t)
> +')
> +
> +########################################
> +#
> +# Local policy
> +# mon_local_test_t is for running tests that don't need network access
> +# this domain has much more access to the local system!
> +#
> +# try not to use dontaudit rules for this
> +#
> +
> +allow mon_local_test_t self:capability sys_admin;
> +allow mon_local_test_t self:fifo_file rw_file_perms;
> +
> +can_exec(mon_local_test_t, mon_local_test_exec_t)
> +manage_files_pattern(mon_local_test_t, mon_var_lib_t, mon_var_lib_t)
> +
> +files_dontaudit_getattr_tmpfs_file(mon_local_test_t)
> +fs_getattr_nfs(mon_local_test_t)
> +fs_getattr_xattr_fs(mon_local_test_t)
> +fs_list_hugetlbfs(mon_local_test_t)
> +fs_list_tmpfs(mon_local_test_t)
> +fs_search_nfs(mon_local_test_t)
> +kernel_dontaudit_getattr_core_if(mon_local_test_t)
> +kernel_getattr_proc(mon_local_test_t)
> +kernel_read_software_raid_state(mon_local_test_t)
> +kernel_read_system_state(mon_local_test_t)
> +storage_getattr_fixed_disk_dev(mon_local_test_t)
> +storage_getattr_removable_dev(mon_local_test_t)
> +
> +application_exec_all(mon_local_test_t)
> +auth_use_nsswitch(mon_local_test_t)
> +corecmd_exec_bin(mon_local_test_t)
> +corecmd_exec_shell(mon_local_test_t)
> +dev_dontaudit_getattr_all_chr_files(mon_local_test_t)
> +dev_getattr_sysfs(mon_local_test_t)
> +dev_read_urand(mon_local_test_t)
> +dev_read_sysfs(mon_local_test_t)
> +domain_read_all_domains_state(mon_local_test_t)
> +files_read_usr_files(mon_local_test_t)
> +files_search_mnt(mon_local_test_t)
> +files_search_spool(mon_local_test_t)
> +fs_search_auto_mountpoints(mon_local_test_t)
> +getattr_init_fifo(mon_local_test_t)
> +logging_send_syslog_msg(mon_local_test_t)
> +miscfiles_read_localization(mon_local_test_t)
> +rpc_read_nfs_content(mon_local_test_t)
> +sysnet_read_config(mon_local_test_t)
> +term_getattr_generic_ptys(mon_local_test_t)
> +term_list_ptys(mon_local_test_t)
> +
> +optional_policy(`
> + files_list_boot(mon_local_test_t)
> +')
> +
> +optional_policy(`
> + sudo_role_template(system, system_r, mon_local_test_t)
> + corecmd_bin_entry_type(mon_local_test_t)
> +')
> +
> +optional_policy(`
> + gpm_getattr_gpmctl(mon_local_test_t)
> +')
> +
> +optional_policy(`
> + postfix_search_spool(mon_local_test_t)
> +')
> +
> +optional_policy(`
> + xserver_rw_console(mon_local_test_t)
> +')
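Review bot: `getattr_init_fifo(mon_local_test_t)` in the local-test block is not a refpolicy interface name (interfaces are prefixed with their module name and nothing in this patch defines it), so the module does not build as posted; the message above says it became init_getattr_initctl. Two more points in this hunk: `allow mon_net_test_t self:fifo_file rw_file_perms;` and the matching mon_local_test_t rule should use rw_fifo_file_perms, as the mon_t rule already does; and `allow mon_local_test_t self:capability sys_admin;` grants the broadest capability available with no comment on which test needs it, so either document that test or gate the rule behind a tunable. Minor: the optional_policy block around files_list_boot is unnecessary, since files is a kernel-layer module that is always present, and the sudo_role_template call and the typealias lines were already flagged in the cover note.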
> diff -ruN /home/rjc/src/pol-git/policy/modules/kernel/corenetwork.te.in /tmp/pol-git/policy/modules/kernel/corenetwork.te.in
> --- /home/rjc/src/pol-git/policy/modules/kernel/corenetwork.te.in 2017-02-05 20:57:06.659564895 +1100
> +++ /tmp/pol-git/policy/modules/kernel/corenetwork.te.in 2017-02-06 16:11:04.966188329 +1100
> @@ -176,6 +176,7 @@
> network_port(memcache, tcp,11211,s0, udp,11211,s0)
> network_port(milter) # no defined portcon
> network_port(mmcc, tcp,5050,s0, udp,5050,s0)
> +network_port(mon, tcp,2583,s0, udp,2583,s0)
> network_port(monit, tcp,2812,s0)
> network_port(monopd, tcp,1234,s0)
> network_port(mountd, tcp,20048,s0, udp,20048,s0)
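Review bot: the new `network_port(mon, tcp,2583,s0, udp,2583,s0)` line is in the right alphabetical slot between mmcc and monit. Before merging, check the rest of corenetwork.te.in for another entry already claiming 2583, since duplicate portcon statements are rejected at policy build time, and note that mon.te depends on the corenet_tcp_bind_mon_port / corenet_udp_bind_mon_port interfaces this line generates, so the two hunks must land together.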
--
Chris PeBenito
2017-02-06 5:13 [refpolicy] [PATCH] mon policy again Russell Coker
2017-02-08 0:02 ` Chris PeBenito
2017-02-08 2:01 ` Russell Coker
2017-02-08 22:18 ` Chris PeBenito [this message]
2017-02-09 1:21 ` Russell Coker