[people/stevee/selinux-policy.git] / policy / modules / services / nagios.te


policy_module(nagios,1.2.1)

########################################
#
# Declarations
#

type nagios_t;
type nagios_exec_t;
init_daemon_domain(nagios_t,nagios_exec_t)

type nagios_cgi_t;
type nagios_cgi_exec_t;
init_system_domain(nagios_cgi_t,nagios_cgi_exec_t)

type nagios_etc_t;
files_config_file(nagios_etc_t)

type nagios_log_t;
logging_log_file(nagios_log_t)

type nagios_tmp_t;
files_tmp_file(nagios_tmp_t)

type nagios_var_run_t;
files_pid_file(nagios_var_run_t)

type nrpe_t;
type nrpe_exec_t;
init_daemon_domain(nrpe_t,nrpe_exec_t)

type nrpe_etc_t;
files_config_file(nrpe_etc_t)

########################################
#
# Nagios local policy
#

allow nagios_t self:capability { dac_override setgid setuid };
dontaudit nagios_t self:capability sys_tty_config;
allow nagios_t self:process { setpgid signal_perms };
allow nagios_t self:fifo_file rw_file_perms;
allow nagios_t self:tcp_socket create_stream_socket_perms;
allow nagios_t self:udp_socket create_socket_perms;

read_files_pattern(nagios_t,nagios_etc_t,nagios_etc_t)
read_lnk_files_pattern(nagios_t,nagios_etc_t,nagios_etc_t)
allow nagios_t nagios_etc_t:dir list_dir_perms;

manage_files_pattern(nagios_t,nagios_log_t,nagios_log_t)
manage_fifo_files_pattern(nagios_t,nagios_log_t,nagios_log_t)
logging_log_filetrans(nagios_t,nagios_log_t,{ file dir })

manage_dirs_pattern(nagios_t,nagios_tmp_t,nagios_tmp_t)
manage_files_pattern(nagios_t,nagios_tmp_t,nagios_tmp_t)
files_tmp_filetrans(nagios_t, nagios_tmp_t, { file dir })

manage_files_pattern(nagios_t,nagios_var_run_t,nagios_var_run_t)
files_pid_filetrans(nagios_t,nagios_var_run_t,file)

kernel_read_system_state(nagios_t)
kernel_read_kernel_sysctls(nagios_t)

corecmd_exec_bin(nagios_t)
corecmd_exec_shell(nagios_t)

corenet_non_ipsec_sendrecv(nagios_t)
corenet_tcp_sendrecv_generic_if(nagios_t)
corenet_udp_sendrecv_generic_if(nagios_t)
corenet_tcp_sendrecv_all_nodes(nagios_t)
corenet_udp_sendrecv_all_nodes(nagios_t)
corenet_tcp_sendrecv_all_ports(nagios_t)
corenet_udp_sendrecv_all_ports(nagios_t)
corenet_tcp_connect_all_ports(nagios_t)

dev_read_sysfs(nagios_t)
dev_read_urand(nagios_t)

domain_use_interactive_fds(nagios_t)
# for ps
domain_read_all_domains_state(nagios_t)

files_read_etc_files(nagios_t)
files_read_etc_runtime_files(nagios_t)
files_read_kernel_symbol_table(nagios_t)

fs_getattr_all_fs(nagios_t)
fs_search_auto_mountpoints(nagios_t)

# for who
init_read_utmp(nagios_t)

libs_use_ld_so(nagios_t)
libs_use_shared_libs(nagios_t)

logging_send_syslog_msg(nagios_t)

miscfiles_read_localization(nagios_t)

userdom_dontaudit_use_unpriv_user_fds(nagios_t)
userdom_dontaudit_search_sysadm_home_dirs(nagios_t)

mta_send_mail(nagios_t)

ifdef(`targeted_policy',`
	term_dontaudit_use_unallocated_ttys(nagios_t)
	term_dontaudit_use_generic_ptys(nagios_t)
	files_dontaudit_read_root_files(nagios_t)
')

optional_policy(`
	auth_use_nsswitch(nagios_t)
')

optional_policy(`
	netutils_domtrans_ping(nagios_t)
	netutils_signal_ping(nagios_t)
	netutils_kill_ping(nagios_t)
')

optional_policy(`
	seutil_sigchld_newrole(nagios_t)
')

optional_policy(`
	udev_read_db(nagios_t)
')

# cjp: leaked file descriptors:
# for open file handles
#dontaudit system_mail_t nagios_etc_t:file read;
#dontaudit system_mail_t nagios_log_t:fifo_file read;

