fixed icinga policy
This commit is contained in:
parent
4c31414327
commit
43fb666dc8
GPG Key ID:
18524638BE25530A
|
|
@ -1,3 +1,3 @@
|
|||
AUX gentoonize.patch 4876 BLAKE2B a096dbc55548da123ca15a0d4c49f243932b4ef123e9ce01618122e1eb8979b7d4050379487adfbef16ff02f14331213d7cc2b664fb6d9def1b6c7a585788d18 SHA512 1c276c82530adc64d12777632bbdbbb0213d59641635705559d837cb9926b7d8d41cadf553e673c686e622c193dcb67b1cb35d6324342261df0858ff47293a44
|
||||
AUX gentoonize.patch 4405 BLAKE2B 9821c6bfcbe06f6318173c02d1bf31f49a4e84214de8dcec471229246226603992b5fd251352f4d69a7e04c595d7aacbaa661323bc49fe162320fdc3e6d74520 SHA512 0eef0cb9d1a376bae75582eaca5daec42f833c79a8614839f6018d3ac6df5b0755ea2830727bf15df331566ecedd52de11850c5eb4a65981996d3886f6f461a0
|
||||
DIST icinga2-2.11.3.tar.gz 7475785 BLAKE2B baabe8c90170a7b2ddb3ae7e95ef3cd042e64f68dbfdb50f5a981bc63ae5aa1e8ec4082729456d1b3fc02c0c74a98e15383cc56e56c53a2ab6181db94125365c SHA512 616e938fabaa6565fb9ac4824649c09801dd53b3517c0a9b5b62307293bc838377c18818cc13dd40e240902f02455c421d433b6ee54671403598c5b7aeb78ea1
|
||||
EBUILD selinux-icinga2-2.11.3.ebuild 1077 BLAKE2B 54fffd47616853ad07a35d996dbd2efe68d248fbfb05dd37de09c40fa18fb581ece81101595a03ec9f13a9c372a9dea2e1e9ae91f744a046bca5282d3c298d96 SHA512 8d170b5a8a414ff1bfa4aaaa862f872d739dba40154c715137c028c5699b5bae058e7ede17907fa5ed5f33d021bb3a99663f431ff07e0f15197c4be06f6f188d
|
||||
|
|
|
|||
|
|
@ -1,6 +1,6 @@
|
|||
--- icinga2-2.11.3/tools/selinux/icinga2.te.orig 2020-05-17 18:29:52.446884000 +0200
|
||||
+++ icinga2-2.11.3/tools/selinux/icinga2.te 2020-05-17 18:39:00.603857209 +0200
|
||||
@@ -41,7 +41,6 @@
|
||||
--- icinga2-2.11.3/tools/selinux/icinga2.te.orig 2020-05-23 12:30:01.124718236 +0200
|
||||
+++ icinga2-2.11.3/tools/selinux/icinga2.te 2020-05-23 12:32:01.098712372 +0200
|
||||
@@ -41,13 +41,14 @@
|
||||
type nagios_system_plugin_t; type nagios_system_plugin_exec_t;
|
||||
type nagios_unconfined_plugin_t; type nagios_unconfined_plugin_exec_t;
|
||||
type nagios_eventhandler_plugin_t; type nagios_eventhandler_plugin_exec_t;
|
||||
|
|
@ -8,122 +8,100 @@
|
|||
type httpd_t; type system_mail_t;
|
||||
type devlog_t;
|
||||
role staff_r;
|
||||
@@ -58,7 +57,6 @@
|
||||
attribute unreserved_port_type;
|
||||
}
|
||||
|
||||
+role icinga2adm_r;
|
||||
+
|
||||
type icinga2_t;
|
||||
type icinga2_exec_t;
|
||||
init_daemon_domain(icinga2_t, icinga2_exec_t)
|
||||
@@ -58,7 +59,12 @@
|
||||
init_script_file(icinga2_initrc_exec_t)
|
||||
|
||||
type icinga2_unit_file_t;
|
||||
-systemd_unit_file(icinga2_unit_file_t)
|
||||
+ifndef(`distro_gentoo', `
|
||||
+ systemd_unit_file(icinga2_unit_file_t)
|
||||
+')
|
||||
+ifdef(`distro_gentoo', `
|
||||
+ init_script_file(icinga2_unit_file_t)
|
||||
+')
|
||||
|
||||
type icinga2_etc_t;
|
||||
files_config_file(icinga2_etc_t)
|
||||
@@ -155,7 +153,6 @@
|
||||
@@ -155,7 +161,12 @@
|
||||
icinga2_execstrans(nagios_system_plugin_exec_t, nagios_system_plugin_t)
|
||||
icinga2_execstrans(nagios_unconfined_plugin_exec_t, nagios_unconfined_plugin_t)
|
||||
icinga2_execstrans(nagios_eventhandler_plugin_exec_t, nagios_eventhandler_plugin_t)
