add icinga selinux policy and make icinga depend on it

2020-05-17 15:26:12 +02:00 · 2020-05-17 15:26:12 +02:00 · 7bbb5e50fa
parent c3b67af250
commit 7bbb5e50fa
5 changed files with 342 additions and 0 deletions
--- a/net-analyzer/icinga2/Manifest
+++ b/net-analyzer/icinga2/Manifest
@ -0,0 +1,2 @@
+DIST icinga2-2.11.3.tar.gz 7475785 BLAKE2B baabe8c90170a7b2ddb3ae7e95ef3cd042e64f68dbfdb50f5a981bc63ae5aa1e8ec4082729456d1b3fc02c0c74a98e15383cc56e56c53a2ab6181db94125365c SHA512 616e938fabaa6565fb9ac4824649c09801dd53b3517c0a9b5b62307293bc838377c18818cc13dd40e240902f02455c421d433b6ee54671403598c5b7aeb78ea1
+EBUILD icinga2-2.11.3.ebuild 4615 BLAKE2B 15e2025925303b103de145a66ba3a04881cf6957e0f0ff6fcf5082ec5b47180cb06dcbc2f14dcf2bd9f0d1735c532a0980bb1d03f6ede46af07fdf7c3d064dff SHA512 2b365a8c1e5a14c528ea572e19a498f56389c32141a7e64d7e2af07095880986bc889fbc6a4b32ed1c71180b08579720c5bcfd6ec7ffd99abfa17fe8e59cb1a6
--- a/net-analyzer/icinga2/icinga2-2.11.3.ebuild
+++ b/net-analyzer/icinga2/icinga2-2.11.3.ebuild
@ -0,0 +1,170 @@
+# Copyright 1999-2020 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=6
+if [[ ${PV} != 9999 ]]; then
+	inherit cmake-utils depend.apache eutils systemd toolchain-funcs wxwidgets
+	SRC_URI="https://github.com/Icinga/icinga2/archive/v${PV}.tar.gz -> ${P}.tar.gz"
+	KEYWORDS="amd64 ~arm64 x86"
+else
+	inherit cmake-utils depend.apache eutils git-r3 systemd toolchain-funcs wxwidgets
+	EGIT_REPO_URI="https://github.com/Icinga/icinga2.git"
+	EGIT_BRANCH="master"
+fi
+
+DESCRIPTION="Distributed, general purpose, network monitoring engine"
+HOMEPAGE="http://icinga.org/icinga2"
+
+LICENSE="GPL-2"
+SLOT="0"
+IUSE="console libressl lto mail mariadb minimal +mysql nano-syntax +plugins postgres selinux systemd +vim-syntax"
+WX_GTK_VER="3.0"
+
+CDEPEND="
+	!libressl? ( dev-libs/openssl:0= )
+	libressl? ( dev-libs/libressl:0= )
+	>=dev-libs/boost-1.66.0:=[context]
+	console? ( dev-libs/libedit )
+	mariadb? ( dev-db/mariadb-connector-c:= )
+	mysql? ( dev-db/mysql-connector-c:= )
+	postgres? ( dev-db/postgresql:= )
+	dev-libs/yajl"
+
+DEPEND="
+	${CDEPEND}
+	selinux? ( sec-policy/selinux-icinga2 )
+	sys-devel/bison
+	>=sys-devel/flex-2.5.35"
+
+RDEPEND="
+	${CDEPEND}
+	plugins? ( || (
+		net-analyzer/monitoring-plugins
+		net-analyzer/nagios-plugins
+	) )
+	mail? ( virtual/mailx )
+	acct-user/icinga
+	acct-group/icinga
+	acct-group/icingacmd
+	acct-group/nagios"
+
+REQUIRED_USE="!minimal? ( || ( mariadb mysql postgres ) )"
+
+want_apache2
+
+pkg_setup() {
+	depend.apache_pkg_setup
+}
+
+src_configure() {
+	sed -i 's/FLAGS\}\ \-g/FLAGS\}\ \-lpthread\ /g' CMakeLists.txt || die
+	local mycmakeargs=(
+		-DICINGA2_UNITY_BUILD=FALSE
+		-DCMAKE_VERBOSE_MAKEFILE=ON
+		-DCMAKE_BUILD_TYPE=None
+		-DCMAKE_INSTALL_SYSCONFDIR=/etc
+		-DCMAKE_INSTALL_LOCALSTATEDIR=/var
+		-DICINGA2_SYSCONFIGFILE=/etc/conf.d/icinga2