########################################
#
# Nagios CGI local policy
#

allow nagios_cgi_t self:process signal_perms;
allow nagios_cgi_t self:fifo_file rw_fifo_file_perms;

read_files_pattern(nagios_cgi_t,nagios_t,nagios_t)
read_lnk_files_pattern(nagios_cgi_t,nagios_t,nagios_t)

allow nagios_cgi_t nagios_etc_t:dir list_dir_perms;
read_files_pattern(nagios_cgi_t,nagios_etc_t,nagios_etc_t)
read_lnk_files_pattern(nagios_cgi_t,nagios_etc_t,nagios_etc_t)

allow nagios_cgi_t nagios_log_t:dir list_dir_perms;
read_files_pattern(nagios_cgi_t,nagios_etc_t,nagios_log_t)
read_lnk_files_pattern(nagios_cgi_t,nagios_etc_t,nagios_log_t)

kernel_read_system_state(nagios_cgi_t)

corecmd_exec_bin(nagios_cgi_t)

domain_dontaudit_read_all_domains_state(nagios_cgi_t)

files_read_etc_files(nagios_cgi_t)
files_read_etc_runtime_files(nagios_cgi_t)
files_read_kernel_symbol_table(nagios_cgi_t)

libs_use_ld_so(nagios_cgi_t)
libs_use_shared_libs(nagios_cgi_t)

logging_send_syslog_msg(nagios_cgi_t)
logging_search_logs(nagios_cgi_t)

miscfiles_read_localization(nagios_cgi_t)

optional_policy(`
	apache_append_log(nagios_cgi_t)
')

########################################
#
# Nagios remote plugin executor local policy
#

dontaudit nrpe_t self:capability sys_tty_config;
allow nrpe_t self:process { setpgid signal_perms };
allow nrpe_t self:fifo_file rw_fifo_file_perms;

allow nrpe_t nrpe_etc_t:file { getattr read };
files_search_etc(nrpe_t)

kernel_read_system_state(nrpe_t)
kernel_read_kernel_sysctls(nrpe_t)

corecmd_exec_bin(nrpe_t)
corecmd_exec_shell(nrpe_t)

dev_read_sysfs(nrpe_t)
dev_read_urand(nrpe_t)

domain_use_interactive_fds(nrpe_t)

files_read_etc_runtime_files(nrpe_t)

fs_search_auto_mountpoints(nrpe_t)

libs_use_ld_so(nrpe_t)
libs_use_shared_libs(nrpe_t)

logging_send_syslog_msg(nrpe_t)

miscfiles_read_localization(nrpe_t)

userdom_dontaudit_use_unpriv_user_fds(nrpe_t)

ifdef(`targeted_policy',`
        term_dontaudit_use_unallocated_ttys(nrpe_t)
        term_dontaudit_use_generic_ptys(nrpe_t)
        files_dontaudit_read_root_files(nrpe_t)
')

optional_policy(`
	inetd_tcp_service_domain(nrpe_t,nrpe_exec_t)
')

optional_policy(`
        seutil_sigchld_newrole(nrpe_t)
')

