# SELinux type-enforcement policy for the icinga2 daemon.
# Declares the daemon domain (icinga2_t), the file/port types it owns,
# and the access it and its notification plugins are granted.
policy_module(icinga2, 0.1.2)

########################################
#
# Declarations
#

# Types owned by other modules (nagios, apache, mta) that this policy
# references; they must exist in the loaded policy for this module to link.
require {
        type nagios_admin_plugin_t; type nagios_admin_plugin_exec_t;
        type nagios_checkdisk_plugin_t; type nagios_checkdisk_plugin_exec_t;
        type nagios_mail_plugin_t; type nagios_mail_plugin_exec_t;
        type nagios_services_plugin_t; type nagios_services_plugin_exec_t;
        type nagios_system_plugin_t; type nagios_system_plugin_exec_t;
        type httpd_t; type system_mail_t;
}

# icinga2_t is the daemon's process domain; init enters it by executing a
# file labelled icinga2_exec_t.
type icinga2_t;
type icinga2_exec_t;
init_daemon_domain(icinga2_t, icinga2_exec_t)

# NOTE(review): the daemon domain is permissive. SELinux only logs (AVC
# denials) and does not block access for icinga2_t, so none of the allow
# rules below act as an enforced boundary until this line is removed.
permissive icinga2_t;

# SysV/init script for the service.
type icinga2_initrc_exec_t;
init_script_file(icinga2_initrc_exec_t)

# Log files (/var/log/icinga2 — paths are assigned in the .fc file, not here).
type icinga2_log_t;
logging_log_file(icinga2_log_t)

# Persistent state under /var/lib.
type icinga2_var_lib_t;
files_type(icinga2_var_lib_t)

# PID file / runtime directory.
type icinga2_var_run_t;
files_pid_file(icinga2_var_run_t)

# External command pipe and related files (written by other domains,
# see icinga2_send_commands below).
type icinga2_command_t;
files_type(icinga2_command_t)

# Spool directory.
type icinga2_spool_t;
files_type(icinga2_spool_t)

# Cache directory.
type icinga2_cache_t;
files_type(icinga2_cache_t)

# Temporary files created by the daemon.
type icinga2_tmp_t;
files_tmp_file(icinga2_tmp_t)

# TCP port the daemon listens on; the port number itself is assigned
# outside this file (semanage / .fc), so check there which port is covered.
type icinga2_port_t;
corenet_port(icinga2_port_t)

########################################
#
# icinga2 local policy
#
# CAP_SETUID/CAP_SETGID allow changing uid/gid; CAP_SYS_RESOURCE allows
# overriding resource limits (matches setrlimit below). Presumably used to
# drop privileges to the service user at start-up — confirm against the
# daemon's start-up code.
allow icinga2_t self:capability { setgid setuid sys_resource };
allow icinga2_t self:process { setsched signal setrlimit };
allow icinga2_t self:fifo_file rw_fifo_file_perms;
allow icinga2_t self:unix_stream_socket create_stream_socket_perms;

# Full create/read/write/delete on each of the daemon's own file types.
# The *_filetrans interfaces make new objects created in the generic parent
# directory (log, var/lib, pid, spool, tmp) get the icinga2-specific label.
manage_dirs_pattern(icinga2_t, icinga2_log_t, icinga2_log_t)
manage_files_pattern(icinga2_t, icinga2_log_t, icinga2_log_t)
manage_lnk_files_pattern(icinga2_t, icinga2_log_t, icinga2_log_t)
logging_log_filetrans(icinga2_t, icinga2_log_t, { dir file lnk_file })

manage_dirs_pattern(icinga2_t, icinga2_var_lib_t, icinga2_var_lib_t)
manage_files_pattern(icinga2_t, icinga2_var_lib_t, icinga2_var_lib_t)
manage_lnk_files_pattern(icinga2_t, icinga2_var_lib_t, icinga2_var_lib_t)
files_var_lib_filetrans(icinga2_t, icinga2_var_lib_t, { dir file lnk_file })

manage_dirs_pattern(icinga2_t, icinga2_var_run_t, icinga2_var_run_t)
manage_files_pattern(icinga2_t, icinga2_var_run_t, icinga2_var_run_t)
files_pid_filetrans(icinga2_t, icinga2_var_run_t, { dir file })

# Command pipe: the daemon also needs fifo access here (the pipe itself).
manage_dirs_pattern(icinga2_t, icinga2_command_t, icinga2_command_t)
manage_files_pattern(icinga2_t, icinga2_command_t, icinga2_command_t)
manage_fifo_files_pattern(icinga2_t, icinga2_command_t, icinga2_command_t)

manage_dirs_pattern(icinga2_t, icinga2_spool_t, icinga2_spool_t)
manage_files_pattern(icinga2_t, icinga2_spool_t, icinga2_spool_t)
files_spool_filetrans(icinga2_t, icinga2_spool_t, { dir file })

