From 167f43a2314d8eb7d5044e5d3ba2efcfec8fa56f Mon Sep 17 00:00:00 2001
From: Dirk Goetz
Date: Tue, 17 Mar 2015 21:23:02 +0000
Subject: [PATCH] added chcon to systemd safe-reload script
Selinux: Added support for notifications
refs #8332
---
 etc/initsystem/safe-reload | 4 ++++
 tools/selinux/icinga2.fc | 2 ++
 tools/selinux/icinga2.if | 19 +++++++++++++++++++
 tools/selinux/icinga2.sh | 7 ++++++-
 tools/selinux/icinga2.te | 29 ++++++++++++++++++++++++++++-
 5 files changed, 59 insertions(+), 2 deletions(-)
diff --git a/etc/initsystem/safe-reload b/etc/initsystem/safe-reload
index 6927aec30..f49f29f6b 100644
--- a/etc/initsystem/safe-reload
+++ b/etc/initsystem/safe-reload
@@ -11,6 +11,10 @@ fi
 printf "Validating config files: "
 OUTPUTFILE=`mktemp`
+if [ $(which chcon) ]; then
+ chcon -t icinga2_tmp_t $OUTPUTFILE
+fi
+
 if ! $DAEMON daemon --validate --color > $OUTPUTFILE; then
 echo "Failed"
diff --git a/tools/selinux/icinga2.fc b/tools/selinux/icinga2.fc
index b107d57a4..33e4c7299 100644
--- a/tools/selinux/icinga2.fc
+++ b/tools/selinux/icinga2.fc
@@ -1,5 +1,7 @@
 /etc/rc\.d/init\.d/icinga2 -- gen_context(system_u:object_r:icinga2_initrc_exec_t,s0)
+/etc/icinga2/scripts(/.*)? gen_context(system_u:object_r:nagios_notification_plugin_exec_t,s0)
+
 /usr/sbin/icinga2 -- gen_context(system_u:object_r:icinga2_exec_t,s0)
 /var/lib/icinga2(/.*)? gen_context(system_u:object_r:icinga2_var_lib_t,s0)
diff --git a/tools/selinux/icinga2.if b/tools/selinux/icinga2.if
index 774e56227..301464399 100644
--- a/tools/selinux/icinga2.if
+++ b/tools/selinux/icinga2.if
@@ -265,3 +265,22 @@ interface(`icinga2_execstrans',`
 domtrans_pattern(icinga2_t, $1, $2)
 ')
+
+ ######################################
+ ##
+ ## Dontaudit read and write an leaked file descriptors
+ ##
+ ##
+ ##
+ ## Domain to not audit.
+ ##
+ ##
+ #
+ interface(`icinga2_dontaudit_leaks_fifo',`
+ gen_require(`
+ type icinga2_t;
+ ')
+
+ dontaudit $1 icinga2_t:fifo_file write;
+ ')
+
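Review bot: `if [ $(which chcon) ]; then` depends on `which` being installed and on its output being a single word; the portable test is `if command -v chcon >/dev/null 2>&1; then`, and the path should be quoted in the call that follows, `chcon -t icinga2_tmp_t "$OUTPUTFILE"`. On a host where chcon exists but SELinux is disabled the call fails and prints to stderr in the middle of the "Validating config files: " status line; redirecting that with `2>/dev/null` keeps the output consistent, and the validate step that follows should still surface the problem if the file cannot be written. The relabel only matters if `$DAEMON` runs in the icinga2_t domain here, which is not visible in this hunk. The rest of safe-reload, where OUTPUTFILE is read and removed, is outside the hunk.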
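Review bot: `/etc/icinga2/scripts(/.*)?` labels the directory itself and every file under it, executable or not, as nagios_notification_plugin_exec_t, whereas the neighbouring entries in this file use the `--` qualifier to restrict a label to regular files. If only the scripts are meant to be entrypoints, `/etc/icinga2/scripts/.* -- gen_context(system_u:object_r:nagios_notification_plugin_exec_t,s0)` is tighter and the directory would presumably keep its etc label; the explicit `dir search` allow on the exec type in the .te change looks like a consequence of the directory carrying the exec label, so confirm against the policy before narrowing it.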
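Review bot: The summary `Dontaudit read and write an leaked file descriptors` does not match the rule, which only dontaudits `write` on `fifo_file`; suggest `Do not audit writes to leaked icinga2 FIFO file descriptors.` The parameter description could also say which domain is expected to inherit the descriptor (the .te change passes system_mail_t), so a later reader understands that the mail domain is being excused from auditing rather than the leaked descriptor being closed.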
diff --git a/tools/selinux/icinga2.sh b/tools/selinux/icinga2.sh
index 48cd49b90..81ccc55cf 100755
--- a/tools/selinux/icinga2.sh
+++ b/tools/selinux/icinga2.sh
@@ -48,6 +48,8 @@ sepolicy manpage -p . -d icinga2_t
 /sbin/restorecon -F -R -v /usr/sbin/icinga2
 # Fixing the file context on /etc/rc\.d/init\.d/icinga2
 #/sbin/restorecon -F -R -v /etc/rc\.d/init\.d/icinga2
+# Fixing the file context on /etc/icinga2/scripts
+/sbin/restorecon -F -R -v /etc/icinga2/scripts
 # Fixing the file context on /var/log/icinga2
 /sbin/restorecon -F -R -v /var/log/icinga2
 # Fixing the file context on /var/lib/icinga2
@@ -59,10 +61,13 @@ sepolicy manpage -p . -d icinga2_t
 # Fixing the file context on /var/spool/icinga2
 /sbin/restorecon -F -R -v /var/spool/icinga2
+# Fix dir permissions until we have it in the package
+chown root /etc/icinga2
+chown root /etc/icinga2/init.conf
+
 # Label the port 5665
 /sbin/semanage port -a -t icinga2_port_t -p tcp 5665
 # Generate a rpm package for the newly generated policy
-
 pwd=$(pwd)
 #rpmbuild --define "_sourcedir ${pwd}" --define "_specdir ${pwd}" --define "_builddir ${pwd}" --define "_srcrpmdir ${pwd}" --define "_rpmdir ${pwd}" --define "_buildrootdir ${pwd}/.build" -ba icinga2_selinux.spec
diff --git a/tools/selinux/icinga2.te b/tools/selinux/icinga2.te
index 1c0fb6d78..c94b23808 100644
--- a/tools/selinux/icinga2.te
+++ b/tools/selinux/icinga2.te
@@ -11,7 +11,7 @@ require {
 type nagios_mail_plugin_t; type nagios_mail_plugin_exec_t;
 type nagios_services_plugin_t; type nagios_services_plugin_exec_t;
 type nagios_system_plugin_t; type nagios_system_plugin_exec_t;
- type httpd_t;
+ type httpd_t; type system_mail_t;
 }
 type icinga2_t;
@@ -41,6 +41,9 @@ files_type(icinga2_spool_t)
 type icinga2_cache_t;
 files_type(icinga2_cache_t)
+type icinga2_tmp_t;
+files_tmp_file(icinga2_tmp_t)
+
 type icinga2_port_t;
 corenet_port(icinga2_port_t)
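Review bot: The new `chown root /etc/icinga2` and `chown root /etc/icinga2/init.conf` change ownership, not permissions as the comment `# Fix dir permissions until we have it in the package` says, and they run unconditionally in a script whose other steps are all SELinux labeling, so a missing init.conf makes chown print an error while the script carries on. Suggest `# Fix ownership of /etc/icinga2 and init.conf until the package does it` and guarding the second line with `[ -e /etc/icinga2/init.conf ] && chown root /etc/icinga2/init.conf`. Why root ownership is required is not stated anywhere in the hunk; a one-line why-comment pointing at the issue would help whoever later moves this into the package.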
@@ -78,6 +81,10 @@ files_spool_filetrans(icinga2_t, icinga2_spool_t, { dir file })
 manage_dirs_pattern(icinga2_t, icinga2_cache_t, icinga2_cache_t)
 manage_files_pattern(icinga2_t, icinga2_cache_t, icinga2_cache_t)
+manage_files_pattern(icinga2_t, icinga2_tmp_t, icinga2_tmp_t)
+manage_dirs_pattern(icinga2_t, icinga2_tmp_t, icinga2_tmp_t)
+files_tmp_filetrans(icinga2_t, icinga2_tmp_t, { dir file })
+
 domain_use_interactive_fds(icinga2_t)
 files_read_etc_files(icinga2_t)
@@ -86,6 +93,8 @@ auth_use_nsswitch(icinga2_t)
 miscfiles_read_localization(icinga2_t)
+corecmd_check_exec_shell(icinga2_t)
+
 # should be moved to nagios_plugin_template in nagios.if
 icinga2_execstrans(nagios_admin_plugin_exec_t, nagios_admin_plugin_t)
 icinga2_execstrans(nagios_checkdisk_plugin_exec_t, nagios_checkdisk_plugin_t)
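Review bot: `corecmd_check_exec_shell(icinga2_t)` is added without a comment, and by its name it gives the daemon domain itself access to shell executables rather than transitioning into a plugin domain the way the surrounding `icinga2_execstrans` lines do. If it is needed only for one path (the validate run from safe-reload, or a notification command that is invoked through a shell), a comment such as `# icinga2_t needs shell_exec_t access for <cause> (refs #8332)`, with the real cause filled in, would let a later reviewer judge whether a domain transition is the better fix. The denial that motivated the rule is not visible here, so the reason should be treated as unconfirmed until documented.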
@@ -93,6 +102,24 @@ icinga2_execstrans(nagios_mail_plugin_exec_t, nagios_mail_plugin_t)
 icinga2_execstrans(nagios_services_plugin_exec_t, nagios_services_plugin_t)
 icinga2_execstrans(nagios_system_plugin_exec_t, nagios_system_plugin_t)
+# should be moved nagios.te
+nagios_plugin_template(notification)
+icinga2_execstrans(nagios_notification_plugin_exec_t, nagios_notification_plugin_t)
+allow nagios_notification_plugin_t nagios_notification_plugin_exec_t:dir search;
+#permissive nagios_notification_plugin_t;
+corecmd_exec_bin(nagios_notification_plugin_t)
+type nagios_notification_plugin_tmp_t;
+files_tmp_file(nagios_notification_plugin_tmp_t)
+manage_files_pattern(nagios_notification_plugin_t, nagios_notification_plugin_tmp_t, nagios_notification_plugin_tmp_t)
+manage_dirs_pattern(nagios_notification_plugin_t, nagios_notification_plugin_tmp_t, nagios_notification_plugin_tmp_t)
+files_tmp_filetrans(nagios_notification_plugin_t, nagios_notification_plugin_tmp_t, { dir file })
+auth_dontaudit_read_passwd(nagios_notification_plugin_t)
+fs_dontaudit_getattr_xattr_fs(nagios_notification_plugin_t)
+optional_policy(`
+ mta_send_mail(nagios_notification_plugin_t)
+')
+icinga2_dontaudit_leaks_fifo(system_mail_t)
+
 allow icinga2_t icinga2_port_t:tcp_socket name_bind;
 allow icinga2_t self:tcp_socket create_stream_socket_perms;
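Review bot: `#permissive nagios_notification_plugin_t;` is commented-out policy left inside the new block and should be removed rather than shipped, since uncommenting it later silently turns off enforcement for the whole notification domain. The comment above the block is missing a word and should match the wording used earlier in the file: `# should be moved to nagios.te`. `corecmd_exec_bin(nagios_notification_plugin_t)` grants execution of anything labeled bin_t in the notification domain; if the notification scripts only need a handful of tools, a comment naming which commands produced the denials would make this the obvious rule to narrow later. The `mta_send_mail` rule together with `icinga2_dontaudit_leaks_fifo(system_mail_t)` hides, rather than closes, a descriptor leaked into the mail domain, which is the accepted refpolicy pattern but worth a one-line comment so it is not mistaken for an unfinished fix.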