From 8bd2b99c825de37c9e40bcbbf82e8dfce30b715f Mon Sep 17 00:00:00 2001
From: Dirk Goetz
Date: Wed, 25 Mar 2015 18:52:42 +0000
Subject: [PATCH] Selinux: added context to config files to provide interfaces

refs #8332
---
 tools/selinux/icinga2.fc | 2 ++
 tools/selinux/icinga2.if | 45 ++++++++++++++++++++++++++++++++++++++++
 tools/selinux/icinga2.sh | 4 ++--
 tools/selinux/icinga2.te | 6 ++++++
 4 files changed, 55 insertions(+), 2 deletions(-)

diff --git a/tools/selinux/icinga2.fc b/tools/selinux/icinga2.fc
index 33e4c7299..ef92f29b9 100644
--- a/tools/selinux/icinga2.fc
+++ b/tools/selinux/icinga2.fc
@@ -1,5 +1,7 @@
 /etc/rc\.d/init\.d/icinga2 -- gen_context(system_u:object_r:icinga2_initrc_exec_t,s0)
+/etc/icinga2(/.*)? gen_context(system_u:object_r:icinga2_etc_t,s0)
+
 /etc/icinga2/scripts(/.*)? gen_context(system_u:object_r:nagios_notification_plugin_exec_t,s0)
 /usr/sbin/icinga2 -- gen_context(system_u:object_r:icinga2_exec_t,s0)
diff --git a/tools/selinux/icinga2.if b/tools/selinux/icinga2.if
index 301464399..6c42e8af3 100644
--- a/tools/selinux/icinga2.if
+++ b/tools/selinux/icinga2.if
@@ -37,6 +37,51 @@ interface(`icinga2_initrc_domtrans',`
 init_labeled_script_domtrans($1, icinga2_initrc_exec_t)
 ')
+
+########################################
+##
+## Allow the specified domain to read
+## icinga2 configuration files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`icinga2_read_config',`
+ gen_require(`
+ type icinga2_etc_t;
+ ')
+
+ files_search_etc($1)
+ list_dirs_pattern($1, icinga2_etc_t, icinga2_etc_t)
+ read_files_pattern($1, icinga2_etc_t, icinga2_etc_t)
+')
+
+########################################
+##
+## Allow the specified domain to read
+## and write icinga2 configuration files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`icinga2_manage_config',`
+ gen_require(`
+ type icinga2_etc_t;
+ ')
+
+ files_search_etc($1)
+ manage_dirs_pattern($1, icinga2_etc_t, icinga2_etc_t)
+ manage_files_pattern($1, icinga2_etc_t, icinga2_etc_t)
+')
+
 ########################################
 ##
 ## Read icinga2's log files.
diff --git a/tools/selinux/icinga2.sh b/tools/selinux/icinga2.sh
index 81ccc55cf..6defe85b0 100755
--- a/tools/selinux/icinga2.sh
+++ b/tools/selinux/icinga2.sh
@@ -48,8 +48,8 @@ sepolicy manpage -p . -d icinga2_t
 /sbin/restorecon -F -R -v /usr/sbin/icinga2
 # Fixing the file context on /etc/rc\.d/init\.d/icinga2
 #/sbin/restorecon -F -R -v /etc/rc\.d/init\.d/icinga2
-# Fixing the file context on /etc/icinga2/scripts
-/sbin/restorecon -F -R -v /etc/icinga2/scripts
+# Fixing the file context on /etc/icinga2
+/sbin/restorecon -F -R -v /etc/icinga2
 # Fixing the file context on /var/log/icinga2
 /sbin/restorecon -F -R -v /var/log/icinga2
 # Fixing the file context on /var/lib/icinga2
diff --git a/tools/selinux/icinga2.te b/tools/selinux/icinga2.te
index 4bbcd6430..b20ff2201 100644
--- a/tools/selinux/icinga2.te
+++ b/tools/selinux/icinga2.te
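Review bot: Both new interfaces, `icinga2_read_config` and `icinga2_manage_config`, cover directories and regular files only, while the .te hunk of this same patch grants icinga2_t `read_lnk_files_pattern` on icinga2_etc_t, so the config tree is evidently expected to contain symlinks that a caller of these interfaces would still be denied on. Adding `read_lnk_files_pattern($1, icinga2_etc_t, icinga2_etc_t)` to icinga2_read_config and `manage_lnk_files_pattern($1, icinga2_etc_t, icinga2_etc_t)` to icinga2_manage_config keeps the interfaces consistent with what the daemon itself is granted. The summary of icinga2_manage_config says "read and write", but manage_dirs_pattern/manage_files_pattern also grant create, rename and unlink; "create, read, write and delete icinga2 configuration files" would describe the granted access more accurately to policy authors deciding whether to call it.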
@@ -26,6 +26,9 @@ permissive icinga2_t;
 type icinga2_initrc_exec_t;
 init_script_file(icinga2_initrc_exec_t)
+type icinga2_etc_t;
+files_config_file(icinga2_etc_t)
+
 type icinga2_log_t;
 logging_log_file(icinga2_log_t)
@@ -59,6 +62,9 @@ allow icinga2_t self:process { setsched signal setrlimit };
 allow icinga2_t self:fifo_file rw_fifo_file_perms;
 allow icinga2_t self:unix_stream_socket create_stream_socket_perms;
+read_files_pattern(icinga2_t, icinga2_etc_t, icinga2_etc_t)
+read_lnk_files_pattern(icinga2_t, icinga2_etc_t, icinga2_etc_t)
+
 manage_dirs_pattern(icinga2_t, icinga2_log_t, icinga2_log_t)
 manage_files_pattern(icinga2_t, icinga2_log_t, icinga2_log_t)
 manage_lnk_files_pattern(icinga2_t, icinga2_log_t, icinga2_log_t)
-- 
2.40.0
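Review bot: In the second hunk, `read_files_pattern(icinga2_t, icinga2_etc_t, icinga2_etc_t)` grants icinga2_t only search on icinga2_etc_t directories, not read, so if the daemon enumerates directories under the newly labelled /etc/icinga2 tree it would be denied dir listing; the `icinga2_read_config` interface added in this patch does grant callers `list_dirs_pattern`, which suggests the daemon's own rules are missing the equivalent. Adding `list_dirs_pattern(icinga2_t, icinga2_etc_t, icinga2_etc_t)` next to the two new pattern lines would close that gap. Because `permissive icinga2_t;` appears in the first hunk's header, such a denial would surface only as an AVC audit entry rather than a failure, so the audit log is the place to confirm this after deployment.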