SELinux: added context to config files to provide interfaces
authorDirk Goetz <dirk.goetz@netways.de>
Wed, 25 Mar 2015 18:52:42 +0000 (18:52 +0000)
committerMichael Friedrich <michael.friedrich@netways.de>
Mon, 1 Jun 2015 11:25:58 +0000 (13:25 +0200)
refs #8332

tools/selinux/icinga2.fc
tools/selinux/icinga2.if
tools/selinux/icinga2.sh
tools/selinux/icinga2.te

index 33e4c729934e0ae6738ba43dc2e355c53d8f0ee6..ef92f29b9178d8aa3f4810aa86fa66ecf169be9f 100644 (file)
@@ -1,5 +1,7 @@
 /etc/rc\.d/init\.d/icinga2     --      gen_context(system_u:object_r:icinga2_initrc_exec_t,s0)
 
+/etc/icinga2(/.*)?             gen_context(system_u:object_r:icinga2_etc_t,s0)
+
 /etc/icinga2/scripts(/.*)?     gen_context(system_u:object_r:nagios_notification_plugin_exec_t,s0)
 
 /usr/sbin/icinga2              --      gen_context(system_u:object_r:icinga2_exec_t,s0)
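Review bot: The new `/etc/icinga2(/.*)?` pattern labels everything under that tree `icinga2_etc_t`, not only configuration; if the daemon's private key and certificate store lives below it (Icinga 2 keeps its PKI directory under /etc/icinga2 by default — to be confirmed for this layout), the keys inherit the config label and become readable by every domain that is granted the new `icinga2_read_config` interface. Key material should get its own type instead, e.g. a more specific `/etc/icinga2/pki(/.*)?` entry with a dedicated `icinga2_cert_t`, which wins over the generic pattern by regex specificity the same way the existing `/etc/icinga2/scripts(/.*)?` line still does. The scripts line itself is unaffected by this change.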
index 301464399d3542ec204ddbb733ca09eb37a62f43..6c42e8af394728b5249528ef2bd67aed7a0d9360 100644 (file)
@@ -37,6 +37,51 @@ interface(`icinga2_initrc_domtrans',`
 
        init_labeled_script_domtrans($1, icinga2_initrc_exec_t)
 ')
+
+########################################
+## <summary>
+##      Allow the specified domain to read
+##      icinga2 configuration files.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+## <rolecap/>
+#
+interface(`icinga2_read_config',`
+        gen_require(`
+                type icinga2_etc_t;
+        ')
+
+        files_search_etc($1)
+        list_dirs_pattern($1, icinga2_etc_t, icinga2_etc_t)
+        read_files_pattern($1, icinga2_etc_t, icinga2_etc_t)
+')
+
+########################################
+## <summary>
+##      Allow the specified domain to read
+##      and write icinga2 configuration files.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+## <rolecap/>
+#
+interface(`icinga2_manage_config',`
+        gen_require(`
+                type icinga2_etc_t;
+        ')
+
+        files_search_etc($1)
+        manage_dirs_pattern($1, icinga2_etc_t, icinga2_etc_t)
+        manage_files_pattern($1, icinga2_etc_t, icinga2_etc_t)
+')
+
 ########################################
 ## <summary>
 ##     Read icinga2's log files.
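Review bot: `icinga2_read_config` grants directory listing and file reads on `icinga2_etc_t` but no symlink reads, so a caller that follows a symlinked include (a common layout for `zones.d` or `conf.d` entries) is denied at the link; the daemon's own rules in icinga2.te from this same commit do use `read_lnk_files_pattern` on the type, so the interface is narrower than the domain it mirrors. Add `read_lnk_files_pattern($1, icinga2_etc_t, icinga2_etc_t)` to `icinga2_read_config` and `manage_lnk_files_pattern($1, icinga2_etc_t, icinga2_etc_t)` to `icinga2_manage_config`. The summary of `icinga2_manage_config` should also warn callers, since icinga2 configuration presumably defines the commands the daemon executes, write access is effectively control over what runs as icinga2_t: `## Write access lets the caller define what icinga2 executes; grant only to trusted administrative domains.`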
index 81ccc55cf78eb12a893e0db3b53fd3d99cf3534c..6defe85b044e8118e2f1c46ee75532befce2a8d7 100755 (executable)
@@ -48,8 +48,8 @@ sepolicy manpage -p . -d icinga2_t
 /sbin/restorecon -F -R -v /usr/sbin/icinga2
 # Fixing the file context on /etc/rc\.d/init\.d/icinga2
 #/sbin/restorecon -F -R -v /etc/rc\.d/init\.d/icinga2
-# Fixing the file context on /etc/icinga2/scripts
-/sbin/restorecon -F -R -v /etc/icinga2/scripts
+# Fixing the file context on /etc/icinga2
+/sbin/restorecon -F -R -v /etc/icinga2
 # Fixing the file context on /var/log/icinga2
 /sbin/restorecon -F -R -v /var/log/icinga2
 # Fixing the file context on /var/lib/icinga2
index 4bbcd64302afcf3f7bf0bf4fe69be9ef992b1fd4..b20ff2201a95372dc4c329ecb3f86c8c26305472 100644 (file)
@@ -26,6 +26,9 @@ permissive icinga2_t;
 type icinga2_initrc_exec_t;
 init_script_file(icinga2_initrc_exec_t)
 
+type icinga2_etc_t;
+files_config_file(icinga2_etc_t)
+
 type icinga2_log_t;
 logging_log_file(icinga2_log_t)
 
@@ -59,6 +62,9 @@ allow icinga2_t self:process { setsched signal setrlimit };
 allow icinga2_t self:fifo_file rw_fifo_file_perms;
 allow icinga2_t self:unix_stream_socket create_stream_socket_perms;
 
+read_files_pattern(icinga2_t, icinga2_etc_t, icinga2_etc_t)
+read_lnk_files_pattern(icinga2_t, icinga2_etc_t, icinga2_etc_t)
+
 manage_dirs_pattern(icinga2_t, icinga2_log_t, icinga2_log_t)
 manage_files_pattern(icinga2_t, icinga2_log_t, icinga2_log_t)
 manage_lnk_files_pattern(icinga2_t, icinga2_log_t, icinga2_log_t)
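Review bot: The two new rules give icinga2_t only search-level directory permissions on `icinga2_etc_t` (that is all `read_files_pattern` grants on the directory type), not `read`, so the daemon cannot enumerate its configuration directories; the `icinga2_read_config` interface added in this same commit does grant `list_dirs_pattern`, and a daemon that expands wildcard or recursive includes needs the same. Because the module still declares `permissive icinga2_t;` this only surfaces as AVC denials today, but it will break once the domain is enforced. Add `list_dirs_pattern(icinga2_t, icinga2_etc_t, icinga2_etc_t)` next to the two new lines.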