Merge pull request #9444 from Icinga/bugfix/add-missing-redis-and-mysql-selinux-policy

Add missing Redis & Mysql unix socket SELinux policy
Julian Brost 2022-08-05 10:41:38 +02:00 committed by GitHub
commit 409bda109c
2 changed files with 10 additions and 0 deletions


@ -67,6 +67,7 @@ sepolicy manpage -p . -d icinga2_t
# Label the port 5665 # Label the port 5665
/sbin/semanage port -a -t icinga2_port_t -p tcp 5665 /sbin/semanage port -a -t icinga2_port_t -p tcp 5665
/sbin/semanage port -a -t redis_port_t -p tcp 6380
# Generate a rpm package for the newly generated policy # Generate a rpm package for the newly generated policy
pwd=$(pwd) pwd=$(pwd)
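Review bot: The added `/sbin/semanage port -a -t redis_port_t -p tcp 6380` exits non-zero whenever TCP 6380 already carries a port label (newer distribution policies may already list 6380 under redis_port_t, and a previous run of this script certainly does), so the step is not re-runnable: with `set -e` it aborts the build at that line, without it the failure is lost in the output; the 5665 line two lines above has the same exposure. Making the step idempotent is a one-liner: `/sbin/semanage port -a -t redis_port_t -p tcp 6380 2>/dev/null || /sbin/semanage port -m -t redis_port_t -p tcp 6380`. The new line also lacks the short comment its neighbour has; suggest `# Label the Redis port (6380) that icinga2_t is allowed to connect to` directly above it.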


@ -43,6 +43,7 @@ require {
type nagios_eventhandler_plugin_t; type nagios_eventhandler_plugin_exec_t; type nagios_eventhandler_plugin_t; type nagios_eventhandler_plugin_exec_t;
type nagios_openshift_plugin_t; type nagios_openshift_plugin_exec_t; type nagios_openshift_plugin_t; type nagios_openshift_plugin_exec_t;
type httpd_t; type system_mail_t; type httpd_t; type system_mail_t;
type redis_t; type redis_var_run_t; type redis_port_t;
type devlog_t; type devlog_t;
role staff_r; role staff_r;
attribute unreserved_port_type; attribute unreserved_port_type;
@ -200,6 +201,14 @@ postgresql_tcp_connect(icinga2_t)
# graphite is using port 2003 which is lmtp_port_t # graphite is using port 2003 which is lmtp_port_t
corenet_tcp_connect_lmtp_port(icinga2_t) corenet_tcp_connect_lmtp_port(icinga2_t)
# Allow icinga2 to connect to redis using unix domain sockets
stream_connect_pattern(icinga2_t, redis_var_run_t, redis_var_run_t, redis_t)
# Just like `redis_tcp_connect(icinga2_t)`, though this interface does not exist on centos7
corenet_tcp_recvfrom_labeled(icinga2_t, redis_t)
corenet_tcp_sendrecv_redis_port(icinga2_t)
corenet_tcp_connect_redis_port(icinga2_t)
# This is for other feature that do not use a confined port # This is for other feature that do not use a confined port
# or if you run one one with a non standard port. # or if you run one one with a non standard port.
tunable_policy(`icinga2_can_connect_all',` tunable_policy(`icinga2_can_connect_all',`
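Review bot: The three `type redis_t; type redis_var_run_t; type redis_port_t;` entries added to the unconditional `require` block in the first hunk make the whole icinga2 module fail to load on any host where the redis policy module is absent or disabled, rather than merely losing the Redis rules; the rules in this hunk are the only consumers of those types. Wrapping the Redis block in `optional_policy(` with its own `gen_require(` keeps the module installable on such hosts, and `redis_port_t` does not appear to be referenced directly at all (the `corenet_*_redis_port` interfaces carry their own requires), so it need not be required here. The existing file already takes hard dependencies on httpd_t and the nagios types in the same global block, so this is a consistency judgement rather than a blocker; if that style is kept deliberately, a comment at the require block saying the redis module must be present would save the next person a confusing `semodule` error.
```selinux
# … unchanged: corenet_tcp_connect_lmtp_port(icinga2_t) …
optional_policy(`
	gen_require(`
		type redis_t; type redis_var_run_t;
	')
	# Allow icinga2 to connect to redis using unix domain sockets
	stream_connect_pattern(icinga2_t, redis_var_run_t, redis_var_run_t, redis_t)
	# Just like `redis_tcp_connect(icinga2_t)`, though this interface does not exist on centos7
	corenet_tcp_recvfrom_labeled(icinga2_t, redis_t)
	corenet_tcp_sendrecv_redis_port(icinga2_t)
	corenet_tcp_connect_redis_port(icinga2_t)
')
# … unchanged: icinga2_can_connect_all tunable …
```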