add icinga selinux policy and make icinga depend on it

sec-policy/selinux-icinga2/Manifest

@@ -0,0 +1,3 @@
+AUX gentoonize.patch 3569 BLAKE2B 74c61ba9ae303e2cc7eb6496ea16d6ba534879618b34021cee0d489b459ea92eb0bdc0df7a91e56660c26525ece2d401b600be62a05be82ded98557fc82e27ed SHA512 bcaedd688e81c0bcc92c3cc207680b59e3cead3bc5e6e5503fb3feacb073484215d1584574aa407e4889c4fded3d6010b7d49fa0a10ea6b96bd32cebe63c7b84
+DIST icinga2-2.11.3.tar.gz 7475785 BLAKE2B baabe8c90170a7b2ddb3ae7e95ef3cd042e64f68dbfdb50f5a981bc63ae5aa1e8ec4082729456d1b3fc02c0c74a98e15383cc56e56c53a2ab6181db94125365c SHA512 616e938fabaa6565fb9ac4824649c09801dd53b3517c0a9b5b62307293bc838377c18818cc13dd40e240902f02455c421d433b6ee54671403598c5b7aeb78ea1
+EBUILD selinux-icinga2-2.11.3.ebuild 1071 BLAKE2B e65ac5f13b2dc0bd4c78ca1234dc1e4f4fc62265f1e0fa6fb4cd5fadff5429255b29000277b49fc4d3e94db8b48f09d4c866854e6157f6fff8f5c32270ee58c6 SHA512 12e7311ba0a229e6f7872770693be2dd37e6ce2887f3f7a627cb3602b542faf14f51fe75f8faa2d5d990e1ebd175fa8682bb38499a774f6d6bd8183142a03f13

