--- icinga2-2.11.3/tools/selinux/icinga2.te.orig 2020-05-23 16:55:59.329080781 +0200
|
|
+++ icinga2-2.11.3/tools/selinux/icinga2.te 2020-05-23 17:05:18.181127417 +0200
|
|
@@ -41,13 +41,19 @@
|
|
type nagios_system_plugin_t; type nagios_system_plugin_exec_t;
|
|
type nagios_unconfined_plugin_t; type nagios_unconfined_plugin_exec_t;
|
|
type nagios_eventhandler_plugin_t; type nagios_eventhandler_plugin_exec_t;
|
|
- type nagios_openshift_plugin_t; type nagios_openshift_plugin_exec_t;
|
|
type httpd_t; type system_mail_t;
|
|
type devlog_t;
|
|
+ type sysadm_t;
|
|
+ type run_init_t;
|
|
+ type tmpfiles_t;
|
|
+ type var_t;
|
|
+ role sysadm_r;
|
|
role staff_r;
|
|
attribute unreserved_port_type;
|
|
}
|
|
|
|
+role icinga2adm_r;
|
|
+
|
|
type icinga2_t;
|
|
type icinga2_exec_t;
|
|
init_daemon_domain(icinga2_t, icinga2_exec_t)
|
|
@@ -58,7 +64,12 @@
|
|
init_script_file(icinga2_initrc_exec_t)
|
|
|
|
type icinga2_unit_file_t;
|
|
-systemd_unit_file(icinga2_unit_file_t)
|
|
+ifndef(`distro_gentoo', `
|
|
+ systemd_unit_file(icinga2_unit_file_t)
|
|
+')
|
|
+ifdef(`distro_gentoo', `
|
|
+ init_script_file(icinga2_unit_file_t)
|
|
+')
|
|
|
|
type icinga2_etc_t;
|
|
files_config_file(icinga2_etc_t)
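Review bot: The `ifndef`/`ifdef` pair on `distro_gentoo` is a single m4 conditional with an else branch, so `ifdef(`distro_gentoo', `init_script_file(icinga2_unit_file_t)', `systemd_unit_file(icinga2_unit_file_t)')` expresses it in one statement and keeps the two branches from drifting apart. The Gentoo branch also makes the unit-file type an init-script entrypoint type rather than a unit file, which is broader than what the non-Gentoo branch grants; if the only goal is to keep the module building without the systemd module, a comment such as `# distro_gentoo: no systemd module, treat unit files as init scripts` would tell the next reader why.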
|
|
@@ -89,6 +100,14 @@
|
|
typeattribute icinga2_port_t unreserved_port_type;
|
|
corenet_port(icinga2_port_t)
|
|
|
|
+corenet_tcp_bind_generic_node(icinga2_t)
|
|
+init_startstop_service(sysadm_t, sysadm_r, icinga2_t, icinga2_initrc_exec_t)
|
|
+domain_auto_transition_pattern(run_init_t, icinga2_exec_t, icinga2_t)
|
|
+manage_dirs_pattern(tmpfiles_t, var_t, icinga2_cache_t)
|
|
+manage_files_pattern(initrc_t, icinga2_log_t, icinga2_log_t)
|
|
+logging_send_syslog_msg(icinga2_t)
|
|
+dev_read_urand(icinga2_t)
|
|
+
|
|
########################################
|
|
#
|
|
# icinga2 local policy
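Review bot: `manage_files_pattern(initrc_t, icinga2_log_t, icinga2_log_t)` references `initrc_t` directly, but the `require` block extended in the first hunk adds `sysadm_t`, `run_init_t`, `tmpfiles_t` and `var_t` and not `initrc_t`; unless it is already required further up the file (outside the hunk), the module will not build, so add `type initrc_t;` there. More generally these lines grant other domains access via raw types (`run_init_t`, `tmpfiles_t`, `initrc_t`) where refpolicy convention is to go through the owning module's interfaces, and `init_startstop_service(sysadm_t, sysadm_r, ...)` hard-wires the admin role into the base policy instead of leaving it to an `icinga2_admin` caller. If these rules are only needed on Gentoo, guarding them with `ifdef(`distro_gentoo', ...)` like the rest of the patch keeps them from landing on other distributions.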
|
|
@@ -155,7 +174,12 @@
|
|
icinga2_execstrans(nagios_system_plugin_exec_t, nagios_system_plugin_t)
|
|
icinga2_execstrans(nagios_unconfined_plugin_exec_t, nagios_unconfined_plugin_t)
|
|
icinga2_execstrans(nagios_eventhandler_plugin_exec_t, nagios_eventhandler_plugin_t)
|
|
-icinga2_execstrans(nagios_openshift_plugin_exec_t, nagios_openshift_plugin_t)
|
|
+optional_policy(`
|
|
+ gen_require(`
|
|
+ type nagios_openshift_plugin_t; type nagios_openshift_plugin_exec_t;
|
|
+ ')
|
|
+ icinga2_execstrans(nagios_openshift_plugin_exec_t, nagios_openshift_plugin_t)
|
|
+')
|
|
|
|
# should be moved nagios.te
|
|
nagios_plugin_template(notification)
|
|
@@ -176,7 +200,9 @@
|
|
')
|
|
icinga2_dontaudit_leaks_fifo(system_mail_t)
|
|
# hipsaint notification
|
|
-auth_read_passwd(nagios_notification_plugin_t)
|
|
+ifndef(`distro_gentoo', `
|
|
+ auth_read_passwd(nagios_notification_plugin_t)
|
|
+')
|
|
sysnet_read_config(nagios_notification_plugin_t)
|
|
allow nagios_notification_plugin_t self:udp_socket create_stream_socket_perms;
|
|
allow nagios_notification_plugin_t self:tcp_socket create_stream_socket_perms;
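Review bot: The Gentoo exclusion of `auth_read_passwd(nagios_notification_plugin_t)` carries no rationale, and the `# hipsaint notification` comment above it now describes only the non-Gentoo branch. Add a one-line reason beside the guard, e.g. `# distro_gentoo: <why passwd access is not needed here>`, so a later maintainer does not re-add it as a "missing" permission the first time a notification plugin produces an AVC denial.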
|
|
@@ -216,16 +242,13 @@
|
|
selinux_compute_access_vector(icinga2_t)
|
|
|
|
dbus_send_system_bus(icinga2_t)
|
|
- dbus_stream_connect_system_dbusd(icinga2_t)
|
|
systemd_dbus_chat_logind(icinga2_t)
|
|
# Without this it works but is very slow
|
|
systemd_write_inherited_logind_sessions_pipes(icinga2_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
- tunable_policy(`icinga2_run_sudo',`
|
|
- sudo_exec(icinga2_t)
|
|
- ')
|
|
+ tunable_policy(`icinga2_run_sudo')
|
|
')
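Review bot: `tunable_policy(`icinga2_run_sudo')` now carries no rules, so enabling the `icinga2_run_sudo` boolean does nothing while the tunable is presumably still declared with `gen_tunable` elsewhere in the file (outside this hunk). Either drop the whole `optional_policy` block together with the tunable's declaration, or, if `sudo_exec` was removed because it is unavailable on Gentoo, keep `sudo_exec(icinga2_t)` inside the tunable under an `ifndef(`distro_gentoo', ...)` guard as the other hunks do. An `optional_policy` whose body has no requirements is itself a no-op and only misleads readers into thinking something is conditional here.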
|
|
|
|
|
|
@@ -271,5 +294,10 @@
|
|
icinga2adm_execstrans(nagios_system_plugin_exec_t, nagios_system_plugin_t)
|
|
icinga2adm_execstrans(nagios_unconfined_plugin_exec_t, nagios_unconfined_plugin_t)
|
|
icinga2adm_execstrans(nagios_eventhandler_plugin_exec_t, nagios_eventhandler_plugin_t)
|
|
-icinga2adm_execstrans(nagios_openshift_plugin_exec_t, nagios_openshift_plugin_t)
|
|
+optional_policy(`
|
|
+ gen_require(`
|
|
+ type nagios_openshift_plugin_t; type nagios_openshift_plugin_exec_t;
|
|
+ ')
|
|
+ icinga2adm_execstrans(nagios_openshift_plugin_exec_t, nagios_openshift_plugin_t)
|
|
+')
|
|
icinga2adm_execstrans(nagios_notification_plugin_exec_t, nagios_notification_plugin_t)
|
|
--- icinga2-2.11.3/tools/selinux/icinga2.if.orig 2020-05-23 16:56:10.481081712 +0200
|
|
+++ icinga2-2.11.3/tools/selinux/icinga2.if 2020-05-23 16:56:31.862083496 +0200
|
|
@@ -54,9 +54,11 @@
|
|
type icinga2_unit_file_t;
|
|
')
|
|
|
|
- systemd_exec_systemctl($1)
|
|
+ ifndef(`distro_gentoo', `
|
|
+ systemd_exec_systemctl($1)
|
|
+ allow $1 icinga2_unit_file_t:service manage_service_perms;
|
|
+ ')
|
|
allow $1 icinga2_unit_file_t:file read_file_perms;
|
|
- allow $1 icinga2_unit_file_t:service manage_service_perms;
|
|
|
|
ps_process_pattern($1, icinga2_t)
|
|
init_dbus_chat($1)
|
|
@@ -289,7 +291,7 @@
|
|
allow $1 icinga2_t:process { signal_perms };
|
|
ps_process_pattern($1, icinga2_t)
|
|
|
|
- tunable_policy(`deny_ptrace',`',`
|
|
+ tunable_policy(`allow_ptrace',`
|
|
allow $1 icinga2_t:process ptrace;
|
|
')
|
|
|
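Review bot: Switching the ptrace gate from `deny_ptrace` to `allow_ptrace` ties this interface to a base policy that declares `allow_ptrace`; a tunable referenced from a module has to exist in the base policy, so on a policy that ships only `deny_ptrace` (where the old form came from) the module will no longer load. Since the rest of the patch is conditional on `distro_gentoo`, consider keeping both forms under `ifdef(`distro_gentoo', ...)`, or state in a comment that the module now targets refpolicy tunables only. Either way the default stays deny-by-default, which is the right direction. The interface enclosing this hunk starts and ends outside it.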
|
@@ -314,11 +316,13 @@
|
|
|
|
icinga2_systemctl($1)
|
|
admin_pattern($1, icinga2_unit_file_t)
|
|
- allow $1 icinga2_unit_file_t:service all_service_perms;
|
|
|
|
- optional_policy(`
|
|
+ ifndef(`distro_gentoo', `
|
|
+ allow $1 icinga2_unit_file_t:service all_service_perms;
|
|
+ optional_policy(`
|
|
systemd_passwd_agent_exec($1)
|
|
systemd_read_fifo_file_passwd_run($1)
|
|
+ ')
|
|
')
|
|
')
|
|
|
|
--- icinga2-2.11.3/tools/selinux/icinga2.fc.orig 2020-05-23 17:19:17.224197435 +0200
|
|
+++ icinga2-2.11.3/tools/selinux/icinga2.fc 2020-05-23 17:20:00.709201064 +0200
|
|
@@ -3,6 +3,7 @@
|
|
/usr/lib/systemd/system/icinga2.* -- gen_context(system_u:object_r:icinga2_unit_file_t,s0)
|
|
|
|
/etc/icinga2(/.*)? gen_context(system_u:object_r:icinga2_etc_t,s0)
|
|
+/usr/share/icinga2/inc(lude)(/.*)? gen_context(system_u:object_r:icinga2_etc_t,s0)
|
|
|
|
/etc/icinga2/scripts(/.*)? -- gen_context(system_u:object_r:nagios_notification_plugin_exec_t,s0)
|
|
|
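Review bot: The pattern `/usr/share/icinga2/inc(lude)(/.*)?` uses a mandatory group, so it matches only `/usr/share/icinga2/include...` and the parentheses do nothing. If only the include directory is meant, write `/usr/share/icinga2/include(/.*)? gen_context(system_u:object_r:icinga2_etc_t,s0)`; if a short `inc` directory should also be covered, the group needs a quantifier (`inc(lude)?`). Labelling the shipped include tree as `icinga2_etc_t` gives it the same label as the editable `/etc/icinga2` tree; if that is intended because the daemon loads these files as configuration, a short comment saying so would help.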