[people/stevee/selinux-policy.git] / policy / modules / services / nagios.te

policy_module(nagios, 1.10.0)

########################################
#
# Declarations
#

type nagios_t;
type nagios_exec_t;
init_daemon_domain(nagios_t, nagios_exec_t)

type nagios_etc_t;
files_config_file(nagios_etc_t)

type nagios_initrc_exec_t;
init_script_file(nagios_initrc_exec_t)

type nagios_log_t;
logging_log_file(nagios_log_t)

type nagios_tmp_t;
files_tmp_file(nagios_tmp_t)

type nagios_var_run_t;
files_pid_file(nagios_var_run_t)

type nagios_spool_t;
files_spool_file(nagios_spool_t)

type nagios_var_lib_t;
files_type(nagios_var_lib_t)

nagios_plugin_template(admin)
nagios_plugin_template(checkdisk)
nagios_plugin_template(mail)
nagios_plugin_template(services)
nagios_plugin_template(system)
nagios_plugin_template(unconfined)

type nagios_system_plugin_tmp_t;
files_tmp_file(nagios_system_plugin_tmp_t)

type nrpe_t;
type nrpe_exec_t;
init_daemon_domain(nrpe_t, nrpe_exec_t)

type nrpe_etc_t;
files_config_file(nrpe_etc_t)

type nrpe_var_run_t;
files_pid_file(nrpe_var_run_t)

########################################
#
# Nagios local policy
#

allow nagios_t self:capability { dac_override setgid setuid };
dontaudit nagios_t self:capability sys_tty_config;
allow nagios_t self:process { setpgid signal_perms };
allow nagios_t self:fifo_file rw_file_perms;
allow nagios_t self:tcp_socket create_stream_socket_perms;
allow nagios_t self:udp_socket create_socket_perms;

read_files_pattern(nagios_t, nagios_etc_t, nagios_etc_t)
read_lnk_files_pattern(nagios_t, nagios_etc_t, nagios_etc_t)
allow nagios_t nagios_etc_t:dir list_dir_perms;

manage_files_pattern(nagios_t, nagios_log_t, nagios_log_t)
manage_fifo_files_pattern(nagios_t, nagios_log_t, nagios_log_t)
logging_log_filetrans(nagios_t, nagios_log_t, { file dir })

manage_dirs_pattern(nagios_t, nagios_tmp_t, nagios_tmp_t)
manage_files_pattern(nagios_t, nagios_tmp_t, nagios_tmp_t)
files_tmp_filetrans(nagios_t, nagios_tmp_t, { file dir })

manage_files_pattern(nagios_t, nagios_var_run_t, nagios_var_run_t)
files_pid_filetrans(nagios_t, nagios_var_run_t, file)

manage_fifo_files_pattern(nagios_t, nagios_spool_t, nagios_spool_t)
files_spool_filetrans(nagios_t, nagios_spool_t, fifo_file)

manage_files_pattern(nagios_t, nagios_var_lib_t, nagios_var_lib_t)
manage_fifo_files_pattern(nagios_t, nagios_var_lib_t, nagios_var_lib_t)
files_var_lib_filetrans(nagios_t, nagios_var_lib_t, { file dir })

kernel_read_system_state(nagios_t)
kernel_read_kernel_sysctls(nagios_t)
kernel_read_software_raid_state(nagios_t)

corecmd_exec_bin(nagios_t)
corecmd_exec_shell(nagios_t)

corenet_all_recvfrom_unlabeled(nagios_t)
corenet_all_recvfrom_netlabel(nagios_t)
corenet_tcp_sendrecv_generic_if(nagios_t)
corenet_udp_sendrecv_generic_if(nagios_t)
corenet_tcp_sendrecv_generic_node(nagios_t)
corenet_udp_sendrecv_generic_node(nagios_t)
corenet_tcp_sendrecv_all_ports(nagios_t)
corenet_udp_sendrecv_all_ports(nagios_t)
corenet_tcp_connect_all_ports(nagios_t)

corenet_dontaudit_tcp_bind_all_reserved_ports(nagios_t)
corenet_dontaudit_udp_bind_all_reserved_ports(nagios_t)

dev_read_sysfs(nagios_t)
dev_read_urand(nagios_t)