optional_policy(`
        udev_read_db(nrpe_t)
')
Commit	Line	Data
f1e604bb	1
02f2c3e9	2	policy_module(nagios,1.2.1)
f1e604bb CP	3
	4	########################################
	5	#
	6	# Declarations
	7	#
	8
	9	type nagios_t;
	10	type nagios_exec_t;
	11	init_daemon_domain(nagios_t,nagios_exec_t)
	12
	13	type nagios_cgi_t;
	14	type nagios_cgi_exec_t;
	15	init_system_domain(nagios_cgi_t,nagios_cgi_exec_t)
	16
	17	type nagios_etc_t;
	18	files_config_file(nagios_etc_t)
	19
	20	type nagios_log_t;
	21	logging_log_file(nagios_log_t)
	22
	23	type nagios_tmp_t;
	24	files_tmp_file(nagios_tmp_t)
	25
	26	type nagios_var_run_t;
	27	files_pid_file(nagios_var_run_t)
	28
06e27756 CP	29	type nrpe_t;
	30	type nrpe_exec_t;
	31	init_daemon_domain(nrpe_t,nrpe_exec_t)
	32
	33	type nrpe_etc_t;
	34	files_config_file(nrpe_etc_t)
	35
f1e604bb CP	36	########################################
	37	#
	38	# Nagios local policy
	39	#
	40
	41	allow nagios_t self:capability { dac_override setgid setuid };
	42	dontaudit nagios_t self:capability sys_tty_config;
	43	allow nagios_t self:process { setpgid signal_perms };
	44	allow nagios_t self:fifo_file rw_file_perms;
	45	allow nagios_t self:tcp_socket create_stream_socket_perms;
	46	allow nagios_t self:udp_socket create_socket_perms;
	47
c0868a7a CP	48	read_files_pattern(nagios_t,nagios_etc_t,nagios_etc_t)
	49	read_lnk_files_pattern(nagios_t,nagios_etc_t,nagios_etc_t)
	50	allow nagios_t nagios_etc_t:dir list_dir_perms;
f1e604bb	51
c0868a7a CP	52	manage_files_pattern(nagios_t,nagios_log_t,nagios_log_t)
c0868a7a CP	53	manage_fifo_files_pattern(nagios_t,nagios_log_t,nagios_log_t)
f1e604bb CP	54	logging_log_filetrans(nagios_t,nagios_log_t,{ file dir })
f1e604bb CP	55
c0868a7a CP	56	manage_dirs_pattern(nagios_t,nagios_tmp_t,nagios_tmp_t)
c0868a7a CP	57	manage_files_pattern(nagios_t,nagios_tmp_t,nagios_tmp_t)
f1e604bb CP	58	files_tmp_filetrans(nagios_t, nagios_tmp_t, { file dir })
f1e604bb CP	59
c0868a7a	60	manage_files_pattern(nagios_t,nagios_var_run_t,nagios_var_run_t)
f1e604bb CP	61	files_pid_filetrans(nagios_t,nagios_var_run_t,file)
	62
	63	kernel_read_system_state(nagios_t)
	64	kernel_read_kernel_sysctls(nagios_t)
	65
	66	corecmd_exec_bin(nagios_t)
	67	corecmd_exec_shell(nagios_t)
	68
141cffdd	69	corenet_non_ipsec_sendrecv(nagios_t)
f1e604bb CP	70	corenet_tcp_sendrecv_generic_if(nagios_t)
f1e604bb CP	71	corenet_udp_sendrecv_generic_if(nagios_t)
f1e604bb CP	72	corenet_tcp_sendrecv_all_nodes(nagios_t)
f1e604bb CP	73	corenet_udp_sendrecv_all_nodes(nagios_t)
f1e604bb CP	74	corenet_tcp_sendrecv_all_ports(nagios_t)
f1e604bb CP	75	corenet_udp_sendrecv_all_ports(nagios_t)
02f2c3e9	76	corenet_tcp_connect_all_ports(nagios_t)
f1e604bb CP	77
f1e604bb CP	78	dev_read_sysfs(nagios_t)
02f2c3e9	79	dev_read_urand(nagios_t)
f1e604bb CP	80
	81	domain_use_interactive_fds(nagios_t)
	82	# for ps
	83	domain_read_all_domains_state(nagios_t)
	84
	85	files_read_etc_files(nagios_t)
	86	files_read_etc_runtime_files(nagios_t)
	87	files_read_kernel_symbol_table(nagios_t)
	88
	89	fs_getattr_all_fs(nagios_t)
	90	fs_search_auto_mountpoints(nagios_t)
	91
f1e604bb CP	92	# for who
	93	init_read_utmp(nagios_t)
	94
	95	libs_use_ld_so(nagios_t)
	96	libs_use_shared_libs(nagios_t)
	97
	98	logging_send_syslog_msg(nagios_t)
	99
	100	miscfiles_read_localization(nagios_t)
	101
f1e604bb CP	102	userdom_dontaudit_use_unpriv_user_fds(nagios_t)
	103	userdom_dontaudit_search_sysadm_home_dirs(nagios_t)
	104
	105	mta_send_mail(nagios_t)
	106
	107	ifdef(`targeted_policy',`