|
||||
-icinga2_execstrans(nagios_openshift_plugin_exec_t, nagios_openshift_plugin_t)
|
||||
+optional_policy(`
|
||||
+ gen_require(`
|
||||
+ type nagios_openshift_plugin_t; type nagios_openshift_plugin_exec_t;
|
||||
+ ')
|
||||
+ icinga2_execstrans(nagios_openshift_plugin_exec_t, nagios_openshift_plugin_t)
|
||||
+')
|
||||
|
||||
# should be moved nagios.te
|
||||
nagios_plugin_template(notification)
|
||||
@@ -176,7 +173,6 @@
|
||||
@@ -176,7 +187,9 @@
|
||||
')
|
||||
icinga2_dontaudit_leaks_fifo(system_mail_t)
|
||||
# hipsaint notification
|
||||
-auth_read_passwd(nagios_notification_plugin_t)
|
||||
+ifndef(`distro_gentoo', `
|
||||
+ auth_read_passwd(nagios_notification_plugin_t)
|
||||
+')
|
||||
sysnet_read_config(nagios_notification_plugin_t)
|
||||
allow nagios_notification_plugin_t self:udp_socket create_stream_socket_perms;
|
||||
allow nagios_notification_plugin_t self:tcp_socket create_stream_socket_perms;
|
||||
@@ -216,19 +212,8 @@
|
||||
@@ -216,16 +229,13 @@
|
||||
selinux_compute_access_vector(icinga2_t)
|
||||
|
||||
dbus_send_system_bus(icinga2_t)
|
||||
- dbus_stream_connect_system_dbusd(icinga2_t)
|
||||
- systemd_dbus_chat_logind(icinga2_t)
|
||||
- # Without this it works but is very slow
|
||||
- systemd_write_inherited_logind_sessions_pipes(icinga2_t)
|
||||
systemd_dbus_chat_logind(icinga2_t)
|
||||
# Without this it works but is very slow
|
||||
systemd_write_inherited_logind_sessions_pipes(icinga2_t)
|
||||
')
|
||||
|
||||
-optional_policy(`
|
||||
optional_policy(`
|
||||
- tunable_policy(`icinga2_run_sudo',`
|
||||
- sudo_exec(icinga2_t)
|
||||
- ')
|
||||
-')
|
||||
-
|
||||
-
|
||||
+ tunable_policy(`icinga2_run_sudo')
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
@@ -254,6 +239,8 @@
|
||||
# Icinga2 Admin Role
|
||||
#
|
||||
|
||||
+role icinga2adm_r;
|
||||
+
|
||||
userdom_unpriv_user_template(icinga2adm)
|
||||
|
||||
icinga2_admin(icinga2adm_t, icinga2adm_r)
|
||||
@@ -271,5 +258,27 @@
|
||||
@@ -271,5 +281,10 @@
|
||||
icinga2adm_execstrans(nagios_system_plugin_exec_t, nagios_system_plugin_t)
|
||||
icinga2adm_execstrans(nagios_unconfined_plugin_exec_t, nagios_unconfined_plugin_t)
|
||||
icinga2adm_execstrans(nagios_eventhandler_plugin_exec_t, nagios_eventhandler_plugin_t)
|
||||
-icinga2adm_execstrans(nagios_openshift_plugin_exec_t, nagios_openshift_plugin_t)
|
||||
+optional_policy(`
|
||||
+ gen_require(`
|
||||
+ type nagios_openshift_plugin_t; type nagios_openshift_plugin_exec_t;
|
||||
+ ')
|
||||
+ icinga2adm_execstrans(nagios_openshift_plugin_exec_t, nagios_openshift_plugin_t)
|
||||
+')
|
||||
icinga2adm_execstrans(nagios_notification_plugin_exec_t, nagios_notification_plugin_t)
|
||||
+
|
||||
+# Feffestuff
|
||||
+optional_policy(`
|
||||
+ gen_require(`
|
||||
+ type virt_var_lib_t;
|
||||
+ type virt_image_t;
|
||||
+ ')
|
||||
+ search_dirs_pattern(nagios_checkdisk_plugin_t, virt_var_lib_t, virt_var_lib_t)
|
||||
+ search_dirs_pattern(nagios_checkdisk_plugin_t, virt_image_t, virt_image_t)
|
||||
+')
|
||||
+search_dirs_pattern(nagios_checkdisk_plugin_t, var_lib_t, var_lib_t)
|
||||