domain_use_interactive_fds(nagios_t)
# for ps
domain_read_all_domains_state(nagios_t)

files_read_etc_files(nagios_t)
files_read_etc_runtime_files(nagios_t)
files_read_kernel_symbol_table(nagios_t)
files_search_spool(nagios_t)
files_read_usr_files(nagios_t)

fs_getattr_all_fs(nagios_t)
fs_search_auto_mountpoints(nagios_t)

auth_use_nsswitch(nagios_t)

logging_send_syslog_msg(nagios_t)

miscfiles_read_localization(nagios_t)

userdom_dontaudit_use_unpriv_user_fds(nagios_t)
userdom_dontaudit_search_user_home_dirs(nagios_t)

mta_send_mail(nagios_t)
mta_signal_system_mail(nagios_t)
mta_kill_system_mail(nagios_t)

optional_policy(`
	netutils_kill_ping(nagios_t)
')

optional_policy(`
	seutil_sigchld_newrole(nagios_t)
')

optional_policy(`
	udev_read_db(nagios_t)
')

########################################
#
# Nagios CGI local policy
#

optional_policy(`
	apache_content_template(nagios)
	typealias httpd_nagios_script_t alias nagios_cgi_t;
	typealias httpd_nagios_script_exec_t alias nagios_cgi_exec_t;

	allow httpd_nagios_script_t self:process signal_perms;

	read_files_pattern(httpd_nagios_script_t, nagios_t, nagios_t)
	read_lnk_files_pattern(httpd_nagios_script_t, nagios_t, nagios_t)

	files_search_spool(httpd_nagios_script_t)
	rw_fifo_files_pattern(httpd_nagios_script_t, nagios_spool_t, nagios_spool_t)

	allow httpd_nagios_script_t nagios_etc_t:dir list_dir_perms;
	read_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_etc_t)
	read_lnk_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_etc_t)

	allow httpd_nagios_script_t nagios_log_t:dir list_dir_perms;
	read_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_log_t)
	read_lnk_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_log_t)

	kernel_read_system_state(httpd_nagios_script_t)

	domain_dontaudit_read_all_domains_state(httpd_nagios_script_t)

	files_read_etc_runtime_files(httpd_nagios_script_t)
	files_read_kernel_symbol_table(httpd_nagios_script_t)

	logging_send_syslog_msg(httpd_nagios_script_t)
')

########################################
#
# Nagios remote plugin executor local policy
#

allow nrpe_t self:capability { setuid setgid };
dontaudit nrpe_t self:capability { sys_tty_config sys_resource };
allow nrpe_t self:process { setpgid signal_perms setsched setrlimit };
allow nrpe_t self:fifo_file rw_fifo_file_perms;
allow nrpe_t self:tcp_socket create_stream_socket_perms;

read_files_pattern(nrpe_t, nrpe_etc_t, nrpe_etc_t)

domtrans_pattern(nrpe_t, nagios_checkdisk_plugin_exec_t, nagios_checkdisk_plugin_t)

read_files_pattern(nrpe_t, nagios_etc_t, nagios_etc_t)
files_search_etc(nrpe_t)

manage_files_pattern(nrpe_t, nrpe_var_run_t, nrpe_var_run_t)
files_pid_filetrans(nrpe_t, nrpe_var_run_t, file)

kernel_read_system_state(nrpe_t)
kernel_read_kernel_sysctls(nrpe_t)

corecmd_exec_bin(nrpe_t)
corecmd_exec_shell(nrpe_t)

corenet_tcp_bind_generic_node(nrpe_t)
corenet_tcp_bind_inetd_child_port(nrpe_t)
corenet_all_recvfrom_unlabeled(nrpe_t)
corenet_all_recvfrom_netlabel(nrpe_t)

dev_read_sysfs(nrpe_t)
dev_read_urand(nrpe_t)

domain_use_interactive_fds(nrpe_t)
domain_read_all_domains_state(nrpe_t)

files_read_etc_runtime_files(nrpe_t)
files_read_etc_files(nrpe_t)
files_read_usr_files(nrpe_t)

fs_getattr_all_fs(nrpe_t)
fs_search_auto_mountpoints(nrpe_t)

auth_use_nsswitch(nrpe_t)

logging_send_syslog_msg(nrpe_t)

miscfiles_read_localization(nrpe_t)

userdom_dontaudit_use_unpriv_user_fds(nrpe_t)

optional_policy(`
	inetd_tcp_service_domain(nrpe_t, nrpe_exec_t)
')

optional_policy(`
	mta_send_mail(nrpe_t)
')

optional_policy(`
	seutil_sigchld_newrole(nrpe_t)
')

optional_policy(`
	tcpd_wrapped_domain(nrpe_t, nrpe_exec_t)
')

optional_policy(`
	udev_read_db(nrpe_t)
')

