Selinux: added role and some required changes

refs #8332
This commit is contained in:
Dirk Goetz 2015-03-25 21:00:53 +00:00 committed by Michael Friedrich
parent 8bd2b99c82
commit 7d29a26d99
4 changed files with 81 additions and 0 deletions

View File

@ -1,5 +1,7 @@
/etc/rc\.d/init\.d/icinga2 -- gen_context(system_u:object_r:icinga2_initrc_exec_t,s0) /etc/rc\.d/init\.d/icinga2 -- gen_context(system_u:object_r:icinga2_initrc_exec_t,s0)
/usr/lib/systemd/system/icinga2.* -- gen_context(system_u:object_r:icinga2_unit_file_t,s0)
/etc/icinga2(/.*)? gen_context(system_u:object_r:icinga2_etc_t,s0) /etc/icinga2(/.*)? gen_context(system_u:object_r:icinga2_etc_t,s0)
/etc/icinga2/scripts(/.*)? gen_context(system_u:object_r:nagios_notification_plugin_exec_t,s0) /etc/icinga2/scripts(/.*)? gen_context(system_u:object_r:nagios_notification_plugin_exec_t,s0)

View File

@ -38,6 +38,30 @@ interface(`icinga2_initrc_domtrans',`
init_labeled_script_domtrans($1, icinga2_initrc_exec_t) init_labeled_script_domtrans($1, icinga2_initrc_exec_t)
') ')
########################################
## <summary>
## Execute icinga2 daemon in the icinga2 domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`icinga2_systemctl',`
gen_require(`
type icinga2_t;
type icinga2_unit_file_t;
')
systemd_exec_systemctl($1)
allow $1 icinga2_unit_file_t:file read_file_perms;
allow $1 icinga2_unit_file_t:service manage_service_perms;
ps_process_pattern($1, icinga2_t)
init_dbus_chat($1)
')
######################################## ########################################
## <summary> ## <summary>
## Allow the specified domain to read ## Allow the specified domain to read
@ -256,11 +280,24 @@ interface(`icinga2_admin',`
role_transition $2 icinga2_initrc_exec_t system_r; role_transition $2 icinga2_initrc_exec_t system_r;
allow $2 system_r; allow $2 system_r;
files_list_etc($1)
admin_pattern($1, icinga2_etc_t)
logging_search_logs($1) logging_search_logs($1)
admin_pattern($1, icinga2_log_t) admin_pattern($1, icinga2_log_t)
files_search_var_lib($1) files_search_var_lib($1)
admin_pattern($1, icinga2_var_lib_t) admin_pattern($1, icinga2_var_lib_t)
admin_pattern($1, icinga2_var_run_t)
admin_pattern($1, icinga2_command_t)
admin_pattern($1, icinga2_spool_t)
admin_pattern($1, icinga2_cache_t)
icinga2_systemctl($1)
admin_pattern($1, icinga2_unit_file_t)
allow $1 icinga2_unit_file_t:service all_service_perms;
optional_policy(` optional_policy(`
systemd_passwd_agent_exec($1) systemd_passwd_agent_exec($1)
systemd_read_fifo_file_passwd_run($1) systemd_read_fifo_file_passwd_run($1)
@ -329,3 +366,23 @@ interface(`icinga2_dontaudit_leaks_fifo',`
dontaudit $1 icinga2_t:fifo_file write; dontaudit $1 icinga2_t:fifo_file write;
') ')
## <summary>Icinga2 administrator role.</summary>
########################################
## <summary>
## Change to the Icinga2 administrator role.
## </summary>
## <param name="role">
## <summary>
## Role allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`icinga2adm_role_change',`
gen_require(`
role icinga2adm_r;
')
allow $1 icinga2adm_r;
')

View File

@ -48,6 +48,8 @@ sepolicy manpage -p . -d icinga2_t
/sbin/restorecon -F -R -v /usr/sbin/icinga2 /sbin/restorecon -F -R -v /usr/sbin/icinga2
# Fixing the file context on /etc/rc\.d/init\.d/icinga2 # Fixing the file context on /etc/rc\.d/init\.d/icinga2
#/sbin/restorecon -F -R -v /etc/rc\.d/init\.d/icinga2 #/sbin/restorecon -F -R -v /etc/rc\.d/init\.d/icinga2
# Fixing the file context on /usr/lib/systemd/system/icinga2.*
/sbin/restorecon -F -R -v /usr/lib/systemd/system/icinga2.*
# Fixing the file context on /etc/icinga2 # Fixing the file context on /etc/icinga2
/sbin/restorecon -F -R -v /etc/icinga2 /sbin/restorecon -F -R -v /etc/icinga2
# Fixing the file context on /var/log/icinga2 # Fixing the file context on /var/log/icinga2

View File

@ -15,6 +15,7 @@ require {
type nagios_eventhandler_plugin_t; type nagios_eventhandler_plugin_exec_t; type nagios_eventhandler_plugin_t; type nagios_eventhandler_plugin_exec_t;
type nagios_openshift_plugin_t; type nagios_openshift_plugin_exec_t; type nagios_openshift_plugin_t; type nagios_openshift_plugin_exec_t;
type httpd_t; type system_mail_t; type httpd_t; type system_mail_t;
role staff_r;
} }
type icinga2_t; type icinga2_t;
@ -26,6 +27,9 @@ permissive icinga2_t;
type icinga2_initrc_exec_t; type icinga2_initrc_exec_t;
init_script_file(icinga2_initrc_exec_t) init_script_file(icinga2_initrc_exec_t)
type icinga2_unit_file_t;
systemd_unit_file(icinga2_unit_file_t)
type icinga2_etc_t; type icinga2_etc_t;
files_config_file(icinga2_etc_t) files_config_file(icinga2_etc_t)
@ -62,6 +66,7 @@ allow icinga2_t self:process { setsched signal setrlimit };
allow icinga2_t self:fifo_file rw_fifo_file_perms; allow icinga2_t self:fifo_file rw_fifo_file_perms;
allow icinga2_t self:unix_stream_socket create_stream_socket_perms; allow icinga2_t self:unix_stream_socket create_stream_socket_perms;
list_dirs_pattern(icinga2_t, icinga2_etc_t, icinga2_etc_t)
read_files_pattern(icinga2_t, icinga2_etc_t, icinga2_etc_t) read_files_pattern(icinga2_t, icinga2_etc_t, icinga2_etc_t)
read_lnk_files_pattern(icinga2_t, icinga2_etc_t, icinga2_etc_t) read_lnk_files_pattern(icinga2_t, icinga2_etc_t, icinga2_etc_t)
@ -152,3 +157,18 @@ optional_policy(`
# should be a boolean in apache-policy # should be a boolean in apache-policy
icinga2_send_commands(httpd_t) icinga2_send_commands(httpd_t)
') ')
########################################
#
# Icinga2 Admin Role
#
userdom_unpriv_user_template(icinga2adm)
icinga2_admin(icinga2adm_t, icinga2adm_r)
allow icinga2adm_t self:capability { dac_read_search dac_override };
# should be moved to staff.te
icinga2adm_role_change(staff_r)