	108	term_dontaudit_use_unallocated_ttys(nagios_t)
	109	term_dontaudit_use_generic_ptys(nagios_t)
	110	files_dontaudit_read_root_files(nagios_t)
	111	')
	112
	113	optional_policy(`
02f2c3e9	114	auth_use_nsswitch(nagios_t)
f1e604bb CP	115	')
	116
	117	optional_policy(`
02f2c3e9 CP	118	netutils_domtrans_ping(nagios_t)
	119	netutils_signal_ping(nagios_t)
	120	netutils_kill_ping(nagios_t)
f1e604bb CP	121	')
	122
	123	optional_policy(`
	124	seutil_sigchld_newrole(nagios_t)
	125	')
	126
	127	optional_policy(`
	128	udev_read_db(nagios_t)
	129	')
	130
	131	# cjp: leaked file descriptors:
	132	# for open file handles
	133	#dontaudit system_mail_t nagios_etc_t:file read;
	134	#dontaudit system_mail_t nagios_log_t:fifo_file read;
	135
	136	########################################
	137	#
	138	# Nagios CGI local policy
	139	#
	140
c0868a7a CP	141	allow nagios_cgi_t self:process signal_perms;
c0868a7a CP	142	allow nagios_cgi_t self:fifo_file rw_fifo_file_perms;
f1e604bb	143
c0868a7a CP	144	read_files_pattern(nagios_cgi_t,nagios_t,nagios_t)
c0868a7a CP	145	read_lnk_files_pattern(nagios_cgi_t,nagios_t,nagios_t)
f1e604bb	146
c0868a7a CP	147	allow nagios_cgi_t nagios_etc_t:dir list_dir_perms;
	148	read_files_pattern(nagios_cgi_t,nagios_etc_t,nagios_etc_t)
	149	read_lnk_files_pattern(nagios_cgi_t,nagios_etc_t,nagios_etc_t)
f1e604bb	150
c0868a7a CP	151	allow nagios_cgi_t nagios_log_t:dir list_dir_perms;
	152	read_files_pattern(nagios_cgi_t,nagios_etc_t,nagios_log_t)
	153	read_lnk_files_pattern(nagios_cgi_t,nagios_etc_t,nagios_log_t)
f1e604bb CP	154
	155	kernel_read_system_state(nagios_cgi_t)
	156
	157	corecmd_exec_bin(nagios_cgi_t)
	158
	159	domain_dontaudit_read_all_domains_state(nagios_cgi_t)
	160
	161	files_read_etc_files(nagios_cgi_t)
	162	files_read_etc_runtime_files(nagios_cgi_t)
	163	files_read_kernel_symbol_table(nagios_cgi_t)
	164
	165	libs_use_ld_so(nagios_cgi_t)
	166	libs_use_shared_libs(nagios_cgi_t)
	167
	168	logging_send_syslog_msg(nagios_cgi_t)
	169	logging_search_logs(nagios_cgi_t)
	170
	171	miscfiles_read_localization(nagios_cgi_t)
	172
	173	optional_policy(`
	174	apache_append_log(nagios_cgi_t)
	175	')
06e27756 CP	176
	177	########################################
	178	#
	179	# Nagios remote plugin executor local policy
	180	#
	181
	182	dontaudit nrpe_t self:capability sys_tty_config;
	183	allow nrpe_t self:process { setpgid signal_perms };
c0868a7a	184	allow nrpe_t self:fifo_file rw_fifo_file_perms;
06e27756 CP	185
	186	allow nrpe_t nrpe_etc_t:file { getattr read };
	187	files_search_etc(nrpe_t)
	188
	189	kernel_read_system_state(nrpe_t)
	190	kernel_read_kernel_sysctls(nrpe_t)
	191
	192	corecmd_exec_bin(nrpe_t)
	193	corecmd_exec_shell(nrpe_t)
06e27756 CP	194
	195	dev_read_sysfs(nrpe_t)
	196	dev_read_urand(nrpe_t)
	197
	198	domain_use_interactive_fds(nrpe_t)
	199
	200	files_read_etc_runtime_files(nrpe_t)
	201
	202	fs_search_auto_mountpoints(nrpe_t)
	203
06e27756 CP	204	libs_use_ld_so(nrpe_t)
	205	libs_use_shared_libs(nrpe_t)
	206
	207	logging_send_syslog_msg(nrpe_t)
	208
	209	miscfiles_read_localization(nrpe_t)
	210
	211	userdom_dontaudit_use_unpriv_user_fds(nrpe_t)
	212
	213	ifdef(`targeted_policy',`
	214	term_dontaudit_use_unallocated_ttys(nrpe_t)
	215	term_dontaudit_use_generic_ptys(nrpe_t)
	216	files_dontaudit_read_root_files(nrpe_t)
	217	')
	218
	219	optional_policy(`
	220	inetd_tcp_service_domain(nrpe_t,nrpe_exec_t)
	221	')
	222
	223	optional_policy(`
	224	seutil_sigchld_newrole(nrpe_t)
	225	')
	226
	227	optional_policy(`
	228	udev_read_db(nrpe_t)
	229	')