From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by finch.gentoo.org (Postfix) with ESMTPS id 10614138332 for ; Thu, 18 Jan 2018 16:37:12 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 32683E08A2; Thu, 18 Jan 2018 16:37:11 +0000 (UTC) Received: from smtp.gentoo.org (dev.gentoo.org [IPv6:2001:470:ea4a:1:5054:ff:fec7:86e4]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id 01D25E08A2 for ; Thu, 18 Jan 2018 16:37:10 +0000 (UTC) Received: from oystercatcher.gentoo.org (oystercatcher.gentoo.org [148.251.78.52]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id 6C238335C3A for ; Thu, 18 Jan 2018 16:37:09 +0000 (UTC) Received: from localhost.localdomain (localhost [IPv6:::1]) by oystercatcher.gentoo.org (Postfix) with ESMTP id E203E1BF for ; Thu, 18 Jan 2018 16:37:06 +0000 (UTC) 
From: "Sven Vermeulen" To: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: 8bit Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Sven Vermeulen" Message-ID: <1516292774.43da5040356ecd17cf2ca9c31ef4a6ea5141639b.swift@gentoo> Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/ X-VCS-Repository: proj/hardened-refpolicy X-VCS-Files: policy/modules/contrib/monit.fc policy/modules/contrib/monit.if policy/modules/contrib/monit.te X-VCS-Directories: policy/modules/contrib/ X-VCS-Committer: swift X-VCS-Committer-Name: Sven Vermeulen X-VCS-Revision: 43da5040356ecd17cf2ca9c31ef4a6ea5141639b X-VCS-Branch: master Date: Thu, 18 Jan 2018 16:37:06 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org X-Archives-Salt: c970385d-69bc-4afa-8209-29736218a107 X-Archives-Hash: 803d1c263b02bc1a0a5e155d498a8f5f commit: 43da5040356ecd17cf2ca9c31ef4a6ea5141639b Author: Christian Göttsche googlemail com> AuthorDate: Fri Dec 29 20:20:06 2017 +0000 Commit: Sven Vermeulen gentoo org> CommitDate: Thu Jan 18 16:26:14 2018 +0000 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=43da5040 monit: update - usage of socket interface (/run/monit.socket as monit_runtime_t) - allow simple checks (entropy, systemctl is-system-running, getenforce) policy/modules/contrib/monit.fc | 3 ++- policy/modules/contrib/monit.if | 4 ++-- policy/modules/contrib/monit.te | 40 ++++++++++++++++++++++++++++------------ 3 files changed, 32 insertions(+), 15 deletions(-)
diff --git a/policy/modules/contrib/monit.fc b/policy/modules/contrib/monit.fc
index 273aad3e..1cd0238e 100644
--- a/policy/modules/contrib/monit.fc
+++ b/policy/modules/contrib/monit.fc
@@ -2,7 +2,8 @@
 /etc/monit(/.*)? gen_context(system_u:object_r:monit_conf_t,s0)
-/run/monit\.pid -- gen_context(system_u:object_r:monit_pid_t,s0)
+/run/monit\.pid -- gen_context(system_u:object_r:monit_runtime_t,s0)
+/run/monit\.socket -s gen_context(system_u:object_r:monit_runtime_t,s0)
 /usr/bin/monit -- gen_context(system_u:object_r:monit_exec_t,s0)
diff --git a/policy/modules/contrib/monit.if b/policy/modules/contrib/monit.if
index d249dfbd..832cdca8 100644
--- a/policy/modules/contrib/monit.if
+++ b/policy/modules/contrib/monit.if
@@ -102,7 +102,7 @@ interface(`monit_startstop_service',`
 interface(`monit_admin',`
 gen_require(`
 type monit_t, monit_conf_t, monit_initrc_exec_t;
- type monit_log_t, monit_pid_t;
+ type monit_log_t, monit_runtime_t;
 type monit_unit_t, monit_var_lib_t;
 ')
@@ -117,7 +117,7 @@ interface(`monit_admin',`
 admin_pattern($1, monit_log_t)
 files_search_pids($1)
- admin_pattern($1, monit_pid_t)
+ admin_pattern($1, monit_runtime_t)
 files_search_var_lib($1)
 admin_pattern($1, monit_var_lib_t)
diff --git a/policy/modules/contrib/monit.te b/policy/modules/contrib/monit.te
index 9b7a605b..e9c940a1 100644
--- a/policy/modules/contrib/monit.te
+++ b/policy/modules/contrib/monit.te
@@ -33,8 +33,8 @@ role monit_cli_roles types monit_cli_t;
 type monit_log_t;
 logging_log_file(monit_log_t)
-type monit_pid_t alias monit_run_t;
-files_pid_file(monit_pid_t)
+type monit_runtime_t alias monit_pid_t;
+files_pid_file(monit_runtime_t)
 type monit_unit_t;
 init_unit_file(monit_unit_t)
@@ -63,15 +63,21 @@ kernel_read_system_state(monit_domain)
 dev_read_sysfs(monit_domain)
 dev_read_urand(monit_domain)
+files_getattr_all_mountpoints(monit_domain)
+
 fs_getattr_dos_fs(monit_domain)
 fs_getattr_dos_dirs(monit_domain)
 fs_getattr_tmpfs(monit_domain)
 fs_getattr_xattr_fs(monit_domain)
+miscfiles_read_generic_certs(monit_domain)
 miscfiles_read_localization(monit_domain)
+logging_send_syslog_msg(monit_domain)
+
 # disk usage of sd card
 storage_getattr_removable_dev(monit_domain)
+storage_getattr_fixed_disk_dev(monit_domain)
 ########################################
 #
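Review bot: The four new grants in this hunk (files_getattr_all_mountpoints, miscfiles_read_generic_certs, logging_send_syslog_msg, storage_getattr_fixed_disk_dev) target the monit_domain attribute rather than monit_t, so they presumably also reach the client domain monit_cli_t (the attribute's declaration is outside the hunk); logging_send_syslog_msg in particular is moved here from a monit_t-only grant removed in the later @@ -88 hunk. If the CLI does not itself stat mountpoints and disks or write to syslog, the narrower target for those lines would be monit_t. At minimum a why-comment on the mountpoint and fixed-disk lines would make the widening reviewable, e.g. `# disk usage of mounted filesystems and fixed disks`, matching the existing `# disk usage of sd card` comment.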
@@ -88,43 +94,50 @@ dontaudit monit_t self:capability net_admin;
 allow monit_t self:fifo_file rw_fifo_file_perms;
 allow monit_t self:rawip_socket connected_socket_perms;
 allow monit_t self:tcp_socket server_stream_socket_perms;
-allow monit_t self:unix_dgram_socket { connect create };
 allow monit_t monit_log_t:file { create read_file_perms append_file_perms };
 logging_log_filetrans(monit_t, monit_log_t, file)
-allow monit_t monit_pid_t:file manage_file_perms;
-files_pid_filetrans(monit_t, monit_pid_t, file)
+allow monit_t monit_runtime_t:file manage_file_perms;
+allow monit_t monit_runtime_t:sock_file manage_sock_file_perms;
+files_pid_filetrans(monit_t, monit_runtime_t, { file sock_file })
 allow monit_t monit_var_lib_t:dir manage_dir_perms;
 allow monit_t monit_var_lib_t:file manage_file_perms;
+# entropy
+kernel_read_kernel_sysctls(monit_t)
+kernel_read_vm_overcommit_sysctl(monit_t)
+
 auth_use_nsswitch(monit_t)
 corecmd_exec_bin(monit_t)
+corecmd_exec_shell(monit_t)
 corenet_tcp_bind_generic_node(monit_t)
 corenet_tcp_bind_monit_port(monit_t)
 corenet_tcp_connect_all_ports(monit_t)
+domain_getattr_all_domains(monit_t)
 domain_getpgid_all_domains(monit_t)
 domain_read_all_domains_state(monit_t)
 files_read_all_pids(monit_t)
-logging_send_syslog_msg(monit_t)
+selinux_get_enforce_mode(monit_t)
-ifdef(`hide_broken_symptoms',`
- # kernel bug: https://github.com/SELinuxProject/selinux-kernel/issues/6
- dontaudit monit_t self:capability dac_override;
+userdom_dontaudit_search_user_home_dirs(monit_t)
+
+ifdef(`init_systemd',`
+ # systemctl is-system-running
+ init_stream_connect(monit_t)
+ init_get_system_status(monit_t)
 ')
 tunable_policy(`monit_startstop_services',`
 init_get_all_units_status(monit_t)
- init_get_system_status(monit_t)
 init_start_all_units(monit_t)
 init_stop_all_units(monit_t)
- init_stream_connect(monit_t)
 ')
 optional_policy(`
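Review bot: The `# entropy` comment does not cover what the two lines beneath it grant: kernel_read_kernel_sysctls opens all of /proc/sys/kernel rather than only the random/entropy_avail sysctl an entropy check reads, and kernel_read_vm_overcommit_sysctl is unrelated to entropy, so the reason it is needed is lost. Suggest documenting both, e.g. `# entropy check reads /proc/sys/kernel/random/entropy_avail` on the first and a separate comment naming which check or library reads the overcommit sysctl on the second. corecmd_exec_shell(monit_t) likewise arrives without a comment; since it is a no-transition exec of the shell, a note naming the checks that need it (the commit message mentions systemctl and getenforce) would make the grant reviewable. Moving init_stream_connect and init_get_system_status out of the monit_startstop_services tunable into the unconditional ifdef(`init_systemd') block is presumably intended for the is-system-running check, but it means both are granted even with the tunable off, which the `# systemctl is-system-running` comment could state. The optional_policy block opened on the last line of the hunk closes outside it.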
@@ -136,9 +149,12 @@ optional_policy(`
 # Client policy
 #
+allow monit_cli_t monit_t:unix_stream_socket connectto;
+
 allow monit_cli_t monit_log_t:file { append_file_perms read_file_perms };
-allow monit_cli_t monit_pid_t:file rw_file_perms;
+allow monit_cli_t monit_runtime_t:file rw_file_perms;
+allow monit_cli_t monit_runtime_t:sock_file write;
 allow monit_cli_t monit_var_lib_t:dir search_dir_perms;
 allow monit_cli_t monit_var_lib_t:file rw_file_perms;