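policy_module(nagios, 1.10.0)

########################################
#
# Declarations
#
# Domains defined here: the nagios daemon (nagios_t), the NRPE remote
# plugin executor (nrpe_t), the CGI domain derived from apache's content
# template, and one domain per plugin class created by
# nagios_plugin_template() (nagios_<name>_plugin_t / _exec_t, in nagios.if).
#

type nagios_t;
type nagios_exec_t;
init_daemon_domain(nagios_t, nagios_exec_t)

type nagios_etc_t;
files_config_file(nagios_etc_t)

type nagios_initrc_exec_t;
init_script_file(nagios_initrc_exec_t)

type nagios_log_t;
logging_log_file(nagios_log_t)

type nagios_tmp_t;
files_tmp_file(nagios_tmp_t)

type nagios_var_run_t;
files_pid_file(nagios_var_run_t)

type nagios_spool_t;
files_spool_file(nagios_spool_t)

type nagios_var_lib_t;
files_type(nagios_var_lib_t)

# Each template call creates a separate plugin domain so that a plugin
# class only gets the rules of its own section below.
nagios_plugin_template(admin)
nagios_plugin_template(checkdisk)
nagios_plugin_template(mail)
nagios_plugin_template(services)
nagios_plugin_template(system)
nagios_plugin_template(unconfined)

type nagios_system_plugin_tmp_t;
files_tmp_file(nagios_system_plugin_tmp_t)

type nrpe_t;
type nrpe_exec_t;
init_daemon_domain(nrpe_t, nrpe_exec_t)

type nrpe_etc_t;
files_config_file(nrpe_etc_t)

type nrpe_var_run_t;
files_pid_file(nrpe_var_run_t)

########################################
#
# Nagios local policy
#

# dac_override/setgid/setuid: the daemon starts as root and drops to the
# nagios user; dac_override lets it handle files owned by other users.
allow nagios_t self:capability { dac_override setgid setuid };
dontaudit nagios_t self:capability sys_tty_config;
allow nagios_t self:process { setpgid signal_perms };
# rw_fifo_file_perms is the same permission set as the former
# rw_file_perms, spelled the way the nrpe_t rule below spells it.
allow nagios_t self:fifo_file rw_fifo_file_perms;
allow nagios_t self:tcp_socket create_stream_socket_perms;
allow nagios_t self:udp_socket create_socket_perms;

# Configuration is read-only for the daemon.
read_files_pattern(nagios_t, nagios_etc_t, nagios_etc_t)
read_lnk_files_pattern(nagios_t, nagios_etc_t, nagios_etc_t)
allow nagios_t nagios_etc_t:dir list_dir_perms;

manage_files_pattern(nagios_t, nagios_log_t, nagios_log_t)
manage_fifo_files_pattern(nagios_t, nagios_log_t, nagios_log_t)
logging_log_filetrans(nagios_t, nagios_log_t, { file dir })

manage_dirs_pattern(nagios_t, nagios_tmp_t, nagios_tmp_t)
manage_files_pattern(nagios_t, nagios_tmp_t, nagios_tmp_t)
files_tmp_filetrans(nagios_t, nagios_tmp_t, { file dir })

manage_files_pattern(nagios_t, nagios_var_run_t, nagios_var_run_t)
files_pid_filetrans(nagios_t, nagios_var_run_t, file)

# The spool holds the command fifo that the CGIs write to (see the CGI
# section), so only fifo files transition here.
manage_fifo_files_pattern(nagios_t, nagios_spool_t, nagios_spool_t)
files_spool_filetrans(nagios_t, nagios_spool_t, fifo_file)

manage_files_pattern(nagios_t, nagios_var_lib_t, nagios_var_lib_t)
manage_fifo_files_pattern(nagios_t, nagios_var_lib_t, nagios_var_lib_t)
files_var_lib_filetrans(nagios_t, nagios_var_lib_t, { file dir })

kernel_read_system_state(nagios_t)
kernel_read_kernel_sysctls(nagios_t)
kernel_read_software_raid_state(nagios_t)

# Checks are external programs; this is what makes the plugin domains
# (and their domain transitions, defined in nagios.if) reachable.
corecmd_exec_bin(nagios_t)
corecmd_exec_shell(nagios_t)

corenet_all_recvfrom_unlabeled(nagios_t)
corenet_all_recvfrom_netlabel(nagios_t)
corenet_tcp_sendrecv_generic_if(nagios_t)
corenet_udp_sendrecv_generic_if(nagios_t)
corenet_tcp_sendrecv_generic_node(nagios_t)
corenet_udp_sendrecv_generic_node(nagios_t)
# Monitored services live on arbitrary ports, hence the all-ports grants.
# Note the breadth: the daemon itself can connect anywhere, not only
# through the services plugin domain.
corenet_tcp_sendrecv_all_ports(nagios_t)
corenet_udp_sendrecv_all_ports(nagios_t)
corenet_tcp_connect_all_ports(nagios_t)

corenet_dontaudit_tcp_bind_all_reserved_ports(nagios_t)
corenet_dontaudit_udp_bind_all_reserved_ports(nagios_t)

dev_read_sysfs(nagios_t)
dev_read_urand(nagios_t)

domain_use_interactive_fds(nagios_t)
# for ps
domain_read_all_domains_state(nagios_t)

files_read_etc_files(nagios_t)
files_read_etc_runtime_files(nagios_t)
files_read_kernel_symbol_table(nagios_t)
files_search_spool(nagios_t)
files_read_usr_files(nagios_t)

fs_getattr_all_fs(nagios_t)
fs_search_auto_mountpoints(nagios_t)

auth_use_nsswitch(nagios_t)

logging_send_syslog_msg(nagios_t)

miscfiles_read_localization(nagios_t)

userdom_dontaudit_use_unpriv_user_fds(nagios_t)
userdom_dontaudit_search_user_home_dirs(nagios_t)

# Notifications go out through the system MTA.
mta_send_mail(nagios_t)
mta_signal_system_mail(nagios_t)
mta_kill_system_mail(nagios_t)

optional_policy(`
	netutils_kill_ping(nagios_t)
')

optional_policy(`
	seutil_sigchld_newrole(nagios_t)
')

optional_policy(`
	udev_read_db(nagios_t)
')

########################################
#
# Nagios CGI local policy
#
# The CGIs run under apache in httpd_nagios_script_t; everything they may
# touch in the daemon's data is listed here and is read-only except for
# the command fifo in the spool.
#

optional_policy(`
	apache_content_template(nagios)
	typealias httpd_nagios_script_t alias nagios_cgi_t;
	typealias httpd_nagios_script_exec_t alias nagios_cgi_exec_t;

	allow httpd_nagios_script_t self:process signal_perms;

	# nagios_t as a file type matches the daemon's /proc/<pid> entries;
	# presumably the status CGIs use this to see whether nagios is running.
	read_files_pattern(httpd_nagios_script_t, nagios_t, nagios_t)
	read_lnk_files_pattern(httpd_nagios_script_t, nagios_t, nagios_t)

	# The command fifo is the only write path from the web UI into the
	# daemon; the CGIs get read/write on the fifo but cannot create or
	# remove spool entries.
	files_search_spool(httpd_nagios_script_t)
	rw_fifo_files_pattern(httpd_nagios_script_t, nagios_spool_t, nagios_spool_t)

	allow httpd_nagios_script_t nagios_etc_t:dir list_dir_perms;
	read_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_etc_t)
	read_lnk_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_etc_t)

	# Log files are read from directories labeled nagios_log_t. The
	# directory argument used to be nagios_etc_t, which did not match the
	# list_dir_perms grant on nagios_log_t directories above and left the
	# log-reading CGIs unable to open files under the log directory.
	allow httpd_nagios_script_t nagios_log_t:dir list_dir_perms;
	read_files_pattern(httpd_nagios_script_t, nagios_log_t, nagios_log_t)
	read_lnk_files_pattern(httpd_nagios_script_t, nagios_log_t, nagios_log_t)

	kernel_read_system_state(httpd_nagios_script_t)

	domain_dontaudit_read_all_domains_state(httpd_nagios_script_t)

	files_read_etc_runtime_files(httpd_nagios_script_t)
	files_read_kernel_symbol_table(httpd_nagios_script_t)

	logging_send_syslog_msg(httpd_nagios_script_t)
')

########################################
#
# Nagios remote plugin executor local policy
#
# nrpe_t accepts check requests over TCP (inetd or standalone) and runs
# plugins locally. The only domain transition written in this file is to
# the disk-check plugin; transitions for the other plugin domains, if any,
# come from nagios_plugin_template() in nagios.if.
#

allow nrpe_t self:capability { setuid setgid };
dontaudit nrpe_t self:capability { sys_tty_config sys_resource };
allow nrpe_t self:process { setpgid signal_perms setsched setrlimit };
allow nrpe_t self:fifo_file rw_fifo_file_perms;
allow nrpe_t self:tcp_socket create_stream_socket_perms;

read_files_pattern(nrpe_t, nrpe_etc_t, nrpe_etc_t)

domtrans_pattern(nrpe_t, nagios_checkdisk_plugin_exec_t, nagios_checkdisk_plugin_t)

read_files_pattern(nrpe_t, nagios_etc_t, nagios_etc_t)
files_search_etc(nrpe_t)

manage_files_pattern(nrpe_t, nrpe_var_run_t, nrpe_var_run_t)
files_pid_filetrans(nrpe_t, nrpe_var_run_t, file)

kernel_read_system_state(nrpe_t)
kernel_read_kernel_sysctls(nrpe_t)

corecmd_exec_bin(nrpe_t)
corecmd_exec_shell(nrpe_t)

corenet_tcp_bind_generic_node(nrpe_t)
corenet_tcp_bind_inetd_child_port(nrpe_t)
corenet_all_recvfrom_unlabeled(nrpe_t)
corenet_all_recvfrom_netlabel(nrpe_t)

dev_read_sysfs(nrpe_t)
dev_read_urand(nrpe_t)

domain_use_interactive_fds(nrpe_t)
domain_read_all_domains_state(nrpe_t)

files_read_etc_runtime_files(nrpe_t)
files_read_etc_files(nrpe_t)
files_read_usr_files(nrpe_t)

fs_getattr_all_fs(nrpe_t)
fs_search_auto_mountpoints(nrpe_t)

auth_use_nsswitch(nrpe_t)

logging_send_syslog_msg(nrpe_t)

miscfiles_read_localization(nrpe_t)

userdom_dontaudit_use_unpriv_user_fds(nrpe_t)

optional_policy(`
	inetd_tcp_service_domain(nrpe_t, nrpe_exec_t)
')

optional_policy(`
	mta_send_mail(nrpe_t)
')

optional_policy(`
	seutil_sigchld_newrole(nrpe_t)
')

# Lets tcp_wrappers host-based filtering apply in front of nrpe.
optional_policy(`
	tcpd_wrapped_domain(nrpe_t, nrpe_exec_t)
')

optional_policy(`
	udev_read_db(nrpe_t)
')

#####################################
#
# local policy for admin check plugins
#

corecmd_read_bin_files(nagios_admin_plugin_t)
corecmd_read_bin_symlinks(nagios_admin_plugin_t)

dev_read_urand(nagios_admin_plugin_t)
dev_getattr_all_chr_files(nagios_admin_plugin_t)
dev_getattr_all_blk_files(nagios_admin_plugin_t)

files_read_etc_files(nagios_admin_plugin_t)
# for check_file_age plugin: getattr (stat) only, no read on the contents
files_getattr_all_dirs(nagios_admin_plugin_t)
files_getattr_all_files(nagios_admin_plugin_t)
files_getattr_all_symlinks(nagios_admin_plugin_t)
files_getattr_all_pipes(nagios_admin_plugin_t)
files_getattr_all_sockets(nagios_admin_plugin_t)
files_getattr_all_file_type_fs(nagios_admin_plugin_t)

######################################
#
# local policy for mail check plugins
#

allow nagios_mail_plugin_t self:capability { setuid setgid dac_override };
allow nagios_mail_plugin_t self:netlink_route_socket r_netlink_socket_perms;
allow nagios_mail_plugin_t self:tcp_socket create_stream_socket_perms;
allow nagios_mail_plugin_t self:udp_socket create_socket_perms;

kernel_read_kernel_sysctls(nagios_mail_plugin_t)

corecmd_read_bin_files(nagios_mail_plugin_t)
corecmd_read_bin_symlinks(nagios_mail_plugin_t)

dev_read_urand(nagios_mail_plugin_t)

files_read_etc_files(nagios_mail_plugin_t)

logging_send_syslog_msg(nagios_mail_plugin_t)

sysnet_read_config(nagios_mail_plugin_t)

optional_policy(`
	mta_send_mail(nagios_mail_plugin_t)
')

optional_policy(`
	nscd_dontaudit_search_pid(nagios_mail_plugin_t)
')

optional_policy(`
	postfix_stream_connect_master(nagios_mail_plugin_t)
	postfix_exec_postqueue(nagios_mail_plugin_t)
')

######################################
#
# local policy for disk check plugins
#
# This domain can read fixed disks directly (raw device access plus
# sys_rawio), i.e. it can see any data on the disk regardless of file
# labels. Only disk-check binaries should be labeled into it.
#

# needed by ioctl()
allow nagios_checkdisk_plugin_t self:capability { sys_admin sys_rawio };

kernel_read_software_raid_state(nagios_checkdisk_plugin_t)

files_getattr_all_dirs(nagios_checkdisk_plugin_t)
files_read_etc_runtime_files(nagios_checkdisk_plugin_t)

fs_getattr_all_fs(nagios_checkdisk_plugin_t)

storage_raw_read_fixed_disk(nagios_checkdisk_plugin_t)

#######################################
#
# local policy for service check plugins
#

# net_raw for ICMP-style probes, net_bind_service for checks that bind a
# privileged local port (see the dhcpc port rule below).
allow nagios_services_plugin_t self:capability { net_bind_service net_raw };
allow nagios_services_plugin_t self:process { signal sigkill };
allow nagios_services_plugin_t self:tcp_socket create_stream_socket_perms;
allow nagios_services_plugin_t self:udp_socket create_socket_perms;

corecmd_exec_bin(nagios_services_plugin_t)

corenet_tcp_connect_all_ports(nagios_services_plugin_t)
corenet_udp_bind_dhcpc_port(nagios_services_plugin_t)

auth_use_nsswitch(nagios_services_plugin_t)

domain_read_all_domains_state(nagios_services_plugin_t)

files_read_usr_files(nagios_services_plugin_t)

optional_policy(`
	netutils_domtrans_ping(nagios_services_plugin_t)
	netutils_signal_ping(nagios_services_plugin_t)
	netutils_kill_ping(nagios_services_plugin_t)
')

optional_policy(`
	mysql_stream_connect(nagios_services_plugin_t)
')

optional_policy(`
	snmp_read_snmp_var_lib_files(nagios_services_plugin_t)
')

######################################
#
# local policy for system check plugins
#

allow nagios_system_plugin_t self:capability dac_override;
dontaudit nagios_system_plugin_t self:capability { setuid setgid };

# check_log keeps its state in a private tmp type so that other tmp files
# stay out of reach.
manage_files_pattern(nagios_system_plugin_t, nagios_system_plugin_tmp_t, nagios_system_plugin_tmp_t)
manage_dirs_pattern(nagios_system_plugin_t, nagios_system_plugin_tmp_t, nagios_system_plugin_tmp_t)
files_tmp_filetrans(nagios_system_plugin_t, nagios_system_plugin_tmp_t, { dir file })

kernel_read_kernel_sysctls(nagios_system_plugin_t)

corecmd_exec_bin(nagios_system_plugin_t)
corecmd_exec_shell(nagios_system_plugin_t)

dev_read_sysfs(nagios_system_plugin_t)
dev_read_urand(nagios_system_plugin_t)

domain_read_all_domains_state(nagios_system_plugin_t)

files_read_etc_files(nagios_system_plugin_t)

# needed by check_users plugin
optional_policy(`
	init_read_utmp(nagios_system_plugin_t)
')

########################################
#
# Unconfined plugin policy
#
# Anything labeled nagios_unconfined_plugin_exec_t runs with no SELinux
# restriction at all; it is an escape hatch for plugins that cannot be
# confined, not a default label for plugins.
#

optional_policy(`
	unconfined_domain(nagios_unconfined_plugin_t)
')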