Selinux: added role and some required changes
1 policy_module(icinga2, 0.1.2)
2
# icinga2.te -- SELinux type-enforcement policy for the Icinga 2 daemon.
#
# Declares the daemon domain (icinga2_t) with its file and port types, grants the
# daemon its local rules, hooks it into the existing nagios plugin domains, and
# defines an icinga2adm administrator role.  Every icinga2_* / icinga2adm_*
# interface called below is expected to live in this module's .if file, which is
# not part of this listing; their exact rule bodies should be checked there.
3 ########################################
4 #
5 # Declarations
6 #
7
# Types and the role borrowed from other modules (nagios, apache, mta, staff).
# This require block is global, so the module only loads when every one of these
# exists in the policy store -- even for types whose use further down is wrapped
# in optional_policy().
8 require {
9         type nagios_admin_plugin_t; type nagios_admin_plugin_exec_t;
10         type nagios_checkdisk_plugin_t; type nagios_checkdisk_plugin_exec_t;
11         type nagios_mail_plugin_t; type nagios_mail_plugin_exec_t;
12         type nagios_services_plugin_t; type nagios_services_plugin_exec_t;
13         type nagios_system_plugin_t; type nagios_system_plugin_exec_t;
14         type nagios_unconfined_plugin_t; type nagios_unconfined_plugin_exec_t;
15         type nagios_eventhandler_plugin_t; type nagios_eventhandler_plugin_exec_t;
16         type nagios_openshift_plugin_t; type nagios_openshift_plugin_exec_t;
17         type httpd_t; type system_mail_t;
18         role staff_r;
19 }
20
# Daemon domain: processes started by init from an icinga2_exec_t binary run as
# icinga2_t.
21 type icinga2_t;
22 type icinga2_exec_t;
23 init_daemon_domain(icinga2_t, icinga2_exec_t)
24
# NOTE(review): the daemon domain is declared permissive, so denials for
# icinga2_t are only logged, never enforced -- as shipped, this policy does not
# actually confine the daemon.  Presumably a development aid while the allow
# rules below are completed; remove it once they are confirmed sufficient.
25 permissive icinga2_t;
26
# SysV init script and systemd unit file labels.
27 type icinga2_initrc_exec_t;
28 init_script_file(icinga2_initrc_exec_t)
29
30 type icinga2_unit_file_t;
31 systemd_unit_file(icinga2_unit_file_t)
32
# Configuration files; the daemon only gets read access to these (see below).
33 type icinga2_etc_t;
34 files_config_file(icinga2_etc_t)
35
# Log files.
36 type icinga2_log_t;
37 logging_log_file(icinga2_log_t)
38
# Persistent state; files_var_lib_filetrans() below places new objects of this
# type under the var_lib hierarchy.
39 type icinga2_var_lib_t;
40 files_type(icinga2_var_lib_t)
41
# PID and other runtime files.
42 type icinga2_var_run_t;
43 files_pid_file(icinga2_var_run_t)
44
# External command interface (dirs, files and fifos are managed below).
# Presumably what icinga2_send_commands() grants other domains access to --
# confirm against icinga2.if.
45 type icinga2_command_t;
46 files_type(icinga2_command_t)
47
# Spool, cache and temporary files.
48 type icinga2_spool_t;
49 files_type(icinga2_spool_t)
50
51 type icinga2_cache_t;
52 files_type(icinga2_cache_t)
53
54 type icinga2_tmp_t;
55 files_tmp_file(icinga2_tmp_t)
56
# TCP port type the daemon may bind to (name_bind rule below).  The port number
# itself is not assigned in this file; it has to be mapped to icinga2_port_t
# outside the module (e.g. with semanage port).
57 type icinga2_port_t;
58 corenet_port(icinga2_port_t)
59
60 ########################################
61 #
62 # icinga2 local policy
63 #
# Self permissions: setuid/setgid for the uid/gid switch, sys_resource together
# with setrlimit for raising resource limits, plus scheduling, signalling and
# the daemon's own pipes and unix sockets.
64 allow icinga2_t self:capability { setgid setuid sys_resource };
65 allow icinga2_t self:process { setsched signal setrlimit };
66 allow icinga2_t self:fifo_file rw_fifo_file_perms;
67 allow icinga2_t self:unix_stream_socket create_stream_socket_perms;
