[icinga-checkins] icinga.org: icinga-core/rbartels/cgi-current: basic policy for el5

git at icinga.org git at icinga.org
Mon Mar 7 21:58:11 CET 2011


Module: icinga-core
Branch: rbartels/cgi-current
Commit: d8c289f336ae359db981a86fa68920b967333aa5
URL:    https://git.icinga.org/?p=icinga-core.git;a=commit;h=d8c289f336ae359db981a86fa68920b967333aa5

Author: Christoph Maser <cmr at financial.com>
Date:   Thu Feb 17 16:04:54 2011 +0100

basic policy for el5

---

 selinux/el5/icinga.fc |   15 +++++
 selinux/el5/icinga.if |  104 ++++++++++++++++++++++++++++++
 selinux/el5/icinga.te |  166 +++++++++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 285 insertions(+), 0 deletions(-)

diff --git a/selinux/el5/icinga.fc b/selinux/el5/icinga.fc
new file mode 100644
index 0000000..f6af4eb
--- /dev/null
+++ b/selinux/el5/icinga.fc
@@ -0,0 +1,15 @@
+/etc/icinga(/.*)?			gen_context(system_u:object_r:icinga_etc_t,s0)
+/etc/icinga/nrpe\.cfg		--	gen_context(system_u:object_r:nrpe_etc_t,s0)
+
+/usr/bin/icinga			--	gen_context(system_u:object_r:icinga_exec_t,s0)
+/usr/bin/nrpe			--	gen_context(system_u:object_r:nrpe_exec_t,s0)
+
+/usr/lib(64)?/cgi-bin/netsaint(/.*)?	gen_context(system_u:object_r:httpd_icinga_script_exec_t,s0)
+/usr/lib(64)?/icinga/cgi(/.*)?		gen_context(system_u:object_r:httpd_icinga_script_exec_t,s0)
+/usr/lib(64)?/icinga/cgi-bin(/.*)?		gen_context(system_u:object_r:httpd_icinga_script_exec_t,s0)
+
+/var/log/icinga(/.*)?			gen_context(system_u:object_r:icinga_log_t,s0)
+/var/log/netsaint(/.*)?			gen_context(system_u:object_r:icinga_log_t,s0)
+
+/var/spool/icinga(/.*)?			gen_context(system_u:object_r:icinga_spool_t,s0)
+
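Review bot: `nrpe_etc_t` and `nrpe_exec_t` are used as file contexts on the `/etc/icinga/nrpe\.cfg` and `/usr/bin/nrpe` lines, but no declaration of either type appears anywhere in this commit, and the `icinga_domtrans_nrpe` interface in the icinga.if hunk requires `nrpe_t`/`nrpe_exec_t` the same way; unless those types are already provided by another module in the target policy (the stock nagios module, for example), loading this module may fail on undefined types, so the nrpe types should either be declared in icinga.te or the nrpe labelling dropped from this module. Separately, icinga.te declares `icinga_var_run_t` and relies on `files_pid_filetrans` to label files the daemon creates, but this .fc has no entry for the pid directory, so a `restorecon` of a pre-existing `/var/run/icinga` will not relabel it; adding `/var/run/icinga(/.*)?		gen_context(system_u:object_r:icinga_var_run_t,s0)` would make that labelling deterministic.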
diff --git a/selinux/el5/icinga.if b/selinux/el5/icinga.if
new file mode 100644
index 0000000..737a761
--- /dev/null
+++ b/selinux/el5/icinga.if
@@ -0,0 +1,104 @@
+## <summary>Net Saint / NAGIOS - network monitoring server</summary>
+
+########################################
+## <summary>
+##	Allow the specified domain to read
+##	icinga configuration files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`icinga_read_config',`
+	gen_require(`
+		type icinga_etc_t;
+	')
+
+	allow $1 icinga_etc_t:dir list_dir_perms;
+	allow $1 icinga_etc_t:file r_file_perms;
+	files_search_etc($1)
+')
+
+########################################
+## <summary>
+##	Allow the specified domain to read
+##	icinga temporary files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`icinga_read_tmp_files',`
+	gen_require(`
+		type icinga_tmp_t;
+	')
+
+	allow $1 icinga_tmp_t:file r_file_perms;
+	files_search_tmp($1)
+')
+
+########################################
+## <summary>
+##	Execute the icinga NRPE with
+##	a domain transition.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`icinga_domtrans_nrpe',`
+	gen_require(`
+		type nrpe_t, nrpe_exec_t;
+	')
+
+	domain_auto_trans($1,nrpe_exec_t,nrpe_t)
+	allow nrpe_t $1:fd use;
+	allow nrpe_t $1:fifo_file rw_file_perms;
+	allow nrpe_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to read and write
+##	NAGIOS unnamed pipes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`icinga_dontaudit_rw_pipes',`
+
+	gen_require(`
+		type icinga_t;
+	')
+
+	dontaudit $1 icinga_t:fifo_file rw_fifo_file_perms; 
+')
+
+########################################
+## <summary>
+##	Search icinga spool directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`icinga_search_spool',`
+	gen_require(`
+		type icinga_spool_t;
+	')
+
+	allow $1 icinga_spool_t:dir search_dir_perms;
+	files_search_spool($1)
+')
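Review bot: The module summary on the first line and the `icinga_dontaudit_rw_pipes` summary still describe the Nagios module this file was copied from ("Net Saint / NAGIOS", "NAGIOS unnamed pipes"), so the generated interface documentation will mislabel the icinga interfaces; change them to `## <summary>Icinga - network monitoring server</summary>` and `##	Icinga unnamed pipes.`. `icinga_domtrans_nrpe` also hand-writes the `fd use`, `fifo_file` and `sigchld` rules around `domain_auto_trans`; since the companion .te already relies on the `*_pattern` support macros, `domtrans_pattern($1, nrpe_exec_t, nrpe_t)` would express the same transition in one line if this policy base provides it. The `dontaudit` line in `icinga_dontaudit_rw_pipes` carries trailing whitespace.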
diff --git a/selinux/el5/icinga.te b/selinux/el5/icinga.te
new file mode 100644
index 0000000..78eafcd
--- /dev/null
+++ b/selinux/el5/icinga.te
@@ -0,0 +1,166 @@
+
+policy_module(icinga,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type icinga_t;
+type icinga_exec_t;
+init_daemon_domain(icinga_t,icinga_exec_t)
+
+type icinga_etc_t;
+files_config_file(icinga_etc_t)
+
+type icinga_log_t;
+logging_log_file(icinga_log_t)
+
+type icinga_tmp_t;
+files_tmp_file(icinga_tmp_t)
+
+type icinga_var_run_t;
+files_pid_file(icinga_var_run_t)
+
+type icinga_spool_t;
+files_type(icinga_spool_t)
+
+########################################
+#
+# Nagios local policy
+#
+
+allow icinga_t self:capability { dac_override setgid setuid };
+dontaudit icinga_t self:capability sys_tty_config;
+allow icinga_t self:process { setpgid signal_perms };
+allow icinga_t self:fifo_file rw_file_perms;
+allow icinga_t self:tcp_socket create_stream_socket_perms;
+allow icinga_t self:udp_socket create_socket_perms;
+
+allow icinga_t icinga_etc_t:file r_file_perms;
+allow icinga_t icinga_etc_t:dir r_dir_perms;
+allow icinga_t icinga_etc_t:lnk_file { getattr read };
+
+allow icinga_t icinga_log_t:file manage_file_perms;
+allow icinga_t icinga_log_t:fifo_file manage_file_perms;
+allow icinga_t icinga_log_t:dir rw_dir_perms;
+logging_log_filetrans(icinga_t,icinga_log_t,{ file dir })
+
+allow icinga_t icinga_tmp_t:dir create_dir_perms;
+allow icinga_t icinga_tmp_t:file create_file_perms;
+files_tmp_filetrans(icinga_t, icinga_tmp_t, { file dir })
+
+allow icinga_t icinga_var_run_t:file create_file_perms;
+allow icinga_t icinga_var_run_t:dir rw_dir_perms;
+files_pid_filetrans(icinga_t,icinga_var_run_t,file)
+
+allow icinga_t icinga_spool_t:dir search_dir_perms;
+allow icinga_t icinga_spool_t:fifo_file rw_file_perms;
+
+kernel_read_system_state(icinga_t)
+kernel_read_kernel_sysctls(icinga_t)
+
+corecmd_exec_bin(icinga_t)
+corecmd_exec_shell(icinga_t)
+
+corenet_non_ipsec_sendrecv(icinga_t)
+corenet_tcp_sendrecv_generic_if(icinga_t)
+corenet_udp_sendrecv_generic_if(icinga_t)
+corenet_tcp_sendrecv_all_nodes(icinga_t)
+corenet_udp_sendrecv_all_nodes(icinga_t)
+corenet_tcp_sendrecv_all_ports(icinga_t)
+corenet_udp_sendrecv_all_ports(icinga_t)
+corenet_tcp_connect_all_ports(icinga_t)
+
+dev_read_sysfs(icinga_t)
+dev_read_urand(icinga_t)
+
+domain_use_interactive_fds(icinga_t)
+# for ps
+domain_read_all_domains_state(icinga_t)
+
+files_read_etc_files(icinga_t)
+files_read_etc_runtime_files(icinga_t)
+files_read_kernel_symbol_table(icinga_t)
+
+fs_getattr_all_fs(icinga_t)
+fs_search_auto_mountpoints(icinga_t)
+
+term_dontaudit_use_console(icinga_t)
+
+init_use_fds(icinga_t)
+init_use_script_ptys(icinga_t)
+# for who
+init_read_utmp(icinga_t)
+
+auth_use_nsswitch(icinga_t)
+
+libs_use_ld_so(icinga_t)
+libs_use_shared_libs(icinga_t)
+
+logging_send_syslog_msg(icinga_t)
+
+miscfiles_read_localization(icinga_t)
+
+userdom_dontaudit_use_unpriv_user_fds(icinga_t)
+userdom_dontaudit_search_sysadm_home_dirs(icinga_t)
+
+mta_send_mail(icinga_t)
+
+ifdef(`targeted_policy',`
+	term_dontaudit_use_unallocated_ttys(icinga_t)
+	term_dontaudit_use_generic_ptys(icinga_t)
+	files_dontaudit_read_root_files(icinga_t)
+')
+
+optional_policy(`
+	netutils_domtrans_ping(icinga_t)
+	netutils_signal_ping(icinga_t)
+	netutils_kill_ping(icinga_t)
+')
+
+optional_policy(`
+	seutil_sigchld_newrole(icinga_t)
+')
+
+optional_policy(`
+	udev_read_db(icinga_t)
+')
+
+# cjp: leaked file descriptors:
+# for open file handles
+#dontaudit system_mail_t icinga_etc_t:file read;
+#dontaudit system_mail_t icinga_log_t:fifo_file read;
+
+########################################
+#
+# Nagios CGI local policy
+#
+apache_content_template(icinga)
+typealias httpd_icinga_script_t alias icinga_cgi_t;
+typealias httpd_icinga_script_exec_t alias icinga_cgi_exec_t;
+
+allow httpd_icinga_script_t self:process signal_perms;
+
+read_files_pattern(httpd_icinga_script_t,icinga_t,icinga_t)
+read_lnk_files_pattern(httpd_icinga_script_t,icinga_t,icinga_t)
+
+files_search_spool(httpd_icinga_script_t)
+rw_fifo_files_pattern(httpd_icinga_script_t, icinga_spool_t, icinga_spool_t)
+
+allow httpd_icinga_script_t icinga_etc_t:dir list_dir_perms;
+read_files_pattern(httpd_icinga_script_t,icinga_etc_t,icinga_etc_t)
+read_lnk_files_pattern(httpd_icinga_script_t,icinga_etc_t,icinga_etc_t)
+
+allow httpd_icinga_script_t icinga_log_t:dir list_dir_perms;
+read_files_pattern(httpd_icinga_script_t,icinga_etc_t,icinga_log_t)
+read_lnk_files_pattern(httpd_icinga_script_t,icinga_etc_t,icinga_log_t)
+
+kernel_read_system_state(httpd_icinga_script_t)
+
+domain_dontaudit_read_all_domains_state(httpd_icinga_script_t)
+
+files_read_etc_runtime_files(httpd_icinga_script_t)
+files_read_kernel_symbol_table(httpd_icinga_script_t)
+
+logging_send_syslog_msg(httpd_icinga_script_t)
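Review bot: The two log-reading rules for the CGI domain pass `icinga_etc_t` as the directory type while granting read on `icinga_log_t` files, unlike the matching etc rules a few lines above and the `icinga_log_t:dir list_dir_perms` rule immediately before them, which reads like a copy-paste slip; the consistent form is `read_files_pattern(httpd_icinga_script_t,icinga_log_t,icinga_log_t)` and `read_lnk_files_pattern(httpd_icinga_script_t,icinga_log_t,icinga_log_t)`. The effect is presumably the same today only because `list_dir_perms` on the log directory already covers search. The `corenet_*_sendrecv_all_ports` and `corenet_tcp_connect_all_ports` rules combined with `corecmd_exec_bin`/`corecmd_exec_shell` make `icinga_t` a wide domain in which check plugins run with access to any port; that is the usual shape of the nagios policy this derives from, but a comment such as `# check plugins execute in icinga_t; active checks need arbitrary outbound ports` above the corenet block would record that the breadth is intentional rather than an oversight. The section headers still read "Nagios local policy" and "Nagios CGI local policy".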