+		-DICINGA2_PLUGINDIR="/usr/$(get_libdir)/nagios/plugins"
+		-DICINGA2_USER=icinga
+		-DICINGA2_GROUP=icingacmd
+		-DICINGA2_COMMAND_GROUP=icingacmd
+		-DINSTALL_SYSTEMD_SERVICE_AND_INITSCRIPT=yes
+		-DUSE_SYSTEMD=$(usex systemd ON OFF)
+		-DLOGROTATE_HAS_SU=ON
+	)
+	# default to off if minimal, allow the flags to be set otherwise
+	if use minimal; then
+		mycmakeargs+=(
+			-DICINGA2_WITH_MYSQL=OFF
+			-DICINGA2_WITH_PGSQL=OFF
+		)
+	else
+		mycmakeargs+=(
+			-DICINGA2_WITH_PGSQL=$(usex postgres ON OFF)
+			-DICINGA2_WITH_MYSQL=$(usex mysql ON OFF)
+		)
+	fi
+	# LTO
+	if use lto; then
+		mycmakeargs+=(
+			-DICINGA2_LTO_BUILD=ON
+		)
+	else
+		mycmakeargs+=(
+			-DICINGA2_LTO_BUILD=OFF
+		)
+	fi
+
+	cmake-utils_src_configure
+}
+
+src_install() {
+	BUILDDIR="${WORKDIR}"/icinga2-${PV}_build
+	cd "${BUILDDIR}" || die
+
+	emake DESTDIR="${D}" install
+
+	einstalldocs
+
+	newinitd "${FILESDIR}"/icinga2.initd-3 icinga2
+
+	if use mysql ; then
+		docinto schema
+		newdoc "${WORKDIR}"/icinga2-${PV}/lib/db_ido_mysql/schema/mysql.sql mysql.sql
+		docinto schema/upgrade
+		dodoc "${WORKDIR}"/icinga2-${PV}/lib/db_ido_mysql/schema/upgrade/*
+	fi
+	if use mariadb ; then  # same as mysql
+		docinto schema
+		newdoc "${WORKDIR}"/icinga2-${PV}/lib/db_ido_mysql/schema/mysql.sql mysql.sql
+		docinto schema/upgrade
+		dodoc "${WORKDIR}"/icinga2-${PV}/lib/db_ido_mysql/schema/upgrade/*
+	fi
+	if use postgres ; then
+		docinto schema
+		newdoc "${WORKDIR}"/icinga2-${PV}/lib/db_ido_pgsql/schema/pgsql.sql pgsql.sql
+		docinto schema/upgrade
+		dodoc "${WORKDIR}"/icinga2-${PV}/lib/db_ido_pgsql/schema/upgrade/*
+	fi
+
+	keepdir /etc/icinga2
+	keepdir /var/lib/icinga2/api/zones
+	keepdir /var/lib/icinga2/api/repository
+	keepdir /var/lib/icinga2/api/log
+	keepdir /var/spool/icinga2/perfdata
+
+	rm -r "${D}/var/run" || die "failed to remove /var/run"
+	rm -r "${D}/var/cache" || die "failed to remove /var/cache"
+
+	fowners root:icinga /etc/icinga2
+	fperms 0750 /etc/icinga2
+	fowners icinga:icinga /var/lib/icinga2
+	fowners icinga:icinga /var/spool/icinga2
+	fowners -R icinga:icingacmd /var/lib/icinga2/api
+	fowners icinga:icinga /var/spool/icinga2/perfdata
+	fowners icinga:icingacmd /var/log/icinga2
+
+	fperms ug+rwX,o-rwx /etc/icinga2
+	fperms ug+rwX,o-rwx /var/lib/icinga2
+	fperms ug+rwX,o-rwx /var/spool/icinga2
+	fperms ug+rwX,o-rwx /var/log/icinga2
+
+	if use vim-syntax; then
+		insinto /usr/share/vim/vimfiles
+		doins -r "${WORKDIR}"/${P}/tools/syntax/vim/ftdetect
+		doins -r "${WORKDIR}"/${P}/tools/syntax/vim/syntax
+	fi
+
+	if use nano-syntax; then
+		insinto /usr/share/nano
+		doins "${WORKDIR}"/${P}/tools/syntax/nano/icinga2.nanorc
+	fi
+}
+
+pkg_postinst() {
+	if [[ ${PV} != 9999 && -n ${REPLACING_VERSIONS} && ${REPLACING_VERSIONS} != ${PV} ]]; then
+		elog "DB IDO schema upgrade may be required required.