68
# Configuration is read-only: list directories, read files, follow symlinks.
69 list_dirs_pattern(icinga2_t, icinga2_etc_t, icinga2_etc_t)
70 read_files_pattern(icinga2_t, icinga2_etc_t, icinga2_etc_t)
71 read_lnk_files_pattern(icinga2_t, icinga2_etc_t, icinga2_etc_t)
72
# Logs, var_lib state, pid files, command interface, spool, cache and tmp are
# fully managed by the daemon.  The *_filetrans() calls make objects the daemon
# creates in the generic parent directories get the icinga2 label automatically
# instead of inheriting the parent's type.
73 manage_dirs_pattern(icinga2_t, icinga2_log_t, icinga2_log_t)
74 manage_files_pattern(icinga2_t, icinga2_log_t, icinga2_log_t)
75 manage_lnk_files_pattern(icinga2_t, icinga2_log_t, icinga2_log_t)
76 logging_log_filetrans(icinga2_t, icinga2_log_t, { dir file lnk_file })
77
78 manage_dirs_pattern(icinga2_t, icinga2_var_lib_t, icinga2_var_lib_t)
79 manage_files_pattern(icinga2_t, icinga2_var_lib_t, icinga2_var_lib_t)
80 manage_lnk_files_pattern(icinga2_t, icinga2_var_lib_t, icinga2_var_lib_t)
81 files_var_lib_filetrans(icinga2_t, icinga2_var_lib_t, { dir file lnk_file })
82
83 manage_dirs_pattern(icinga2_t, icinga2_var_run_t, icinga2_var_run_t)
84 manage_files_pattern(icinga2_t, icinga2_var_run_t, icinga2_var_run_t)
85 files_pid_filetrans(icinga2_t, icinga2_var_run_t, { dir file })
86
87 manage_dirs_pattern(icinga2_t, icinga2_command_t, icinga2_command_t)
88 manage_files_pattern(icinga2_t, icinga2_command_t, icinga2_command_t)
89 manage_fifo_files_pattern(icinga2_t, icinga2_command_t, icinga2_command_t)
90
91 manage_dirs_pattern(icinga2_t, icinga2_spool_t, icinga2_spool_t)
92 manage_files_pattern(icinga2_t, icinga2_spool_t, icinga2_spool_t)
93 files_spool_filetrans(icinga2_t, icinga2_spool_t, { dir file })
94
95 manage_dirs_pattern(icinga2_t, icinga2_cache_t, icinga2_cache_t)
96 manage_files_pattern(icinga2_t, icinga2_cache_t, icinga2_cache_t)
97
98 manage_files_pattern(icinga2_t, icinga2_tmp_t, icinga2_tmp_t)
99 manage_dirs_pattern(icinga2_t, icinga2_tmp_t, icinga2_tmp_t)
100 files_tmp_filetrans(icinga2_t, icinga2_tmp_t, { dir file })
101
# Generic daemon needs: fds inherited from init, system /etc files, name/user
# lookups through NSS, locale data, and the shell.
102 domain_use_interactive_fds(icinga2_t)
103
104 files_read_etc_files(icinga2_t)
105
106 auth_use_nsswitch(icinga2_t)
107
108 miscfiles_read_localization(icinga2_t)
109
110 corecmd_check_exec_shell(icinga2_t)
111
# Domain transitions out of icinga2_t into the existing nagios plugin domains
# when the matching *_exec_t binary is run (icinga2_execstrans is in icinga2.if).
# NOTE(review): the nagios_unconfined_plugin_t entry means any check labelled
# nagios_unconfined_plugin_exec_t runs in what is, by name, an unconfined
# domain; keep that file labelling tight.
112 # TODO: should be moved into nagios_plugin_template() in nagios.if
113 icinga2_execstrans(nagios_admin_plugin_exec_t, nagios_admin_plugin_t)
114 icinga2_execstrans(nagios_checkdisk_plugin_exec_t, nagios_checkdisk_plugin_t)
115 icinga2_execstrans(nagios_mail_plugin_exec_t, nagios_mail_plugin_t)
116 icinga2_execstrans(nagios_services_plugin_exec_t, nagios_services_plugin_t)
117 icinga2_execstrans(nagios_system_plugin_exec_t, nagios_system_plugin_t)
118 icinga2_execstrans(nagios_unconfined_plugin_exec_t, nagios_unconfined_plugin_t)
119 icinga2_execstrans(nagios_eventhandler_plugin_exec_t, nagios_eventhandler_plugin_t)
120 icinga2_execstrans(nagios_openshift_plugin_exec_t, nagios_openshift_plugin_t)