#####################################
#
# local policy for admin check plugins
#

corecmd_read_bin_files(nagios_admin_plugin_t)
corecmd_read_bin_symlinks(nagios_admin_plugin_t)

dev_read_urand(nagios_admin_plugin_t)
dev_getattr_all_chr_files(nagios_admin_plugin_t)
dev_getattr_all_blk_files(nagios_admin_plugin_t)

files_read_etc_files(nagios_admin_plugin_t)
# for check_file_age plugin
files_getattr_all_dirs(nagios_admin_plugin_t)
files_getattr_all_files(nagios_admin_plugin_t)
files_getattr_all_symlinks(nagios_admin_plugin_t)
files_getattr_all_pipes(nagios_admin_plugin_t)
files_getattr_all_sockets(nagios_admin_plugin_t)
files_getattr_all_file_type_fs(nagios_admin_plugin_t)

######################################
#
# local policy for mail check plugins
#

allow nagios_mail_plugin_t self:capability { setuid setgid dac_override };
allow nagios_mail_plugin_t self:netlink_route_socket r_netlink_socket_perms;
allow nagios_mail_plugin_t self:tcp_socket create_stream_socket_perms;
allow nagios_mail_plugin_t self:udp_socket create_socket_perms;

kernel_read_kernel_sysctls(nagios_mail_plugin_t)

corecmd_read_bin_files(nagios_mail_plugin_t)
corecmd_read_bin_symlinks(nagios_mail_plugin_t)

dev_read_urand(nagios_mail_plugin_t)

files_read_etc_files(nagios_mail_plugin_t)

logging_send_syslog_msg(nagios_mail_plugin_t)

sysnet_read_config(nagios_mail_plugin_t)

optional_policy(`
	mta_send_mail(nagios_mail_plugin_t)
')

optional_policy(`
	nscd_dontaudit_search_pid(nagios_mail_plugin_t)
')

optional_policy(`
	postfix_stream_connect_master(nagios_mail_plugin_t)
	postfix_exec_postqueue(nagios_mail_plugin_t)
')

######################################
#
# local policy for disk check plugins
#

# needed by ioctl()
allow nagios_checkdisk_plugin_t self:capability { sys_admin sys_rawio };

kernel_read_software_raid_state(nagios_checkdisk_plugin_t)

files_getattr_all_dirs(nagios_checkdisk_plugin_t)
files_read_etc_runtime_files(nagios_checkdisk_plugin_t)

fs_getattr_all_fs(nagios_checkdisk_plugin_t)

storage_raw_read_fixed_disk(nagios_checkdisk_plugin_t)

#######################################
#
# local policy for service check plugins
#

allow nagios_services_plugin_t self:capability { net_bind_service net_raw };
allow nagios_services_plugin_t self:process { signal sigkill };
allow nagios_services_plugin_t self:tcp_socket create_stream_socket_perms;
allow nagios_services_plugin_t self:udp_socket create_socket_perms;

corecmd_exec_bin(nagios_services_plugin_t)

corenet_tcp_connect_all_ports(nagios_services_plugin_t)
corenet_udp_bind_dhcpc_port(nagios_services_plugin_t)

auth_use_nsswitch(nagios_services_plugin_t)

domain_read_all_domains_state(nagios_services_plugin_t)

files_read_usr_files(nagios_services_plugin_t)

optional_policy(`
	netutils_domtrans_ping(nagios_services_plugin_t)
	netutils_signal_ping(nagios_services_plugin_t)
	netutils_kill_ping(nagios_services_plugin_t)
')

optional_policy(`
	mysql_stream_connect(nagios_services_plugin_t)
')

optional_policy(`
	snmp_read_snmp_var_lib_files(nagios_services_plugin_t)
')