+		https://www.icinga.com/docs/icinga2/latest/doc/16-upgrading-icinga-2/"
+	fi
+}
--- a/sec-policy/selinux-icinga2/Manifest
+++ b/sec-policy/selinux-icinga2/Manifest
@ -0,0 +1,3 @@
+AUX gentoonize.patch 3569 BLAKE2B 74c61ba9ae303e2cc7eb6496ea16d6ba534879618b34021cee0d489b459ea92eb0bdc0df7a91e56660c26525ece2d401b600be62a05be82ded98557fc82e27ed SHA512 bcaedd688e81c0bcc92c3cc207680b59e3cead3bc5e6e5503fb3feacb073484215d1584574aa407e4889c4fded3d6010b7d49fa0a10ea6b96bd32cebe63c7b84
+DIST icinga2-2.11.3.tar.gz 7475785 BLAKE2B baabe8c90170a7b2ddb3ae7e95ef3cd042e64f68dbfdb50f5a981bc63ae5aa1e8ec4082729456d1b3fc02c0c74a98e15383cc56e56c53a2ab6181db94125365c SHA512 616e938fabaa6565fb9ac4824649c09801dd53b3517c0a9b5b62307293bc838377c18818cc13dd40e240902f02455c421d433b6ee54671403598c5b7aeb78ea1
+EBUILD selinux-icinga2-2.11.3.ebuild 1071 BLAKE2B e65ac5f13b2dc0bd4c78ca1234dc1e4f4fc62265f1e0fa6fb4cd5fadff5429255b29000277b49fc4d3e94db8b48f09d4c866854e6157f6fff8f5c32270ee58c6 SHA512 12e7311ba0a229e6f7872770693be2dd37e6ce2887f3f7a627cb3602b542faf14f51fe75f8faa2d5d990e1ebd175fa8682bb38499a774f6d6bd8183142a03f13
--- a/sec-policy/selinux-icinga2/files/gentoonize.patch
+++ b/sec-policy/selinux-icinga2/files/gentoonize.patch
@ -0,0 +1,114 @@
+--- icinga2-2.11.3/tools/selinux/icinga2.te.orig	2020-05-17 12:42:51.052067797 +0200
+++ icinga2-2.11.3/tools/selinux/icinga2.te	2020-05-17 12:51:19.989106989 +0200
+@@ -58,7 +58,6 @@
+ init_script_file(icinga2_initrc_exec_t)
+ 
+ type icinga2_unit_file_t;
+-systemd_unit_file(icinga2_unit_file_t)
+ 
+ type icinga2_etc_t;
+ files_config_file(icinga2_etc_t)
+@@ -176,7 +175,6 @@
+ ')
+ icinga2_dontaudit_leaks_fifo(system_mail_t)
+ # hipsaint notification
+-auth_read_passwd(nagios_notification_plugin_t)
+ sysnet_read_config(nagios_notification_plugin_t)
+ allow nagios_notification_plugin_t self:udp_socket create_stream_socket_perms;
+ allow nagios_notification_plugin_t self:tcp_socket create_stream_socket_perms;
+@@ -216,20 +214,9 @@
+     selinux_compute_access_vector(icinga2_t)
+ 
+     dbus_send_system_bus(icinga2_t)
+-    dbus_stream_connect_system_dbusd(icinga2_t)
+-    systemd_dbus_chat_logind(icinga2_t)
+-    # Without this it works but is very slow
+-    systemd_write_inherited_logind_sessions_pipes(icinga2_t)
+-')
+-
+-optional_policy(`
+-    tunable_policy(`icinga2_run_sudo',`
+-        sudo_exec(icinga2_t)
+-    ')
+ ')
+ 
+ 
+-
+ ########################################
+ #
+ # Icinga Webinterfaces
+@@ -273,3 +260,26 @@
+ icinga2adm_execstrans(nagios_eventhandler_plugin_exec_t, nagios_eventhandler_plugin_t)
+ icinga2adm_execstrans(nagios_openshift_plugin_exec_t, nagios_openshift_plugin_t)
+ icinga2adm_execstrans(nagios_notification_plugin_exec_t, nagios_notification_plugin_t)
+
+# Feffestuff
+optional_policy(`
+	gen_require(`
+		type virt_var_lib_t;
+		type virt_image_t;
+	')
+	search_dirs_pattern(nagios_checkdisk_plugin_t, virt_var_lib_t, virt_var_lib_t)
+	search_dirs_pattern(nagios_checkdisk_plugin_t, virt_image_t, virt_image_t)
+')
+search_dirs_pattern(nagios_checkdisk_plugin_t, var_lib_t, var_lib_t)
+search_dirs_pattern(nagios_checkdisk_plugin_t, var_t, var_t)
+search_dirs_pattern(nagios_mail_plugin_t, var_lib_t, var_lib_t)
+
+optional_policy(`
+	gen_require(`
+	  type postfix_data_t;
+	')
+	list_dirs_pattern(nagios_mail_plugin_t, postfix_data_t, postfix_data_t)
+	exec_files_pattern(nagios_mail_plugin_t, bin_t, bin_t)
+	postfix_exec_master(nagios_mail_plugin_t)
+	postfix_domtrans_postqueue(nagios_mail_plugin_t)
+')
+--- icinga2-2.11.3/tools/selinux/icinga2.if.orig	2020-05-17 12:42:59.181068423 +0200
+++ icinga2-2.11.3/tools/selinux/icinga2.if	2020-05-17 12:44:26.659075160 +0200
+@@ -40,30 +40,6 @@
+ 
+ ########################################
+ ## <summary>
+-##      Execute icinga2 daemon in the icinga2 domain.
