2 ## <summary>policy for icinga2</summary>
4 ########################################
6 ## Execute icinga2 in the icinga2 domain.
8 ## <param name="domain">
10 ## Domain allowed to transition.
14 interface(`icinga2_domtrans',`
# The caller domain is passed as the first argument.
# NOTE(review): this listing skips some source lines, so the require
# wrapper around the type declaration and the closing quote are not shown.
16 type icinga2_t, icinga2_exec_t;
# Allow the caller to search the bin directories.
19 corecmd_search_bin($1)
# Executing a file labeled icinga2_exec_t moves the new process from the
# caller domain into icinga2_t.
20 domtrans_pattern($1, icinga2_exec_t, icinga2_t)
23 ########################################
25 ## Execute icinga2 server in the icinga2 domain.
27 ## <param name="domain">
29 ## Domain allowed access.
33 interface(`icinga2_initrc_domtrans',`
35 type icinga2_initrc_exec_t;
# Allow the caller to run the init script labeled icinga2_initrc_exec_t
# with a domain transition. The target domain is chosen inside the init
# module macro and is not visible in this file.
38 init_labeled_script_domtrans($1, icinga2_initrc_exec_t)
40 ########################################
42 ## Read icinga2's log files.
44 ## <param name="domain">
46 ## Domain allowed access.
51 interface(`icinga2_read_log',`
# NOTE(review): icinga2_log_t is used below but its type declaration is not
# among the lines shown in this listing - confirm the require block has it.
# Allow the caller to traverse the system log directories.
56 logging_search_logs($1)
# Read-only access to files labeled icinga2_log_t inside directories of the
# same type.
57 read_files_pattern($1, icinga2_log_t, icinga2_log_t)
60 ########################################
62 ## Append to icinga2 log files.
64 ## <param name="domain">
66 ## Domain allowed access.
70 interface(`icinga2_append_log',`
# NOTE(review): icinga2_log_t is used below but its type declaration is not
# among the lines shown in this listing - confirm the require block has it.
# Allow the caller to traverse the system log directories.
75 logging_search_logs($1)
# Append access to files labeled icinga2_log_t. Presumably this excludes
# rewriting or deleting existing entries, which makes it the narrower
# choice for domains that only need to add log lines - verify against the
# append_files_pattern definition.
76 append_files_pattern($1, icinga2_log_t, icinga2_log_t)
79 ########################################
81 ## Manage icinga2 log files
83 ## <param name="domain">
85 ## Domain allowed access.
89 interface(`icinga2_manage_log',`
# NOTE(review): icinga2_log_t is used below but its type declaration is not
# among the lines shown in this listing - confirm the require block has it.
# Allow the caller to traverse the system log directories.
94 logging_search_logs($1)
# Manage access covers directories, regular files and symbolic links
# labeled icinga2_log_t. A domain holding this can alter or remove the
# monitoring logs, so callers that only read or add entries should use the
# read or append interface instead.
95 manage_dirs_pattern($1, icinga2_log_t, icinga2_log_t)
96 manage_files_pattern($1, icinga2_log_t, icinga2_log_t)
97 manage_lnk_files_pattern($1, icinga2_log_t, icinga2_log_t)
100 ########################################
102 ## Search icinga2 lib directories.
104 ## <param name="domain">
106 ## Domain allowed access.
110 interface(`icinga2_search_lib',`
112 type icinga2_var_lib_t;
# Search only: the caller may traverse directories labeled
# icinga2_var_lib_t but gets no access to the files inside them.
115 allow $1 icinga2_var_lib_t:dir search_dir_perms;
# Allow the caller to traverse the parent var lib directories.
116 files_search_var_lib($1)
119 ########################################
121 ## Read icinga2 lib files.
123 ## <param name="domain">
125 ## Domain allowed access.
129 interface(`icinga2_read_lib_files',`
131 type icinga2_var_lib_t;
# Allow the caller to traverse the parent var lib directories.
134 files_search_var_lib($1)
# Read-only access to files labeled icinga2_var_lib_t inside directories of
# the same type.
135 read_files_pattern($1, icinga2_var_lib_t, icinga2_var_lib_t)
138 ########################################
140 ## Manage icinga2 lib files.
142 ## <param name="domain">
144 ## Domain allowed access.
148 interface(`icinga2_manage_lib_files',`
150 type icinga2_var_lib_t;
# Allow the caller to traverse the parent var lib directories.
153 files_search_var_lib($1)
# Manage access to regular files labeled icinga2_var_lib_t. This covers
# files only; directories are handled by icinga2_manage_lib_dirs.
154 manage_files_pattern($1, icinga2_var_lib_t, icinga2_var_lib_t)
157 ########################################
159 ## Manage icinga2 lib directories.
161 ## <param name="domain">
163 ## Domain allowed access.
167 interface(`icinga2_manage_lib_dirs',`
169 type icinga2_var_lib_t;
# Allow the caller to traverse the parent var lib directories.
172 files_search_var_lib($1)
# Manage access to directories labeled icinga2_var_lib_t. This covers
# directories only; files are handled by icinga2_manage_lib_files.
173 manage_dirs_pattern($1, icinga2_var_lib_t, icinga2_var_lib_t)
177 ########################################
179 ## All of the rules required to administrate
180 ## an icinga2 environment
182 ## <param name="domain">
184 ## Domain allowed access.
187 ## <param name="role">
189 ## Role allowed access.
194 interface(`icinga2_admin',`
# Bundles the access an administrator domain gets over icinga2: process
# control, running the init script, and administration of log and lib
# content. The first argument is the domain and the second is the role.
# NOTE(review): icinga2_t and icinga2_log_t are used below but their type
# declarations are not among the lines shown in this listing - confirm they
# are present in the require block.
197 type icinga2_initrc_exec_t;
199 type icinga2_var_lib_t;
# Allow the caller to signal icinga2 processes and to see them in process
# listings.
202 allow $1 icinga2_t:process { signal_perms };
203 ps_process_pattern($1, icinga2_t)
# The true branch is empty, so ptrace of icinga2_t is granted only while
# the deny_ptrace boolean is off. ptrace gives the caller control over the
# traced daemon, so this is the most sensitive grant in the interface.
205 tunable_policy(`deny_ptrace',`',`
206 allow $1 icinga2_t:process ptrace;
# Allow the caller to run the icinga2 init script, and have the given role
# transition to system_r when it executes a file labeled
# icinga2_initrc_exec_t. The exemption macro presumably lifts the
# constraint that would otherwise block that change - verify against the
# domain module.
209 icinga2_initrc_domtrans($1)
210 domain_system_change_exemption($1)
211 role_transition $2 icinga2_initrc_exec_t system_r;
# admin_pattern is applied to the log and lib types, which is broader than
# the read, append and manage interfaces in this file. Limit this interface
# to administrator domains.
214 logging_search_logs($1)
215 admin_pattern($1, icinga2_log_t)
217 files_search_var_lib($1)
218 admin_pattern($1, icinga2_var_lib_t)
# Access to the systemd password agent, presumably for prompts raised
# while managing the service - verify against the systemd module.
220 systemd_passwd_agent_exec($1)
221 systemd_read_fifo_file_passwd_run($1)
225 ########################################
227 ### Send icinga2 commands through pipe
229 ### <param name="domain">
231 ### Domain allowed to send commands.
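235 interface(`icinga2_send_commands',`
# Lets the caller domain submit commands to icinga2 by writing to FIFO
# files labeled icinga2_command_t. Whatever is written there is presumably
# acted on by the daemon, so grant this only to domains that are trusted to
# control monitoring.
# NOTE(review): icinga2_command_t is used below but only icinga2_var_run_t
# is declared in the lines shown in this listing - the require block must
# declare both types or the interface will not build for callers.
237 type icinga2_var_run_t;
# Allow the caller to traverse the pid directories and read files labeled
# icinga2_var_run_t.
240 files_search_pids($1)
241 read_files_pattern($1, icinga2_var_run_t, icinga2_var_run_t)
# Fixed: the directory type argument was misspelled icina2_command_t, a
# name that matches no type used elsewhere in this file. Both arguments
# are icinga2_command_t, matching the FIFO rule on the next line.
242 read_files_pattern($1, icinga2_command_t, icinga2_command_t)
243 write_fifo_files_pattern($1, icinga2_command_t, icinga2_command_t)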