######################################
#
# local policy for system check plugins
#

allow nagios_system_plugin_t self:capability dac_override;
dontaudit nagios_system_plugin_t self:capability { setuid setgid };

# check_log
manage_files_pattern(nagios_system_plugin_t, nagios_system_plugin_tmp_t, nagios_system_plugin_tmp_t)
manage_dirs_pattern(nagios_system_plugin_t, nagios_system_plugin_tmp_t, nagios_system_plugin_tmp_t)
files_tmp_filetrans(nagios_system_plugin_t, nagios_system_plugin_tmp_t, { dir file })

kernel_read_kernel_sysctls(nagios_system_plugin_t)

corecmd_exec_bin(nagios_system_plugin_t)
corecmd_exec_shell(nagios_system_plugin_t)

dev_read_sysfs(nagios_system_plugin_t)
dev_read_urand(nagios_system_plugin_t)

domain_read_all_domains_state(nagios_system_plugin_t)

files_read_etc_files(nagios_system_plugin_t)

# needed by check_users plugin
optional_policy(`
	init_read_utmp(nagios_system_plugin_t)
')

########################################
#
# Unconfined plugin policy
#

optional_policy(`
	unconfined_domain(nagios_unconfined_plugin_t)
')
Commit	Line	Data
826d0142	1	policy_module(nagios, 1.10.0)
f1e604bb CP	2
	3	########################################
	4	#
	5	# Declarations
	6	#
	7
	8	type nagios_t;
	9	type nagios_exec_t;
8242f5a6	10	init_daemon_domain(nagios_t, nagios_exec_t)
f1e604bb	11
f1e604bb CP	12	type nagios_etc_t;
	13	files_config_file(nagios_etc_t)
	14
99bbe348 JS	15	type nagios_initrc_exec_t;
	16	init_script_file(nagios_initrc_exec_t)
	17
f1e604bb CP	18	type nagios_log_t;
	19	logging_log_file(nagios_log_t)
	20
	21	type nagios_tmp_t;
	22	files_tmp_file(nagios_tmp_t)
	23
	24	type nagios_var_run_t;
	25	files_pid_file(nagios_var_run_t)
	26
99bbe348	27	type nagios_spool_t;
0059652b	28	files_spool_file(nagios_spool_t)
99bbe348	29
7087b7c0 DW	30	type nagios_var_lib_t;
	31	files_type(nagios_var_lib_t)
	32
99bbe348 JS	33	nagios_plugin_template(admin)
	34	nagios_plugin_template(checkdisk)
	35	nagios_plugin_template(mail)
	36	nagios_plugin_template(services)
	37	nagios_plugin_template(system)
7934ac10	38	nagios_plugin_template(unconfined)
99bbe348 JS	39
	40	type nagios_system_plugin_tmp_t;
	41	files_tmp_file(nagios_system_plugin_tmp_t)
	42
06e27756 CP	43	type nrpe_t;
06e27756 CP	44	type nrpe_exec_t;
8242f5a6	45	init_daemon_domain(nrpe_t, nrpe_exec_t)
06e27756 CP	46
	47	type nrpe_etc_t;
	48	files_config_file(nrpe_etc_t)
	49
99bbe348 JS	50	type nrpe_var_run_t;
	51	files_pid_file(nrpe_var_run_t)
	52
f1e604bb CP	53	########################################
	54	#
	55	# Nagios local policy
	56	#
	57
	58	allow nagios_t self:capability { dac_override setgid setuid };
	59	dontaudit nagios_t self:capability sys_tty_config;
	60	allow nagios_t self:process { setpgid signal_perms };
	61	allow nagios_t self:fifo_file rw_file_perms;
	62	allow nagios_t self:tcp_socket create_stream_socket_perms;
	63	allow nagios_t self:udp_socket create_socket_perms;
	64
8242f5a6 CP	65	read_files_pattern(nagios_t, nagios_etc_t, nagios_etc_t)
8242f5a6 CP	66	read_lnk_files_pattern(nagios_t, nagios_etc_t, nagios_etc_t)
c0868a7a	67	allow nagios_t nagios_etc_t:dir list_dir_perms;
