authorRussell Coker <russell@coker.com.au>2023-09-28 23:55:56 +1000
committerKenton Groombridge <concord@gentoo.org>2023-10-06 11:30:52 -0400
commit3cf4d89db3171671a05868dd5ecaf933c49fcaa4 (patch)
tree14fadf3c3a98b3939e3d811495af90a0eabeb159
parentmisc small patches for cron policy (#701) (diff)
mon.te patches as well as some fstools patches related to it (#697)
* Patches for mon, mostly mon local monitoring. Also added the fsdaemon_read_lib() interface and fstools patch because it also uses fsdaemon_read_lib() and it's called by monitoring scripts Signed-off-by: Russell Coker <russell@coker.com.au> * Added the files_dontaudit_tmpfs_file_getattr() and storage_dev_filetrans_fixed_disk_control() interfaces needed Signed-off-by: Russell Coker <russell@coker.com.au> * Fixed the issues from the review Signed-off-by: Russell Coker <russell@coker.com.au> * Specify name to avoid conflicting file trans Signed-off-by: Russell Coker <russell@coker.com.au> * fixed dontaudi_ typo Signed-off-by: Russell Coker <russell@coker.com.au> * Changed storage_dev_filetrans_fixed_disk to have a mandatory parameter for the object class Signed-off-by: Russell Coker <russell@coker.com.au> * Remove fsdaemon_read_lib as it was already merged Signed-off-by: Russell Coker <russell@coker.com.au> --------- Signed-off-by: Russell Coker <russell@coker.com.au> Signed-off-by: Kenton Groombridge <concord@gentoo.org>
-rw-r--r--policy/modules/kernel/files.if18
-rw-r--r--policy/modules/kernel/kernel.te2
-rw-r--r--policy/modules/kernel/storage.if7
-rw-r--r--policy/modules/services/mon.te30
-rw-r--r--policy/modules/services/smartmon.te2
-rw-r--r--policy/modules/system/fstools.te17
-rw-r--r--policy/modules/system/init.te2
-rw-r--r--policy/modules/system/lvm.te2
-rw-r--r--policy/modules/system/raid.te2
9 files changed, 72 insertions, 10 deletions
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index a1113ff7..591aa64d 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -436,6 +436,24 @@ interface(`files_tmpfs_file',`
########################################
## <summary>
+## dontaudit getattr on tmpfs files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not have stat on tmpfs files audited
+## </summary>
+## </param>
+#
+interface(`files_dontaudit_getattr_all_tmpfs_files',`
+ gen_require(`
+ attribute tmpfsfile;
+ ')
+
+ dontaudit $1 tmpfsfile:file getattr;
+')
+
+########################################
+## <summary>
## Get the attributes of all directories.
## </summary>
## <param name="domain">
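Review bot: The summary of the new interface reads `dontaudit getattr on tmpfs files`, while the neighbouring interfaces in this file describe the action as a sentence (`Get the attributes of all directories.` is visible two lines further down); the refpolicy form for a dontaudit interface would be `## Do not audit attempts to get the attributes of all tmpfs files.` with the parameter summary `## Domain to not audit.`. Saying "all" in the summary also matches the interface name `files_dontaudit_getattr_all_tmpfs_files`. The body itself looks right: it requires only the tmpfsfile attribute and dontaudits only file getattr.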
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index 666d0e7e..8156ac08 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -390,7 +390,7 @@ ifdef(`init_systemd',`
')
optional_policy(`
- storage_dev_filetrans_fixed_disk(kernel_t)
+ storage_dev_filetrans_fixed_disk(kernel_t, blk_file)
storage_setattr_fixed_disk_dev(kernel_t)
storage_create_fixed_disk_dev(kernel_t)
storage_delete_fixed_disk_dev(kernel_t)
diff --git a/policy/modules/kernel/storage.if b/policy/modules/kernel/storage.if
index 9c581a91..777caea6 100644
--- a/policy/modules/kernel/storage.if
+++ b/policy/modules/kernel/storage.if
@@ -296,6 +296,11 @@ interface(`storage_manage_fixed_disk',`
## Domain allowed access.
## </summary>
## </param>
+## <param name="object_class">
+## <summary>
+## The class of the object to be created.
+## </summary>
+## </param>
## <param name="filename" optional="true">
## <summary>
## Optional filename of the block device to be created
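Review bot: The `filename` parameter summary still says `## Optional filename of the block device to be created`, but with the new mandatory `object_class` parameter the node is no longer necessarily a block device — fstools.te in this same commit calls the interface with `chr_file`. Change it to `## Optional filename of the device node to be created`; the interface's own summary sits above this hunk and, if it also says "block device", needs the same wording. Adding a mandatory positional parameter changes the interface for any out-of-tree caller of `storage_dev_filetrans_fixed_disk`; every in-tree caller is updated in this commit, so only the commit description should mention that.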
@@ -307,7 +312,7 @@ interface(`storage_dev_filetrans_fixed_disk',`
type fixed_disk_device_t;
')
- dev_filetrans($1, fixed_disk_device_t, blk_file, $2)
+ dev_filetrans($1, fixed_disk_device_t, $2, $3)
')
########################################
diff --git a/policy/modules/services/mon.te b/policy/modules/services/mon.te
index b9a34987..bbf0496b 100644
--- a/policy/modules/services/mon.te
+++ b/policy/modules/services/mon.te
@@ -42,8 +42,7 @@ files_tmp_file(mon_tmp_t)
allow mon_t self:fifo_file rw_fifo_file_perms;
allow mon_t self:tcp_socket create_stream_socket_perms;
-# for mailxmpp.alert to set ulimit
-allow mon_t self:process setrlimit;
+allow mon_t self:process { setrlimit getsched signal };
domtrans_pattern(mon_t, mon_local_test_exec_t, mon_local_test_t)
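Review bot: The why-comment `# for mailxmpp.alert to set ulimit` is dropped while `setrlimit` remains in the rewritten allow rule, so the reason for that permission is lost; keep it above the new line, e.g. `# setrlimit is for mailxmpp.alert to set ulimit`. The added `getsched` and `signal` self permissions carry no comment saying which alert or helper needs them, and a short note in the same style would help the next reviewer of mon_t's self rules.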
@@ -104,6 +103,11 @@ optional_policy(`
mta_send_mail(mon_t)
')
+optional_policy(`
+ # for config of xmpp sending program
+ xdg_read_config_files(mon_t)
+')
+
########################################
#
# Local policy
@@ -151,6 +155,10 @@ optional_policy(`
mysql_stream_connect(mon_net_test_t)
')
+optional_policy(`
+ snmp_read_snmp_var_lib_files(mon_net_test_t)
+')
+
########################################
#
# Local policy
@@ -161,9 +169,10 @@ optional_policy(`
#
# sys_ptrace is for reading /proc/1/maps etc
-allow mon_local_test_t self:capability { sys_ptrace sys_admin };
+allow mon_local_test_t self:capability { dac_override dac_read_search setgid setuid sys_ptrace sys_admin };
allow mon_local_test_t self:fifo_file rw_fifo_file_perms;
-allow mon_local_test_t self:process getsched;
+allow mon_local_test_t self:process { getsched sigkill sigstop signal };
+allow mon_local_test_t self:cap_userns sys_ptrace;
can_exec(mon_local_test_t, mon_local_test_exec_t)
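Review bot: The comment above the capability rule still says only `# sys_ptrace is for reading /proc/1/maps etc`, yet the rule now also grants `dac_override`, `dac_read_search`, `setuid` and `setgid`, which let mon_local_test_t bypass DAC permission checks and change identity — a much wider grant for a domain that runs monitoring scripts. Each should be tied in the comment to the monitor that needs it, and it is worth checking whether `dac_read_search` alone suffices where only reading is required, since `dac_override` also covers writes. The new `cap_userns sys_ptrace` line and the `sigkill sigstop` self permissions are likewise unexplained. mon_local_test_t's policy continues outside this hunk.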
@@ -184,8 +193,10 @@ dev_getattr_sysfs(mon_local_test_t)
dev_read_urand(mon_local_test_t)
dev_read_sysfs(mon_local_test_t)
+domain_getattr_all_domains(mon_local_test_t)
domain_read_all_domains_state(mon_local_test_t)
+files_dontaudit_getattr_all_tmpfs_files(mon_local_test_t)
files_read_usr_files(mon_local_test_t)
files_search_mnt(mon_local_test_t)
files_search_spool(mon_local_test_t)
@@ -194,9 +205,18 @@ files_list_boot(mon_local_test_t)
fs_search_auto_mountpoints(mon_local_test_t)
fs_getattr_nfs(mon_local_test_t)
fs_getattr_xattr_fs(mon_local_test_t)
+fs_list_cgroup_dirs(mon_local_test_t)
fs_list_hugetlbfs(mon_local_test_t)
fs_list_tmpfs(mon_local_test_t)
+fs_read_cgroup_files(mon_local_test_t)
+fs_search_cgroup_dirs(mon_local_test_t)
fs_search_nfs(mon_local_test_t)
+fstools_domtrans(mon_local_test_t)
+
+# for selinux.monitor
+selinux_get_enforce_mode(mon_local_test_t)
+selinux_getattr_fs(mon_local_test_t)
+seutil_search_default_contexts(mon_local_test_t)
storage_getattr_fixed_disk_dev(mon_local_test_t)
storage_getattr_removable_dev(mon_local_test_t)
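Review bot: `fstools_domtrans(mon_local_test_t)` is placed among the kernel-layer `fs_*` calls, whereas this file keeps system-layer calls (`init_getattr_initctl`, `logging_send_syslog_msg`, `sysnet_read_config`) in the later block; move it there, with a comment naming the monitor that runs fstools, following the `# for selinux.monitor` pattern used in this hunk. That transition lets a test script run as fsadm_t, which per the fstools.te hunks in this commit carries sys_rawio and raw fixed-disk read/write access, so the reason deserves to be recorded next to the call.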
@@ -208,12 +228,14 @@ application_exec_all(mon_local_test_t)
auth_use_nsswitch(mon_local_test_t)
+fsdaemon_read_lib(mon_local_test_t)
init_getattr_initctl(mon_local_test_t)
logging_send_syslog_msg(mon_local_test_t)
miscfiles_read_generic_certs(mon_t)
miscfiles_read_localization(mon_local_test_t)
+storage_raw_read_fixed_disk(mon_local_test_t)
sysnet_read_config(mon_local_test_t)
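Review bot: `fsdaemon_read_lib(mon_local_test_t)` is a smartmon (services-layer) interface called unconditionally here, while the fstools.te hunk in this same commit wraps the identical call inside an optional_policy block; wrap it here too so mon.te still builds when the smartmon module is not present. `storage_raw_read_fixed_disk(mon_local_test_t)` is also placed among the system-layer calls instead of next to `storage_getattr_fixed_disk_dev` in the earlier hunk, and raw read access to every fixed disk device is broad enough for a monitoring-script domain that the monitor needing it should be named in a comment, e.g. `# raw disk read for <monitor name>`.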
diff --git a/policy/modules/services/smartmon.te b/policy/modules/services/smartmon.te
index b21fab5f..32c80f71 100644
--- a/policy/modules/services/smartmon.te
+++ b/policy/modules/services/smartmon.te
@@ -108,7 +108,7 @@ tunable_policy(`smartmon_3ware',`
storage_create_fixed_disk_dev(fsdaemon_t)
storage_delete_fixed_disk_dev(fsdaemon_t)
- storage_dev_filetrans_fixed_disk(fsdaemon_t)
+ storage_dev_filetrans_fixed_disk(fsdaemon_t, blk_file)
selinux_validate_context(fsdaemon_t)
diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te
index 0e3a9896..b2d22e90 100644
--- a/policy/modules/system/fstools.te
+++ b/policy/modules/system/fstools.te
@@ -34,6 +34,7 @@ ifdef(`distro_gentoo',`
# ipc_lock is for losetup
allow fsadm_t self:capability { dac_override dac_read_search ipc_lock sys_admin sys_rawio sys_resource sys_tty_config };
+dontaudit fsadm_t self:capability net_admin;
allow fsadm_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr noatsecure siginh rlimitinh dyntransition execstack setkeycreate setsockcreate getrlimit };
allow fsadm_t self:fd use;
allow fsadm_t self:fifo_file rw_fifo_file_perms;
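Review bot: The new `dontaudit fsadm_t self:capability net_admin;` has no comment saying which tool triggers the denial, unlike the `# ipc_lock is for losetup` note on the allow rule above it; an unexplained dontaudit is hard to revisit when the tool changes. Add a line such as `# net_admin is probed by <tool> and not needed` above it, with the tool name filled in from the original denial.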
@@ -123,6 +124,8 @@ files_manage_lost_found(fsadm_t)
files_manage_etc_runtime_files(fsadm_t)
files_etc_filetrans_etc_runtime(fsadm_t, file)
+fs_getattr_cgroup(fsadm_t)
+fs_getattr_dos_fs(fsadm_t)
fs_rw_all_image_files(fsadm_t)
fs_search_auto_mountpoints(fsadm_t)
fs_getattr_xattr_fs(fsadm_t)
@@ -135,6 +138,8 @@ fs_list_auto_mountpoints(fsadm_t)
fs_search_tmpfs(fsadm_t)
fs_getattr_tmpfs_dirs(fsadm_t)
fs_read_tmpfs_symlinks(fsadm_t)
+# for fstrim
+files_manage_boot_dirs(fsadm_t)
# Recreate /mnt/cdrom.
files_manage_mnt_dirs(fsadm_t)
# for tune2fs
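Review bot: `files_manage_boot_dirs(fsadm_t)` grants create, rename and delete of directories under /boot, which looks wider than fstrim needs: fstrim opens the mount-point directory and issues an ioctl on it, so `files_list_boot(fsadm_t)` (the interface this commit already uses for mon_local_test_t; list_dir_perms includes open and ioctl) should be sufficient. Worth confirming against the original denial before widening to manage; if manage really is required the comment should say why.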
@@ -145,6 +150,8 @@ mls_file_write_all_levels(fsadm_t)
selinux_getattr_fs(fsadm_t)
+storage_dev_filetrans_fixed_disk(fsadm_t, chr_file, "megaraid_sas_ioctl_node")
+storage_manage_fixed_disk(fsadm_t)
storage_raw_read_fixed_disk(fsadm_t)
storage_raw_write_fixed_disk(fsadm_t)
storage_raw_read_removable_device(fsadm_t)
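Review bot: The `storage_dev_filetrans_fixed_disk(fsadm_t, chr_file, "megaraid_sas_ioctl_node")` line and the new `storage_manage_fixed_disk(fsadm_t)` have no comment naming the tool that creates /dev/megaraid_sas_ioctl_node (presumably a MegaRAID management utility run from fsadm_t); the `# for tune2fs` style used elsewhere in this file would do. `storage_manage_fixed_disk` additionally lets fsadm_t create and delete any fixed-disk device node, not only the named one, so the comment should state that the broad manage access is intended rather than just the named file transition.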
@@ -157,6 +164,8 @@ term_use_console(fsadm_t)
init_use_fds(fsadm_t)
init_use_script_ptys(fsadm_t)
init_dontaudit_getattr_initctl(fsadm_t)
+# for systemd-fsckd to access /proc/1/environ
+init_read_state(fsadm_t)
init_rw_script_stream_sockets(fsadm_t)
logging_send_syslog_msg(fsadm_t)
@@ -200,6 +209,10 @@ optional_policy(`
')
optional_policy(`
+ fsdaemon_read_lib(fsadm_t)
+')
+
+optional_policy(`
livecd_rw_tmp_files(fsadm_t)
')
@@ -213,6 +226,10 @@ optional_policy(`
')
optional_policy(`
+ mon_dontaudit_use_fds(fsadm_t)
+')
+
+optional_policy(`
nis_use_ypbind(fsadm_t)
')
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 713558ad..457fac07 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -1043,7 +1043,7 @@ ifdef(`distro_redhat',`
fs_manage_tmpfs_files(initrc_t)
storage_manage_fixed_disk(initrc_t)
- storage_dev_filetrans_fixed_disk(initrc_t)
+ storage_dev_filetrans_fixed_disk(initrc_t, blk_file)
storage_getattr_removable_dev(initrc_t)
# readahead asks for these
diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
index f82dd8f8..82c4844d 100644
--- a/policy/modules/system/lvm.te
+++ b/policy/modules/system/lvm.te
@@ -190,7 +190,7 @@ storage_dontaudit_read_removable_device(lvm_t)
# LVM(2) needs to create directories (/dev/mapper, /dev/<vg>)
# and links from /dev/<vg> to /dev/mapper/<vg>-<lv>
# cjp: needs to create an interface here for fixed disk create
-storage_dev_filetrans_fixed_disk(lvm_t)
+storage_dev_filetrans_fixed_disk(lvm_t, blk_file)
# Access raw devices and old /dev/lvm (c 109,0). Is this needed?
storage_manage_fixed_disk(lvm_t)
diff --git a/policy/modules/system/raid.te b/policy/modules/system/raid.te
index e10e3185..907facf8 100644
--- a/policy/modules/system/raid.te
+++ b/policy/modules/system/raid.te
@@ -73,7 +73,7 @@ fs_dontaudit_list_tmpfs(mdadm_t)
mls_file_read_all_levels(mdadm_t)
mls_file_write_all_levels(mdadm_t)
-storage_dev_filetrans_fixed_disk(mdadm_t)
+storage_dev_filetrans_fixed_disk(mdadm_t, blk_file)
storage_manage_fixed_disk(mdadm_t)
storage_read_scsi_generic(mdadm_t)
storage_write_scsi_generic(mdadm_t)