mirror of https://github.com/Icinga/icinga2.git
parent
8bd2b99c82
commit
7d29a26d99
|
@ -1,5 +1,7 @@
|
||||||
/etc/rc\.d/init\.d/icinga2 -- gen_context(system_u:object_r:icinga2_initrc_exec_t,s0)
|
/etc/rc\.d/init\.d/icinga2 -- gen_context(system_u:object_r:icinga2_initrc_exec_t,s0)
|
||||||
|
|
||||||
|
/usr/lib/systemd/system/icinga2.* -- gen_context(system_u:object_r:icinga2_unit_file_t,s0)
|
||||||
|
|
||||||
/etc/icinga2(/.*)? gen_context(system_u:object_r:icinga2_etc_t,s0)
|
/etc/icinga2(/.*)? gen_context(system_u:object_r:icinga2_etc_t,s0)
|
||||||
|
|
||||||
/etc/icinga2/scripts(/.*)? gen_context(system_u:object_r:nagios_notification_plugin_exec_t,s0)
|
/etc/icinga2/scripts(/.*)? gen_context(system_u:object_r:nagios_notification_plugin_exec_t,s0)
|
||||||
|
|
|
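Review bot: The new file context `/usr/lib/systemd/system/icinga2.* -- gen_context(system_u:object_r:icinga2_unit_file_t,s0)` leaves the `.` unescaped, so it labels every regular file in that directory whose name merely starts with `icinga2`, not just `icinga2.service`. That matters because the .if changes in this commit hand admin domains `all_service_perms` on icinga2_unit_file_t, so a unit from another package sharing the prefix would be covered as well. If only the daemon's own units are meant, `/usr/lib/systemd/system/icinga2\.service -- gen_context(system_u:object_r:icinga2_unit_file_t,s0)` (plus a sibling entry per socket/timer unit if any) is tighter; if the broad match is intentional to follow the convention used for other daemons, a one-line comment stating that would save the next reader the question.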
@ -38,6 +38,30 @@ interface(`icinga2_initrc_domtrans',`
|
||||||
init_labeled_script_domtrans($1, icinga2_initrc_exec_t)
|
init_labeled_script_domtrans($1, icinga2_initrc_exec_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Execute icinga2 daemon in the icinga2 domain.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed to transition.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`icinga2_systemctl',`
|
||||||
|
gen_require(`
|
||||||
|
type icinga2_t;
|
||||||
|
type icinga2_unit_file_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
systemd_exec_systemctl($1)
|
||||||
|
allow $1 icinga2_unit_file_t:file read_file_perms;
|
||||||
|
allow $1 icinga2_unit_file_t:service manage_service_perms;
|
||||||
|
|
||||||
|
ps_process_pattern($1, icinga2_t)
|
||||||
|
init_dbus_chat($1)
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Allow the specified domain to read
|
## Allow the specified domain to read
|
||||||
|
@ -256,11 +280,24 @@ interface(`icinga2_admin',`
|
||||||
role_transition $2 icinga2_initrc_exec_t system_r;
|
role_transition $2 icinga2_initrc_exec_t system_r;
|
||||||
allow $2 system_r;
|
allow $2 system_r;
|
||||||
|
|
||||||
|
files_list_etc($1)
|
||||||
|
admin_pattern($1, icinga2_etc_t)
|
||||||
|
|
||||||
logging_search_logs($1)
|
logging_search_logs($1)
|
||||||
admin_pattern($1, icinga2_log_t)
|
admin_pattern($1, icinga2_log_t)
|
||||||
|
|
||||||
files_search_var_lib($1)
|
files_search_var_lib($1)
|
||||||
admin_pattern($1, icinga2_var_lib_t)
|
admin_pattern($1, icinga2_var_lib_t)
|
||||||
|
|
||||||
|
admin_pattern($1, icinga2_var_run_t)
|
||||||
|
admin_pattern($1, icinga2_command_t)
|
||||||
|
admin_pattern($1, icinga2_spool_t)
|
||||||
|
admin_pattern($1, icinga2_cache_t)
|
||||||
|
|
||||||
|
icinga2_systemctl($1)
|
||||||
|
admin_pattern($1, icinga2_unit_file_t)
|
||||||
|
allow $1 icinga2_unit_file_t:service all_service_perms;
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
systemd_passwd_agent_exec($1)
|
systemd_passwd_agent_exec($1)
|
||||||
systemd_read_fifo_file_passwd_run($1)
|
systemd_read_fifo_file_passwd_run($1)
|
||||||
|
@ -329,3 +366,23 @@ interface(`icinga2_dontaudit_leaks_fifo',`
|
||||||
dontaudit $1 icinga2_t:fifo_file write;
|
dontaudit $1 icinga2_t:fifo_file write;
|
||||||
')
|
')
|
||||||
|
|
||||||
|
## <summary>Icinga2 administrator role.</summary>
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Change to the Icinga2 administrator role.
|
||||||
|
## </summary>
|
||||||
|
## <param name="role">
|
||||||
|
## <summary>
|
||||||
|
## Role allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
## <rolecap/>
|
||||||
|
#
|
||||||
|
interface(`icinga2adm_role_change',`
|
||||||
|
gen_require(`
|
||||||
|
role icinga2adm_r;
|
||||||
|
')
|
||||||
|
|
||||||
|
allow $1 icinga2adm_r;
|
||||||
|
')
|
||||||
|
|
|
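Review bot: The stray line `## <summary>Icinga2 administrator role.</summary>` added in the last hunk sits before the `####` separator, outside the documentation block of `icinga2adm_role_change` that follows, so it is not attached to any interface and duplicates the summary given a few lines later; it should be dropped or folded into that block. In `icinga2_admin`, the new `icinga2_systemctl($1)` call already grants `manage_service_perms` on icinga2_unit_file_t, which the following `allow $1 icinga2_unit_file_t:service all_service_perms;` subsumes — harmless, but a short comment such as `# all_service_perms deliberately widens the manage_service_perms granted via icinga2_systemctl` would make the intent explicit. The body of `icinga2_admin` starts before the hunk.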
@ -48,6 +48,8 @@ sepolicy manpage -p . -d icinga2_t
|
||||||
/sbin/restorecon -F -R -v /usr/sbin/icinga2
|
/sbin/restorecon -F -R -v /usr/sbin/icinga2
|
||||||
# Fixing the file context on /etc/rc\.d/init\.d/icinga2
|
# Fixing the file context on /etc/rc\.d/init\.d/icinga2
|
||||||
#/sbin/restorecon -F -R -v /etc/rc\.d/init\.d/icinga2
|
#/sbin/restorecon -F -R -v /etc/rc\.d/init\.d/icinga2
|
||||||
|
# Fixing the file context on /usr/lib/systemd/system/icinga2.*
|
||||||
|
/sbin/restorecon -F -R -v /usr/lib/systemd/system/icinga2.*
|
||||||
# Fixing the file context on /etc/icinga2
|
# Fixing the file context on /etc/icinga2
|
||||||
/sbin/restorecon -F -R -v /etc/icinga2
|
/sbin/restorecon -F -R -v /etc/icinga2
|
||||||
# Fixing the file context on /var/log/icinga2
|
# Fixing the file context on /var/log/icinga2
|
||||||
|
|
|
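Review bot: The added `/sbin/restorecon -F -R -v /usr/lib/systemd/system/icinga2.*` relies on shell glob expansion; when no matching unit file is installed the pattern is passed literally and restorecon reports a nonexistent path, which aborts the script if it runs under `set -e` (not visible in the hunk). Since the line above it for the init script was commented out rather than made conditional, the same situation applies here; guarding it, e.g. `[ -e /usr/lib/systemd/system/icinga2.service ] && /sbin/restorecon -F -R -v /usr/lib/systemd/system/icinga2.*`, or relabelling the directory with `-R` and letting the .fc pattern select the files, keeps the fixup script usable on hosts without systemd units.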
@ -15,6 +15,7 @@ require {
|
||||||
type nagios_eventhandler_plugin_t; type nagios_eventhandler_plugin_exec_t;
|
type nagios_eventhandler_plugin_t; type nagios_eventhandler_plugin_exec_t;
|
||||||
type nagios_openshift_plugin_t; type nagios_openshift_plugin_exec_t;
|
type nagios_openshift_plugin_t; type nagios_openshift_plugin_exec_t;
|
||||||
type httpd_t; type system_mail_t;
|
type httpd_t; type system_mail_t;
|
||||||
|
role staff_r;
|
||||||
}
|
}
|
||||||
|
|
||||||
type icinga2_t;
|
type icinga2_t;
|
||||||
|
@ -26,6 +27,9 @@ permissive icinga2_t;
|
||||||
type icinga2_initrc_exec_t;
|
type icinga2_initrc_exec_t;
|
||||||
init_script_file(icinga2_initrc_exec_t)
|
init_script_file(icinga2_initrc_exec_t)
|
||||||
|
|
||||||
|
type icinga2_unit_file_t;
|
||||||
|
systemd_unit_file(icinga2_unit_file_t)
|
||||||
|
|
||||||
type icinga2_etc_t;
|
type icinga2_etc_t;
|
||||||
files_config_file(icinga2_etc_t)
|
files_config_file(icinga2_etc_t)
|
||||||
|
|
||||||
|
@ -62,6 +66,7 @@ allow icinga2_t self:process { setsched signal setrlimit };
|
||||||
allow icinga2_t self:fifo_file rw_fifo_file_perms;
|
allow icinga2_t self:fifo_file rw_fifo_file_perms;
|
||||||
allow icinga2_t self:unix_stream_socket create_stream_socket_perms;
|
allow icinga2_t self:unix_stream_socket create_stream_socket_perms;
|
||||||
|
|
||||||
|
list_dirs_pattern(icinga2_t, icinga2_etc_t, icinga2_etc_t)
|
||||||
read_files_pattern(icinga2_t, icinga2_etc_t, icinga2_etc_t)
|
read_files_pattern(icinga2_t, icinga2_etc_t, icinga2_etc_t)
|
||||||
read_lnk_files_pattern(icinga2_t, icinga2_etc_t, icinga2_etc_t)
|
read_lnk_files_pattern(icinga2_t, icinga2_etc_t, icinga2_etc_t)
|
||||||
|
|
||||||
|
@ -152,3 +157,18 @@ optional_policy(`
|
||||||
# should be a boolean in apache-policy
|
# should be a boolean in apache-policy
|
||||||
icinga2_send_commands(httpd_t)
|
icinga2_send_commands(httpd_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
#
|
||||||
|
# Icinga2 Admin Role
|
||||||
|
#
|
||||||
|
|
||||||
|
userdom_unpriv_user_template(icinga2adm)
|
||||||
|
|
||||||
|
icinga2_admin(icinga2adm_t, icinga2adm_r)
|
||||||
|
|
||||||
|
allow icinga2adm_t self:capability { dac_read_search dac_override };
|
||||||
|
|
||||||
|
# should be moved to staff.te
|
||||||
|
icinga2adm_role_change(staff_r)
|
||||||
|
|
||||||
|
|
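Review bot: `allow icinga2adm_t self:capability { dac_read_search dac_override };` grants a domain built from `userdom_unpriv_user_template(icinga2adm)` the capability to bypass discretionary permission checks on every file, which is considerably broader than the icinga2-scoped access the rest of `icinga2_admin` confers. If the requirement is only to read and traverse root-owned configuration, log and spool directories, `dac_read_search` alone covers that and `dac_override` can be dropped; if a write case was observed in the audit log, a comment naming it next to the rule would justify keeping it. The "should be moved to staff.te" note on `icinga2adm_role_change(staff_r)` is fair, but the same applies to this capability rule: both are policy decisions that belong with the role definition and deserve a comment on why they are here for now.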