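policy_module(icinga2, 0.1.5)

########################################
#
# Declarations
#

## <desc>
## <p>
## Allow Icinga 2 to connect to all ports
## </p>
## </desc>
gen_tunable(icinga2_can_connect_all, false)

## <desc>
## <p>
## Allow httpd (the Icinga web interface) to connect to the Icinga 2 API port.
## Enabled by default.
## </p>
## </desc>
gen_tunable(httpd_can_connect_icinga2_api, true)

## <desc>
## <p>
## Allow httpd (the Icinga web interface) to write to the Icinga 2 command
## interface (icinga2_send_commands in icinga2.if). Enabled by default;
## disable it where the web frontend does not issue commands, since a
## compromised httpd_t otherwise reaches the command interface.
## </p>
## </desc>
gen_tunable(httpd_can_write_icinga2_command, true)

# Types and roles owned by other modules that this policy references
# directly: the nagios plugin domains the daemon transitions into, httpd_t
# for the web-interface booleans, system_mail_t for the notification-plugin
# dontaudit, and staff_r for the role change into icinga2adm_r.
require {
	type nagios_admin_plugin_t; type nagios_admin_plugin_exec_t;
	type nagios_checkdisk_plugin_t; type nagios_checkdisk_plugin_exec_t;
	type nagios_mail_plugin_t; type nagios_mail_plugin_exec_t;
	type nagios_services_plugin_t; type nagios_services_plugin_exec_t;
	type nagios_system_plugin_t; type nagios_system_plugin_exec_t;
	type nagios_unconfined_plugin_t; type nagios_unconfined_plugin_exec_t;
	type nagios_eventhandler_plugin_t; type nagios_eventhandler_plugin_exec_t;
	type nagios_openshift_plugin_t; type nagios_openshift_plugin_exec_t;
	type httpd_t; type system_mail_t;
	role staff_r;
}

# Daemon domain and the label of its executable.
type icinga2_t;
type icinga2_exec_t;
init_daemon_domain(icinga2_t, icinga2_exec_t)

# Debugging aid only: uncomment to collect AVC denials without enforcing
# them for the daemon. Never ship the policy with this enabled.
#permissive icinga2_t;

# SysV init script and systemd unit.
type icinga2_initrc_exec_t;
init_script_file(icinga2_initrc_exec_t)

type icinga2_unit_file_t;
systemd_unit_file(icinga2_unit_file_t)

# Configuration (read-only for the daemon, see the local policy).
type icinga2_etc_t;
files_config_file(icinga2_etc_t)

# Writable state, one type per location so each can be granted separately.
type icinga2_log_t;
logging_log_file(icinga2_log_t)

type icinga2_var_lib_t;
files_type(icinga2_var_lib_t)

type icinga2_var_run_t;
files_pid_file(icinga2_var_run_t)

# Command interface; the daemon gets fifo_file permissions on it, and
# httpd_t is granted access through the httpd_can_write_icinga2_command
# boolean.
type icinga2_command_t;
files_type(icinga2_command_t)

type icinga2_spool_t;
files_type(icinga2_spool_t)

type icinga2_cache_t;
files_type(icinga2_cache_t)

type icinga2_tmp_t;
files_tmp_file(icinga2_tmp_t)

# Network port type for the Icinga 2 listener (API / cluster traffic).
type icinga2_port_t;
corenet_port(icinga2_port_t)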
68
########################################
#
# icinga2 local policy
#

# Process-level permissions for the daemon. setuid/setgid are presumably for
# dropping privileges to the service user; sys_resource/setrlimit for
# adjusting its own resource limits -- confirm against the daemon's startup.
allow icinga2_t self:capability { setgid setuid sys_resource };
allow icinga2_t self:process { setsched signal setrlimit };
allow icinga2_t self:fifo_file rw_fifo_file_perms;
allow icinga2_t self:unix_dgram_socket create_socket_perms;
allow icinga2_t self:unix_stream_socket create_stream_socket_perms;

# Generic system access: /proc and network state, /etc, NSS lookups,
# locale data, and file descriptors inherited from init.
kernel_read_system_state(icinga2_t)
kernel_read_network_state(icinga2_t)
files_read_etc_files(icinga2_t)
auth_use_nsswitch(icinga2_t)
miscfiles_read_localization(icinga2_t)
domain_use_interactive_fds(icinga2_t)

# Check commands are run through the shell and generic binaries. Only
# plugins labeled with one of the nagios_*_plugin_exec_t types get a domain
# transition (see the icinga2_execstrans() calls); anything else is executed
# in icinga2_t itself and inherits every permission granted to the daemon.
corecmd_exec_shell(icinga2_t)
corecmd_exec_bin(icinga2_t)

# Configuration is read-only for the daemon.
list_dirs_pattern(icinga2_t, icinga2_etc_t, icinga2_etc_t)
read_files_pattern(icinga2_t, icinga2_etc_t, icinga2_etc_t)
read_lnk_files_pattern(icinga2_t, icinga2_etc_t, icinga2_etc_t)

# Writable state. The *_filetrans calls label objects the daemon creates
# directly under the generic /var/log, /var/lib, run, spool and tmp
# directories with the matching icinga2 type.
manage_dirs_pattern(icinga2_t, icinga2_log_t, icinga2_log_t)
manage_files_pattern(icinga2_t, icinga2_log_t, icinga2_log_t)
manage_lnk_files_pattern(icinga2_t, icinga2_log_t, icinga2_log_t)
logging_log_filetrans(icinga2_t, icinga2_log_t, { dir file lnk_file })

manage_dirs_pattern(icinga2_t, icinga2_var_lib_t, icinga2_var_lib_t)
manage_files_pattern(icinga2_t, icinga2_var_lib_t, icinga2_var_lib_t)
manage_lnk_files_pattern(icinga2_t, icinga2_var_lib_t, icinga2_var_lib_t)
files_var_lib_filetrans(icinga2_t, icinga2_var_lib_t, { dir file lnk_file })

manage_dirs_pattern(icinga2_t, icinga2_var_run_t, icinga2_var_run_t)
manage_files_pattern(icinga2_t, icinga2_var_run_t, icinga2_var_run_t)
files_pid_filetrans(icinga2_t, icinga2_var_run_t, { dir file })

manage_dirs_pattern(icinga2_t, icinga2_spool_t, icinga2_spool_t)
manage_files_pattern(icinga2_t, icinga2_spool_t, icinga2_spool_t)
files_spool_filetrans(icinga2_t, icinga2_spool_t, { dir file })

manage_dirs_pattern(icinga2_t, icinga2_tmp_t, icinga2_tmp_t)
manage_files_pattern(icinga2_t, icinga2_tmp_t, icinga2_tmp_t)
files_tmp_filetrans(icinga2_t, icinga2_tmp_t, { dir file })

# Command interface and cache have no file transition: nothing is created
# there under a generic parent directory.
manage_dirs_pattern(icinga2_t, icinga2_command_t, icinga2_command_t)
manage_files_pattern(icinga2_t, icinga2_command_t, icinga2_command_t)
manage_fifo_files_pattern(icinga2_t, icinga2_command_t, icinga2_command_t)

manage_dirs_pattern(icinga2_t, icinga2_cache_t, icinga2_cache_t)
manage_files_pattern(icinga2_t, icinga2_cache_t, icinga2_cache_t)
125
# Notification plugin domain. This template call and the icinga2_execstrans()
# calls below belong in nagios.te / nagios_plugin_template in nagios.if; they
# live here until the nagios policy provides them.
nagios_plugin_template(notification)

type nagios_notification_plugin_tmp_t;
files_tmp_file(nagios_notification_plugin_tmp_t)

# Domain transitions from icinga2_t into the per-class plugin domains,
# selected by the label of the plugin executable.
icinga2_execstrans(nagios_admin_plugin_exec_t, nagios_admin_plugin_t)
icinga2_execstrans(nagios_checkdisk_plugin_exec_t, nagios_checkdisk_plugin_t)
icinga2_execstrans(nagios_mail_plugin_exec_t, nagios_mail_plugin_t)
icinga2_execstrans(nagios_services_plugin_exec_t, nagios_services_plugin_t)
icinga2_execstrans(nagios_system_plugin_exec_t, nagios_system_plugin_t)
icinga2_execstrans(nagios_eventhandler_plugin_exec_t, nagios_eventhandler_plugin_t)
icinga2_execstrans(nagios_openshift_plugin_exec_t, nagios_openshift_plugin_t)
icinga2_execstrans(nagios_notification_plugin_exec_t, nagios_notification_plugin_t)
# nagios_unconfined_plugin_t is, going by its name, meant to be unrestricted.
# Which plugins land in it is decided solely by the
# nagios_unconfined_plugin_exec_t file label, so apply that label sparingly.
icinga2_execstrans(nagios_unconfined_plugin_exec_t, nagios_unconfined_plugin_t)

# Notification plugin local policy.
# Debugging aid only; never ship it enabled.
#permissive nagios_notification_plugin_t;
allow nagios_notification_plugin_t icinga2_etc_t:dir search;
allow nagios_notification_plugin_t nagios_notification_plugin_exec_t:dir search;
# Helpers the notification scripts call run inside this plugin domain
# (no further transition).
corecmd_exec_bin(nagios_notification_plugin_t)
hostname_exec(nagios_notification_plugin_t)
manage_dirs_pattern(nagios_notification_plugin_t, nagios_notification_plugin_tmp_t, nagios_notification_plugin_tmp_t)
manage_files_pattern(nagios_notification_plugin_t, nagios_notification_plugin_tmp_t, nagios_notification_plugin_tmp_t)
files_tmp_filetrans(nagios_notification_plugin_t, nagios_notification_plugin_tmp_t, { dir file })
auth_dontaudit_read_passwd(nagios_notification_plugin_t)
fs_dontaudit_getattr_xattr_fs(nagios_notification_plugin_t)

optional_policy(`
	mta_send_mail(nagios_notification_plugin_t)
')
# Presumably the fifo inherited by the MTA when a notification sends mail;
# silenced rather than granted.
icinga2_dontaudit_leaks_fifo(system_mail_t)
155
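# Listen on and connect to the Icinga 2 port (the API port; the
# httpd_can_connect_icinga2_api boolean grants httpd_t the same destination).
allow icinga2_t icinga2_port_t:tcp_socket name_bind;
allow icinga2_t self:tcp_socket create_stream_socket_perms;
corenet_tcp_connect_icinga2_port(icinga2_t)

# Database backends. Wrapped in optional_policy so this module still builds
# and loads on systems where the mysql or postgresql policy module is absent;
# where they are present the granted rules are unchanged.
optional_policy(`
	mysql_stream_connect(icinga2_t)
	mysql_tcp_connect(icinga2_t)
')

optional_policy(`
	postgresql_stream_connect(icinga2_t)
	postgresql_tcp_connect(icinga2_t)
')

# Graphite listens on port 2003, which the base policy labels lmtp_port_t.
# Note this therefore permits connecting to anything labeled lmtp_port_t,
# not only graphite.
corenet_tcp_connect_lmtp_port(icinga2_t)

# Off by default. Covers features that talk to ports without a dedicated
# port type, or standard services run on a non-standard port. Enabling it
# removes the destination-port restriction for icinga2_t entirely.
tunable_policy(`icinga2_can_connect_all',`
	corenet_tcp_connect_all_ports(icinga2_t)
')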
173
########################################
#
# Icinga Webinterfaces
#

# Both booleans are declared with a default of true, so httpd_t can reach the
# Icinga 2 API port and the command interface out of the box. Turn them off
# on hosts where the web frontend does not need that access. Ideally both
# would be booleans in the apache policy.

optional_policy(`
	tunable_policy(`httpd_can_connect_icinga2_api',`
		corenet_tcp_connect_icinga2_port(httpd_t)
	')
')

optional_policy(`
	tunable_policy(`httpd_can_write_icinga2_command',`
		icinga2_send_commands(httpd_t)
	')
')
192
########################################
#
# Icinga2 Admin Role
#

# Unprivileged user role for administering Icinga 2; icinga2_admin() in
# icinga2.if presumably grants it the icinga2 types declared above.
userdom_unpriv_user_template(icinga2adm)
icinga2_admin(icinga2adm_t, icinga2adm_r)

# Let staff_r switch into icinga2adm_r. (should be moved to staff.te)
icinga2adm_role_change(staff_r)

# Run plugins from the admin role in the same per-class domains the daemon
# uses, presumably so manual test runs are subject to the same policy as
# scheduled checks. (should be moved to nagios_plugin_template in nagios.if)
icinga2adm_execstrans(nagios_admin_plugin_exec_t, nagios_admin_plugin_t)
icinga2adm_execstrans(nagios_checkdisk_plugin_exec_t, nagios_checkdisk_plugin_t)
icinga2adm_execstrans(nagios_mail_plugin_exec_t, nagios_mail_plugin_t)
icinga2adm_execstrans(nagios_services_plugin_exec_t, nagios_services_plugin_t)
icinga2adm_execstrans(nagios_system_plugin_exec_t, nagios_system_plugin_t)
icinga2adm_execstrans(nagios_unconfined_plugin_exec_t, nagios_unconfined_plugin_t)
icinga2adm_execstrans(nagios_eventhandler_plugin_exec_t, nagios_eventhandler_plugin_t)
icinga2adm_execstrans(nagios_openshift_plugin_exec_t, nagios_openshift_plugin_t)
icinga2adm_execstrans(nagios_notification_plugin_exec_t, nagios_notification_plugin_t)

# NOTE(review): dac_override lets this "unprivileged" role bypass all
# discretionary (owner/mode) checks on any file its type rules allow, and it
# subsumes dac_read_search. If only reading root-owned icinga2 files is
# needed, dac_read_search alone is the narrower grant -- confirm which
# operation actually needs dac_override before keeping it.
allow icinga2adm_t self:capability { dac_read_search dac_override };