Permalink
Cannot retrieve contributors at this time
Join GitHub today
GitHub is home to over 50 million developers working together to host and review code, manage projects, and build software together.
Sign up| policy_module(icinga2, 0.2.2) | |
| ######################################## | |
| # | |
| # Declarations | |
| # | |
| ## <desc> | |
| ## <p> | |
| ## Allow Icinga 2 to connect to all ports | |
| ## </p> | |
| ## </desc> | |
| gen_tunable(icinga2_can_connect_all, false) | |
| ## <desc> | |
| ## <p> | |
| ## Allow Apache to connect to Icinga 2 API | |
| ## </p> | |
| ## </desc> | |
| gen_tunable(httpd_can_connect_icinga2_api, true) | |
| ## <desc> | |
| ## <p> | |
| ## Allow Apache to write into Icinga 2 Commandpipe | |
| ## </p> | |
| ## </desc> | |
| gen_tunable(httpd_can_write_icinga2_command, true) | |
| ## <desc> | |
| ## <p> | |
| ## Allow Icinga 2 to run plugins via sudo | |
| ## </p> | |
| ## </desc> | |
| gen_tunable(icinga2_run_sudo, false) | |
| require { | |
| type nagios_admin_plugin_t; type nagios_admin_plugin_exec_t; | |
| type nagios_checkdisk_plugin_t; type nagios_checkdisk_plugin_exec_t; | |
| type nagios_mail_plugin_t; type nagios_mail_plugin_exec_t; | |
| type nagios_services_plugin_t; type nagios_services_plugin_exec_t; | |
| type nagios_system_plugin_t; type nagios_system_plugin_exec_t; | |
| type nagios_unconfined_plugin_t; type nagios_unconfined_plugin_exec_t; | |
| type nagios_eventhandler_plugin_t; type nagios_eventhandler_plugin_exec_t; | |
| type nagios_openshift_plugin_t; type nagios_openshift_plugin_exec_t; | |
| type httpd_t; type system_mail_t; | |
| type devlog_t; | |
| role staff_r; | |
| attribute unreserved_port_type; | |
| } | |
| type icinga2_t; | |
| type icinga2_exec_t; | |
| init_daemon_domain(icinga2_t, icinga2_exec_t) | |
| #permissive icinga2_t; | |
| type icinga2_initrc_exec_t; | |
| init_script_file(icinga2_initrc_exec_t) | |
| type icinga2_unit_file_t; | |
| systemd_unit_file(icinga2_unit_file_t) | |
| type icinga2_etc_t; | |
| files_config_file(icinga2_etc_t) | |
| type icinga2_log_t; | |
| logging_log_file(icinga2_log_t) | |
| type icinga2_var_lib_t; | |
| files_type(icinga2_var_lib_t) | |
| type icinga2_var_run_t; | |
| files_pid_file(icinga2_var_run_t) | |
| type icinga2_command_t; | |
| files_type(icinga2_command_t) | |
| type icinga2_spool_t; | |
| files_type(icinga2_spool_t) | |
| type icinga2_cache_t; | |
| files_type(icinga2_cache_t) | |
| type icinga2_tmp_t; | |
| files_tmp_file(icinga2_tmp_t) | |
| type icinga2_port_t; | |
| # There is no interface for unreserved_port_type | |
| typeattribute icinga2_port_t unreserved_port_type; | |
| corenet_port(icinga2_port_t) | |
| ######################################## | |
| # | |
| # icinga2 local policy | |
| # | |
| allow icinga2_t self:capability { setgid setuid sys_resource kill }; | |
| allow icinga2_t self:process { setsched signal setrlimit }; | |
| allow icinga2_t self:fifo_file rw_fifo_file_perms; | |
| allow icinga2_t self:unix_dgram_socket create_socket_perms; | |
| allow icinga2_t self:unix_stream_socket create_stream_socket_perms; | |
| allow icinga2_t icinga2_exec_t:file execute_no_trans; | |
| list_dirs_pattern(icinga2_t, icinga2_etc_t, icinga2_etc_t) | |
| read_files_pattern(icinga2_t, icinga2_etc_t, icinga2_etc_t) | |
| read_lnk_files_pattern(icinga2_t, icinga2_etc_t, icinga2_etc_t) | |
| manage_dirs_pattern(icinga2_t, icinga2_log_t, icinga2_log_t) | |
| manage_files_pattern(icinga2_t, icinga2_log_t, icinga2_log_t) | |
| manage_lnk_files_pattern(icinga2_t, icinga2_log_t, icinga2_log_t) | |
| logging_log_filetrans(icinga2_t, icinga2_log_t, { dir file lnk_file }) | |
