1 ## <summary>Net Saint / NAGIOS - network monitoring server</summary>
2
########################################
## <summary>
## Create a set of derived types for various
## nagios plugins.
## </summary>
## <desc>
## <p>
## Declares nagios_$1_plugin_t with entry point
## nagios_$1_plugin_exec_t as an application domain that only
## system_r may run, and allows both nrpe_t and nagios_t to
## transition into it and signal it.
## </p>
## </desc>
## <param name="plugins_group_name">
## <summary>
## The name to be used for deriving type names.
## </summary>
## </param>
#
template(`nagios_plugin_template',`
gen_require(`
type nagios_t, nrpe_t, nagios_log_t;
')

# Plugin domain and its entry-point type, declared before any rule
# references them.
type nagios_$1_plugin_t;
type nagios_$1_plugin_exec_t;
application_domain(nagios_$1_plugin_t, nagios_$1_plugin_exec_t)
# system_r is the only role authorized for the plugin domain here.
role system_r types nagios_$1_plugin_t;

allow nagios_$1_plugin_t self:fifo_file rw_fifo_file_perms;

# nrpe_t may execute the plugin with a domain transition and may
# signal or kill it (signal and sigkill only, not full signal_perms).
domtrans_pattern(nrpe_t, nagios_$1_plugin_exec_t, nagios_$1_plugin_t)
allow nrpe_t nagios_$1_plugin_t:process { signal sigkill };

# needed by command.cfg
# nagios_t may also execute the plugin with a domain transition.
domtrans_pattern(nagios_t, nagios_$1_plugin_exec_t, nagios_$1_plugin_t)
allow nagios_t nagios_$1_plugin_exec_t:file ioctl;

# nagios_t gets the broader signal_perms on the plugin domain.
allow nagios_t nagios_$1_plugin_t:process signal_perms;

# cjp: leaked file descriptor
# Descriptors presumably inherited across the transition (an nrpe_t
# tcp socket, the nagios log file) are silenced rather than allowed:
# the plugin cannot use them, but does not flood the audit log either.
dontaudit nagios_$1_plugin_t nrpe_t:tcp_socket { read write };
dontaudit nagios_$1_plugin_t nagios_log_t:file { read write };

# FIXME
# Probably add nagios_plugin_domain attribute
# so the generic plugin permissions below are granted once on the
# attribute instead of being repeated for every derived domain.
kernel_read_system_state(nagios_$1_plugin_t)

files_read_usr_files(nagios_$1_plugin_t)

miscfiles_read_localization(nagios_$1_plugin_t)
')
47
########################################
## <summary>
##	Do not audit attempts to read or write
##	nagios unnamed pipes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`nagios_dontaudit_rw_pipes',`
	gen_require(`
		type nagios_t;
	')

	# Silence, without granting, read/write on unnamed pipes labeled
	# nagios_t (presumably descriptors inherited from the daemon).
	dontaudit $1 nagios_t:fifo_file rw_fifo_file_perms;
')
66
########################################
## <summary>
##	Allow the specified domain to read
##	nagios configuration files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`nagios_read_config',`
	gen_require(`
		type nagios_etc_t;
	')

	# Search etc_t, then list nagios_etc_t directories and read the
	# files in them.  list_dirs_pattern already includes the directory
	# search that read_files_pattern adds, so the net grant is exactly
	# list_dir_perms on dirs and read_file_perms on files.
	files_search_etc($1)
	list_dirs_pattern($1, nagios_etc_t, nagios_etc_t)
	read_files_pattern($1, nagios_etc_t, nagios_etc_t)
')
88
########################################
## <summary>
##	Read nagios logs.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`nagios_read_log',`
	gen_require(`
		type nagios_log_t;
	')

	# Search the log tree and read nagios log files.  Directories
	# labeled nagios_log_t are only searchable here, not listable.
	logging_search_logs($1)
	allow $1 nagios_log_t:dir search_dir_perms;
	allow $1 nagios_log_t:file read_file_perms;
')
107
########################################
## <summary>
##	Do not audit attempts to read or write
##	nagios logs.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`nagios_dontaudit_rw_log',`
	gen_require(`
		type nagios_log_t;
	')

