* [refpolicy] [PATCH] monit: update
@ 2017-12-29 20:20 Christian Göttsche
  2017-12-31 11:53 ` Chris PeBenito
From: Christian Göttsche @ 2017-12-29 20:20 UTC (permalink / raw)
  To: refpolicy

- use of the socket interface (/run/monit.socket, labeled monit_runtime_t)
- allow simple checks (entropy, systemctl is-system-running, getenforce)
---
 monit.fc |  3 ++-
 monit.if |  4 ++--
 monit.te | 40 ++++++++++++++++++++++++++++------------
 3 files changed, 32 insertions(+), 15 deletions(-)

diff --git a/monit.fc b/monit.fc
index 273aad3e..1cd0238e 100644
--- a/monit.fc
+++ b/monit.fc
@@ -2,7 +2,8 @@
 
 /etc/monit(/.*)?			gen_context(system_u:object_r:monit_conf_t,s0)
 
-/run/monit\.pid			--	gen_context(system_u:object_r:monit_pid_t,s0)
+/run/monit\.pid			--	gen_context(system_u:object_r:monit_runtime_t,s0)
+/run/monit\.socket		-s	gen_context(system_u:object_r:monit_runtime_t,s0)
 
 /usr/bin/monit			--	gen_context(system_u:object_r:monit_exec_t,s0)
 
diff --git a/monit.if b/monit.if
index d249dfbd..832cdca8 100644
--- a/monit.if
+++ b/monit.if
@@ -102,7 +102,7 @@ interface(`monit_startstop_service',`
 interface(`monit_admin',`
 	gen_require(`
 		type monit_t, monit_conf_t, monit_initrc_exec_t;
-		type monit_log_t, monit_pid_t;
+		type monit_log_t, monit_runtime_t;
 		type monit_unit_t, monit_var_lib_t;
 	')
 
@@ -117,7 +117,7 @@ interface(`monit_admin',`
 	admin_pattern($1, monit_log_t)
 
 	files_search_pids($1)
-	admin_pattern($1, monit_pid_t)
+	admin_pattern($1, monit_runtime_t)
 
 	files_search_var_lib($1)
 	admin_pattern($1, monit_var_lib_t)
diff --git a/monit.te b/monit.te
index 9b7a605b..e9c940a1 100644
--- a/monit.te
+++ b/monit.te
@@ -33,8 +33,8 @@ role monit_cli_roles types monit_cli_t;
 type monit_log_t;
 logging_log_file(monit_log_t)
 
-type monit_pid_t alias monit_run_t;
-files_pid_file(monit_pid_t)
+type monit_runtime_t alias monit_pid_t;
+files_pid_file(monit_runtime_t)
 
 type monit_unit_t;
 init_unit_file(monit_unit_t)
@@ -63,15 +63,21 @@ kernel_read_system_state(monit_domain)
 dev_read_sysfs(monit_domain)
 dev_read_urand(monit_domain)
 
+files_getattr_all_mountpoints(monit_domain)
+
 fs_getattr_dos_fs(monit_domain)
 fs_getattr_dos_dirs(monit_domain)
 fs_getattr_tmpfs(monit_domain)
 fs_getattr_xattr_fs(monit_domain)
 
+miscfiles_read_generic_certs(monit_domain)
 miscfiles_read_localization(monit_domain)
 
+logging_send_syslog_msg(monit_domain)
+
 # disk usage of sd card
 storage_getattr_removable_dev(monit_domain)
+storage_getattr_fixed_disk_dev(monit_domain)
 
 ########################################
 #
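Review bot: The rules added to the monit_domain attribute in this hunk (`files_getattr_all_mountpoints`, `miscfiles_read_generic_certs`, `storage_getattr_fixed_disk_dev`, and `logging_send_syslog_msg`, which the later monit.te hunk removes from monit_t) apply to every domain carrying the attribute, which from the client section below includes monit_cli_t, and neither the description nor a comment says which check needs them. A one-line comment per group naming the triggering check would let a maintainer judge whether the client really needs, for example, the certificate read. The existing `# disk usage of sd card` comment now sits above both the removable and the fixed-disk rule; `# disk usage of removable and fixed disks` would match the new pair.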
@@ -88,43 +94,50 @@ dontaudit monit_t self:capability net_admin;
 allow monit_t self:fifo_file rw_fifo_file_perms;
 allow monit_t self:rawip_socket connected_socket_perms;
 allow monit_t self:tcp_socket server_stream_socket_perms;
-allow monit_t self:unix_dgram_socket { connect create };
 
 allow monit_t monit_log_t:file { create read_file_perms append_file_perms };
 logging_log_filetrans(monit_t, monit_log_t, file)
 
-allow monit_t monit_pid_t:file manage_file_perms;
-files_pid_filetrans(monit_t, monit_pid_t, file)
+allow monit_t monit_runtime_t:file manage_file_perms;
+allow monit_t monit_runtime_t:sock_file manage_sock_file_perms;
+files_pid_filetrans(monit_t, monit_runtime_t, { file sock_file })
 
 allow monit_t monit_var_lib_t:dir manage_dir_perms;
 allow monit_t monit_var_lib_t:file manage_file_perms;
 
+# entropy
+kernel_read_kernel_sysctls(monit_t)
+kernel_read_vm_overcommit_sysctl(monit_t)
+
 auth_use_nsswitch(monit_t)
 
 corecmd_exec_bin(monit_t)
+corecmd_exec_shell(monit_t)
 
 corenet_tcp_bind_generic_node(monit_t)
 corenet_tcp_bind_monit_port(monit_t)
 corenet_tcp_connect_all_ports(monit_t)
 
+domain_getattr_all_domains(monit_t)
 domain_getpgid_all_domains(monit_t)
 domain_read_all_domains_state(monit_t)
 
 files_read_all_pids(monit_t)
 
-logging_send_syslog_msg(monit_t)
+selinux_get_enforce_mode(monit_t)
 
-ifdef(`hide_broken_symptoms',`
-	# kernel bug: https://github.com/SELinuxProject/selinux-kernel/issues/6
-	dontaudit monit_t self:capability dac_override;
+userdom_dontaudit_search_user_home_dirs(monit_t)
+
+ifdef(`init_systemd',`
+	# systemctl is-system-running
+	init_stream_connect(monit_t)
+	init_get_system_status(monit_t)
 ')
 
 tunable_policy(`monit_startstop_services',`
 	init_get_all_units_status(monit_t)
-	init_get_system_status(monit_t)
 	init_start_all_units(monit_t)
 	init_stop_all_units(monit_t)
-	init_stream_connect(monit_t)
 ')
 
 optional_policy(`
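Review bot: `corecmd_exec_shell(monit_t)` is added without a comment and without a domain transition, so whatever check commands it is meant to serve (presumably the configured check scripts, given the description's "simple checks") run inside monit_t itself and inherit this domain's wide grants: `corenet_tcp_connect_all_ports`, `domain_read_all_domains_state`, `files_read_all_pids`, and the unit start/stop rules under the tunable. If that is intended, record it with a comment such as `# check scripts run in monit_t, no domain transition` so the scope is a deliberate choice rather than an accident. The hunk also silently drops the `hide_broken_symptoms` dac_override dontaudit together with its kernel-issue reference; the description should state whether that issue is resolved or the denial simply no longer occurs. Finally, `init_stream_connect` and `init_get_system_status` move from the `monit_startstop_services` tunable to unconditional under `init_systemd`, a widening that the description only hints at with "systemctl is-system-running" and that deserves a sentence of its own.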
@@ -136,9 +149,12 @@ optional_policy(`
 # Client policy
 #
 
+allow monit_cli_t monit_t:unix_stream_socket connectto;
+
 allow monit_cli_t monit_log_t:file { append_file_perms read_file_perms };
 
-allow monit_cli_t monit_pid_t:file rw_file_perms;
+allow monit_cli_t monit_runtime_t:file rw_file_perms;
+allow monit_cli_t monit_runtime_t:sock_file write;
 
 allow monit_cli_t monit_var_lib_t:dir search_dir_perms;
 allow monit_cli_t monit_var_lib_t:file rw_file_perms;
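Review bot: The two client socket rules, `allow monit_cli_t monit_t:unix_stream_socket connectto;` and `allow monit_cli_t monit_runtime_t:sock_file write;`, spell out raw permissions where refpolicy's `stream_connect_pattern(monit_cli_t, monit_runtime_t, monit_runtime_t, monit_t)` expresses the same client-to-daemon connection in the house style and grants the `write_sock_file_perms` set instead of a bare `write`. Reaching /run/monit.socket also requires search on the pids directory for monit_cli_t; if `files_search_pids(monit_cli_t)` is not already present outside this hunk, it belongs next to the pattern.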
-- 
2.15.1


* [refpolicy] [PATCH] monit: update
  2017-12-29 20:20 [refpolicy] [PATCH] monit: update Christian Göttsche
@ 2017-12-31 11:53 ` Chris PeBenito
From: Chris PeBenito @ 2017-12-31 11:53 UTC (permalink / raw)
  To: refpolicy

On 12/29/2017 03:20 PM, Christian Göttsche via refpolicy wrote:
> - usage of socket interface (/run/monit.socket as monit_runtime_t)
> - allow simple checks (entropy, systemctl is-system-running, getenforce)
> ---
>   monit.fc |  3 ++-
>   monit.if |  4 ++--
>   monit.te | 40 ++++++++++++++++++++++++++++------------
>   3 files changed, 32 insertions(+), 15 deletions(-)
> 
> diff --git a/monit.fc b/monit.fc
> index 273aad3e..1cd0238e 100644
> --- a/monit.fc
> +++ b/monit.fc
> @@ -2,7 +2,8 @@
>   
>   /etc/monit(/.*)?			gen_context(system_u:object_r:monit_conf_t,s0)
>   
> -/run/monit\.pid			--	gen_context(system_u:object_r:monit_pid_t,s0)
> +/run/monit\.pid			--	gen_context(system_u:object_r:monit_runtime_t,s0)
> +/run/monit\.socket		-s	gen_context(system_u:object_r:monit_runtime_t,s0)
>   
>   /usr/bin/monit			--	gen_context(system_u:object_r:monit_exec_t,s0)
>   
> diff --git a/monit.if b/monit.if
> index d249dfbd..832cdca8 100644
> --- a/monit.if
> +++ b/monit.if
> @@ -102,7 +102,7 @@ interface(`monit_startstop_service',`
>   interface(`monit_admin',`
>   	gen_require(`
>   		type monit_t, monit_conf_t, monit_initrc_exec_t;
> -		type monit_log_t, monit_pid_t;
> +		type monit_log_t, monit_runtime_t;
>   		type monit_unit_t, monit_var_lib_t;
>   	')
>   
> @@ -117,7 +117,7 @@ interface(`monit_admin',`
>   	admin_pattern($1, monit_log_t)
>   
>   	files_search_pids($1)
> -	admin_pattern($1, monit_pid_t)
> +	admin_pattern($1, monit_runtime_t)
>   
>   	files_search_var_lib($1)
>   	admin_pattern($1, monit_var_lib_t)
> diff --git a/monit.te b/monit.te
> index 9b7a605b..e9c940a1 100644
> --- a/monit.te
> +++ b/monit.te
> @@ -33,8 +33,8 @@ role monit_cli_roles types monit_cli_t;
>   type monit_log_t;
>   logging_log_file(monit_log_t)
>   
> -type monit_pid_t alias monit_run_t;
> -files_pid_file(monit_pid_t)
> +type monit_runtime_t alias monit_pid_t;
> +files_pid_file(monit_runtime_t)
>   
>   type monit_unit_t;
>   init_unit_file(monit_unit_t)
> @@ -63,15 +63,21 @@ kernel_read_system_state(monit_domain)
>   dev_read_sysfs(monit_domain)
>   dev_read_urand(monit_domain)
>   
> +files_getattr_all_mountpoints(monit_domain)
> +
>   fs_getattr_dos_fs(monit_domain)
>   fs_getattr_dos_dirs(monit_domain)
>   fs_getattr_tmpfs(monit_domain)
>   fs_getattr_xattr_fs(monit_domain)
>   
> +miscfiles_read_generic_certs(monit_domain)
>   miscfiles_read_localization(monit_domain)
>   
> +logging_send_syslog_msg(monit_domain)
> +
>   # disk usage of sd card
>   storage_getattr_removable_dev(monit_domain)
> +storage_getattr_fixed_disk_dev(monit_domain)
>   
>   ########################################
>   #
> @@ -88,43 +94,50 @@ dontaudit monit_t self:capability net_admin;
>   allow monit_t self:fifo_file rw_fifo_file_perms;
>   allow monit_t self:rawip_socket connected_socket_perms;
>   allow monit_t self:tcp_socket server_stream_socket_perms;
> -allow monit_t self:unix_dgram_socket { connect create };
>   
>   allow monit_t monit_log_t:file { create read_file_perms append_file_perms };
>   logging_log_filetrans(monit_t, monit_log_t, file)
>   
> -allow monit_t monit_pid_t:file manage_file_perms;
> -files_pid_filetrans(monit_t, monit_pid_t, file)
> +allow monit_t monit_runtime_t:file manage_file_perms;
> +allow monit_t monit_runtime_t:sock_file manage_sock_file_perms;
> +files_pid_filetrans(monit_t, monit_runtime_t, { file sock_file })
>   
>   allow monit_t monit_var_lib_t:dir manage_dir_perms;
>   allow monit_t monit_var_lib_t:file manage_file_perms;
>   
> +# entropy
> +kernel_read_kernel_sysctls(monit_t)
> +kernel_read_vm_overcommit_sysctl(monit_t)
> +
>   auth_use_nsswitch(monit_t)
>   
>   corecmd_exec_bin(monit_t)
> +corecmd_exec_shell(monit_t)
>   
>   corenet_tcp_bind_generic_node(monit_t)
>   corenet_tcp_bind_monit_port(monit_t)
>   corenet_tcp_connect_all_ports(monit_t)
>   
> +domain_getattr_all_domains(monit_t)
>   domain_getpgid_all_domains(monit_t)
>   domain_read_all_domains_state(monit_t)
>   
>   files_read_all_pids(monit_t)
>   
> -logging_send_syslog_msg(monit_t)
> +selinux_get_enforce_mode(monit_t)
>   
> -ifdef(`hide_broken_symptoms',`
> -	# kernel bug: https://github.com/SELinuxProject/selinux-kernel/issues/6
> -	dontaudit monit_t self:capability dac_override;
> +userdom_dontaudit_search_user_home_dirs(monit_t)
> +
> +ifdef(`init_systemd',`
> +	# systemctl is-system-running
> +	init_stream_connect(monit_t)
> +	init_get_system_status(monit_t)
>   ')
>   
>   tunable_policy(`monit_startstop_services',`
>   	init_get_all_units_status(monit_t)
> -	init_get_system_status(monit_t)
>   	init_start_all_units(monit_t)
>   	init_stop_all_units(monit_t)
> -	init_stream_connect(monit_t)
>   ')
>   
>   optional_policy(`
> @@ -136,9 +149,12 @@ optional_policy(`
>   # Client policy
>   #
>   
> +allow monit_cli_t monit_t:unix_stream_socket connectto;
> +
>   allow monit_cli_t monit_log_t:file { append_file_perms read_file_perms };
>   
> -allow monit_cli_t monit_pid_t:file rw_file_perms;
> +allow monit_cli_t monit_runtime_t:file rw_file_perms;
> +allow monit_cli_t monit_runtime_t:sock_file write;
>   
>   allow monit_cli_t monit_var_lib_t:dir search_dir_perms;
>   allow monit_cli_t monit_var_lib_t:file rw_file_perms;

Merged.

-- 
Chris PeBenito

