From 1911209a4553727cb5875767cd827cc4612e35fb Mon Sep 17 00:00:00 2001
From: Dirk Goetz
Date: Wed, 11 Feb 2015 22:56:12 +0100
Subject: [PATCH] Selinux: Added file contexts and port

refs #8332

Signed-off-by: Michael Friedrich
---
 tools/selinux/icinga2.fc | 4 ++++
 tools/selinux/icinga2.if | 24 ++++++++++++++++++-
 tools/selinux/icinga2.sh | 14 +++++++++--
 tools/selinux/icinga2.te | 50 +++++++++++++++++++++++++++++++++++++---
 4 files changed, 86 insertions(+), 6 deletions(-)

diff --git a/tools/selinux/icinga2.fc b/tools/selinux/icinga2.fc
index b958ab9a2..b107d57a4 100644
--- a/tools/selinux/icinga2.fc
+++ b/tools/selinux/icinga2.fc
@@ -9,3 +9,7 @@
 /var/run/icinga2(/.*)? gen_context(system_u:object_r:icinga2_var_run_t,s0)
 /var/run/icinga2/cmd(/.*)? gen_context(system_u:object_r:icinga2_command_t,s0)
+
+/var/spool/icinga2(/.*)? gen_context(system_u:object_r:icinga2_spool_t,s0)
+
+/var/cache/icinga2(/.*)? gen_context(system_u:object_r:icinga2_cache_t,s0)
diff --git a/tools/selinux/icinga2.if b/tools/selinux/icinga2.if
index 6885f6e11..774e56227 100644
--- a/tools/selinux/icinga2.if
+++ b/tools/selinux/icinga2.if
@@ -239,7 +239,29 @@ interface(`icinga2_send_commands',`
 files_search_pids($1)
 read_files_pattern($1, icinga2_var_run_t, icinga2_var_run_t)
- read_files_pattern($1, icina2_command_t, icinga2_command_t)
+ read_files_pattern($1, icinga2_command_t, icinga2_command_t)
 write_fifo_files_pattern($1, icinga2_command_t, icinga2_command_t)
 ')
+########################################
+##
+## For domains icinga should transition to (e.g. Plugins).
+##
+##
+##
+## Context of the executable.
+##
+##
+##
+## Domain icinga should transition to.
+##
+##
+#
+interface(`icinga2_execstrans',`
+ gen_require(`
+ type icinga2_t;
+ ')
+
+ domtrans_pattern(icinga2_t, $1, $2)
+')
diff --git a/tools/selinux/icinga2.sh b/tools/selinux/icinga2.sh
index d9a8aa7a6..48cd49b90 100755
--- a/tools/selinux/icinga2.sh
+++ b/tools/selinux/icinga2.sh
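Review bot: The summary of the new `icinga2_execstrans` interface is ambiguous about which side of the transition the caller supplies: `domtrans_pattern(icinga2_t, $1, $2)` lets icinga2_t execute files of type $1 and automatically enter domain $2, so icinga2_t is the source, and both arguments must already be declared, $1 as an executable file type and $2 as a domain. A summary such as `## Allow icinga2_t to execute files of type $1 and transition into domain $2; the caller supplies an already declared entrypoint file type and domain.` would make that explicit. A module .if normally describes transitions into its own domain rather than out of it, which the "should be moved to nagios_plugin_template" comment in the last hunk of icinga2.te already acknowledges.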
@@ -47,12 +47,22 @@ sepolicy manpage -p . -d icinga2_t
 # Fixing the file context on /usr/sbin/icinga2
 /sbin/restorecon -F -R -v /usr/sbin/icinga2
 # Fixing the file context on /etc/rc\.d/init\.d/icinga2
-/sbin/restorecon -F -R -v /etc/rc\.d/init\.d/icinga2
+#/sbin/restorecon -F -R -v /etc/rc\.d/init\.d/icinga2
 # Fixing the file context on /var/log/icinga2
 /sbin/restorecon -F -R -v /var/log/icinga2
 # Fixing the file context on /var/lib/icinga2
 /sbin/restorecon -F -R -v /var/lib/icinga2
+# Fixing the file context on /var/run/icinga2
+/sbin/restorecon -F -R -v /var/run/icinga2
+# Fixing the file context on /var/cache/icinga2
+/sbin/restorecon -F -R -v /var/cache/icinga2
+# Fixing the file context on /var/spool/icinga2
+/sbin/restorecon -F -R -v /var/spool/icinga2
+
+# Label the port 5665
+/sbin/semanage port -a -t icinga2_port_t -p tcp 5665
+
 # Generate a rpm package for the newly generated policy
 pwd=$(pwd)
-rpmbuild --define "_sourcedir ${pwd}" --define "_specdir ${pwd}" --define "_builddir ${pwd}" --define "_srcrpmdir ${pwd}" --define "_rpmdir ${pwd}" --define "_buildrootdir ${pwd}/.build" -ba icinga2_selinux.spec
+#rpmbuild --define "_sourcedir ${pwd}" --define "_specdir ${pwd}" --define "_builddir ${pwd}" --define "_srcrpmdir ${pwd}" --define "_rpmdir ${pwd}" --define "_buildrootdir ${pwd}/.build" -ba icinga2_selinux.spec
diff --git a/tools/selinux/icinga2.te b/tools/selinux/icinga2.te
index 531212f88..1e36dc9a9 100644
--- a/tools/selinux/icinga2.te
+++ b/tools/selinux/icinga2.te
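Review bot: `/sbin/semanage port -a -t icinga2_port_t -p tcp 5665` is not idempotent: `-a` refuses a port that already has a mapping, so a second run of this script reports an error and, with no error handling, simply continues. Making it `/sbin/semanage port -a -t icinga2_port_t -p tcp 5665 2>/dev/null || /sbin/semanage port -m -t icinga2_port_t -p tcp 5665` covers the re-run case; since the mapping has to exist on every host that loads the module, it presumably also belongs in the package's post-install step rather than only in this build script. The two lines that were commented out rather than removed (the init.d restorecon and the rpmbuild call) would read more clearly deleted or guarded by an explicit flag.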
@@ -1,10 +1,19 @@
-policy_module(icinga2, 0.1.0)
+policy_module(icinga2, 0.1.1)
 ########################################
 #
 # Declarations
 #
+require {
+ type nagios_admin_plugin_t; type nagios_admin_plugin_exec_t;
+ type nagios_checkdisk_plugin_t; type nagios_checkdisk_plugin_exec_t;
+ type nagios_mail_plugin_t; type nagios_mail_plugin_exec_t;
+ type nagios_services_plugin_t; type nagios_services_plugin_exec_t;
+ type nagios_system_plugin_t; type nagios_system_plugin_exec_t;
+ type httpd_t;
+}
+
 type icinga2_t;
 type icinga2_exec_t;
 init_daemon_domain(icinga2_t, icinga2_exec_t)
@@ -20,11 +29,20 @@ logging_log_file(icinga2_log_t)
 type icinga2_var_lib_t;
 files_type(icinga2_var_lib_t)
+type icinga2_var_run_t;
+files_pid_file(icinga2_var_run_t)
+
 type icinga2_command_t;
 files_type(icinga2_command_t)
-type icinga2_var_run_t;
-files_pid_file(icinga2_var_run_t)
+type icinga2_spool_t;
+files_type(icinga2_spool_t)
+
+type icinga2_cache_t;
+files_type(icinga2_cache_t)
+
+type icinga2_port_t;
+corenet_port(icinga2_port_t)
 ########################################
 #
@@ -52,6 +70,12 @@ manage_dirs_pattern(icinga2_t, icinga2_command_t, icinga2_command_t)
 manage_files_pattern(icinga2_t, icinga2_command_t, icinga2_command_t)
 manage_fifo_files_pattern(icinga2_t, icinga2_command_t, icinga2_command_t)
+manage_dirs_pattern(icinga2_t, icinga2_spool_t, icinga2_spool_t)
+manage_files_pattern(icinga2_t, icinga2_spool_t, icinga2_spool_t)
+files_spool_filetrans(icinga2_t, icinga2_spool_t, { dir file })
+
+manage_dirs_pattern(icinga2_t, icinga2_cache_t, icinga2_cache_t)
+manage_files_pattern(icinga2_t, icinga2_cache_t, icinga2_cache_t)
 domain_use_interactive_fds(icinga2_t)
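Review bot: The new top-level `require { ... }` block turns nagios_*_plugin_t, their _exec_t types and httpd_t into hard dependencies of this module: loading it on a host whose policy lacks the nagios or apache modules fails outright, and it also nullifies the `optional_policy` wrapper around `icinga2_send_commands(httpd_t)` in the last hunk, because httpd_t is required unconditionally anyway. Moving each foreign-type reference into its own `optional_policy` block with a `gen_require` inside keeps the module loadable when those modules are absent; the execstrans calls and the httpd_t block from the last hunk would move into those blocks as sketched below, and the global require block goes away.
```selinux
# … unchanged: policy_module, Declarations header, icinga2 type declarations and local rules …

optional_policy(`
	gen_require(`
		type nagios_admin_plugin_t, nagios_admin_plugin_exec_t;
		type nagios_checkdisk_plugin_t, nagios_checkdisk_plugin_exec_t;
		type nagios_mail_plugin_t, nagios_mail_plugin_exec_t;
		type nagios_services_plugin_t, nagios_services_plugin_exec_t;
		type nagios_system_plugin_t, nagios_system_plugin_exec_t;
	')

	# should be moved to nagios_plugin_template in nagios.if
	icinga2_execstrans(nagios_admin_plugin_exec_t, nagios_admin_plugin_t)
	icinga2_execstrans(nagios_checkdisk_plugin_exec_t, nagios_checkdisk_plugin_t)
	icinga2_execstrans(nagios_mail_plugin_exec_t, nagios_mail_plugin_t)
	icinga2_execstrans(nagios_services_plugin_exec_t, nagios_services_plugin_t)
	icinga2_execstrans(nagios_system_plugin_exec_t, nagios_system_plugin_t)
')

optional_policy(`
	gen_require(`
		type httpd_t;
	')

	# should be a boolean in apache-policy
	icinga2_send_commands(httpd_t)
')
```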
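Review bot: `type icinga2_port_t; corenet_port(icinga2_port_t)` declares the port type, but nothing in the policy package maps TCP 5665 to it; that mapping exists only because of the `semanage port` call added to icinga2.sh in this patch, so a host that loads the module without that step keeps the port at its default label and the `name_bind` rule in the last hunk never applies. A comment beside the declaration would spare the next reader the search: `# TCP 5665 is bound to this type outside the policy: semanage port -a -t icinga2_port_t -p tcp 5665 (see icinga2.sh)`.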
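Review bot: The cache rules are incomplete compared with the spool rules just above them: spool gets `files_spool_filetrans(icinga2_t, icinga2_spool_t, { dir file })`, so a directory the daemon creates under /var/spool is labeled icinga2_spool_t, but there is no equivalent for /var/cache, so a cache directory created by icinga2_t itself (rather than by restorecon) would, as far as I can tell, inherit the parent label and the `manage_*_pattern` rules on icinga2_cache_t would not apply to it. If /var/cache carries the generic var_t label on the target policy, `files_var_filetrans(icinga2_t, icinga2_cache_t, dir, "icinga2")` next to the cache rules closes that gap; also confirm icinga2_t has search access to /var (e.g. `files_search_var(icinga2_t)`), which this hunk does not show.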
@@ -60,3 +84,23 @@ files_read_etc_files(icinga2_t)
 auth_use_nsswitch(icinga2_t)
 miscfiles_read_localization(icinga2_t)
+
+# should be moved to nagios_plugin_template in nagios.if
+icinga2_execstrans(nagios_admin_plugin_exec_t, nagios_admin_plugin_t)
+icinga2_execstrans(nagios_checkdisk_plugin_exec_t, nagios_checkdisk_plugin_t)
+icinga2_execstrans(nagios_mail_plugin_exec_t, nagios_mail_plugin_t)
+icinga2_execstrans(nagios_services_plugin_exec_t, nagios_services_plugin_t)
+icinga2_execstrans(nagios_system_plugin_exec_t, nagios_system_plugin_t)
+
+allow icinga2_t icinga2_port_t:tcp_socket name_bind;
+allow icinga2_t self:tcp_socket create_stream_socket_perms;
+
+########################################
+#
+# Icinga Webinterfaces
+#
+
+optional_policy(`
+ # should be a boolean in apache-policy
+ icinga2_send_commands(httpd_t)
+')
-- 
2.40.0
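Review bot: `allow icinga2_t icinga2_port_t:tcp_socket name_bind;` on its own does not complete a listen on 5665: the bind also needs a node permission, conventionally `corenet_tcp_bind_generic_node(icinga2_t)`, and nothing of the kind appears in this hunk (it may already exist outside it). The same port is used for connections between cluster endpoints, so if this daemon is expected to connect out to other nodes it also needs `allow icinga2_t icinga2_port_t:tcp_socket name_connect;`, which I cannot tell from the patch is in scope. Pairing the two rules with a short comment stating whether this policy covers the listening side only would make the intended scope explicit.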