sec-policy/selinux-icinga2/files/gentoonize.patch

@@ -0,0 +1,114 @@
+--- icinga2-2.11.3/tools/selinux/icinga2.te.orig	2020-05-17 12:42:51.052067797 +0200
++++ icinga2-2.11.3/tools/selinux/icinga2.te	2020-05-17 12:51:19.989106989 +0200
+@@ -58,7 +58,6 @@
+ init_script_file(icinga2_initrc_exec_t)
+ 
+ type icinga2_unit_file_t;
+-systemd_unit_file(icinga2_unit_file_t)
+ 
+ type icinga2_etc_t;
+ files_config_file(icinga2_etc_t)
+@@ -176,7 +175,6 @@
+ ')
+ icinga2_dontaudit_leaks_fifo(system_mail_t)
+ # hipsaint notification
+-auth_read_passwd(nagios_notification_plugin_t)
+ sysnet_read_config(nagios_notification_plugin_t)
+ allow nagios_notification_plugin_t self:udp_socket create_stream_socket_perms;
+ allow nagios_notification_plugin_t self:tcp_socket create_stream_socket_perms;
+@@ -216,20 +214,9 @@
+     selinux_compute_access_vector(icinga2_t)
+ 
+     dbus_send_system_bus(icinga2_t)
+-    dbus_stream_connect_system_dbusd(icinga2_t)
+-    systemd_dbus_chat_logind(icinga2_t)
+-    # Without this it works but is very slow
+-    systemd_write_inherited_logind_sessions_pipes(icinga2_t)
+-')
+-
+-optional_policy(`
+-    tunable_policy(`icinga2_run_sudo',`
+-        sudo_exec(icinga2_t)
+-    ')
+ ')
+ 
+ 
+-
+ ########################################
+ #
+ # Icinga Webinterfaces
+@@ -273,3 +260,26 @@
+ icinga2adm_execstrans(nagios_eventhandler_plugin_exec_t, nagios_eventhandler_plugin_t)
+ icinga2adm_execstrans(nagios_openshift_plugin_exec_t, nagios_openshift_plugin_t)
+ icinga2adm_execstrans(nagios_notification_plugin_exec_t, nagios_notification_plugin_t)
++
++# Feffestuff
++optional_policy(`
++	gen_require(`
++		type virt_var_lib_t;
++		type virt_image_t;
++	')
++	search_dirs_pattern(nagios_checkdisk_plugin_t, virt_var_lib_t, virt_var_lib_t)
++	search_dirs_pattern(nagios_checkdisk_plugin_t, virt_image_t, virt_image_t)
++')
++search_dirs_pattern(nagios_checkdisk_plugin_t, var_lib_t, var_lib_t)
++search_dirs_pattern(nagios_checkdisk_plugin_t, var_t, var_t)
++search_dirs_pattern(nagios_mail_plugin_t, var_lib_t, var_lib_t)
++
++optional_policy(`
++	gen_require(`
++	  type postfix_data_t;
++	')
++	list_dirs_pattern(nagios_mail_plugin_t, postfix_data_t, postfix_data_t)
++	exec_files_pattern(nagios_mail_plugin_t, bin_t, bin_t)
++	postfix_exec_master(nagios_mail_plugin_t)
++	postfix_domtrans_postqueue(nagios_mail_plugin_t)
++')
+--- icinga2-2.11.3/tools/selinux/icinga2.if.orig	2020-05-17 12:42:59.181068423 +0200
++++ icinga2-2.11.3/tools/selinux/icinga2.if	2020-05-17 12:44:26.659075160 +0200
+@@ -40,30 +40,6 @@
+ 
+ ########################################
+ ## <summary>
+-##      Execute icinga2 daemon in the icinga2 domain.
+-## </summary>
+-## <param name="domain">
+-##      <summary>
+-##      Domain allowed to transition.
+-##      </summary>
+-## </param>
+-#
+-interface(`icinga2_systemctl',`
+-        gen_require(`
+-                type icinga2_t;
+-                type icinga2_unit_file_t;
+-        ')
+-
+-        systemd_exec_systemctl($1)
+-        allow $1 icinga2_unit_file_t:file read_file_perms;
+-        allow $1 icinga2_unit_file_t:service manage_service_perms;
+-
+-        ps_process_pattern($1, icinga2_t)
+-	init_dbus_chat($1)
+-')
+-
+-########################################
+-## <summary>
+ ##      Allow the specified domain to read
+ ##      icinga2 configuration files.
+ ## </summary>
+@@ -312,14 +288,8 @@
+ 	admin_pattern($1, icinga2_spool_t)
+ 	admin_pattern($1, icinga2_cache_t)
+ 
+-	icinga2_systemctl($1)
+ 	admin_pattern($1, icinga2_unit_file_t)
+-        allow $1 icinga2_unit_file_t:service all_service_perms;
+ 
+-	optional_policy(`
+-		systemd_passwd_agent_exec($1)
+-		systemd_read_fifo_file_passwd_run($1)
+-	')
+ ')
+ 
+ ########################################

sec-policy/selinux-icinga2/selinux-icinga2-2.11.3.ebuild

@@ -0,0 +1,53 @@
+# Copyright 2020 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+DESCRIPTION="SELinux policy for icinga2"
+HOMEPAGE="http://icinga.org/icinga2"
+SRC_URI="https://github.com/Icinga/icinga2/archive/v${PV}.tar.gz -> icinga2-${PV}.tar.gz"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="~amd64 ~x86"
+
+DEPEND=""
+RDEPEND="${DEPEND}"
+BDEPEND=""
+
+S="${WORKDIR}/icinga2-${PV}"
+
+PATCHES=(
+	${FILESDIR}/gentoonize.patch
+)
+
+src_compile() {
+	cd "${S}/tools/selinux"
+	for i in ${POLICY_TYPES}; do
+		make -f "${ROOT%/}/usr/share/selinux/${i}/include/Makefile"
+		mv icinga2.pp icinga2-${i}.pp
+	done
+}
+
+src_install() {
+	for i in ${POLICY_TYPES}; do
+		mkdir -p "${D}/usr/share/selinux/${i}"
+		mv "${S}/selinux/icinga2-${i}.pp" "${D}/usr/share/selinux/${i}/icinga2.pp"
+	done
+}
+
+
+pkg_postinst() {
+	for i in ${POLICY_TYPES}; do
+		cd "${ROOT%/}/usr/share/selinux/${i}"
+		semodule -s ${i} -i icinga2.pp
+	done
+}
+
+pkg_postrm() {
+	for i in ${POLICY_TYPES}; do
+		if semodule -s "${i}" -l | grep icinga2 >/dev/null 2>&1; then
+			semodule -s ${i} -r icinga2
+		fi
+	done
+}