tyler.durden
/
icinga2
mirror of https://github.com/Icinga/icinga2.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Add missing IcingaDB Redis SELinux policy

This commit is contained in:
Yonas Habteab 2022-07-15 15:32:47 +02:00
parent eb74898271
commit 19f3e48344
2 changed files with 10 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
tools/selinux/icinga2.sh
View File

@ -67,6 +67,7 @@ sepolicy manpage -p . -d icinga2_t
# Label the port 5665
/sbin/semanage port -a -t icinga2_port_t -p tcp 5665
/sbin/semanage port -a -t redis_port_t -p tcp 6380
# Generate a rpm package for the newly generated policy
pwd=$(pwd)

9
tools/selinux/icinga2.te
View File

@ -43,6 +43,7 @@ require {
type nagios_eventhandler_plugin_t; type nagios_eventhandler_plugin_exec_t;
type nagios_openshift_plugin_t; type nagios_openshift_plugin_exec_t;
type httpd_t; type system_mail_t;
type redis_t; type redis_var_run_t; type redis_port_t;
type devlog_t;
role staff_r;
attribute unreserved_port_type;
@ -200,6 +201,14 @@ postgresql_tcp_connect(icinga2_t)
# graphite is using port 2003 which is lmtp_port_t
corenet_tcp_connect_lmtp_port(icinga2_t)
# Allow icinga2 to connect to redis using unix domain sockets
stream_connect_pattern(icinga2_t, redis_var_run_t, redis_var_run_t, redis_t)
# Just like `redis_tcp_connect(icinga2_t)`, though this interface does not exist on centos7
corenet_tcp_recvfrom_labeled(icinga2_t, redis_t)
corenet_tcp_sendrecv_redis_port(icinga2_t)
corenet_tcp_connect_redis_port(icinga2_t)
# This is for other feature that do not use a confined port
# or if you run one one with a non standard port.
tunable_policy(`icinga2_can_connect_all',`