commit: d50fd860e9ea0385216f93170f5c3a4a4e1d9aee Author: Chris PeBenito <pebenito <AT> ieee <DOT> org> AuthorDate: Sun Feb 19 21:35:16 2017 +0000 Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> CommitDate: Tue Feb 21 07:06:20 2017 +0000 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d50fd860
Monit policy from Russell Coker and cgzones. policy/modules/contrib/monit.fc | 13 +++++ policy/modules/contrib/monit.if | 1 + policy/modules/contrib/monit.te | 117 ++++++++++++++++++++++++++++++++++++++++ 3 files changed, 131 insertions(+) diff --git a/policy/modules/contrib/monit.fc b/policy/modules/contrib/monit.fc new file mode 100644 index 00000000..d47fa153 --- /dev/null +++ b/policy/modules/contrib/monit.fc @@ -0,0 +1,13 @@ +/etc/rc\.d/init\.d/monit -- gen_context(system_u:object_r:monit_initrc_exec_t,s9) +/etc/monit(/.*)? gen_context(system_u:object_r:monit_etc_t,s0) + +/run/monit\.pid -- gen_context(system_u:object_r:monit_run_t,s0) + +/usr/bin/monit -- gen_context(system_u:object_r:monit_exec_t,s0) + +/usr/lib/systemd/system/monit.* -- gen_context(system_u:object_r:monit_unit_t,s0) + +/var/lib/monit(/.*)? gen_context(system_u:object_r:monit_var_lib_t,s0) + +/var/log/monit\.log.* -- gen_context(system_u:object_r:monit_log_t,s0) + diff --git a/policy/modules/contrib/monit.if b/policy/modules/contrib/monit.if new file mode 100644 index 00000000..d387f435 --- /dev/null +++ b/policy/modules/contrib/monit.if @@ -0,0 +1 @@ +## <summary>Monit system monitoring daemon</summary> diff --git a/policy/modules/contrib/monit.te b/policy/modules/contrib/monit.te new file mode 100644 index 00000000..93403779 --- /dev/null +++ b/policy/modules/contrib/monit.te @@ -0,0 +1,117 @@ +policy_module(monit, 1.0.0) + +######################################## +# +# Declarations +# + +## <desc> +## <p> +## Allow monit to start/stop services +## </p> +## </desc> +gen_tunable(monit_startstop_services, false) + +attribute_role monit_interactive_roles; + +type monit_t; +type monit_exec_t; +init_daemon_domain(monit_t, monit_exec_t) + +type monit_etc_t; +files_config_file(monit_etc_t) +files_security_file(monit_etc_t) # may contain password for monit webinterface + +type monit_initrc_exec_t; +init_script_file(monit_initrc_exec_t) + +type monit_log_t; +logging_log_file(monit_log_t) + +type monit_run_t; +files_pid_file(monit_run_t) + +type monit_unit_t; +init_unit_file(monit_unit_t) + +type monit_var_lib_t; +files_type(monit_var_lib_t) + +######################################## +# +# Daemon policy +# + +# dac_read_search : read /run/exim/* +# net_raw : create raw sockets +# sys_ptrace : trace processes +allow monit_t self:capability { dac_read_search net_raw sys_ptrace }; +# kernel bug +dontaudit monit_t self:capability dac_override; +# setsockopt +dontaudit monit_t self:capability net_admin; + +allow monit_t self:process { getpgid sigkill signal }; +allow monit_t self:fifo_file rw_fifo_file_perms; +allow monit_t self:netlink_route_socket r_netlink_socket_perms; +allow monit_t self:rawip_socket connected_socket_perms; +allow monit_t self:sem rw_sem_perms; +allow monit_t self:tcp_socket create_stream_socket_perms; +allow monit_t self:udp_socket create_socket_perms; +allow monit_t self:unix_stream_socket create_stream_socket_perms; + +allow monit_t monit_etc_t:dir list_dir_perms; +allow monit_t monit_etc_t:file read_file_perms; +allow monit_t monit_etc_t:lnk_file read_lnk_file_perms; + +allow monit_t monit_log_t:file { create read_file_perms append_file_perms }; +logging_log_filetrans(monit_t, monit_log_t, file) + +allow monit_t monit_run_t:file manage_file_perms; +files_pid_filetrans(monit_t, monit_run_t, file) + +allow monit_t monit_var_lib_t:dir manage_dir_perms; +allow monit_t monit_var_lib_t:file manage_file_perms; + +kernel_read_system_state(monit_t) + +corecmd_exec_bin(monit_t) +corenet_tcp_bind_generic_node(monit_t) +corenet_tcp_bind_monit_port(monit_t) +corenet_tcp_connect_all_ports(monit_t) + +dev_read_sysfs(monit_t) +dev_read_urand(monit_t) + +domain_getpgid_all_domains(monit_t) +domain_read_all_domains_state(monit_t) + +files_read_all_pids(monit_t) + +fs_getattr_dos_fs(monit_t) +fs_getattr_tmpfs(monit_t) +fs_getattr_xattr_fs(monit_t) +fs_search_dos(monit_t) + +storage_getattr_fixed_disk_dev(monit_t) + +auth_use_nsswitch(monit_t) + +miscfiles_read_localization(monit_t) + +sysnet_read_config(monit_t) + +ifdef(`init_systemd',` + tunable_policy(`monit_startstop_services',` + init_get_all_units_status(monit_t) + init_get_system_status(monit_t) + init_restart_script_service(monit_t) + init_start_all_units(monit_t) + init_stop_all_units(monit_t) + init_stream_connect(monit_t) + ') +') + +optional_policy(` + dbus_system_bus_client(monit_t) +')