| manage_dirs_pattern(icinga2_t, icinga2_var_lib_t, icinga2_var_lib_t) | |
| manage_files_pattern(icinga2_t, icinga2_var_lib_t, icinga2_var_lib_t) | |
| manage_lnk_files_pattern(icinga2_t, icinga2_var_lib_t, icinga2_var_lib_t) | |
| files_var_lib_filetrans(icinga2_t, icinga2_var_lib_t, { dir file lnk_file }) | |
| manage_dirs_pattern(icinga2_t, icinga2_var_run_t, icinga2_var_run_t) | |
| manage_files_pattern(icinga2_t, icinga2_var_run_t, icinga2_var_run_t) | |
| files_pid_filetrans(icinga2_t, icinga2_var_run_t, { dir file }) | |
| manage_dirs_pattern(icinga2_t, icinga2_command_t, icinga2_command_t) | |
| manage_files_pattern(icinga2_t, icinga2_command_t, icinga2_command_t) | |
| manage_fifo_files_pattern(icinga2_t, icinga2_command_t, icinga2_command_t) | |
| manage_dirs_pattern(icinga2_t, icinga2_spool_t, icinga2_spool_t) | |
| manage_files_pattern(icinga2_t, icinga2_spool_t, icinga2_spool_t) | |
| files_spool_filetrans(icinga2_t, icinga2_spool_t, { dir file }) | |
| manage_dirs_pattern(icinga2_t, icinga2_cache_t, icinga2_cache_t) | |
| manage_files_pattern(icinga2_t, icinga2_cache_t, icinga2_cache_t) | |
| manage_files_pattern(icinga2_t, icinga2_tmp_t, icinga2_tmp_t) | |
| manage_dirs_pattern(icinga2_t, icinga2_tmp_t, icinga2_tmp_t) | |
| files_tmp_filetrans(icinga2_t, icinga2_tmp_t, { dir file }) | |
| domain_use_interactive_fds(icinga2_t) | |
| files_read_etc_files(icinga2_t) | |
| auth_use_nsswitch(icinga2_t) | |
| miscfiles_read_localization(icinga2_t) | |
| corecmd_exec_shell(icinga2_t) | |
| corecmd_exec_bin(icinga2_t) | |
| kernel_read_system_state(icinga2_t) | |
| kernel_read_network_state(icinga2_t) | |
| kernel_dgram_send(icinga2_t) | |
| # should be moved to nagios_plugin_template in nagios.if | |
| icinga2_execstrans(nagios_admin_plugin_exec_t, nagios_admin_plugin_t) | |
| icinga2_execstrans(nagios_checkdisk_plugin_exec_t, nagios_checkdisk_plugin_t) | |
| icinga2_execstrans(nagios_mail_plugin_exec_t, nagios_mail_plugin_t) | |
| icinga2_execstrans(nagios_services_plugin_exec_t, nagios_services_plugin_t) | |
| icinga2_execstrans(nagios_system_plugin_exec_t, nagios_system_plugin_t) | |
| icinga2_execstrans(nagios_unconfined_plugin_exec_t, nagios_unconfined_plugin_t) | |
| icinga2_execstrans(nagios_eventhandler_plugin_exec_t, nagios_eventhandler_plugin_t) | |
| icinga2_execstrans(nagios_openshift_plugin_exec_t, nagios_openshift_plugin_t) | |
| # should be moved nagios.te | |
| nagios_plugin_template(notification) | |
| icinga2_execstrans(nagios_notification_plugin_exec_t, nagios_notification_plugin_t) | |
| allow nagios_notification_plugin_t icinga2_etc_t:dir search; | |
| allow nagios_notification_plugin_t nagios_notification_plugin_exec_t:dir search; | |
| #permissive nagios_notification_plugin_t; | |
| corecmd_exec_bin(nagios_notification_plugin_t) | |
| hostname_exec(nagios_notification_plugin_t) | |
| type nagios_notification_plugin_tmp_t; | |
| files_tmp_file(nagios_notification_plugin_tmp_t) | |
| manage_files_pattern(nagios_notification_plugin_t, nagios_notification_plugin_tmp_t, nagios_notification_plugin_tmp_t) | |
| manage_dirs_pattern(nagios_notification_plugin_t, nagios_notification_plugin_tmp_t, nagios_notification_plugin_tmp_t) | |
| files_tmp_filetrans(nagios_notification_plugin_t, nagios_notification_plugin_tmp_t, { dir file }) | |
| fs_dontaudit_getattr_xattr_fs(nagios_notification_plugin_t) | |
| optional_policy(` | |
| mta_send_mail(nagios_notification_plugin_t) | |
| ') | |
| icinga2_dontaudit_leaks_fifo(system_mail_t) | |
| # direct smtp notification | |
| corenet_tcp_connect_smtp_port(nagios_notification_plugin_t) | |
| # hipsaint notification | |