121
# Notification plugin domain.  nagios_plugin_template(notification) creates
# nagios_notification_plugin_t / nagios_notification_plugin_exec_t; the rules
# after it add what notification scripts need: searching their own exec dir,
# running binaries, a private tmp type, and (when the mta module is present)
# sending mail.
122 # TODO: should be moved to nagios.te
123 nagios_plugin_template(notification)
124 icinga2_execstrans(nagios_notification_plugin_exec_t, nagios_notification_plugin_t)
125 allow nagios_notification_plugin_t nagios_notification_plugin_exec_t:dir search;
# Left commented out: unlike icinga2_t, this domain is enforced.
126 #permissive nagios_notification_plugin_t;
127 corecmd_exec_bin(nagios_notification_plugin_t)
128 type nagios_notification_plugin_tmp_t;
129 files_tmp_file(nagios_notification_plugin_tmp_t)
130 manage_files_pattern(nagios_notification_plugin_t, nagios_notification_plugin_tmp_t, nagios_notification_plugin_tmp_t)
131 manage_dirs_pattern(nagios_notification_plugin_t, nagios_notification_plugin_tmp_t, nagios_notification_plugin_tmp_t)
132 files_tmp_filetrans(nagios_notification_plugin_t, nagios_notification_plugin_tmp_t, { dir file })
# dontaudit only silences audit noise; it grants no access.
133 auth_dontaudit_read_passwd(nagios_notification_plugin_t)
134 fs_dontaudit_getattr_xattr_fs(nagios_notification_plugin_t)
135 optional_policy(`
136         mta_send_mail(nagios_notification_plugin_t)
137 ')
# Presumably silences denials for fifos the mailer (system_mail_t) inherits from
# the notification plugin -- interface body is in icinga2.if, confirm there.
138 icinga2_dontaudit_leaks_fifo(system_mail_t)
139
# Network: listen on the daemon's own port type, plus outbound connections to
# the IDO database backends.
140 allow icinga2_t icinga2_port_t:tcp_socket name_bind;
141 allow icinga2_t self:tcp_socket create_stream_socket_perms;
142
# NOTE(review): these database interfaces are called unconditionally; wrapping
# each pair in optional_policy(`...') would let the module load on systems
# without the mysql or postgresql policy modules.
143 mysql_stream_connect(icinga2_t)
144 mysql_tcp_connect(icinga2_t)
145 postgresql_stream_connect(icinga2_t)
146 postgresql_tcp_connect(icinga2_t)
147
148 # Graphite uses port 2003, which the base policy labels lmtp_port_t, so the
# LMTP port interface is reused here.
149 corenet_tcp_connect_lmtp_port(icinga2_t)
150
151 ########################################
152 #
153 # Icinga Webinterfaces
154 #
155
# Lets the web server submit commands to the daemon.  Because httpd_t sits in
# the global require block above, this optional_policy() wrapper does not on its
# own make the apache module optional at load time -- TODO confirm.
156 optional_policy(`
157         # TODO: should be gated by a boolean in the apache policy
158         icinga2_send_commands(httpd_t)
159 ')
160
161 ########################################
162 #
163 # Icinga2 Admin Role
164 #
165
# Creates the icinga2adm_t user domain and icinga2adm_r role from the
# unprivileged-user template, then grants them the admin interface from
# icinga2.if.
166 userdom_unpriv_user_template(icinga2adm)
167
168 icinga2_admin(icinga2adm_t, icinga2adm_r)
169
# NOTE(review): dac_override lets this user domain bypass DAC mode/ownership
# checks entirely; dac_read_search is the narrower read/search-only form.
# Confirm both are really needed for the admin workflow.
170 allow icinga2adm_t self:capability { dac_read_search dac_override };
171
# Presumably allows staff_r to change into icinga2adm_r (defined in icinga2.if).
172 # TODO: should be moved to staff.te
173 icinga2adm_role_change(staff_r)
174
172 # should be moved to staff.te
173 icinga2adm_role_change(staff_r)
174