fixed icinga policy

This commit is contained in:
Fredrik Eriksson 2020-05-23 12:58:52 +02:00
parent 4c31414327
commit 43fb666dc8
Signed by: feffe
GPG Key ID: 18524638BE25530A
2 changed files with 67 additions and 88 deletions


@ -1,3 +1,3 @@
AUX gentoonize.patch 4876 BLAKE2B a096dbc55548da123ca15a0d4c49f243932b4ef123e9ce01618122e1eb8979b7d4050379487adfbef16ff02f14331213d7cc2b664fb6d9def1b6c7a585788d18 SHA512 1c276c82530adc64d12777632bbdbbb0213d59641635705559d837cb9926b7d8d41cadf553e673c686e622c193dcb67b1cb35d6324342261df0858ff47293a44
AUX gentoonize.patch 4405 BLAKE2B 9821c6bfcbe06f6318173c02d1bf31f49a4e84214de8dcec471229246226603992b5fd251352f4d69a7e04c595d7aacbaa661323bc49fe162320fdc3e6d74520 SHA512 0eef0cb9d1a376bae75582eaca5daec42f833c79a8614839f6018d3ac6df5b0755ea2830727bf15df331566ecedd52de11850c5eb4a65981996d3886f6f461a0
DIST icinga2-2.11.3.tar.gz 7475785 BLAKE2B baabe8c90170a7b2ddb3ae7e95ef3cd042e64f68dbfdb50f5a981bc63ae5aa1e8ec4082729456d1b3fc02c0c74a98e15383cc56e56c53a2ab6181db94125365c SHA512 616e938fabaa6565fb9ac4824649c09801dd53b3517c0a9b5b62307293bc838377c18818cc13dd40e240902f02455c421d433b6ee54671403598c5b7aeb78ea1
EBUILD selinux-icinga2-2.11.3.ebuild 1077 BLAKE2B 54fffd47616853ad07a35d996dbd2efe68d248fbfb05dd37de09c40fa18fb581ece81101595a03ec9f13a9c372a9dea2e1e9ae91f744a046bca5282d3c298d96 SHA512 8d170b5a8a414ff1bfa4aaaa862f872d739dba40154c715137c028c5699b5bae058e7ede17907fa5ed5f33d021bb3a99663f431ff07e0f15197c4be06f6f188d


@ -1,6 +1,6 @@
--- icinga2-2.11.3/tools/selinux/icinga2.te.orig 2020-05-17 18:29:52.446884000 +0200
+++ icinga2-2.11.3/tools/selinux/icinga2.te 2020-05-17 18:39:00.603857209 +0200
@@ -41,7 +41,6 @@
--- icinga2-2.11.3/tools/selinux/icinga2.te.orig 2020-05-23 12:30:01.124718236 +0200
+++ icinga2-2.11.3/tools/selinux/icinga2.te 2020-05-23 12:32:01.098712372 +0200
@@ -41,13 +41,14 @@
type nagios_system_plugin_t; type nagios_system_plugin_exec_t;
type nagios_unconfined_plugin_t; type nagios_unconfined_plugin_exec_t;
type nagios_eventhandler_plugin_t; type nagios_eventhandler_plugin_exec_t;
@ -8,122 +8,100 @@
type httpd_t; type system_mail_t;
type devlog_t;
role staff_r;
@@ -58,7 +57,6 @@
attribute unreserved_port_type;
}
+role icinga2adm_r;
+
type icinga2_t;
type icinga2_exec_t;
init_daemon_domain(icinga2_t, icinga2_exec_t)
@@ -58,7 +59,12 @@
init_script_file(icinga2_initrc_exec_t)
type icinga2_unit_file_t;
-systemd_unit_file(icinga2_unit_file_t)
+ifndef(`distro_gentoo', `
+ systemd_unit_file(icinga2_unit_file_t)
+')
+ifdef(`distro_gentoo', `
+ init_script_file(icinga2_unit_file_t)
+')
type icinga2_etc_t;
files_config_file(icinga2_etc_t)
@@ -155,7 +153,6 @@
@@ -155,7 +161,12 @@
icinga2_execstrans(nagios_system_plugin_exec_t, nagios_system_plugin_t)
icinga2_execstrans(nagios_unconfined_plugin_exec_t, nagios_unconfined_plugin_t)
icinga2_execstrans(nagios_eventhandler_plugin_exec_t, nagios_eventhandler_plugin_t)
-icinga2_execstrans(nagios_openshift_plugin_exec_t, nagios_openshift_plugin_t)
+optional_policy(`
+ gen_require(`
+ type nagios_openshift_plugin_t; type nagios_openshift_plugin_exec_t;
+ ')
+ icinga2_execstrans(nagios_openshift_plugin_exec_t, nagios_openshift_plugin_t)
+')
# should be moved nagios.te
nagios_plugin_template(notification)
@@ -176,7 +173,6 @@
@@ -176,7 +187,9 @@
')
icinga2_dontaudit_leaks_fifo(system_mail_t)
# hipsaint notification
-auth_read_passwd(nagios_notification_plugin_t)
+ifndef(`distro_gentoo', `
+ auth_read_passwd(nagios_notification_plugin_t)
+')
sysnet_read_config(nagios_notification_plugin_t)
allow nagios_notification_plugin_t self:udp_socket create_stream_socket_perms;
allow nagios_notification_plugin_t self:tcp_socket create_stream_socket_perms;
@@ -216,19 +212,8 @@
@@ -216,16 +229,13 @@
selinux_compute_access_vector(icinga2_t)
dbus_send_system_bus(icinga2_t)
- dbus_stream_connect_system_dbusd(icinga2_t)
- systemd_dbus_chat_logind(icinga2_t)
- # Without this it works but is very slow
- systemd_write_inherited_logind_sessions_pipes(icinga2_t)
systemd_dbus_chat_logind(icinga2_t)
# Without this it works but is very slow
systemd_write_inherited_logind_sessions_pipes(icinga2_t)
')
-optional_policy(`
optional_policy(`
- tunable_policy(`icinga2_run_sudo',`
- sudo_exec(icinga2_t)
- ')
-')
-
-
+ tunable_policy(`icinga2_run_sudo')
')
########################################
#
@@ -254,6 +239,8 @@
# Icinga2 Admin Role
#
+role icinga2adm_r;
+
userdom_unpriv_user_template(icinga2adm)
icinga2_admin(icinga2adm_t, icinga2adm_r)
@@ -271,5 +258,27 @@
@@ -271,5 +281,10 @@
icinga2adm_execstrans(nagios_system_plugin_exec_t, nagios_system_plugin_t)
icinga2adm_execstrans(nagios_unconfined_plugin_exec_t, nagios_unconfined_plugin_t)
icinga2adm_execstrans(nagios_eventhandler_plugin_exec_t, nagios_eventhandler_plugin_t)
-icinga2adm_execstrans(nagios_openshift_plugin_exec_t, nagios_openshift_plugin_t)
+optional_policy(`
+ gen_require(`
+ type nagios_openshift_plugin_t; type nagios_openshift_plugin_exec_t;
+ ')
+ icinga2adm_execstrans(nagios_openshift_plugin_exec_t, nagios_openshift_plugin_t)
+')
icinga2adm_execstrans(nagios_notification_plugin_exec_t, nagios_notification_plugin_t)
+
+# Feffestuff
+optional_policy(`
+ gen_require(`
+ type virt_var_lib_t;
+ type virt_image_t;
+ ')
+ search_dirs_pattern(nagios_checkdisk_plugin_t, virt_var_lib_t, virt_var_lib_t)
+ search_dirs_pattern(nagios_checkdisk_plugin_t, virt_image_t, virt_image_t)
+')
+search_dirs_pattern(nagios_checkdisk_plugin_t, var_lib_t, var_lib_t)
+search_dirs_pattern(nagios_checkdisk_plugin_t, var_t, var_t)
+search_dirs_pattern(nagios_mail_plugin_t, var_lib_t, var_lib_t)
+
+optional_policy(`
+ gen_require(`
+ type postfix_data_t;
+ ')
+ list_dirs_pattern(nagios_mail_plugin_t, postfix_data_t, postfix_data_t)
+ exec_files_pattern(nagios_mail_plugin_t, bin_t, bin_t)
+ postfix_exec_master(nagios_mail_plugin_t)
+ postfix_domtrans_postqueue(nagios_mail_plugin_t)
+')
--- icinga2-2.11.3/tools/selinux/icinga2.if.orig 2020-05-17 18:44:49.111840177 +0200
+++ icinga2-2.11.3/tools/selinux/icinga2.if 2020-05-17 18:45:18.317838749 +0200
@@ -40,30 +40,6 @@
--- icinga2-2.11.3/tools/selinux/icinga2.if.orig 2020-05-23 12:30:13.197717646 +0200
+++ icinga2-2.11.3/tools/selinux/icinga2.if 2020-05-23 12:31:03.445715190 +0200
@@ -54,9 +54,11 @@
type icinga2_unit_file_t;
')
########################################
## <summary>
-## Execute icinga2 daemon in the icinga2 domain.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed to transition.
-## </summary>
-## </param>
-#
-interface(`icinga2_systemctl',`
- gen_require(`
- type icinga2_t;
- type icinga2_unit_file_t;
- ')
-
- systemd_exec_systemctl($1)
- allow $1 icinga2_unit_file_t:file read_file_perms;
+ ifndef(`distro_gentoo', `
+ systemd_exec_systemctl($1)
+ allow $1 icinga2_unit_file_t:service manage_service_perms;
+ ')
allow $1 icinga2_unit_file_t:file read_file_perms;
- allow $1 icinga2_unit_file_t:service manage_service_perms;
-
- ps_process_pattern($1, icinga2_t)
- init_dbus_chat($1)
-')
-
-########################################
-## <summary>
## Allow the specified domain to read
## icinga2 configuration files.
## </summary>
@@ -289,7 +265,7 @@
ps_process_pattern($1, icinga2_t)
init_dbus_chat($1)
@@ -289,7 +291,7 @@
allow $1 icinga2_t:process { signal_perms };
ps_process_pattern($1, icinga2_t)
@ -132,18 +110,19 @@
allow $1 icinga2_t:process ptrace;
')
@@ -312,14 +288,8 @@
admin_pattern($1, icinga2_spool_t)
admin_pattern($1, icinga2_cache_t)
@@ -314,11 +316,13 @@
- icinga2_systemctl($1)
icinga2_systemctl($1)
admin_pattern($1, icinga2_unit_file_t)
- allow $1 icinga2_unit_file_t:service all_service_perms;
- optional_policy(`
- systemd_passwd_agent_exec($1)
- systemd_read_fifo_file_passwd_run($1)
- ')
+ ifndef(`distro_gentoo', `
+ allow $1 icinga2_unit_file_t:service all_service_perms;
+ optional_policy(`
systemd_passwd_agent_exec($1)
systemd_read_fifo_file_passwd_run($1)
+ ')
')
')
########################################
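Review bot: The one-argument `tunable_policy(`icinga2_run_sudo')` that replaces the sudo block in the `@@ -216,16 +229,13 @@` hunk leaves the boolean with nothing to toggle: as far as I can tell from refpolicy's macro it expands to an empty `if (icinga2_run_sudo) { }`, so an admin who sets `icinga2_run_sudo` gets no `sudo_exec(icinga2_t)` and no build error explaining why. If sudo support is meant to be dropped on Gentoo only, gate the upstream block the way the unit-file and `auth_read_passwd` hunks already do — `ifndef(`distro_gentoo', `` around the original `optional_policy`/`tunable_policy`/`sudo_exec` lines — or remove the block together with its `gen_tunable` (which is outside this hunk) so the boolean does not advertise a capability that is not wired up. In the trailing `# Feffestuff` block, `search_dirs_pattern(..., var_lib_t, var_lib_t)`, `search_dirs_pattern(..., var_t, var_t)` and `exec_files_pattern(nagios_mail_plugin_t, bin_t, bin_t)` reference foreign types directly, which needs a `gen_require` that is not visible in this patch and bypasses the refpolicy interfaces `files_search_var_lib()`, `files_search_var()` and `corecmd_exec_bin()` that exist for exactly this; the `bin_t` exec rule also has no dependency on postfix, so it should sit outside that `optional_policy`. The comment `# Feffestuff` should state the purpose of the block, e.g. `# Gentoo-local additions: let check_disk traverse libvirt image directories and let the mail plugin query the postfix queue`.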