+search_dirs_pattern(nagios_checkdisk_plugin_t, var_t, var_t)
|
||||
+search_dirs_pattern(nagios_mail_plugin_t, var_lib_t, var_lib_t)
|
||||
+
|
||||
+optional_policy(`
|
||||
+ gen_require(`
|
||||
+ type postfix_data_t;
|
||||
+ ')
|
||||
+ list_dirs_pattern(nagios_mail_plugin_t, postfix_data_t, postfix_data_t)
|
||||
+ exec_files_pattern(nagios_mail_plugin_t, bin_t, bin_t)
|
||||
+ postfix_exec_master(nagios_mail_plugin_t)
|
||||
+ postfix_domtrans_postqueue(nagios_mail_plugin_t)
|
||||
+')
|
||||
--- icinga2-2.11.3/tools/selinux/icinga2.if.orig 2020-05-17 18:44:49.111840177 +0200
|
||||
+++ icinga2-2.11.3/tools/selinux/icinga2.if 2020-05-17 18:45:18.317838749 +0200
|
||||
@@ -40,30 +40,6 @@
|
||||
--- icinga2-2.11.3/tools/selinux/icinga2.if.orig 2020-05-23 12:30:13.197717646 +0200
|
||||
+++ icinga2-2.11.3/tools/selinux/icinga2.if 2020-05-23 12:31:03.445715190 +0200
|
||||
@@ -54,9 +54,11 @@
|
||||
type icinga2_unit_file_t;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
-## Execute icinga2 daemon in the icinga2 domain.
|
||||
-## </summary>
|
||||
-## <param name="domain">
|
||||
-## <summary>
|
||||
-## Domain allowed to transition.
|
||||
-## </summary>
|
||||
-## </param>
|
||||
-#
|
||||
-interface(`icinga2_systemctl',`
|
||||
- gen_require(`
|
||||
- type icinga2_t;
|
||||
- type icinga2_unit_file_t;
|
||||
- ')
|
||||
-
|
||||
- systemd_exec_systemctl($1)
|
||||
- allow $1 icinga2_unit_file_t:file read_file_perms;
|
||||
+ ifndef(`distro_gentoo', `
|
||||
+ systemd_exec_systemctl($1)
|
||||
+ allow $1 icinga2_unit_file_t:service manage_service_perms;
|
||||
+ ')
|
||||
allow $1 icinga2_unit_file_t:file read_file_perms;
|
||||
- allow $1 icinga2_unit_file_t:service manage_service_perms;
|
||||
-
|
||||
- ps_process_pattern($1, icinga2_t)
|
||||
- init_dbus_chat($1)
|
||||
-')
|
||||
-
|
||||
-########################################
|
||||
-## <summary>
|
||||
## Allow the specified domain to read
|
||||
## icinga2 configuration files.
|
||||
## </summary>
|
||||
@@ -289,7 +265,7 @@
|
||||
|
||||
ps_process_pattern($1, icinga2_t)
|
||||
init_dbus_chat($1)
|
||||
@@ -289,7 +291,7 @@
|
||||
allow $1 icinga2_t:process { signal_perms };
|
||||
ps_process_pattern($1, icinga2_t)
|
||||
|
||||
|
|
@ -132,18 +110,19 @@
|
|||
allow $1 icinga2_t:process ptrace;
|
||||
')
|
||||
|
||||
@@ -312,14 +288,8 @@
|
||||
admin_pattern($1, icinga2_spool_t)
|
||||
admin_pattern($1, icinga2_cache_t)
|
||||
@@ -314,11 +316,13 @@
|
||||
|
||||
- icinga2_systemctl($1)
|
||||
icinga2_systemctl($1)
|
||||
admin_pattern($1, icinga2_unit_file_t)
|
||||
- allow $1 icinga2_unit_file_t:service all_service_perms;
|
||||
|
||||
- optional_policy(`
|
||||
- systemd_passwd_agent_exec($1)
|
||||
- systemd_read_fifo_file_passwd_run($1)
|
||||
- ')
|
||||
+ ifndef(`distro_gentoo', `
|
||||
+ allow $1 icinga2_unit_file_t:service all_service_perms;
|
||||
+ optional_policy(`
|
||||
systemd_passwd_agent_exec($1)
|
||||
systemd_read_fifo_file_passwd_run($1)
|
||||
+ ')
|
||||
')
|
||||
')
|
||||
|
||||
########################################
|
||||
|
|
|
|||
Loading…
Reference in New Issue