From 7bbb5e50fac01f921bf11bc6013e68a3a3e99506 Mon Sep 17 00:00:00 2001
From: Fredrik Eriksson
Date: Sun, 17 May 2020 15:26:12 +0200
Subject: [PATCH] add icinga selinux policy and make icinga depend on it
---
net-analyzer/icinga2/Manifest | 2 +
net-analyzer/icinga2/icinga2-2.11.3.ebuild | 170 ++++++++++++++++++
sec-policy/selinux-icinga2/Manifest | 3 +
.../selinux-icinga2/files/gentoonize.patch | 114 ++++++++++++
.../selinux-icinga2-2.11.3.ebuild | 53 ++++++
5 files changed, 342 insertions(+)
create mode 100644 net-analyzer/icinga2/Manifest
create mode 100644 net-analyzer/icinga2/icinga2-2.11.3.ebuild
create mode 100644 sec-policy/selinux-icinga2/Manifest
create mode 100644 sec-policy/selinux-icinga2/files/gentoonize.patch
create mode 100644 sec-policy/selinux-icinga2/selinux-icinga2-2.11.3.ebuild
diff --git a/net-analyzer/icinga2/Manifest b/net-analyzer/icinga2/Manifest
new file mode 100644
index 0000000..b1e5773
--- /dev/null
+++ b/net-analyzer/icinga2/Manifest
@@ -0,0 +1,2 @@
+DIST icinga2-2.11.3.tar.gz 7475785 BLAKE2B baabe8c90170a7b2ddb3ae7e95ef3cd042e64f68dbfdb50f5a981bc63ae5aa1e8ec4082729456d1b3fc02c0c74a98e15383cc56e56c53a2ab6181db94125365c SHA512 616e938fabaa6565fb9ac4824649c09801dd53b3517c0a9b5b62307293bc838377c18818cc13dd40e240902f02455c421d433b6ee54671403598c5b7aeb78ea1
+EBUILD icinga2-2.11.3.ebuild 4615 BLAKE2B 15e2025925303b103de145a66ba3a04881cf6957e0f0ff6fcf5082ec5b47180cb06dcbc2f14dcf2bd9f0d1735c532a0980bb1d03f6ede46af07fdf7c3d064dff SHA512 2b365a8c1e5a14c528ea572e19a498f56389c32141a7e64d7e2af07095880986bc889fbc6a4b32ed1c71180b08579720c5bcfd6ec7ffd99abfa17fe8e59cb1a6
diff --git a/net-analyzer/icinga2/icinga2-2.11.3.ebuild b/net-analyzer/icinga2/icinga2-2.11.3.ebuild
new file mode 100644
index 0000000..ffc1480
--- /dev/null
+++ b/net-analyzer/icinga2/icinga2-2.11.3.ebuild
@@ -0,0 +1,170 @@
+# Copyright 1999-2020 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=6
+if [[ ${PV} != 9999 ]]; then
+ inherit cmake-utils depend.apache eutils systemd toolchain-funcs wxwidgets
+ SRC_URI="https://github.com/Icinga/icinga2/archive/v${PV}.tar.gz -> ${P}.tar.gz"
+ KEYWORDS="amd64 ~arm64 x86"
+else
+ inherit cmake-utils depend.apache eutils git-r3 systemd toolchain-funcs wxwidgets
+ EGIT_REPO_URI="https://github.com/Icinga/icinga2.git"
+ EGIT_BRANCH="master"
+fi
+
+DESCRIPTION="Distributed, general purpose, network monitoring engine"
+HOMEPAGE="http://icinga.org/icinga2"
+
+LICENSE="GPL-2"
+SLOT="0"
+IUSE="console libressl lto mail mariadb minimal +mysql nano-syntax +plugins postgres selinux systemd +vim-syntax"
+WX_GTK_VER="3.0"
+
+CDEPEND="
+ !libressl? ( dev-libs/openssl:0= )
+ libressl? ( dev-libs/libressl:0= )
+ >=dev-libs/boost-1.66.0:=[context]
+ console? ( dev-libs/libedit )
+ mariadb? ( dev-db/mariadb-connector-c:= )
+ mysql? ( dev-db/mysql-connector-c:= )
+ postgres? ( dev-db/postgresql:= )
+ dev-libs/yajl"
+
+DEPEND="
+ ${CDEPEND}
+ selinux? ( sec-policy/selinux-icinga2 )
+ sys-devel/bison
+ >=sys-devel/flex-2.5.35"
+
+RDEPEND="
+ ${CDEPEND}
+ plugins? ( || (
+ net-analyzer/monitoring-plugins
+ net-analyzer/nagios-plugins
+ ) )
+ mail? ( virtual/mailx )
+ acct-user/icinga
+ acct-group/icinga
+ acct-group/icingacmd
+ acct-group/nagios"
+
+REQUIRED_USE="!minimal? ( || ( mariadb mysql postgres ) )"
+
+want_apache2
+
+pkg_setup() {
+ depend.apache_pkg_setup
+}
+
+src_configure() {
+ sed -i 's/FLAGS\}\ \-g/FLAGS\}\ \-lpthread\ /g' CMakeLists.txt || die
+ local mycmakeargs=(
+ -DICINGA2_UNITY_BUILD=FALSE
+ -DCMAKE_VERBOSE_MAKEFILE=ON
+ -DCMAKE_BUILD_TYPE=None
+ -DCMAKE_INSTALL_SYSCONFDIR=/etc
+ -DCMAKE_INSTALL_LOCALSTATEDIR=/var
+ -DICINGA2_SYSCONFIGFILE=/etc/conf.d/icinga2
+ -DICINGA2_PLUGINDIR="/usr/$(get_libdir)/nagios/plugins"
+ -DICINGA2_USER=icinga
+ -DICINGA2_GROUP=icingacmd
+ -DICINGA2_COMMAND_GROUP=icingacmd
+ -DINSTALL_SYSTEMD_SERVICE_AND_INITSCRIPT=yes
+ -DUSE_SYSTEMD=$(usex systemd ON OFF)
+ -DLOGROTATE_HAS_SU=ON
+ )
+ # default to off if minimal, allow the flags to be set otherwise
+ if use minimal; then
+ mycmakeargs+=(
+ -DICINGA2_WITH_MYSQL=OFF
+ -DICINGA2_WITH_PGSQL=OFF
+ )
+ else
+ mycmakeargs+=(
+ -DICINGA2_WITH_PGSQL=$(usex postgres ON OFF)
+ -DICINGA2_WITH_MYSQL=$(usex mysql ON OFF)
+ )
+ fi
+ # LTO
+ if use lto; then
+ mycmakeargs+=(
+ -DICINGA2_LTO_BUILD=ON
+ )
+ else
+ mycmakeargs+=(
+ -DICINGA2_LTO_BUILD=OFF
+ )
+ fi
+
+ cmake-utils_src_configure
+}
+
+src_install() {
+ BUILDDIR="${WORKDIR}"/icinga2-${PV}_build
+ cd "${BUILDDIR}" || die
+
+ emake DESTDIR="${D}" install
+
+ einstalldocs
+
+ newinitd "${FILESDIR}"/icinga2.initd-3 icinga2
+
+ if use mysql ; then
+ docinto schema
+ newdoc "${WORKDIR}"/icinga2-${PV}/lib/db_ido_mysql/schema/mysql.sql mysql.sql
+ docinto schema/upgrade
+ dodoc "${WORKDIR}"/icinga2-${PV}/lib/db_ido_mysql/schema/upgrade/*
+ fi
+ if use mariadb ; then # same as mysql
+ docinto schema
+ newdoc "${WORKDIR}"/icinga2-${PV}/lib/db_ido_mysql/schema/mysql.sql mysql.sql
+ docinto schema/upgrade
+ dodoc "${WORKDIR}"/icinga2-${PV}/lib/db_ido_mysql/schema/upgrade/*
+ fi
+ if use postgres ; then
+ docinto schema
+ newdoc "${WORKDIR}"/icinga2-${PV}/lib/db_ido_pgsql/schema/pgsql.sql pgsql.sql
+ docinto schema/upgrade
+ dodoc "${WORKDIR}"/icinga2-${PV}/lib/db_ido_pgsql/schema/upgrade/*
+ fi
+
+ keepdir /etc/icinga2
+ keepdir /var/lib/icinga2/api/zones
+ keepdir /var/lib/icinga2/api/repository
+ keepdir /var/lib/icinga2/api/log
+ keepdir /var/spool/icinga2/perfdata
+
+ rm -r "${D}/var/run" || die "failed to remove /var/run"
+ rm -r "${D}/var/cache" || die "failed to remove /var/cache"
+
+ fowners root:icinga /etc/icinga2
+ fperms 0750 /etc/icinga2
+ fowners icinga:icinga /var/lib/icinga2
+ fowners icinga:icinga /var/spool/icinga2
+ fowners -R icinga:icingacmd /var/lib/icinga2/api
+ fowners icinga:icinga /var/spool/icinga2/perfdata
+ fowners icinga:icingacmd /var/log/icinga2
+
+ fperms ug+rwX,o-rwx /etc/icinga2
+ fperms ug+rwX,o-rwx /var/lib/icinga2
+ fperms ug+rwX,o-rwx /var/spool/icinga2
+ fperms ug+rwX,o-rwx /var/log/icinga2
+
+ if use vim-syntax; then
+ insinto /usr/share/vim/vimfiles
+ doins -r "${WORKDIR}"/${P}/tools/syntax/vim/ftdetect
+ doins -r "${WORKDIR}"/${P}/tools/syntax/vim/syntax
+ fi
+
+ if use nano-syntax; then
+ insinto /usr/share/nano
+ doins "${WORKDIR}"/${P}/tools/syntax/nano/icinga2.nanorc
+ fi
+}
+
+pkg_postinst() {
+ if [[ ${PV} != 9999 && -n ${REPLACING_VERSIONS} && ${REPLACING_VERSIONS} != ${PV} ]]; then
+ elog "DB IDO schema upgrade may be required required.
+ https://www.icinga.com/docs/icinga2/latest/doc/16-upgrading-icinga-2/"
+ fi
+}
diff --git a/sec-policy/selinux-icinga2/Manifest b/sec-policy/selinux-icinga2/Manifest
new file mode 100644
index 0000000..9f47f29
--- /dev/null
+++ b/sec-policy/selinux-icinga2/Manifest
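Review bot: `selinux? ( sec-policy/selinux-icinga2 )` is placed in DEPEND, which under EAPI 6 is build-time only, so the policy is not pulled in at runtime or for binary-package installs even though the commit's stated purpose is to make icinga2 depend on it; move that line into RDEPEND, where sec-policy dependencies conventionally live. `newinitd "${FILESDIR}"/icinga2.initd-3 icinga2` references a file this commit does not add, and the net-analyzer/icinga2 Manifest above carries no AUX entry for it, so src_install appears to fail unless that file already exists elsewhere in the overlay. `fperms 0750 /etc/icinga2` is overridden a few lines later by `fperms ug+rwX,o-rwx /etc/icinga2`, which leaves the configuration directory group-writable for the icinga service account; keep whichever of the two reflects the access the daemon actually needs and drop the other.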
@@ -0,0 +1,3 @@
+AUX gentoonize.patch 3569 BLAKE2B 74c61ba9ae303e2cc7eb6496ea16d6ba534879618b34021cee0d489b459ea92eb0bdc0df7a91e56660c26525ece2d401b600be62a05be82ded98557fc82e27ed SHA512 bcaedd688e81c0bcc92c3cc207680b59e3cead3bc5e6e5503fb3feacb073484215d1584574aa407e4889c4fded3d6010b7d49fa0a10ea6b96bd32cebe63c7b84
+DIST icinga2-2.11.3.tar.gz 7475785 BLAKE2B baabe8c90170a7b2ddb3ae7e95ef3cd042e64f68dbfdb50f5a981bc63ae5aa1e8ec4082729456d1b3fc02c0c74a98e15383cc56e56c53a2ab6181db94125365c SHA512 616e938fabaa6565fb9ac4824649c09801dd53b3517c0a9b5b62307293bc838377c18818cc13dd40e240902f02455c421d433b6ee54671403598c5b7aeb78ea1
+EBUILD selinux-icinga2-2.11.3.ebuild 1071 BLAKE2B e65ac5f13b2dc0bd4c78ca1234dc1e4f4fc62265f1e0fa6fb4cd5fadff5429255b29000277b49fc4d3e94db8b48f09d4c866854e6157f6fff8f5c32270ee58c6 SHA512 12e7311ba0a229e6f7872770693be2dd37e6ce2887f3f7a627cb3602b542faf14f51fe75f8faa2d5d990e1ebd175fa8682bb38499a774f6d6bd8183142a03f13
diff --git a/sec-policy/selinux-icinga2/files/gentoonize.patch b/sec-policy/selinux-icinga2/files/gentoonize.patch
new file mode 100644
index 0000000..f64ce13
--- /dev/null
+++ b/sec-policy/selinux-icinga2/files/gentoonize.patch
@@ -0,0 +1,114 @@
+--- icinga2-2.11.3/tools/selinux/icinga2.te.orig 2020-05-17 12:42:51.052067797 +0200
++++ icinga2-2.11.3/tools/selinux/icinga2.te 2020-05-17 12:51:19.989106989 +0200
+@@ -58,7 +58,6 @@
+ init_script_file(icinga2_initrc_exec_t)
+
+ type icinga2_unit_file_t;
+-systemd_unit_file(icinga2_unit_file_t)
+
+ type icinga2_etc_t;
+ files_config_file(icinga2_etc_t)
+@@ -176,7 +175,6 @@
+ ')
+ icinga2_dontaudit_leaks_fifo(system_mail_t)
+ # hipsaint notification
+-auth_read_passwd(nagios_notification_plugin_t)
+ sysnet_read_config(nagios_notification_plugin_t)
+ allow nagios_notification_plugin_t self:udp_socket create_stream_socket_perms;
+ allow nagios_notification_plugin_t self:tcp_socket create_stream_socket_perms;
+@@ -216,20 +214,9 @@
+ selinux_compute_access_vector(icinga2_t)
+
+ dbus_send_system_bus(icinga2_t)
+- dbus_stream_connect_system_dbusd(icinga2_t)
+- systemd_dbus_chat_logind(icinga2_t)
+- # Without this it works but is very slow
+- systemd_write_inherited_logind_sessions_pipes(icinga2_t)
+-')
+-
+-optional_policy(`
+- tunable_policy(`icinga2_run_sudo',`
+- sudo_exec(icinga2_t)
+- ')
+ ')
+
+
+-
+ ########################################
+ #
+ # Icinga Webinterfaces
+@@ -273,3 +260,26 @@
+ icinga2adm_execstrans(nagios_eventhandler_plugin_exec_t, nagios_eventhandler_plugin_t)
+ icinga2adm_execstrans(nagios_openshift_plugin_exec_t, nagios_openshift_plugin_t)
+ icinga2adm_execstrans(nagios_notification_plugin_exec_t, nagios_notification_plugin_t)
++
++# Feffestuff
++optional_policy(`
++ gen_require(`
++ type virt_var_lib_t;
++ type virt_image_t;
++ ')
++ search_dirs_pattern(nagios_checkdisk_plugin_t, virt_var_lib_t, virt_var_lib_t)
++ search_dirs_pattern(nagios_checkdisk_plugin_t, virt_image_t, virt_image_t)
++')
++search_dirs_pattern(nagios_checkdisk_plugin_t, var_lib_t, var_lib_t)
++search_dirs_pattern(nagios_checkdisk_plugin_t, var_t, var_t)
++search_dirs_pattern(nagios_mail_plugin_t, var_lib_t, var_lib_t)
++
++optional_policy(`
++ gen_require(`
++ type postfix_data_t;
++ ')
++ list_dirs_pattern(nagios_mail_plugin_t, postfix_data_t, postfix_data_t)
++ exec_files_pattern(nagios_mail_plugin_t, bin_t, bin_t)
++ postfix_exec_master(nagios_mail_plugin_t)
++ postfix_domtrans_postqueue(nagios_mail_plugin_t)
++')
+--- icinga2-2.11.3/tools/selinux/icinga2.if.orig 2020-05-17 12:42:59.181068423 +0200
++++ icinga2-2.11.3/tools/selinux/icinga2.if 2020-05-17 12:44:26.659075160 +0200
+@@ -40,30 +40,6 @@
+
+ ########################################
+ ##
+-## Execute icinga2 daemon in the icinga2 domain.
+-##
+-##
+-## Domain allowed to transition.
+-##
+-##
+-#
+-interface(`icinga2_systemctl',`
+- gen_require(`
+- type icinga2_t;
+- type icinga2_unit_file_t;
+- ')
+-
+- systemd_exec_systemctl($1)
+- allow $1 icinga2_unit_file_t:file read_file_perms;
+- allow $1 icinga2_unit_file_t:service manage_service_perms;
+-
+- ps_process_pattern($1, icinga2_t)
+- init_dbus_chat($1)
+-')
+-
+-########################################
+-##
+ ## Allow the specified domain to read
+ ## icinga2 configuration files.
+ ##
+@@ -312,14 +288,8 @@
+ admin_pattern($1, icinga2_spool_t)
+ admin_pattern($1, icinga2_cache_t)
+
+- icinga2_systemctl($1)
+ admin_pattern($1, icinga2_unit_file_t)
+- allow $1 icinga2_unit_file_t:service all_service_perms;
+
+- optional_policy(`
+- systemd_passwd_agent_exec($1)
+- systemd_read_fifo_file_passwd_run($1)
+- ')
+ ')
+
+ ########################################
diff --git a/sec-policy/selinux-icinga2/selinux-icinga2-2.11.3.ebuild b/sec-policy/selinux-icinga2/selinux-icinga2-2.11.3.ebuild
new file mode 100644
index 0000000..ad9093a
--- /dev/null
+++ b/sec-policy/selinux-icinga2/selinux-icinga2-2.11.3.ebuild
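Review bot: The rules appended to icinga2.te reach for raw types owned by other modules (`var_lib_t`, `var_t`, `bin_t`) through `search_dirs_pattern`/`exec_files_pattern`, while the block only declares `gen_require` for the libvirt and postfix types; unless icinga2.te already requires those generic types elsewhere the module will not build, and the refpolicy interfaces that wrap them (`files_search_var_lib()`, `files_search_var()`, `corecmd_exec_bin()`) carry the requires for you. `exec_files_pattern(nagios_mail_plugin_t, bin_t, bin_t)` lets the mail plugin execute anything labelled bin_t, far wider than the postfix entry points granted on the two lines below it; if the plugin only needs to hand mail to postfix, the two postfix interfaces alone may be enough. The `# Feffestuff` heading says nothing about why these grants exist — a comment such as `# check_disk must traverse libvirt image dirs; the mail plugin submits notifications through postfix` would let a later maintainer judge whether each rule is still needed. The unconditional removal of `systemd_unit_file(icinga2_unit_file_t)` and of `icinga2_systemctl` is presumably because Gentoo's refpolicy lacks those systemd interfaces, but the icinga2 ebuild in this same commit still offers USE=systemd and installs the unit file, so on a systemd host the unit will not be labelled; a note explaining that limitation belongs in the patch header.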
@@ -0,0 +1,53 @@
+# Copyright 2020 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+DESCRIPTION="SELinux policy for icinga2"
+HOMEPAGE="http://icinga.org/icinga2"
+SRC_URI="https://github.com/Icinga/icinga2/archive/v${PV}.tar.gz -> icinga2-${PV}.tar.gz"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="~amd64 ~x86"
+
+DEPEND=""
+RDEPEND="${DEPEND}"
+BDEPEND=""
+
+S="${WORKDIR}/icinga2-${PV}"
+
+PATCHES=(
+ ${FILESDIR}/gentoonize.patch
+)
+
+src_compile() {
+ cd "${S}/tools/selinux"
+ for i in ${POLICY_TYPES}; do
+ make -f "${ROOT%/}/usr/share/selinux/${i}/include/Makefile"
+ mv icinga2.pp icinga2-${i}.pp
+ done
+}
+
+src_install() {
+ for i in ${POLICY_TYPES}; do
+ mkdir -p "${D}/usr/share/selinux/${i}"
+ mv "${S}/selinux/icinga2-${i}.pp" "${D}/usr/share/selinux/${i}/icinga2.pp"
+ done
+}
+
+
+pkg_postinst() {
+ for i in ${POLICY_TYPES}; do
+ cd "${ROOT%/}/usr/share/selinux/${i}"
+ semodule -s ${i} -i icinga2.pp
+ done
+}
+
+pkg_postrm() {
+ for i in ${POLICY_TYPES}; do
+ if semodule -s "${i}" -l | grep icinga2 >/dev/null 2>&1; then
+ semodule -s ${i} -r icinga2
+ fi
+ done
+}
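Review bot: src_install moves `${S}/selinux/icinga2-${i}.pp`, but src_compile builds in `${S}/tools/selinux` and renames the module there, so the path should read `mv "${S}/tools/selinux/icinga2-${i}.pp" ...` (unless the include Makefile relocates its output, which is not visible here). None of `cd`, `make`, `mv` or `semodule -i` is followed by `|| die`, so a failed policy build or load passes silently and icinga2 would then run without its intended confinement; use `emake` in src_compile and append `|| die` to each of the other commands. pkg_postrm removes the module unconditionally, and Portage runs the old version's pkg_postrm after the new version's pkg_postinst on an upgrade, so every upgrade would unload the module that was just installed; guard the removal with `[[ -n ${REPLACED_BY_VERSION} ]] && return`. The build, install, load and upgrade-safe removal steps are exactly what `selinux-policy-2.eclass` provides for sec-policy packages (`inherit selinux-policy-2` with `MODS="icinga2"`), which would also replace the hand-rolled `mkdir -p`/`mv` into `${D}` with the standard install helpers, though its expected source layout may need S adjusted for this tarball.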