f1e604bb	68
8242f5a6 CP	69	manage_files_pattern(nagios_t, nagios_log_t, nagios_log_t)
	70	manage_fifo_files_pattern(nagios_t, nagios_log_t, nagios_log_t)
	71	logging_log_filetrans(nagios_t, nagios_log_t, { file dir })
f1e604bb	72
8242f5a6 CP	73	manage_dirs_pattern(nagios_t, nagios_tmp_t, nagios_tmp_t)
8242f5a6 CP	74	manage_files_pattern(nagios_t, nagios_tmp_t, nagios_tmp_t)
f1e604bb CP	75	files_tmp_filetrans(nagios_t, nagios_tmp_t, { file dir })
f1e604bb CP	76
8242f5a6 CP	77	manage_files_pattern(nagios_t, nagios_var_run_t, nagios_var_run_t)
8242f5a6 CP	78	files_pid_filetrans(nagios_t, nagios_var_run_t, file)
f1e604bb	79
99bbe348 JS	80	manage_fifo_files_pattern(nagios_t, nagios_spool_t, nagios_spool_t)
	81	files_spool_filetrans(nagios_t, nagios_spool_t, fifo_file)
	82
7087b7c0 DW	83	manage_files_pattern(nagios_t, nagios_var_lib_t, nagios_var_lib_t)
	84	manage_fifo_files_pattern(nagios_t, nagios_var_lib_t, nagios_var_lib_t)
	85	files_var_lib_filetrans(nagios_t, nagios_var_lib_t, { file dir })
	86
f1e604bb CP	87	kernel_read_system_state(nagios_t)
f1e604bb CP	88	kernel_read_kernel_sysctls(nagios_t)
4a7cbfd0	89	kernel_read_software_raid_state(nagios_t)
f1e604bb CP	90
	91	corecmd_exec_bin(nagios_t)
	92	corecmd_exec_shell(nagios_t)
	93
19006686 CP	94	corenet_all_recvfrom_unlabeled(nagios_t)
19006686 CP	95	corenet_all_recvfrom_netlabel(nagios_t)
f1e604bb CP	96	corenet_tcp_sendrecv_generic_if(nagios_t)
f1e604bb CP	97	corenet_udp_sendrecv_generic_if(nagios_t)
c1262146 CP	98	corenet_tcp_sendrecv_generic_node(nagios_t)
c1262146 CP	99	corenet_udp_sendrecv_generic_node(nagios_t)
f1e604bb CP	100	corenet_tcp_sendrecv_all_ports(nagios_t)
f1e604bb CP	101	corenet_udp_sendrecv_all_ports(nagios_t)
02f2c3e9	102	corenet_tcp_connect_all_ports(nagios_t)
f1e604bb	103
99bbe348 JS	104	corenet_dontaudit_tcp_bind_all_reserved_ports(nagios_t)
	105	corenet_dontaudit_udp_bind_all_reserved_ports(nagios_t)
	106
f1e604bb	107	dev_read_sysfs(nagios_t)
02f2c3e9	108	dev_read_urand(nagios_t)
f1e604bb CP	109
	110	domain_use_interactive_fds(nagios_t)
	111	# for ps
	112	domain_read_all_domains_state(nagios_t)
	113
	114	files_read_etc_files(nagios_t)
	115	files_read_etc_runtime_files(nagios_t)
	116	files_read_kernel_symbol_table(nagios_t)
99bbe348	117	files_search_spool(nagios_t)
3eaa9939	118	files_read_usr_files(nagios_t)
f1e604bb CP	119
	120	fs_getattr_all_fs(nagios_t)
	121	fs_search_auto_mountpoints(nagios_t)
	122
c0cf6e0a CP	123	auth_use_nsswitch(nagios_t)
c0cf6e0a CP	124
f1e604bb CP	125	logging_send_syslog_msg(nagios_t)
	126
	127	miscfiles_read_localization(nagios_t)
	128
f1e604bb	129	userdom_dontaudit_use_unpriv_user_fds(nagios_t)
296273a7	130	userdom_dontaudit_search_user_home_dirs(nagios_t)
f1e604bb CP	131
f1e604bb CP	132	mta_send_mail(nagios_t)
ef98a374 DW	133	mta_signal_system_mail(nagios_t)
ef98a374 DW	134	mta_kill_system_mail(nagios_t)
f1e604bb	135
f1e604bb	136	optional_policy(`
02f2c3e9	137	netutils_kill_ping(nagios_t)
f1e604bb CP	138	')
	139
	140	optional_policy(`
	141	seutil_sigchld_newrole(nagios_t)
	142	')
	143
	144	optional_policy(`
	145	udev_read_db(nagios_t)