+-## </summary>
+-## <param name="domain">
+-##      <summary>
+-##      Domain allowed to transition.
+-##      </summary>
+-## </param>
+-#
+-interface(`icinga2_systemctl',`
+-        gen_require(`
+-                type icinga2_t;
+-                type icinga2_unit_file_t;
+-        ')
+-
+-        systemd_exec_systemctl($1)
+-        allow $1 icinga2_unit_file_t:file read_file_perms;
+-        allow $1 icinga2_unit_file_t:service manage_service_perms;
+-
+-        ps_process_pattern($1, icinga2_t)
+-	init_dbus_chat($1)
+-')
+-
+-########################################
+-## <summary>
+ ##      Allow the specified domain to read
+ ##      icinga2 configuration files.
+ ## </summary>
+@@ -312,14 +288,8 @@
+ 	admin_pattern($1, icinga2_spool_t)
+ 	admin_pattern($1, icinga2_cache_t)
+ 
+-	icinga2_systemctl($1)
+ 	admin_pattern($1, icinga2_unit_file_t)
+-        allow $1 icinga2_unit_file_t:service all_service_perms;
+ 
+-	optional_policy(`
+-		systemd_passwd_agent_exec($1)
+-		systemd_read_fifo_file_passwd_run($1)
+-	')
+ ')
+ 
+ ########################################
--- a/sec-policy/selinux-icinga2/selinux-icinga2-2.11.3.ebuild
+++ b/sec-policy/selinux-icinga2/selinux-icinga2-2.11.3.ebuild
@ -0,0 +1,53 @@
+# Copyright 2020 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+DESCRIPTION="SELinux policy for icinga2"
+HOMEPAGE="http://icinga.org/icinga2"
+SRC_URI="https://github.com/Icinga/icinga2/archive/v${PV}.tar.gz -> icinga2-${PV}.tar.gz"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="~amd64 ~x86"
+
+DEPEND=""
+RDEPEND="${DEPEND}"
+BDEPEND=""
+
+S="${WORKDIR}/icinga2-${PV}"
+
+PATCHES=(
+	${FILESDIR}/gentoonize.patch
+)
+
+src_compile() {
+	cd "${S}/tools/selinux"
+	for i in ${POLICY_TYPES}; do
+		make -f "${ROOT%/}/usr/share/selinux/${i}/include/Makefile"
+		mv icinga2.pp icinga2-${i}.pp
+	done
+}
+
+src_install() {
+	for i in ${POLICY_TYPES}; do
+		mkdir -p "${D}/usr/share/selinux/${i}"
+		mv "${S}/selinux/icinga2-${i}.pp" "${D}/usr/share/selinux/${i}/icinga2.pp"
+	done
+}
+
+
+pkg_postinst() {
+	for i in ${POLICY_TYPES}; do
+		cd "${ROOT%/}/usr/share/selinux/${i}"
+		semodule -s ${i} -i icinga2.pp
+	done
+}
+
+pkg_postrm() {
+	for i in ${POLICY_TYPES}; do
+		if semodule -s "${i}" -l | grep icinga2 >/dev/null 2>&1; then
+			semodule -s ${i} -r icinga2
+		fi
+	done
+}