From 43fb666dc8d1e8865d5331f032123082768ffe65 Mon Sep 17 00:00:00 2001
From: Fredrik Eriksson
Date: Sat, 23 May 2020 12:58:52 +0200
Subject: [PATCH] fixed icinga policy

---
 sec-policy/selinux-icinga2/Manifest | 2 +-
 .../selinux-icinga2/files/gentoonize.patch | 153 ++++++++----------
 2 files changed, 67 insertions(+), 88 deletions(-)

diff --git a/sec-policy/selinux-icinga2/Manifest b/sec-policy/selinux-icinga2/Manifest
index c5c0ae1..b54b51c 100644
--- a/sec-policy/selinux-icinga2/Manifest
+++ b/sec-policy/selinux-icinga2/Manifest
@@ -1,3 +1,3 @@
-AUX gentoonize.patch 4876 BLAKE2B a096dbc55548da123ca15a0d4c49f243932b4ef123e9ce01618122e1eb8979b7d4050379487adfbef16ff02f14331213d7cc2b664fb6d9def1b6c7a585788d18 SHA512 1c276c82530adc64d12777632bbdbbb0213d59641635705559d837cb9926b7d8d41cadf553e673c686e622c193dcb67b1cb35d6324342261df0858ff47293a44
+AUX gentoonize.patch 4405 BLAKE2B 9821c6bfcbe06f6318173c02d1bf31f49a4e84214de8dcec471229246226603992b5fd251352f4d69a7e04c595d7aacbaa661323bc49fe162320fdc3e6d74520 SHA512 0eef0cb9d1a376bae75582eaca5daec42f833c79a8614839f6018d3ac6df5b0755ea2830727bf15df331566ecedd52de11850c5eb4a65981996d3886f6f461a0
 DIST icinga2-2.11.3.tar.gz 7475785 BLAKE2B baabe8c90170a7b2ddb3ae7e95ef3cd042e64f68dbfdb50f5a981bc63ae5aa1e8ec4082729456d1b3fc02c0c74a98e15383cc56e56c53a2ab6181db94125365c SHA512 616e938fabaa6565fb9ac4824649c09801dd53b3517c0a9b5b62307293bc838377c18818cc13dd40e240902f02455c421d433b6ee54671403598c5b7aeb78ea1
 EBUILD selinux-icinga2-2.11.3.ebuild 1077 BLAKE2B 54fffd47616853ad07a35d996dbd2efe68d248fbfb05dd37de09c40fa18fb581ece81101595a03ec9f13a9c372a9dea2e1e9ae91f744a046bca5282d3c298d96 SHA512 8d170b5a8a414ff1bfa4aaaa862f872d739dba40154c715137c028c5699b5bae058e7ede17907fa5ed5f33d021bb3a99663f431ff07e0f15197c4be06f6f188d
diff --git a/sec-policy/selinux-icinga2/files/gentoonize.patch b/sec-policy/selinux-icinga2/files/gentoonize.patch
index 86f177f..bc0dbdc 100644
--- a/sec-policy/selinux-icinga2/files/gentoonize.patch
+++ b/sec-policy/selinux-icinga2/files/gentoonize.patch @@ -1,6 +1,6 @@ ---- icinga2-2.11.3/tools/selinux/icinga2.te.orig 2020-05-17 18:29:52.446884000 +0200 -+++ icinga2-2.11.3/tools/selinux/icinga2.te 2020-05-17 18:39:00.603857209 +0200 -@@ -41,7 +41,6 @@ +--- icinga2-2.11.3/tools/selinux/icinga2.te.orig 2020-05-23 12:30:01.124718236 +0200 ++++ icinga2-2.11.3/tools/selinux/icinga2.te 2020-05-23 12:32:01.098712372 +0200 +@@ -41,13 +41,14 @@ type nagios_system_plugin_t; type nagios_system_plugin_exec_t; type nagios_unconfined_plugin_t; type nagios_unconfined_plugin_exec_t; type nagios_eventhandler_plugin_t; type nagios_eventhandler_plugin_exec_t; 
@@ -8,122 +8,100 @@ type httpd_t; type system_mail_t; type devlog_t; role staff_r; -@@ -58,7 +57,6 @@ + attribute unreserved_port_type; + } + ++role icinga2adm_r; ++ + type icinga2_t; + type icinga2_exec_t; + init_daemon_domain(icinga2_t, icinga2_exec_t) +@@ -58,7 +59,12 @@ init_script_file(icinga2_initrc_exec_t) type icinga2_unit_file_t; -systemd_unit_file(icinga2_unit_file_t) ++ifndef(`distro_gentoo', ` ++ systemd_unit_file(icinga2_unit_file_t) ++') ++ifdef(`distro_gentoo', ` ++ init_script_file(icinga2_unit_file_t) ++') type icinga2_etc_t; files_config_file(icinga2_etc_t) -@@ -155,7 +153,6 @@ +@@ -155,7 +161,12 @@ icinga2_execstrans(nagios_system_plugin_exec_t, nagios_system_plugin_t) icinga2_execstrans(nagios_unconfined_plugin_exec_t, nagios_unconfined_plugin_t) icinga2_execstrans(nagios_eventhandler_plugin_exec_t, nagios_eventhandler_plugin_t) -icinga2_execstrans(nagios_openshift_plugin_exec_t, nagios_openshift_plugin_t) ++optional_policy(` ++ gen_require(` ++ type nagios_openshift_plugin_t; type nagios_openshift_plugin_exec_t; ++ ') ++ icinga2_execstrans(nagios_openshift_plugin_exec_t, nagios_openshift_plugin_t) ++') # should be moved nagios.te nagios_plugin_template(notification) -@@ -176,7 +173,6 @@ +@@ -176,7 +187,9 @@ ') icinga2_dontaudit_leaks_fifo(system_mail_t) # hipsaint notification -auth_read_passwd(nagios_notification_plugin_t) ++ifndef(`distro_gentoo', ` ++ auth_read_passwd(nagios_notification_plugin_t) ++') sysnet_read_config(nagios_notification_plugin_t) allow nagios_notification_plugin_t self:udp_socket create_stream_socket_perms; allow nagios_notification_plugin_t self:tcp_socket create_stream_socket_perms; -@@ -216,19 +212,8 @@ +@@ -216,16 +229,13 @@ selinux_compute_access_vector(icinga2_t) dbus_send_system_bus(icinga2_t) - dbus_stream_connect_system_dbusd(icinga2_t) -- systemd_dbus_chat_logind(icinga2_t) -- # Without this it works but is very slow -- systemd_write_inherited_logind_sessions_pipes(icinga2_t) + 
systemd_dbus_chat_logind(icinga2_t) + # Without this it works but is very slow + systemd_write_inherited_logind_sessions_pipes(icinga2_t) ') --optional_policy(` + optional_policy(` - tunable_policy(`icinga2_run_sudo',` - sudo_exec(icinga2_t) - ') --') -- -- ++ tunable_policy(`icinga2_run_sudo') + ') - ######################################## - # -@@ -254,6 +239,8 @@ - # Icinga2 Admin Role - # -+role icinga2adm_r; -+ - userdom_unpriv_user_template(icinga2adm) - - icinga2_admin(icinga2adm_t, icinga2adm_r) -@@ -271,5 +258,27 @@ +@@ -271,5 +281,10 @@ icinga2adm_execstrans(nagios_system_plugin_exec_t, nagios_system_plugin_t) icinga2adm_execstrans(nagios_unconfined_plugin_exec_t, nagios_unconfined_plugin_t) icinga2adm_execstrans(nagios_eventhandler_plugin_exec_t, nagios_eventhandler_plugin_t) -icinga2adm_execstrans(nagios_openshift_plugin_exec_t, nagios_openshift_plugin_t) ++optional_policy(` ++ gen_require(` ++ type nagios_openshift_plugin_t; type nagios_openshift_plugin_exec_t; ++ ') ++ icinga2adm_execstrans(nagios_openshift_plugin_exec_t, nagios_openshift_plugin_t) ++') icinga2adm_execstrans(nagios_notification_plugin_exec_t, nagios_notification_plugin_t) -+ -+# Feffestuff -+optional_policy(` -+ gen_require(` -+ type virt_var_lib_t; -+ type virt_image_t; -+ ') -+ search_dirs_pattern(nagios_checkdisk_plugin_t, virt_var_lib_t, virt_var_lib_t) -+ search_dirs_pattern(nagios_checkdisk_plugin_t, virt_image_t, virt_image_t) -+') -+search_dirs_pattern(nagios_checkdisk_plugin_t, var_lib_t, var_lib_t) -+search_dirs_pattern(nagios_checkdisk_plugin_t, var_t, var_t) -+search_dirs_pattern(nagios_mail_plugin_t, var_lib_t, var_lib_t) -+ -+optional_policy(` -+ gen_require(` -+ type postfix_data_t; -+ ') -+ list_dirs_pattern(nagios_mail_plugin_t, postfix_data_t, postfix_data_t) -+ exec_files_pattern(nagios_mail_plugin_t, bin_t, bin_t) -+ postfix_exec_master(nagios_mail_plugin_t) -+ postfix_domtrans_postqueue(nagios_mail_plugin_t) -+') ---- icinga2-2.11.3/tools/selinux/icinga2.if.orig 
2020-05-17 18:44:49.111840177 +0200 -+++ icinga2-2.11.3/tools/selinux/icinga2.if 2020-05-17 18:45:18.317838749 +0200 -@@ -40,30 +40,6 @@ +--- icinga2-2.11.3/tools/selinux/icinga2.if.orig 2020-05-23 12:30:13.197717646 +0200 ++++ icinga2-2.11.3/tools/selinux/icinga2.if 2020-05-23 12:31:03.445715190 +0200 +@@ -54,9 +54,11 @@ + type icinga2_unit_file_t; + ') - ######################################## - ## --## Execute icinga2 daemon in the icinga2 domain. --## --## --## --## Domain allowed to transition. --## --## --# --interface(`icinga2_systemctl',` -- gen_require(` -- type icinga2_t; -- type icinga2_unit_file_t; -- ') -- - systemd_exec_systemctl($1) -- allow $1 icinga2_unit_file_t:file read_file_perms; ++ ifndef(`distro_gentoo', ` ++ systemd_exec_systemctl($1) ++ allow $1 icinga2_unit_file_t:service manage_service_perms; ++ ') + allow $1 icinga2_unit_file_t:file read_file_perms; - allow $1 icinga2_unit_file_t:service manage_service_perms; -- -- ps_process_pattern($1, icinga2_t) -- init_dbus_chat($1) --') -- --######################################## --## - ## Allow the specified domain to read - ## icinga2 configuration files. - ## -@@ -289,7 +265,7 @@ + + ps_process_pattern($1, icinga2_t) + init_dbus_chat($1) +@@ -289,7 +291,7 @@ allow $1 icinga2_t:process { signal_perms }; ps_process_pattern($1, icinga2_t) @@ -132,18 +110,19 @@ allow $1 icinga2_t:process ptrace; ') -@@ -312,14 +288,8 @@ - admin_pattern($1, icinga2_spool_t) - admin_pattern($1, icinga2_cache_t) +@@ -314,11 +316,13 @@ -- icinga2_systemctl($1) + icinga2_systemctl($1) admin_pattern($1, icinga2_unit_file_t) - allow $1 icinga2_unit_file_t:service all_service_perms; - optional_policy(` -- systemd_passwd_agent_exec($1) -- systemd_read_fifo_file_passwd_run($1) -- ') ++ ifndef(`distro_gentoo', ` ++ allow $1 icinga2_unit_file_t:service all_service_perms; ++ optional_policy(` + systemd_passwd_agent_exec($1) + systemd_read_fifo_file_passwd_run($1) ++ ') + ') ') - ########################################
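Review bot: The new inner hunk collapses the sudo block to `tunable_policy(`icinga2_run_sudo')` with no rules inside it, so on Gentoo the boolean (presumably still declared by a gen_tunable earlier in icinga2.te, outside this diff) can be toggled but grants icinga2_t nothing, and an operator who enables it expecting sudo-based checks to work gets silent AVC denials rather than a build-time error. If sudo_exec() is not provided by the policy tree this targets, record that next to the stub, e.g. `# distro_gentoo: sudo_exec() not available here, icinga2_run_sudo is intentionally a no-op`; otherwise keep `sudo_exec(icinga2_t)` as the body, since the surrounding optional_policy already makes the rule conditional on the sudo module. Separately, `init_script_file(icinga2_unit_file_t)` under distro_gentoo creates a second init-script type beside the icinga2_initrc_exec_t declared a few lines above, and the admin interface further down still applies `admin_pattern($1, icinga2_unit_file_t)`, so the icinga2 admin role gains write access to a type that init will execute; whether any path is actually labelled with it on Gentoo depends on icinga2.fc, which this diff does not touch. If nothing is labelled with it, `files_type(icinga2_unit_file_t)` is the lower-privilege placeholder that still satisfies the interface's file rules.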