commit:     d50fd860e9ea0385216f93170f5c3a4a4e1d9aee
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sun Feb 19 21:35:16 2017 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Feb 21 07:06:20 2017 +0000
URL:        
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d50fd860

Monit policy from Russell Coker and cgzones.

 policy/modules/contrib/monit.fc |  13 +++++
 policy/modules/contrib/monit.if |   1 +
 policy/modules/contrib/monit.te | 117 ++++++++++++++++++++++++++++++++++++++++
 3 files changed, 131 insertions(+)

diff --git a/policy/modules/contrib/monit.fc b/policy/modules/contrib/monit.fc
new file mode 100644
index 00000000..d47fa153
--- /dev/null
+++ b/policy/modules/contrib/monit.fc
@@ -0,0 +1,13 @@
+/etc/rc\.d/init\.d/monit       --      
gen_context(system_u:object_r:monit_initrc_exec_t,s9)
+/etc/monit(/.*)?                       
gen_context(system_u:object_r:monit_etc_t,s0)
+
+/run/monit\.pid                        --      
gen_context(system_u:object_r:monit_run_t,s0)
+
+/usr/bin/monit                 --      
gen_context(system_u:object_r:monit_exec_t,s0)
+
+/usr/lib/systemd/system/monit.*        --      
gen_context(system_u:object_r:monit_unit_t,s0)
+
+/var/lib/monit(/.*)?                   
gen_context(system_u:object_r:monit_var_lib_t,s0)
+
+/var/log/monit\.log.*          --      
gen_context(system_u:object_r:monit_log_t,s0)
+
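Review bot: The init script entry's context ends in `s9` while every other entry in this file uses `s0`; unless that is a transcription artifact of the page, it should be `gen_context(system_u:object_r:monit_initrc_exec_t,s0)`, since an MCS build defines only sensitivity s0 and setfiles will reject the entry. The `/usr/lib/systemd/system/monit.*` pattern also labels any unit whose name merely starts with `monit` (a hypothetical `monitoring.service` would be swept in); `/usr/lib/systemd/system/monit\.service` (or `monit.*\.service` if several units are shipped) would be tighter. Both are single-line changes in the hunk.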

diff --git a/policy/modules/contrib/monit.if b/policy/modules/contrib/monit.if
new file mode 100644
index 00000000..d387f435
--- /dev/null
+++ b/policy/modules/contrib/monit.if
@@ -0,0 +1 @@
+## <summary>Monit system monitoring daemon</summary>
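Review bot: The interface file contains only the summary, so there is no `monit_admin()` interface for an administrative role to manage `monit_t` and its file types, including `monit_etc_t`, which the .te marks as a security file because it may hold the web-interface password; without it those files are manageable only from an unconfined domain. Other contrib modules ship at least an admin interface built from `admin_pattern` over the module's types plus `init_labeled_script_domtrans` and `init_startstop_service`, each documented with the usual `<summary>`/`<param>` blocks; adding one here would make the module usable on a confined-admin system.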

diff --git a/policy/modules/contrib/monit.te b/policy/modules/contrib/monit.te
new file mode 100644
index 00000000..93403779
--- /dev/null
+++ b/policy/modules/contrib/monit.te
@@ -0,0 +1,117 @@
+policy_module(monit, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Allow monit to start/stop services
+## </p>
+## </desc>
+gen_tunable(monit_startstop_services, false)
+
+attribute_role monit_interactive_roles;
+
+type monit_t;
+type monit_exec_t;
+init_daemon_domain(monit_t, monit_exec_t)
+
+type monit_etc_t;
+files_config_file(monit_etc_t)
+files_security_file(monit_etc_t) # may contain password for monit webinterface
+
+type monit_initrc_exec_t;
+init_script_file(monit_initrc_exec_t)
+
+type monit_log_t;
+logging_log_file(monit_log_t)
+
+type monit_run_t;
+files_pid_file(monit_run_t)
+
+type monit_unit_t;
+init_unit_file(monit_unit_t)
+
+type monit_var_lib_t;
+files_type(monit_var_lib_t)
+
+########################################
+#
+# Daemon policy
+#
+
+# dac_read_search : read /run/exim/*
+# net_raw         : create raw sockets
+# sys_ptrace      : trace processes
+allow monit_t self:capability { dac_read_search net_raw sys_ptrace };
+# kernel bug
+dontaudit monit_t self:capability dac_override;
+# setsockopt
+dontaudit monit_t self:capability net_admin;
+
+allow monit_t self:process { getpgid sigkill signal };
+allow monit_t self:fifo_file rw_fifo_file_perms;
+allow monit_t self:netlink_route_socket r_netlink_socket_perms;
+allow monit_t self:rawip_socket connected_socket_perms;
+allow monit_t self:sem rw_sem_perms;
+allow monit_t self:tcp_socket create_stream_socket_perms;
+allow monit_t self:udp_socket create_socket_perms;
+allow monit_t self:unix_stream_socket create_stream_socket_perms;
+
+allow monit_t monit_etc_t:dir list_dir_perms;
+allow monit_t monit_etc_t:file read_file_perms;
+allow monit_t monit_etc_t:lnk_file read_lnk_file_perms;
+
+allow monit_t monit_log_t:file { create read_file_perms append_file_perms };
+logging_log_filetrans(monit_t, monit_log_t, file)
+
+allow monit_t monit_run_t:file manage_file_perms;
+files_pid_filetrans(monit_t, monit_run_t, file)
+
+allow monit_t monit_var_lib_t:dir manage_dir_perms;
+allow monit_t monit_var_lib_t:file manage_file_perms;
+
+kernel_read_system_state(monit_t)
+
+corecmd_exec_bin(monit_t)
+corenet_tcp_bind_generic_node(monit_t)
+corenet_tcp_bind_monit_port(monit_t)
+corenet_tcp_connect_all_ports(monit_t)
+
+dev_read_sysfs(monit_t)
+dev_read_urand(monit_t)
+
+domain_getpgid_all_domains(monit_t)
+domain_read_all_domains_state(monit_t)
+
+files_read_all_pids(monit_t)
+
+fs_getattr_dos_fs(monit_t)
+fs_getattr_tmpfs(monit_t)
+fs_getattr_xattr_fs(monit_t)
+fs_search_dos(monit_t)
+
+storage_getattr_fixed_disk_dev(monit_t)
+
+auth_use_nsswitch(monit_t)
+
+miscfiles_read_localization(monit_t)
+
+sysnet_read_config(monit_t)
+
+ifdef(`init_systemd',`
+       tunable_policy(`monit_startstop_services',`
+               init_get_all_units_status(monit_t)
+               init_get_system_status(monit_t)
+               init_restart_script_service(monit_t)
+               init_start_all_units(monit_t)
+               init_stop_all_units(monit_t)
+               init_stream_connect(monit_t)
+       ')
+')
+
+optional_policy(`
+       dbus_system_bus_client(monit_t)
+')
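Review bot: The `monit_startstop_services` tunable only takes effect inside the `ifdef(`init_systemd',...)` block, so on a SysV/OpenRC build the boolean is declared but grants nothing, and the domain has no `init_domtrans_script(monit_t)` or similar to run init scripts — enabling it there changes nothing, which is surprising for a tunable described as "Allow monit to start/stop services". If non-systemd service control is intended, a `tunable_policy` block outside the ifdef with `init_domtrans_script(monit_t)` would cover it; otherwise the `<desc>` should say the tunable applies only to systemd. Separately, `attribute_role monit_interactive_roles;` is declared but never referenced in this file or exposed through monit.if, so it is dead and should be removed or paired with a `monit_role()` interface. Note also that `corecmd_exec_bin(monit_t)` with no domain transition means anything monit runs via an `exec` action stays in `monit_t`, inheriting `sys_ptrace`, `net_raw` and `corenet_tcp_connect_all_ports`; a comment such as `# exec actions run in monit_t; no transition` would make that design choice explicit.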