	146	')
	147
f1e604bb CP	148	########################################
	149	#
	150	# Nagios CGI local policy
	151	#
68ac47d8	152
7934ac10 CP	153	optional_policy(`
	154	apache_content_template(nagios)
	155	typealias httpd_nagios_script_t alias nagios_cgi_t;
	156	typealias httpd_nagios_script_exec_t alias nagios_cgi_exec_t;
f1e604bb	157
7934ac10	158	allow httpd_nagios_script_t self:process signal_perms;
f1e604bb	159
7934ac10 CP	160	read_files_pattern(httpd_nagios_script_t, nagios_t, nagios_t)
7934ac10 CP	161	read_lnk_files_pattern(httpd_nagios_script_t, nagios_t, nagios_t)
f1e604bb	162
7934ac10 CP	163	files_search_spool(httpd_nagios_script_t)
7934ac10 CP	164	rw_fifo_files_pattern(httpd_nagios_script_t, nagios_spool_t, nagios_spool_t)
f1e604bb	165
7934ac10 CP	166	allow httpd_nagios_script_t nagios_etc_t:dir list_dir_perms;
	167	read_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_etc_t)
	168	read_lnk_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_etc_t)
f1e604bb	169
7934ac10 CP	170	allow httpd_nagios_script_t nagios_log_t:dir list_dir_perms;
	171	read_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_log_t)
	172	read_lnk_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_log_t)
f1e604bb	173
7934ac10	174	kernel_read_system_state(httpd_nagios_script_t)
f1e604bb	175
7934ac10	176	domain_dontaudit_read_all_domains_state(httpd_nagios_script_t)
f1e604bb	177
7934ac10 CP	178	files_read_etc_runtime_files(httpd_nagios_script_t)
7934ac10 CP	179	files_read_kernel_symbol_table(httpd_nagios_script_t)
f1e604bb	180
7934ac10 CP	181	logging_send_syslog_msg(httpd_nagios_script_t)
7934ac10 CP	182	')
06e27756 CP	183
	184	########################################
	185	#
	186	# Nagios remote plugin executor local policy
	187	#
	188
99bbe348	189	allow nrpe_t self:capability { setuid setgid };
18f2a72d	190	dontaudit nrpe_t self:capability { sys_tty_config sys_resource };
99bbe348	191	allow nrpe_t self:process { setpgid signal_perms setsched setrlimit };
c0868a7a	192	allow nrpe_t self:fifo_file rw_fifo_file_perms;
99bbe348	193	allow nrpe_t self:tcp_socket create_stream_socket_perms;
06e27756	194
2a3cbbc0 DW	195	read_files_pattern(nrpe_t, nrpe_etc_t, nrpe_etc_t)
2a3cbbc0 DW	196
99bbe348 JS	197	domtrans_pattern(nrpe_t, nagios_checkdisk_plugin_exec_t, nagios_checkdisk_plugin_t)
	198
	199	read_files_pattern(nrpe_t, nagios_etc_t, nagios_etc_t)
06e27756 CP	200	files_search_etc(nrpe_t)
06e27756 CP	201
99bbe348 JS	202	manage_files_pattern(nrpe_t, nrpe_var_run_t, nrpe_var_run_t)
99bbe348 JS	203	files_pid_filetrans(nrpe_t, nrpe_var_run_t, file)
99bbe348	204
06e27756 CP	205	kernel_read_system_state(nrpe_t)
	206	kernel_read_kernel_sysctls(nrpe_t)
	207
	208	corecmd_exec_bin(nrpe_t)
	209	corecmd_exec_shell(nrpe_t)
06e27756	210
99bbe348 JS	211	corenet_tcp_bind_generic_node(nrpe_t)
99bbe348 JS	212	corenet_tcp_bind_inetd_child_port(nrpe_t)
a971b6ec DW	213	corenet_all_recvfrom_unlabeled(nrpe_t)
a971b6ec DW	214	corenet_all_recvfrom_netlabel(nrpe_t)
99bbe348	215
06e27756 CP	216	dev_read_sysfs(nrpe_t)
	217	dev_read_urand(nrpe_t)
	218
	219	domain_use_interactive_fds(nrpe_t)
