[icinga-checkins] icinga.org: icinga-core/rbartels/cgi-current: allow httpd write acces to icinga-api logs

git at icinga.org git at icinga.org
Mon Mar 7 21:58:11 CET 2011


Module: icinga-core
Branch: rbartels/cgi-current
Commit: 35e6b1d390412dc0eccd4c652c0376cc80ec1a69
URL:    https://git.icinga.org/?p=icinga-core.git;a=commit;h=35e6b1d390412dc0eccd4c652c0376cc80ec1a69

Author: Christoph Maser <cmr at financial.com>
Date:   Tue Feb 15 17:23:13 2011 +0100

allow httpd write access to icinga-api logs
allow any webapp to access local command pipe

---

 selinux/icinga.fc |    5 ++---
 selinux/icinga.if |    5 ++++-
 selinux/icinga.te |   13 +++++++++++++
 3 files changed, 19 insertions(+), 4 deletions(-)

diff --git a/selinux/icinga.fc b/selinux/icinga.fc
index 4b1f4f0..a2f95d6 100644
--- a/selinux/icinga.fc
+++ b/selinux/icinga.fc
@@ -12,9 +12,8 @@
 
 /var/spool/icinga(/.*)?					gen_context(system_u:object_r:icinga_spool_t,s0)
 
-ifdef(`distro_debian',`
-/usr/sbin/icinga				--	gen_context(system_u:object_r:icinga_exec_t,s0)
-')
+/usr/share/icinga/icinga-api/log(/.*)?			gen_context(system_u:object_r:httpd_user_rw_content_t,s0)
+
 /usr/lib(64)?/cgi-bin/icinga(/.+)?			gen_context(system_u:object_r:httpd_icinga_script_exec_t,s0)
 /usr/lib(64)?/icinga/cgi-bin(/.*)?			gen_context(system_u:object_r:httpd_icinga_script_exec_t,s0)
 
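Review bot: The removal of the `ifdef(`distro_debian',` block that labels `/usr/sbin/icinga` as `icinga_exec_t` is not mentioned in the commit message and has nothing to do with the API-log change; unless that path is labeled elsewhere in icinga.fc outside this hunk, Debian installs lose the daemon's entry-point label and whatever domain transition into `icinga_t` depends on it would no longer apply, so either split it into its own commit or state the reason in the message. Separately, `httpd_user_rw_content_t` is a generic type shared with all user web content, so the icinga-api log directory becomes writable by every web application that may write such content, not only the Icinga API. If the policy already uses `apache_content_template(icinga)`, as the `httpd_icinga_script_exec_t` label two lines below suggests, the generated `httpd_icinga_rw_content_t` scopes the write access to Icinga's own scripts: `/usr/share/icinga/icinga-api/log(/.*)?			gen_context(system_u:object_r:httpd_icinga_rw_content_t,s0)`. The added blank `+` line after the new entry is stray whitespace.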
diff --git a/selinux/icinga.if b/selinux/icinga.if
index d5db0a3..7e1bc59 100644
--- a/selinux/icinga.if
+++ b/selinux/icinga.if
@@ -13,7 +13,7 @@
 #
 template(`icinga_plugin_template',`
 	gen_require(`
-		type icinga_t, nrpe_t, icinga_log_t, nagios_$1_plugin_t, nagios_$1_plugin_exec_t;
+		type icinga_t, nrpe_t, icinga_log_t, nagios_$1_plugin_t, nagios_$1_plugin_exec_t, ping_t;
 	')
 
 	type icinga_$1_plugin_t;
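Review bot: Adding `ping_t` to the template's `gen_require` makes every instantiation of `icinga_plugin_template` fail to build when the netutils module is not loaded, whereas icinga.te only touches ping inside `optional_policy(` (the `netutils_kill_ping(icinga_t)` block). The three `ping_t` rules added in the next hunk of this file do not reference `$1`, so they are emitted once per plugin type and are not plugin-specific; the requirement and the rules belong in icinga.te inside that `optional_policy` block, leaving the template's require list as it was. The template body continues outside this hunk.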
@@ -39,6 +39,9 @@ template(`icinga_plugin_template',`
 	allow icinga_t nagios_$1_plugin_t:process signal_perms;
 
         allow nagios_$1_plugin_t icinga_tmp_t:file { read write };
+	allow ping_t icinga_t:fifo_file read;
+	allow ping_t icinga_tmp_t:file { read write };
+	allow ping_t icinga_t:unix_stream_socket { read write };
 
 	# cjp: leaked file descriptor
 	dontaudit icinga_$1_plugin_t nrpe_t:tcp_socket { read write };
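Review bot: The new `ping_t` rules carry no comment explaining why the ping domain needs read on `icinga_t:fifo_file`, read/write on `icinga_tmp_t` files and read/write on `icinga_t:unix_stream_socket`, although the neighbouring `# cjp: leaked file descriptor` line shows the file's convention for exactly this kind of rule. If these are descriptors inherited from `icinga_t` when a plugin execs ping, say so above the rules: `# descriptors inherited from icinga_t when a plugin execs ping`. If the check works without the access, `dontaudit` (as already used for `nrpe_t` on the next line) is the narrower choice, since a read/write grant on the daemon's socket and temp files lets a ping process act on icinga's own state rather than merely silencing the denial. The template continues outside this hunk.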
diff --git a/selinux/icinga.te b/selinux/icinga.te
index 258a15e..60f50aa 100644
--- a/selinux/icinga.te
+++ b/selinux/icinga.te
@@ -119,6 +119,18 @@ mta_send_mail(icinga_t)
 mta_signal_system_mail(icinga_t)
 mta_kill_system_mail(icinga_t)
 
+########################################
+#
+# access for webapps to command-pipe
+#
+gen_require(`
+                type httpd_t;
+        ')
+
+allow httpd_t icinga_log_t:fifo_file write;
+allow httpd_t icinga_log_t:fifo_file { getattr open };
+
+
 optional_policy(`
 	netutils_kill_ping(icinga_t)
 ')
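Review bot: The `allow httpd_t icinga_log_t:fifo_file` rules grant write on every fifo labeled `icinga_log_t`, which per the commit message includes the command pipe, to the whole `httpd_t` domain, i.e. to every web application running inside Apache rather than only Icinga's CGIs; because a writer of the command pipe can submit external commands to the daemon, this should at least be scoped to the Icinga script domain (`httpd_icinga_script_t`, whose existence the `httpd_icinga_script_exec_t` label in icinga.fc implies) or gated behind a boolean via `tunable_policy`, so administrators who do not run the API can keep it off. The bare `gen_require(`type httpd_t;')` in the .te also makes the icinga module fail to load when the apache module is absent; wrap it in `optional_policy(` like the netutils block directly below, or declare an interface in icinga.if and call it from there. The two rules can be merged into `allow httpd_t icinga_log_t:fifo_file { getattr open write };`, and the require block is indented with spaces where the surrounding file uses tabs.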
@@ -372,3 +384,4 @@ optional_policy(`
 optional_policy(`
 	unconfined_domain(icinga_unconfined_plugin_t)
 ')
+