	# Suppress the denial only; nothing is granted on nagios_log_t.
	dontaudit $1 nagios_log_t:file rw_file_perms;
')
125
########################################
## <summary>
##	Search nagios spool directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`nagios_search_spool',`
	gen_require(`
		type nagios_spool_t;
	')

	# Reach the spool tree, then traverse nagios_spool_t directories.
	# No listing and no file access is granted here.
	files_search_spool($1)
	allow $1 nagios_spool_t:dir search_dir_perms;
')
144
########################################
## <summary>
##	Allow the specified domain to read
##	nagios temporary files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`nagios_read_tmp_files',`
	gen_require(`
		type nagios_tmp_t;
	')

	# Search the tmp tree and read nagios_tmp_t files.  Only file
	# access is granted; there is no dir permission on nagios_tmp_t.
	files_search_tmp($1)
	allow $1 nagios_tmp_t:file read_file_perms;
')
164
########################################
## <summary>
## Allow the specified domain to read and write
## inherited nagios temporary files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`nagios_rw_inerited_tmp_files',`
gen_require(`
type nagios_tmp_t;
')

# The interface name keeps its historical misspelling ("inerited")
# because callers refer to it by that name.
# rw_inherited_file_perms does not include open, so only descriptors
# already open on nagios_tmp_t files can be used; the caller cannot
# open nagios temp files on its own.
allow $1 nagios_tmp_t:file rw_inherited_file_perms;
files_search_tmp($1)
')
184
########################################
## <summary>
##	Execute the nagios NRPE with
##	a domain transition.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`nagios_domtrans_nrpe',`
	gen_require(`
		type nrpe_t, nrpe_exec_t;
	')

	# Executing nrpe_exec_t from $1 enters nrpe_t; the pattern also
	# covers the usual fd/pipe use and sigchld back to the caller.
	domtrans_pattern($1, nrpe_exec_t, nrpe_t)
')
203
########################################
## <summary>
##	All of the rules required to administrate
##	a nagios environment.
## </summary>
## <desc>
##	<p>
##	Grants the domain signal and ps access to nagios_t (plus
##	ptrace unless deny_ptrace is set), lets it run the nagios
##	init script with the role moved to system_r, and gives it
##	full management of nagios temp, log, config, spool and pid
##	files as well as the nrpe configuration.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	The role to be allowed to manage the nagios domain.
##	</summary>
## </param>
## <rolecap/>
#
interface(`nagios_admin',`
	gen_require(`
		type nagios_t, nrpe_t, nagios_initrc_exec_t;
		type nagios_tmp_t, nagios_log_t, nagios_var_run_t;
		type nagios_etc_t, nrpe_etc_t, nagios_spool_t;
	')

	# Process control over the daemon.  ptrace is a debugging-grade
	# privilege, so it stays behind the deny_ptrace tunable.
	allow $1 nagios_t:process signal_perms;
	ps_process_pattern($1, nagios_t)
	tunable_policy(`deny_ptrace',`',`
		allow $1 nagios_t:process ptrace;
	')

	# Service control through the init script; the role is granted
	# system_r so the script runs in its usual context.
	init_labeled_script_domtrans($1, nagios_initrc_exec_t)
	domain_system_change_exemption($1)
	allow $2 system_r;
	role_transition $2 nagios_initrc_exec_t system_r;

	# Full management of each nagios-labeled file type, with the
	# enclosing system directory listable so the files can be reached.
	files_list_etc($1)
	admin_pattern($1, nagios_etc_t)
	admin_pattern($1, nrpe_etc_t)

	files_list_tmp($1)
	admin_pattern($1, nagios_tmp_t)

	files_list_spool($1)
	admin_pattern($1, nagios_spool_t)

	files_list_pids($1)
	admin_pattern($1, nagios_var_run_t)

	logging_list_logs($1)
	admin_pattern($1, nagios_log_t)

	# NOTE(review): nrpe_t is required above but no rule uses it, so
	# this interface grants no signal or ps access to nrpe processes.
')