99bbe348	220	domain_read_all_domains_state(nrpe_t)
06e27756 CP	221
06e27756 CP	222	files_read_etc_runtime_files(nrpe_t)
7934ac10	223	files_read_etc_files(nrpe_t)
382acd84	224	files_read_usr_files(nrpe_t)
06e27756	225
99bbe348	226	fs_getattr_all_fs(nrpe_t)
06e27756 CP	227	fs_search_auto_mountpoints(nrpe_t)
06e27756 CP	228
99bbe348 JS	229	auth_use_nsswitch(nrpe_t)
99bbe348 JS	230
06e27756 CP	231	logging_send_syslog_msg(nrpe_t)
	232
	233	miscfiles_read_localization(nrpe_t)
	234
	235	userdom_dontaudit_use_unpriv_user_fds(nrpe_t)
	236
06e27756	237	optional_policy(`
8242f5a6	238	inetd_tcp_service_domain(nrpe_t, nrpe_exec_t)
06e27756 CP	239	')
06e27756 CP	240
99bbe348 JS	241	optional_policy(`
	242	mta_send_mail(nrpe_t)
	243	')
	244
06e27756	245	optional_policy(`
6073ea1e	246	seutil_sigchld_newrole(nrpe_t)
06e27756 CP	247	')
06e27756 CP	248
8242f5a6 CP	249	optional_policy(`
	250	tcpd_wrapped_domain(nrpe_t, nrpe_exec_t)
	251	')
	252
06e27756	253	optional_policy(`
6073ea1e	254	udev_read_db(nrpe_t)
06e27756	255	')
99bbe348 JS	256
	257	#####################################
	258	#
	259	# local policy for admin check plugins
	260	#
	261
	262	corecmd_read_bin_files(nagios_admin_plugin_t)
	263	corecmd_read_bin_symlinks(nagios_admin_plugin_t)
	264
	265	dev_read_urand(nagios_admin_plugin_t)
7934ac10 CP	266	dev_getattr_all_chr_files(nagios_admin_plugin_t)
7934ac10 CP	267	dev_getattr_all_blk_files(nagios_admin_plugin_t)
99bbe348 JS	268
99bbe348 JS	269	files_read_etc_files(nagios_admin_plugin_t)
99bbe348 JS	270	# for check_file_age plugin
	271	files_getattr_all_dirs(nagios_admin_plugin_t)
	272	files_getattr_all_files(nagios_admin_plugin_t)
	273	files_getattr_all_symlinks(nagios_admin_plugin_t)
	274	files_getattr_all_pipes(nagios_admin_plugin_t)
	275	files_getattr_all_sockets(nagios_admin_plugin_t)
	276	files_getattr_all_file_type_fs(nagios_admin_plugin_t)
99bbe348 JS	277
	278	######################################
	279	#
	280	# local policy for mail check plugins
	281	#
	282
	283	allow nagios_mail_plugin_t self:capability { setuid setgid dac_override };
99bbe348 JS	284	allow nagios_mail_plugin_t self:netlink_route_socket r_netlink_socket_perms;
	285	allow nagios_mail_plugin_t self:tcp_socket create_stream_socket_perms;
	286	allow nagios_mail_plugin_t self:udp_socket create_socket_perms;
	287
99bbe348 JS	288	kernel_read_kernel_sysctls(nagios_mail_plugin_t)
	289
	290	corecmd_read_bin_files(nagios_mail_plugin_t)
	291	corecmd_read_bin_symlinks(nagios_mail_plugin_t)
	292
	293	dev_read_urand(nagios_mail_plugin_t)
	294
	295	files_read_etc_files(nagios_mail_plugin_t)
	296
	297	logging_send_syslog_msg(nagios_mail_plugin_t)
	298
	299	sysnet_read_config(nagios_mail_plugin_t)
	300
99bbe348 JS	301	optional_policy(`
	302	mta_send_mail(nagios_mail_plugin_t)
	303	')
	304
7934ac10 CP	305	optional_policy(`
	306	nscd_dontaudit_search_pid(nagios_mail_plugin_t)
	307	')
	308
99bbe348 JS	309	optional_policy(`
99bbe348 JS	310	postfix_stream_connect_master(nagios_mail_plugin_t)
48e3b84f	311	postfix_exec_postqueue(nagios_mail_plugin_t)
99bbe348 JS	312	')
	313
	314	######################################
