1 ## <summary>Net Saint / NAGIOS - network monitoring server</summary>
3 ########################################
5 ## Create a set of derived types for various
8 ## <param name="plugins_group_name">
10 ## The name to be used for deriving type names.
14 template(`nagios_plugin_template',`
# Types owned by the nagios module; in the original file this declaration
# is presumably wrapped in gen_require - confirm against the full source.
16 type nagios_t, nrpe_t, nagios_log_t;
# One confined domain and one entry-point type per plugin group, derived
# from the $1 name so each plugin group is isolated from the others.
19 type nagios_$1_plugin_t;
20 type nagios_$1_plugin_exec_t;
21 application_domain(nagios_$1_plugin_t, nagios_$1_plugin_exec_t)
22 role system_r types nagios_$1_plugin_t;
24 allow nagios_$1_plugin_t self:fifo_file rw_fifo_file_perms;
# nrpe runs the plugin in the derived domain rather than its own and may
# signal or kill it; the plugin gets no rights back over nrpe_t here.
26 domtrans_pattern(nrpe_t, nagios_$1_plugin_exec_t, nagios_$1_plugin_t)
27 allow nrpe_t nagios_$1_plugin_t:process { signal sigkill };
29 # needed by command.cfg
# Same transition for the nagios daemon itself (plugins invoked as checks).
30 domtrans_pattern(nagios_t, nagios_$1_plugin_exec_t, nagios_$1_plugin_t)
31 allow nagios_t nagios_$1_plugin_exec_t:file ioctl;
33 allow nagios_t nagios_$1_plugin_t:process signal_perms;
35 # cjp: leaked file descriptor
# The plugin inherits the nrpe client socket and the nagios log descriptor.
# dontaudit only hides the denials; the access is not granted. The real fix
# is for the parent to close these descriptors or mark them close-on-exec.
36 dontaudit nagios_$1_plugin_t nrpe_t:tcp_socket { read write };
37 dontaudit nagios_$1_plugin_t nagios_log_t:file { read write };
40 # Probably add nagios_plugin_domain attribute
# Baseline read-only access every plugin group receives.
41 kernel_read_system_state(nagios_$1_plugin_t)
43 files_read_usr_files(nagios_$1_plugin_t)
45 miscfiles_read_localization(nagios_$1_plugin_t)
48 ########################################
50 ## Do not audit attempts to read or write nagios
53 ## <param name="domain">
55 ## Domain to not audit.
59 interface(`nagios_dontaudit_rw_pipes',`
# Silences the denial only; no read or write on nagios_t pipes is granted.
64 dontaudit $1 nagios_t:fifo_file rw_fifo_file_perms;
67 ########################################
69 ## Allow the specified domain to read
70 ## nagios configuration files.
72 ## <param name="domain">
74 ## Domain allowed access.
79 interface(`nagios_read_config',`
# Read-only access to the nagios configuration type: list the directory,
# read the files. No write, create or relabel is granted.
84 allow $1 nagios_etc_t:dir list_dir_perms;
85 allow $1 nagios_etc_t:file read_file_perms;
# NOTE(review): unlike nagios_read_log and nagios_search_spool below, no
# parent-directory search (files_search_etc) is granted here; confirm that
# callers can already reach the directory, otherwise these rules are inert.
89 ######################################
93 ## <param name="domain">
95 ## Domain allowed access.
99 interface(`nagios_read_log',`
# Search on the parent log directory so the path is reachable, then
# read-only access to nagios_log_t directories and files.
104 logging_search_logs($1)
105 read_files_pattern($1, nagios_log_t, nagios_log_t)
108 ########################################
110 ## Do not audit attempts to read or write nagios logs.
112 ## <param name="domain">
114 ## Domain to not audit.
118 interface(`nagios_dontaudit_rw_log',`
# Silences read/write denials on nagios logs; the access itself is not
# granted, so this hides noise from inherited descriptors only.
123 dontaudit $1 nagios_log_t:file rw_file_perms;
126 ########################################
128 ## Search nagios spool directories.
130 ## <param name="domain">
132 ## Domain allowed access.
136 interface(`nagios_search_spool',`
# Search only: the caller can traverse the spool directory but cannot list
# or read its contents without a further interface.
141 allow $1 nagios_spool_t:dir search_dir_perms;
142 files_search_spool($1)
145 ########################################
147 ## Allow the specified domain to read
148 ## nagios temporary files.
150 ## <param name="domain">
152 ## Domain allowed access.
156 interface(`nagios_read_tmp_files',`
# Read on nagios temporary files. No directory permission is granted, so
# the caller must already be able to reach the path or hold a descriptor.
161 allow $1 nagios_tmp_t:file read_file_perms;
165 ########################################
167 ## Allow the specified domain to read and write
168 ## inherited nagios temporary files.
170 ## <param name="domain">
172 ## Domain allowed access.
176 interface(`nagios_rw_inerited_tmp_files',`
# Read and write on already-open (inherited) nagios temporary files only;
# no open permission, so the caller cannot reach new files by path.
# The interface name misspells inherited, but it is the public name callers
# use and cannot be changed here without updating every caller.
181 allow $1 nagios_tmp_t:file rw_inherited_file_perms;
185 ########################################
187 ## Execute the nagios NRPE with
188 ## a domain transition.
190 ## <param name="domain">
192 ## Domain allowed to transition.
196 interface(`nagios_domtrans_nrpe',`
# Types owned by the nagios module; presumably inside gen_require in the
# original file - confirm against the full source.
198 type nrpe_t, nrpe_exec_t;
# Executing nrpe_exec_t from the caller domain transitions into nrpe_t.
201 domtrans_pattern($1, nrpe_exec_t, nrpe_t)
204 ########################################
206 ## All of the rules required to administer
207 ## a nagios environment
209 ## <param name="domain">
211 ## Domain allowed access.
214 ## <param name="role">
216 ## The role to be allowed to manage the nagios domain.
221 interface(`nagios_admin',`
223 type nagios_t, nrpe_t, nagios_initrc_exec_t;
224 type nagios_tmp_t, nagios_log_t, nagios_var_run_t;
225 type nagios_etc_t, nrpe_etc_t, nagios_spool_t;
228 allow $1 nagios_t:process signal_perms;
229 ps_process_pattern($1, nagios_t)
230 tunable_policy(`deny_ptrace',`',`
231 allow $1 nagios_t:process ptrace;
234 init_labeled_script_domtrans($1, nagios_initrc_exec_t)
235 domain_system_change_exemption($1)
236 role_transition $2 nagios_initrc_exec_t system_r;
240 admin_pattern($1, nagios_tmp_t)
242 logging_list_logs($1)
243 admin_pattern($1, nagios_log_t)
246 admin_pattern($1, nagios_etc_t)
249 admin_pattern($1, nagios_spool_t)
252 admin_pattern($1, nagios_var_run_t)
254 admin_pattern($1, nrpe_etc_t)