# No filetrans for the cache type: the cache directory is expected to be
# pre-labelled (via the .fc file) rather than created at runtime — confirm.
manage_dirs_pattern(icinga2_t, icinga2_cache_t, icinga2_cache_t)
manage_files_pattern(icinga2_t, icinga2_cache_t, icinga2_cache_t)

manage_files_pattern(icinga2_t, icinga2_tmp_t, icinga2_tmp_t)
manage_dirs_pattern(icinga2_t, icinga2_tmp_t, icinga2_tmp_t)
files_tmp_filetrans(icinga2_t, icinga2_tmp_t, { dir file })

# Standard daemon plumbing: inherited terminal fds, /etc, NSS (users/groups,
# hosts), locale data.
domain_use_interactive_fds(icinga2_t)

files_read_etc_files(icinga2_t)

auth_use_nsswitch(icinga2_t)

miscfiles_read_localization(icinga2_t)

# Lets the daemon probe the shell for executability (no domain transition
# is set up by this interface as far as can be seen here — verify in refpolicy).
corecmd_check_exec_shell(icinga2_t)

# Plugin execution: icinga2_execstrans is not defined in this file
# (presumably in icinga2.if); from its use here it appears to set up the
# domain transition from icinga2_t into each plugin domain when the
# corresponding *_exec_t file is executed — confirm in icinga2.if.
# should be moved to nagios_plugin_template in nagios.if
icinga2_execstrans(nagios_admin_plugin_exec_t, nagios_admin_plugin_t)
icinga2_execstrans(nagios_checkdisk_plugin_exec_t, nagios_checkdisk_plugin_t)
icinga2_execstrans(nagios_mail_plugin_exec_t, nagios_mail_plugin_t)
icinga2_execstrans(nagios_services_plugin_exec_t, nagios_services_plugin_t)
icinga2_execstrans(nagios_system_plugin_exec_t, nagios_system_plugin_t)

# Notification plugins: the template creates nagios_notification_plugin_t
# and nagios_notification_plugin_exec_t, which the following rules use.
# should be moved to nagios.te
nagios_plugin_template(notification)
icinga2_execstrans(nagios_notification_plugin_exec_t, nagios_notification_plugin_t)
# The exec type also labels the plugin directory, hence the dir search.
allow nagios_notification_plugin_t nagios_notification_plugin_exec_t:dir search;
#permissive nagios_notification_plugin_t;
# Notification scripts may run generic binaries (bin_t).
corecmd_exec_bin(nagios_notification_plugin_t)
type nagios_notification_plugin_tmp_t;
files_tmp_file(nagios_notification_plugin_tmp_t)
manage_files_pattern(nagios_notification_plugin_t, nagios_notification_plugin_tmp_t, nagios_notification_plugin_tmp_t)
manage_dirs_pattern(nagios_notification_plugin_t, nagios_notification_plugin_tmp_t, nagios_notification_plugin_tmp_t)
files_tmp_filetrans(nagios_notification_plugin_t, nagios_notification_plugin_tmp_t, { dir file })
# dontaudit rules only silence AVC log noise; they grant nothing.
auth_dontaudit_read_passwd(nagios_notification_plugin_t)
fs_dontaudit_getattr_xattr_fs(nagios_notification_plugin_t)
# Only applied when the mta module is loaded: lets notification scripts
# hand mail to the local MTA.
optional_policy(`
        mta_send_mail(nagios_notification_plugin_t)
')
# Not defined in this file (presumably icinga2.if); the name suggests it
# silences denials caused by fifo descriptors leaked into the mail domain —
# confirm.
icinga2_dontaudit_leaks_fifo(system_mail_t)

# Listener: bind only to ports labelled icinga2_port_t.
allow icinga2_t icinga2_port_t:tcp_socket name_bind;
allow icinga2_t self:tcp_socket create_stream_socket_perms;

# Database backends (presumably the IDO feature). NOTE(review): unlike the
# mta_send_mail rule above these are not wrapped in optional_policy(`...'),
# so the mysql and postgresql policy modules must be present for this module
# to build — confirm that holds on all target distributions.
mysql_stream_connect(icinga2_t)
mysql_tcp_connect(icinga2_t)
postgresql_stream_connect(icinga2_t)
postgresql_tcp_connect(icinga2_t)

# graphite is using port 2003 which is lmtp_port_t
# This consequently allows the daemon to connect to anything listening on an
# lmtp_port_t port, not only graphite.
corenet_tcp_connect_lmtp_port(icinga2_t)

########################################
#
# Icinga Webinterfaces
#

# Applied only when the apache module is loaded. icinga2_send_commands is not
# defined in this file (presumably icinga2.if); it appears to grant the web
# server domain write access to the command pipe. Because it targets httpd_t
# as a whole, every process in that domain gets the access, not just the
# Icinga web interface — which is why the author notes it should be gated by
# a boolean.
optional_policy(`
        # should be a boolean in apache-policy
        icinga2_send_commands(httpd_t)
')