	315	#
	316	# local policy for disk check plugins
	317	#
	318
	319	# needed by ioctl()
	320	allow nagios_checkdisk_plugin_t self:capability { sys_admin sys_rawio };
	321
ceacf954 MG	322	kernel_read_software_raid_state(nagios_checkdisk_plugin_t)
ceacf954 MG	323
de863bab	324	files_getattr_all_dirs(nagios_checkdisk_plugin_t)
99bbe348 JS	325	files_read_etc_runtime_files(nagios_checkdisk_plugin_t)
	326
	327	fs_getattr_all_fs(nagios_checkdisk_plugin_t)
	328
	329	storage_raw_read_fixed_disk(nagios_checkdisk_plugin_t)
	330
	331	#######################################
	332	#
	333	# local policy for service check plugins
	334	#
7934ac10	335
99bbe348 JS	336	allow nagios_services_plugin_t self:capability { net_bind_service net_raw };
99bbe348 JS	337	allow nagios_services_plugin_t self:process { signal sigkill };
99bbe348 JS	338	allow nagios_services_plugin_t self:tcp_socket create_stream_socket_perms;
	339	allow nagios_services_plugin_t self:udp_socket create_socket_perms;
	340
	341	corecmd_exec_bin(nagios_services_plugin_t)
	342
	343	corenet_tcp_connect_all_ports(nagios_services_plugin_t)
	344	corenet_udp_bind_dhcpc_port(nagios_services_plugin_t)
	345
	346	auth_use_nsswitch(nagios_services_plugin_t)
	347
	348	domain_read_all_domains_state(nagios_services_plugin_t)
	349
	350	files_read_usr_files(nagios_services_plugin_t)
	351
	352	optional_policy(`
	353	netutils_domtrans_ping(nagios_services_plugin_t)
3eaa9939 DW	354	netutils_signal_ping(nagios_services_plugin_t)
3eaa9939 DW	355	netutils_kill_ping(nagios_services_plugin_t)
99bbe348 JS	356	')
	357
	358	optional_policy(`
	359	mysql_stream_connect(nagios_services_plugin_t)
	360	')
	361
	362	optional_policy(`
	363	snmp_read_snmp_var_lib_files(nagios_services_plugin_t)
	364	')
	365
	366	######################################
	367	#
	368	# local policy for system check plugins
	369	#
	370
	371	allow nagios_system_plugin_t self:capability dac_override;
	372	dontaudit nagios_system_plugin_t self:capability { setuid setgid };
	373
	374	# check_log
	375	manage_files_pattern(nagios_system_plugin_t, nagios_system_plugin_tmp_t, nagios_system_plugin_tmp_t)
	376	manage_dirs_pattern(nagios_system_plugin_t, nagios_system_plugin_tmp_t, nagios_system_plugin_tmp_t)
	377	files_tmp_filetrans(nagios_system_plugin_t, nagios_system_plugin_tmp_t, { dir file })
	378
99bbe348 JS	379	kernel_read_kernel_sysctls(nagios_system_plugin_t)
99bbe348 JS	380
7934ac10 CP	381	corecmd_exec_bin(nagios_system_plugin_t)
7934ac10 CP	382	corecmd_exec_shell(nagios_system_plugin_t)
99bbe348 JS	383
	384	dev_read_sysfs(nagios_system_plugin_t)
	385	dev_read_urand(nagios_system_plugin_t)
	386
	387	domain_read_all_domains_state(nagios_system_plugin_t)
	388
7934ac10 CP	389	files_read_etc_files(nagios_system_plugin_t)
7934ac10 CP	390
99bbe348 JS	391	# needed by check_users plugin
	392	optional_policy(`
	393	init_read_utmp(nagios_system_plugin_t)
	394	')
7934ac10 CP	395
	396	########################################
	397	#
	398	# Unconfined plugin policy
	399	#
	400
	401	optional_policy(`
	402	unconfined_domain(nagios_unconfined_plugin_t)
	403	')