From 7d29a26d99b9546045b591fb4cb81ea2ba9f3092 Mon Sep 17 00:00:00 2001 From: Dirk Goetz Date: Wed, 25 Mar 2015 21:00:53 +0000 Subject: [PATCH] Selinux: added role and some required changes refs #8332 --- tools/selinux/icinga2.fc | 2 ++ tools/selinux/icinga2.if | 57 ++++++++++++++++++++++++++++++++++++++++ tools/selinux/icinga2.sh | 2 ++ tools/selinux/icinga2.te | 20 ++++++++++++++ 4 files changed, 81 insertions(+) diff --git a/tools/selinux/icinga2.fc b/tools/selinux/icinga2.fc index ef92f29b9..761e38b08 100644 --- a/tools/selinux/icinga2.fc +++ b/tools/selinux/icinga2.fc @@ -1,5 +1,7 @@ /etc/rc\.d/init\.d/icinga2 -- gen_context(system_u:object_r:icinga2_initrc_exec_t,s0) +/usr/lib/systemd/system/icinga2.* -- gen_context(system_u:object_r:icinga2_unit_file_t,s0) + /etc/icinga2(/.*)? gen_context(system_u:object_r:icinga2_etc_t,s0) /etc/icinga2/scripts(/.*)? gen_context(system_u:object_r:nagios_notification_plugin_exec_t,s0) diff --git a/tools/selinux/icinga2.if b/tools/selinux/icinga2.if index 6c42e8af3..ef1df784f 100644 --- a/tools/selinux/icinga2.if +++ b/tools/selinux/icinga2.if @@ -38,6 +38,30 @@ interface(`icinga2_initrc_domtrans',` init_labeled_script_domtrans($1, icinga2_initrc_exec_t) ') +######################################## +## +## Execute icinga2 daemon in the icinga2 domain. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`icinga2_systemctl',` + gen_require(` + type icinga2_t; + type icinga2_unit_file_t; + ') + + systemd_exec_systemctl($1) + allow $1 icinga2_unit_file_t:file read_file_perms; + allow $1 icinga2_unit_file_t:service manage_service_perms; + + ps_process_pattern($1, icinga2_t) + init_dbus_chat($1) +') + ######################################## ## ## Allow the specified domain to read 
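Review bot: The added file-context pattern `/usr/lib/systemd/system/icinga2.*` leaves the `.` unescaped, so as a regex it matches any regular file whose name merely starts with `icinga2`, whereas the existing entry on the previous line escapes its dots (`/etc/rc\.d/init\.d/icinga2`). If only the service unit is shipped, `/usr/lib/systemd/system/icinga2\.service -- gen_context(system_u:object_r:icinga2_unit_file_t,s0)` is the tighter label; if several icinga2 units exist, bounding the suffix (e.g. `icinga2[^/]*\.service`, constructed) still avoids labeling unrelated files. The width of this pattern matters because the new icinga2_systemctl interface grants service management on everything that carries icinga2_unit_file_t.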
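Review bot: The summary of the new `icinga2_systemctl` interface, `## Execute icinga2 daemon in the icinga2 domain.`, is copied from the domtrans interface just above it and does not describe what this interface grants: systemctl execution plus read_file_perms and manage_service_perms on icinga2_unit_file_t, ps_process_pattern on icinga2_t, and init_dbus_chat. Suggest `## Execute systemctl in the caller domain to manage the icinga2 service.` for the summary and `## Domain allowed access.` for the parameter, since no domain transition happens here. A short why-comment on the `init_dbus_chat($1)` line (presumably required for systemctl to reach init over D-Bus) would also help, as it is the least obvious grant in the block.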
@@ -256,11 +280,24 @@ interface(`icinga2_admin',` role_transition $2 icinga2_initrc_exec_t system_r; allow $2 system_r; + files_list_etc($1) + admin_pattern($1, icinga2_etc_t) + logging_search_logs($1) admin_pattern($1, icinga2_log_t) files_search_var_lib($1) admin_pattern($1, icinga2_var_lib_t) + + admin_pattern($1, icinga2_var_run_t) + admin_pattern($1, icinga2_command_t) + admin_pattern($1, icinga2_spool_t) + admin_pattern($1, icinga2_cache_t) + + icinga2_systemctl($1) + admin_pattern($1, icinga2_unit_file_t) + allow $1 icinga2_unit_file_t:service all_service_perms; + optional_policy(` systemd_passwd_agent_exec($1) systemd_read_fifo_file_passwd_run($1) @@ -329,3 +366,23 @@ interface(`icinga2_dontaudit_leaks_fifo',` dontaudit $1 icinga2_t:fifo_file write; ') +## Icinga2 administrator role. + +######################################## +## +## Change to the Icinga2 administrator role. +## +## +## +## Role allowed access. +## +## +## +# +interface(`icinga2adm_role_change',` + gen_require(` + role icinga2adm_r; + ') + + allow $1 icinga2adm_r; +') diff --git a/tools/selinux/icinga2.sh b/tools/selinux/icinga2.sh index 6defe85b0..3745e4505 100755 --- a/tools/selinux/icinga2.sh +++ b/tools/selinux/icinga2.sh @@ -48,6 +48,8 @@ sepolicy manpage -p . -d icinga2_t /sbin/restorecon -F -R -v /usr/sbin/icinga2 # Fixing the file context on /etc/rc\.d/init\.d/icinga2 #/sbin/restorecon -F -R -v /etc/rc\.d/init\.d/icinga2 +# Fixing the file context on /usr/lib/systemd/system/icinga2.* +/sbin/restorecon -F -R -v /usr/lib/systemd/system/icinga2.* # Fixing the file context on /etc/icinga2 /sbin/restorecon -F -R -v /etc/icinga2 # Fixing the file context on /var/log/icinga2 diff --git a/tools/selinux/icinga2.te b/tools/selinux/icinga2.te index b20ff2201..7e5a4eb25 100644 --- a/tools/selinux/icinga2.te +++ b/tools/selinux/icinga2.te 
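Review bot: `allow $1 icinga2_unit_file_t:service all_service_perms;` is added directly after `icinga2_systemctl($1)`, which already grants manage_service_perms on the same type, so the two lines overlap and the explicit allow is what actually decides how far the admin may go with the unit (all_service_perms is the wider set in refpolicy as far as I recall; verify against the local obj_perm_sets). Either drop the explicit allow and rely on the interface, or keep it and add `# admin may also enable/disable the unit, beyond what icinga2_systemctl grants` so the widening reads as intentional. Separately, `admin_pattern($1, icinga2_etc_t)` does not reach /etc/icinga2/scripts, which icinga2.fc labels nagios_notification_plugin_exec_t, so editing notification scripts would need a grant on that type if it is in scope for this role. The icinga2_admin interface starts before and continues after this hunk.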
@@ -15,6 +15,7 @@ require { type nagios_eventhandler_plugin_t; type nagios_eventhandler_plugin_exec_t; type nagios_openshift_plugin_t; type nagios_openshift_plugin_exec_t; type httpd_t; type system_mail_t; + role staff_r; } type icinga2_t; @@ -26,6 +27,9 @@ permissive icinga2_t; type icinga2_initrc_exec_t; init_script_file(icinga2_initrc_exec_t) +type icinga2_unit_file_t; +systemd_unit_file(icinga2_unit_file_t) + type icinga2_etc_t; files_config_file(icinga2_etc_t) @@ -62,6 +66,7 @@ allow icinga2_t self:process { setsched signal setrlimit }; allow icinga2_t self:fifo_file rw_fifo_file_perms; allow icinga2_t self:unix_stream_socket create_stream_socket_perms; +list_dirs_pattern(icinga2_t, icinga2_etc_t, icinga2_etc_t) read_files_pattern(icinga2_t, icinga2_etc_t, icinga2_etc_t) read_lnk_files_pattern(icinga2_t, icinga2_etc_t, icinga2_etc_t) @@ -152,3 +157,18 @@ optional_policy(` # should be a boolean in apache-policy icinga2_send_commands(httpd_t) ') + +######################################## +# +# Icinga2 Admin Role +# + +userdom_unpriv_user_template(icinga2adm) + +icinga2_admin(icinga2adm_t, icinga2adm_r) + +allow icinga2adm_t self:capability { dac_read_search dac_override }; + +# should be moved to staff.te +icinga2adm_role_change(staff_r) + -- 2.40.0
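Review bot: `allow icinga2adm_t self:capability { dac_read_search dac_override };` gives the new admin domain, which userdom_unpriv_user_template builds as a full login user domain, the capability that bypasses every DAC permission check, and nothing in the hunk says why it is needed. dac_read_search alone covers reading and searching root-owned configuration and logs; if write access to another uid's files is not actually required, `allow icinga2adm_t self:capability dac_read_search;` is the least-privilege choice, and if dac_override is really needed it deserves a comment naming the operation that fails without it. The `# should be moved to staff.te` comment above `icinga2adm_role_change(staff_r)` is a TODO that the `role staff_r;` require in the first hunk exists solely to support; referencing the tracking issue from the subject (refs #8332) in that comment would keep the follow-up visible.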