/etc/rc\.d/init\.d/icinga2 -- gen_context(system_u:object_r:icinga2_initrc_exec_t,s0)
+/usr/lib/systemd/system/icinga2.* -- gen_context(system_u:object_r:icinga2_unit_file_t,s0)
+
/etc/icinga2(/.*)? gen_context(system_u:object_r:icinga2_etc_t,s0)
/etc/icinga2/scripts(/.*)? gen_context(system_u:object_r:nagios_notification_plugin_exec_t,s0)
init_labeled_script_domtrans($1, icinga2_initrc_exec_t)
')
+########################################
+## <summary>
+## Execute icinga2 daemon in the icinga2 domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`icinga2_systemctl',`
+ gen_require(`
+ type icinga2_t;
+ type icinga2_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ allow $1 icinga2_unit_file_t:file read_file_perms;
+ allow $1 icinga2_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, icinga2_t)
+ init_dbus_chat($1)
+')
+
########################################
## <summary>
## Allow the specified domain to read
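Review bot: The summary of the new `icinga2_systemctl` interface (`## Execute icinga2 daemon in the icinga2 domain.`) does not describe what the interface grants: nothing in its body performs a domain transition into `icinga2_t`; it gives `$1` `systemd_exec_systemctl`, read access to `icinga2_unit_file_t` files, `manage_service_perms` on the `service` class, `ps_process_pattern` on `icinga2_t` and `init_dbus_chat`. Because this XML summary is what the generated interface documentation shows to whoever later hands this interface to another domain, it should state the actual privilege, e.g. `## Execute systemctl on the icinga2 service (start, stop, status and similar) and read its unit file.` The parameter text `## Domain allowed to transition.` is the same copy-paste and should read `## Domain allowed to manage the icinga2 service.`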
role_transition $2 icinga2_initrc_exec_t system_r;
allow $2 system_r;
+ files_list_etc($1)
+ admin_pattern($1, icinga2_etc_t)
+
logging_search_logs($1)
admin_pattern($1, icinga2_log_t)
files_search_var_lib($1)
admin_pattern($1, icinga2_var_lib_t)
+
+ admin_pattern($1, icinga2_var_run_t)
+ admin_pattern($1, icinga2_command_t)
+ admin_pattern($1, icinga2_spool_t)
+ admin_pattern($1, icinga2_cache_t)
+
+ icinga2_systemctl($1)
+ admin_pattern($1, icinga2_unit_file_t)
+ allow $1 icinga2_unit_file_t:service all_service_perms;
+
optional_policy(`
systemd_passwd_agent_exec($1)
systemd_read_fifo_file_passwd_run($1)
dontaudit $1 icinga2_t:fifo_file write;
')
+## <summary>Icinga2 administrator role.</summary>
+
+########################################
+## <summary>
+## Change to the Icinga2 administrator role.
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`icinga2adm_role_change',`
+ gen_require(`
+ role icinga2adm_r;
+ ')
+
+ allow $1 icinga2adm_r;
+')
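Review bot: The `## <summary>Icinga2 administrator role.</summary>` line added directly after the closing `')` of `icinga2_admin` is not attached to any interface; the `icinga2adm_role_change` block that follows already carries its own `## <summary>` header, so this line sits as a stray summary in the middle of the file and is likely to confuse the tooling that parses these `##` comments into interface docs. Either drop it or, if it is meant as the module summary, move it to the top of icinga2.if where such summaries belong. Inside `icinga2_admin`, `icinga2_systemctl($1)` already grants `manage_service_perms` on `icinga2_unit_file_t:service`, so the following `allow $1 icinga2_unit_file_t:service all_service_perms;` is the line that widens the admin to the full service permission set (presumably adding unit enable/disable); a one-line comment such as `# admins may also enable/disable the unit, beyond what icinga2_systemctl grants` would record that the wider grant is intentional. The interface name `icinga2adm_role_change` also drops the `icinga2_` prefix every other interface in this file uses; `icinga2_admin_role_change` would match the module's naming convention.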
/sbin/restorecon -F -R -v /usr/sbin/icinga2
# Fixing the file context on /etc/rc\.d/init\.d/icinga2
#/sbin/restorecon -F -R -v /etc/rc\.d/init\.d/icinga2
+# Fixing the file context on /usr/lib/systemd/system/icinga2.*
+/sbin/restorecon -F -R -v /usr/lib/systemd/system/icinga2.*
# Fixing the file context on /etc/icinga2
/sbin/restorecon -F -R -v /etc/icinga2
# Fixing the file context on /var/log/icinga2
type nagios_eventhandler_plugin_t; type nagios_eventhandler_plugin_exec_t;
type nagios_openshift_plugin_t; type nagios_openshift_plugin_exec_t;
type httpd_t; type system_mail_t;
+ role staff_r;
}
type icinga2_t;
type icinga2_initrc_exec_t;
init_script_file(icinga2_initrc_exec_t)
+type icinga2_unit_file_t;
+systemd_unit_file(icinga2_unit_file_t)
+
type icinga2_etc_t;
files_config_file(icinga2_etc_t)
allow icinga2_t self:fifo_file rw_fifo_file_perms;
allow icinga2_t self:unix_stream_socket create_stream_socket_perms;
+list_dirs_pattern(icinga2_t, icinga2_etc_t, icinga2_etc_t)
read_files_pattern(icinga2_t, icinga2_etc_t, icinga2_etc_t)
read_lnk_files_pattern(icinga2_t, icinga2_etc_t, icinga2_etc_t)
# should be a boolean in apache-policy
icinga2_send_commands(httpd_t)
')
+
+########################################
+#
+# Icinga2 Admin Role
+#
+
+userdom_unpriv_user_template(icinga2adm)
+
+icinga2_admin(icinga2adm_t, icinga2adm_r)
+
+allow icinga2adm_t self:capability { dac_read_search dac_override };
+
+# should be moved to staff.te
+icinga2adm_role_change(staff_r)
+
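Review bot: `allow icinga2adm_t self:capability { dac_read_search dac_override };` hands the new administrator domain a blanket bypass of discretionary permission bits on every object SELinux otherwise lets it reach, with no comment saying which operation required it; `dac_read_search` alone usually covers an admin reading files owned by the service account, and `dac_override` is normally added only after a concrete AVC denial shows a write needs it. I would either drop `dac_override` until such a denial is observed or keep it with a why-comment, e.g. `# dac_override: needed to edit root-owned config under /etc/icinga2 as icinga2adm - TODO confirm against audit log`. The `icinga2adm_role_change(staff_r)` call, together with the `+ role staff_r;` added to the module's top-level `gen_require` in the earlier hunk, makes the icinga2 module hard-depend on the staff role being present at load time; wrapping the call (with its own `gen_require(` `role staff_r;` `')`) in an `optional_policy(` block would keep the module loadable without staff until the rule is moved to staff.te as the `# should be moved to staff.te` comment intends.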