| auth_read_passwd(nagios_notification_plugin_t) | |
| sysnet_read_config(nagios_notification_plugin_t) | |
| allow nagios_notification_plugin_t self:udp_socket create_stream_socket_perms; | |
| allow nagios_notification_plugin_t self:tcp_socket create_stream_socket_perms; | |
| allow nagios_notification_plugin_t self:netlink_route_socket create_netlink_socket_perms; | |
| corenet_tcp_connect_http_port(nagios_notification_plugin_t) | |
| miscfiles_read_generic_certs(nagios_notification_plugin_t) | |
| allow icinga2_t icinga2_port_t:tcp_socket name_bind; | |
| allow icinga2_t self:tcp_socket create_stream_socket_perms; | |
| corenet_tcp_connect_icinga2_port(icinga2_t) | |
| mysql_stream_connect(icinga2_t) | |
| mysql_tcp_connect(icinga2_t) | |
| postgresql_stream_connect(icinga2_t) | |
| postgresql_tcp_connect(icinga2_t) | |
| # graphite is using port 2003 which is lmtp_port_t | |
| corenet_tcp_connect_lmtp_port(icinga2_t) | |
| # This is for other feature that do not use a confined port | |
| # or if you run one one with a non standard port. | |
| tunable_policy(`icinga2_can_connect_all',` | |
| corenet_tcp_connect_all_ports(icinga2_t) | |
| ') | |
| # This is for plugins requiring to be executed via sudo | |
| tunable_policy(`icinga2_run_sudo',` | |
| allow icinga2_t self:capability { audit_write net_admin }; | |
| allow icinga2_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay }; | |
| allow icinga2_t devlog_t:sock_file write; | |
| init_read_utmp(icinga2_t) | |
| auth_domtrans_chkpwd(icinga2_t) | |
| allow icinga2_t chkpwd_t:process { noatsecure rlimitinh siginh }; | |
| selinux_compute_access_vector(icinga2_t) | |
| dbus_send_system_bus(icinga2_t) | |
| dbus_stream_connect_system_dbusd(icinga2_t) | |
| systemd_dbus_chat_logind(icinga2_t) | |
| # Without this it works but is very slow | |
| systemd_write_inherited_logind_sessions_pipes(icinga2_t) | |
| ') | |
| optional_policy(` | |
| tunable_policy(`icinga2_run_sudo',` | |
| sudo_exec(icinga2_t) | |
| ') | |
| ') | |
| ######################################## | |
| # | |
| # Icinga Webinterfaces | |
| # | |
| optional_policy(` | |
| # should be a boolean in apache-policy | |
| tunable_policy(`httpd_can_write_icinga2_command',` | |
| icinga2_send_commands(httpd_t) | |
| ') | |
| ') | |
| optional_policy(` | |
| # should be a boolean in apache-policy | |
| tunable_policy(`httpd_can_connect_icinga2_api',` | |
| corenet_tcp_connect_icinga2_port(httpd_t) | |
| ') | |
| ') | |
| ######################################## | |
| # | |
| # Icinga2 Admin Role | |
| # | |
| userdom_unpriv_user_template(icinga2adm) | |
| icinga2_admin(icinga2adm_t, icinga2adm_r) | |
| allow icinga2adm_t self:capability { dac_read_search dac_override }; | |
| # should be moved to staff.te | |
| icinga2adm_role_change(staff_r) | |
| # should be moved to nagios_plugin_template in nagios.if | |
| icinga2adm_execstrans(nagios_admin_plugin_exec_t, nagios_admin_plugin_t) | |
| icinga2adm_execstrans(nagios_checkdisk_plugin_exec_t, nagios_checkdisk_plugin_t) | |
| icinga2adm_execstrans(nagios_mail_plugin_exec_t, nagios_mail_plugin_t) | |
| icinga2adm_execstrans(nagios_services_plugin_exec_t, nagios_services_plugin_t) | |
| icinga2adm_execstrans(nagios_system_plugin_exec_t, nagios_system_plugin_t) | |
| icinga2adm_execstrans(nagios_unconfined_plugin_exec_t, nagios_unconfined_plugin_t) | |
| icinga2adm_execstrans(nagios_eventhandler_plugin_exec_t, nagios_eventhandler_plugin_t) | |
| icinga2adm_execstrans(nagios_openshift_plugin_exec_t, nagios_openshift_plugin_t) | |
| icinga2adm_execstrans(nagios_notification_plugin_exec_t, nagios_notification_plugin_t) |