fixed icinga policy
parent
4c31414327
commit
43fb666dc8
|
@ -1,3 +1,3 @@
|
||||||
AUX gentoonize.patch 4876 BLAKE2B a096dbc55548da123ca15a0d4c49f243932b4ef123e9ce01618122e1eb8979b7d4050379487adfbef16ff02f14331213d7cc2b664fb6d9def1b6c7a585788d18 SHA512 1c276c82530adc64d12777632bbdbbb0213d59641635705559d837cb9926b7d8d41cadf553e673c686e622c193dcb67b1cb35d6324342261df0858ff47293a44
|
AUX gentoonize.patch 4405 BLAKE2B 9821c6bfcbe06f6318173c02d1bf31f49a4e84214de8dcec471229246226603992b5fd251352f4d69a7e04c595d7aacbaa661323bc49fe162320fdc3e6d74520 SHA512 0eef0cb9d1a376bae75582eaca5daec42f833c79a8614839f6018d3ac6df5b0755ea2830727bf15df331566ecedd52de11850c5eb4a65981996d3886f6f461a0
|
||||||
DIST icinga2-2.11.3.tar.gz 7475785 BLAKE2B baabe8c90170a7b2ddb3ae7e95ef3cd042e64f68dbfdb50f5a981bc63ae5aa1e8ec4082729456d1b3fc02c0c74a98e15383cc56e56c53a2ab6181db94125365c SHA512 616e938fabaa6565fb9ac4824649c09801dd53b3517c0a9b5b62307293bc838377c18818cc13dd40e240902f02455c421d433b6ee54671403598c5b7aeb78ea1
|
DIST icinga2-2.11.3.tar.gz 7475785 BLAKE2B baabe8c90170a7b2ddb3ae7e95ef3cd042e64f68dbfdb50f5a981bc63ae5aa1e8ec4082729456d1b3fc02c0c74a98e15383cc56e56c53a2ab6181db94125365c SHA512 616e938fabaa6565fb9ac4824649c09801dd53b3517c0a9b5b62307293bc838377c18818cc13dd40e240902f02455c421d433b6ee54671403598c5b7aeb78ea1
|
||||||
EBUILD selinux-icinga2-2.11.3.ebuild 1077 BLAKE2B 54fffd47616853ad07a35d996dbd2efe68d248fbfb05dd37de09c40fa18fb581ece81101595a03ec9f13a9c372a9dea2e1e9ae91f744a046bca5282d3c298d96 SHA512 8d170b5a8a414ff1bfa4aaaa862f872d739dba40154c715137c028c5699b5bae058e7ede17907fa5ed5f33d021bb3a99663f431ff07e0f15197c4be06f6f188d
|
EBUILD selinux-icinga2-2.11.3.ebuild 1077 BLAKE2B 54fffd47616853ad07a35d996dbd2efe68d248fbfb05dd37de09c40fa18fb581ece81101595a03ec9f13a9c372a9dea2e1e9ae91f744a046bca5282d3c298d96 SHA512 8d170b5a8a414ff1bfa4aaaa862f872d739dba40154c715137c028c5699b5bae058e7ede17907fa5ed5f33d021bb3a99663f431ff07e0f15197c4be06f6f188d
|
||||||
|
|
|
@ -1,6 +1,6 @@
|
||||||
--- icinga2-2.11.3/tools/selinux/icinga2.te.orig 2020-05-17 18:29:52.446884000 +0200
|
--- icinga2-2.11.3/tools/selinux/icinga2.te.orig 2020-05-23 12:30:01.124718236 +0200
|
||||||
+++ icinga2-2.11.3/tools/selinux/icinga2.te 2020-05-17 18:39:00.603857209 +0200
|
+++ icinga2-2.11.3/tools/selinux/icinga2.te 2020-05-23 12:32:01.098712372 +0200
|
||||||
@@ -41,7 +41,6 @@
|
@@ -41,13 +41,14 @@
|
||||||
type nagios_system_plugin_t; type nagios_system_plugin_exec_t;
|
type nagios_system_plugin_t; type nagios_system_plugin_exec_t;
|
||||||
type nagios_unconfined_plugin_t; type nagios_unconfined_plugin_exec_t;
|
type nagios_unconfined_plugin_t; type nagios_unconfined_plugin_exec_t;
|
||||||
type nagios_eventhandler_plugin_t; type nagios_eventhandler_plugin_exec_t;
|
type nagios_eventhandler_plugin_t; type nagios_eventhandler_plugin_exec_t;
|
||||||
|
@ -8,122 +8,100 @@
|
||||||
type httpd_t; type system_mail_t;
|
type httpd_t; type system_mail_t;
|
||||||
type devlog_t;
|
type devlog_t;
|
||||||
role staff_r;
|
role staff_r;
|
||||||
@@ -58,7 +57,6 @@
|
attribute unreserved_port_type;
|
||||||
|
}
|
||||||
|
|
||||||
|
+role icinga2adm_r;
|
||||||
|
+
|
||||||
|
type icinga2_t;
|
||||||
|
type icinga2_exec_t;
|
||||||
|
init_daemon_domain(icinga2_t, icinga2_exec_t)
|
||||||
|
@@ -58,7 +59,12 @@
|
||||||
init_script_file(icinga2_initrc_exec_t)
|
init_script_file(icinga2_initrc_exec_t)
|
||||||
|
|
||||||
type icinga2_unit_file_t;
|
type icinga2_unit_file_t;
|
||||||
-systemd_unit_file(icinga2_unit_file_t)
|
-systemd_unit_file(icinga2_unit_file_t)
|
||||||
|
+ifndef(`distro_gentoo', `
|
||||||
|
+ systemd_unit_file(icinga2_unit_file_t)
|
||||||
|
+')
|
||||||
|
+ifdef(`distro_gentoo', `
|
||||||
|
+ init_script_file(icinga2_unit_file_t)
|
||||||
|
+')
|
||||||
|
|
||||||
type icinga2_etc_t;
|
type icinga2_etc_t;
|
||||||
files_config_file(icinga2_etc_t)
|
files_config_file(icinga2_etc_t)
|
||||||
@@ -155,7 +153,6 @@
|
@@ -155,7 +161,12 @@
|
||||||
icinga2_execstrans(nagios_system_plugin_exec_t, nagios_system_plugin_t)
|
icinga2_execstrans(nagios_system_plugin_exec_t, nagios_system_plugin_t)
|
||||||
icinga2_execstrans(nagios_unconfined_plugin_exec_t, nagios_unconfined_plugin_t)
|
icinga2_execstrans(nagios_unconfined_plugin_exec_t, nagios_unconfined_plugin_t)
|
||||||
icinga2_execstrans(nagios_eventhandler_plugin_exec_t, nagios_eventhandler_plugin_t)
|
icinga2_execstrans(nagios_eventhandler_plugin_exec_t, nagios_eventhandler_plugin_t)
|
||||||
-icinga2_execstrans(nagios_openshift_plugin_exec_t, nagios_openshift_plugin_t)
|
-icinga2_execstrans(nagios_openshift_plugin_exec_t, nagios_openshift_plugin_t)
|
||||||
|
+optional_policy(`
|
||||||
|
+ gen_require(`
|
||||||
|
+ type nagios_openshift_plugin_t; type nagios_openshift_plugin_exec_t;
|
||||||
|
+ ')
|
||||||
|
+ icinga2_execstrans(nagios_openshift_plugin_exec_t, nagios_openshift_plugin_t)
|
||||||
|
+')
|
||||||
|
|
||||||
# should be moved nagios.te
|
# should be moved nagios.te
|
||||||
nagios_plugin_template(notification)
|
nagios_plugin_template(notification)
|
||||||
@@ -176,7 +173,6 @@
|
@@ -176,7 +187,9 @@
|
||||||
')
|
')
|
||||||
icinga2_dontaudit_leaks_fifo(system_mail_t)
|
icinga2_dontaudit_leaks_fifo(system_mail_t)
|
||||||
# hipsaint notification
|
# hipsaint notification
|
||||||
-auth_read_passwd(nagios_notification_plugin_t)
|
-auth_read_passwd(nagios_notification_plugin_t)
|
||||||
|
+ifndef(`distro_gentoo', `
|
||||||
|
+ auth_read_passwd(nagios_notification_plugin_t)
|
||||||
|
+')
|
||||||
sysnet_read_config(nagios_notification_plugin_t)
|
sysnet_read_config(nagios_notification_plugin_t)
|
||||||
allow nagios_notification_plugin_t self:udp_socket create_stream_socket_perms;
|
allow nagios_notification_plugin_t self:udp_socket create_stream_socket_perms;
|
||||||
allow nagios_notification_plugin_t self:tcp_socket create_stream_socket_perms;
|
allow nagios_notification_plugin_t self:tcp_socket create_stream_socket_perms;
|
||||||
@@ -216,19 +212,8 @@
|
@@ -216,16 +229,13 @@
|
||||||
selinux_compute_access_vector(icinga2_t)
|
selinux_compute_access_vector(icinga2_t)
|
||||||
|
|
||||||
dbus_send_system_bus(icinga2_t)
|
dbus_send_system_bus(icinga2_t)
|
||||||
- dbus_stream_connect_system_dbusd(icinga2_t)
|
- dbus_stream_connect_system_dbusd(icinga2_t)
|
||||||
- systemd_dbus_chat_logind(icinga2_t)
|
systemd_dbus_chat_logind(icinga2_t)
|
||||||
- # Without this it works but is very slow
|
# Without this it works but is very slow
|
||||||
- systemd_write_inherited_logind_sessions_pipes(icinga2_t)
|
systemd_write_inherited_logind_sessions_pipes(icinga2_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
-optional_policy(`
|
optional_policy(`
|
||||||
- tunable_policy(`icinga2_run_sudo',`
|
- tunable_policy(`icinga2_run_sudo',`
|
||||||
- sudo_exec(icinga2_t)
|
- sudo_exec(icinga2_t)
|
||||||
- ')
|
- ')
|
||||||
-')
|
+ tunable_policy(`icinga2_run_sudo')
|
||||||
-
|
')
|
||||||
-
|
|
||||||
|
|
||||||
########################################
|
|
||||||
#
|
|
||||||
@@ -254,6 +239,8 @@
|
|
||||||
# Icinga2 Admin Role
|
|
||||||
#
|
|
||||||
|
|
||||||
+role icinga2adm_r;
|
@@ -271,5 +281,10 @@
|
||||||
+
|
|
||||||
userdom_unpriv_user_template(icinga2adm)
|
|
||||||
|
|
||||||
icinga2_admin(icinga2adm_t, icinga2adm_r)
|
|
||||||
@@ -271,5 +258,27 @@
|
|
||||||
icinga2adm_execstrans(nagios_system_plugin_exec_t, nagios_system_plugin_t)
|
icinga2adm_execstrans(nagios_system_plugin_exec_t, nagios_system_plugin_t)
|
||||||
icinga2adm_execstrans(nagios_unconfined_plugin_exec_t, nagios_unconfined_plugin_t)
|
icinga2adm_execstrans(nagios_unconfined_plugin_exec_t, nagios_unconfined_plugin_t)
|
||||||
icinga2adm_execstrans(nagios_eventhandler_plugin_exec_t, nagios_eventhandler_plugin_t)
|
icinga2adm_execstrans(nagios_eventhandler_plugin_exec_t, nagios_eventhandler_plugin_t)
|
||||||
-icinga2adm_execstrans(nagios_openshift_plugin_exec_t, nagios_openshift_plugin_t)
|
-icinga2adm_execstrans(nagios_openshift_plugin_exec_t, nagios_openshift_plugin_t)
|
||||||
|
+optional_policy(`
|
||||||
|
+ gen_require(`
|
||||||
|
+ type nagios_openshift_plugin_t; type nagios_openshift_plugin_exec_t;
|
||||||
|
+ ')
|
||||||
|
+ icinga2adm_execstrans(nagios_openshift_plugin_exec_t, nagios_openshift_plugin_t)
|
||||||
|
+')
|
||||||
icinga2adm_execstrans(nagios_notification_plugin_exec_t, nagios_notification_plugin_t)
|
icinga2adm_execstrans(nagios_notification_plugin_exec_t, nagios_notification_plugin_t)
|
||||||
+
|
--- icinga2-2.11.3/tools/selinux/icinga2.if.orig 2020-05-23 12:30:13.197717646 +0200
|
||||||
+# Feffestuff
|
+++ icinga2-2.11.3/tools/selinux/icinga2.if 2020-05-23 12:31:03.445715190 +0200
|
||||||
+optional_policy(`
|
@@ -54,9 +54,11 @@
|
||||||
+ gen_require(`
|
type icinga2_unit_file_t;
|
||||||
+ type virt_var_lib_t;
|
')
|
||||||
+ type virt_image_t;
|
|
||||||
+ ')
|
|
||||||
+ search_dirs_pattern(nagios_checkdisk_plugin_t, virt_var_lib_t, virt_var_lib_t)
|
|
||||||
+ search_dirs_pattern(nagios_checkdisk_plugin_t, virt_image_t, virt_image_t)
|
|
||||||
+')
|
|
||||||
+search_dirs_pattern(nagios_checkdisk_plugin_t, var_lib_t, var_lib_t)
|
|
||||||
+search_dirs_pattern(nagios_checkdisk_plugin_t, var_t, var_t)
|
|
||||||
+search_dirs_pattern(nagios_mail_plugin_t, var_lib_t, var_lib_t)
|
|
||||||
+
|
|
||||||
+optional_policy(`
|
|
||||||
+ gen_require(`
|
|
||||||
+ type postfix_data_t;
|
|
||||||
+ ')
|
|
||||||
+ list_dirs_pattern(nagios_mail_plugin_t, postfix_data_t, postfix_data_t)
|
|
||||||
+ exec_files_pattern(nagios_mail_plugin_t, bin_t, bin_t)
|
|
||||||
+ postfix_exec_master(nagios_mail_plugin_t)
|
|
||||||
+ postfix_domtrans_postqueue(nagios_mail_plugin_t)
|
|
||||||
+')
|
|
||||||
--- icinga2-2.11.3/tools/selinux/icinga2.if.orig 2020-05-17 18:44:49.111840177 +0200
|
|
||||||
+++ icinga2-2.11.3/tools/selinux/icinga2.if 2020-05-17 18:45:18.317838749 +0200
|
|
||||||
@@ -40,30 +40,6 @@
|
|
||||||
|
|
||||||
########################################
|
|
||||||
## <summary>
|
|
||||||
-## Execute icinga2 daemon in the icinga2 domain.
|
|
||||||
-## </summary>
|
|
||||||
-## <param name="domain">
|
|
||||||
-## <summary>
|
|
||||||
-## Domain allowed to transition.
|
|
||||||
-## </summary>
|
|
||||||
-## </param>
|
|
||||||
-#
|
|
||||||
-interface(`icinga2_systemctl',`
|
|
||||||
- gen_require(`
|
|
||||||
- type icinga2_t;
|
|
||||||
- type icinga2_unit_file_t;
|
|
||||||
- ')
|
|
||||||
-
|
|
||||||
- systemd_exec_systemctl($1)
|
- systemd_exec_systemctl($1)
|
||||||
- allow $1 icinga2_unit_file_t:file read_file_perms;
|
+ ifndef(`distro_gentoo', `
|
||||||
|
+ systemd_exec_systemctl($1)
|
||||||
|
+ allow $1 icinga2_unit_file_t:service manage_service_perms;
|
||||||
|
+ ')
|
||||||
|
allow $1 icinga2_unit_file_t:file read_file_perms;
|
||||||
- allow $1 icinga2_unit_file_t:service manage_service_perms;
|
- allow $1 icinga2_unit_file_t:service manage_service_perms;
|
||||||
-
|
|
||||||
- ps_process_pattern($1, icinga2_t)
|
ps_process_pattern($1, icinga2_t)
|
||||||
- init_dbus_chat($1)
|
init_dbus_chat($1)
|
||||||
-')
|
@@ -289,7 +291,7 @@
|
||||||
-
|
|
||||||
-########################################
|
|
||||||
-## <summary>
|
|
||||||
## Allow the specified domain to read
|
|
||||||
## icinga2 configuration files.
|
|
||||||
## </summary>
|
|
||||||
@@ -289,7 +265,7 @@
|
|
||||||
allow $1 icinga2_t:process { signal_perms };
|
allow $1 icinga2_t:process { signal_perms };
|
||||||
ps_process_pattern($1, icinga2_t)
|
ps_process_pattern($1, icinga2_t)
|
||||||
|
|
||||||
|
@ -132,18 +110,19 @@
|
||||||
allow $1 icinga2_t:process ptrace;
|
allow $1 icinga2_t:process ptrace;
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -312,14 +288,8 @@
|
@@ -314,11 +316,13 @@
|
||||||
admin_pattern($1, icinga2_spool_t)
|
|
||||||
admin_pattern($1, icinga2_cache_t)
|
|
||||||
|
|
||||||
- icinga2_systemctl($1)
|
icinga2_systemctl($1)
|
||||||
admin_pattern($1, icinga2_unit_file_t)
|
admin_pattern($1, icinga2_unit_file_t)
|
||||||
- allow $1 icinga2_unit_file_t:service all_service_perms;
|
- allow $1 icinga2_unit_file_t:service all_service_perms;
|
||||||
|
|
||||||
- optional_policy(`
|
- optional_policy(`
|
||||||
- systemd_passwd_agent_exec($1)
|
+ ifndef(`distro_gentoo', `
|
||||||
- systemd_read_fifo_file_passwd_run($1)
|
+ allow $1 icinga2_unit_file_t:service all_service_perms;
|
||||||
- ')
|
+ optional_policy(`
|
||||||
|
systemd_passwd_agent_exec($1)
|
||||||
|
systemd_read_fifo_file_passwd_run($1)
|
||||||
|
+ ')
|
||||||
|
')
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
|
||||||
|
|
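Review bot: The rewritten sudo block in icinga2.te (new side of the `@@ -216,16 +229,13 @@` hunk, the line `tunable_policy(`icinga2_run_sudo')`) passes only one argument to tunable_policy, so the tunable now guards an empty rule set and `sudo_exec(icinga2_t)` is dropped unconditionally while the enclosing `optional_policy(` … `')` is kept around nothing else. If never granting the sudo transition is the intent, removing the tunable_policy call and its optional_policy wrapper would be clearer than an empty conditional; if the tunable should remain functional, the rule belongs in the second argument, `tunable_policy(`icinga2_run_sudo',` / `sudo_exec(icinga2_t)` / `')`. Either way a one-line comment above the block, `# sudo_exec deliberately not granted to icinga2_t here; icinga2_run_sudo tunable kept for compatibility`, would record the decision for the next maintainer. Old and new sides are inferred from the split-view column order on this rendered page, so confirm against the raw patch before acting on this.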