SELinux: Let safe-reload run in icinga2_t

Fixes #7832
This commit is contained in:
Dirk Goetz 2020-02-26 17:21:58 +01:00
parent 59354e8bbe
commit cdc7a820f6
4 changed files with 10 additions and 3 deletions

3
.gitignore vendored
View File

@ -19,3 +19,6 @@ cmake-build-debug
/Testing/ /Testing/
/install/ /install/
/vendor/ /vendor/
tools/selinux/icinga2.pp
tools/selinux/icinga2_selinux.8
tools/selinux/tmp

View File

@ -7,7 +7,8 @@
/etc/icinga2/scripts(/.*)? -- gen_context(system_u:object_r:nagios_notification_plugin_exec_t,s0) /etc/icinga2/scripts(/.*)? -- gen_context(system_u:object_r:nagios_notification_plugin_exec_t,s0)
/usr/sbin/icinga2 -- gen_context(system_u:object_r:icinga2_exec_t,s0) /usr/sbin/icinga2 -- gen_context(system_u:object_r:icinga2_exec_t,s0)
/usr/lib64/icinga2/sbin/icinga2 -- gen_context(system_u:object_r:icinga2_exec_t,s0) /usr/lib/icinga2/sbin/icinga2 -- gen_context(system_u:object_r:icinga2_exec_t,s0)
/usr/lib/icinga2/safe-reload -- gen_context(system_u:object_r:icinga2_exec_t,s0)
/var/lib/icinga2(/.*)? gen_context(system_u:object_r:icinga2_var_lib_t,s0) /var/lib/icinga2(/.*)? gen_context(system_u:object_r:icinga2_var_lib_t,s0)

View File

@ -47,6 +47,7 @@ sepolicy manpage -p . -d icinga2_t
# Fixing the file context on /usr/sbin/icinga2 # Fixing the file context on /usr/sbin/icinga2
/sbin/restorecon -F -R -v /usr/sbin/icinga2 /sbin/restorecon -F -R -v /usr/sbin/icinga2
/sbin/restorecon -F -R -v /usr/lib64/icinga2/sbin/icinga2 /sbin/restorecon -F -R -v /usr/lib64/icinga2/sbin/icinga2
/sbin/restorecon -F -R -v /usr/lib/icinga2/safe-reload
# Fixing the file context on /etc/rc\.d/init\.d/icinga2 # Fixing the file context on /etc/rc\.d/init\.d/icinga2
#/sbin/restorecon -F -R -v /etc/rc\.d/init\.d/icinga2 #/sbin/restorecon -F -R -v /etc/rc\.d/init\.d/icinga2
# Fixing the file context on /usr/lib/systemd/system/icinga2.* # Fixing the file context on /usr/lib/systemd/system/icinga2.*

View File

@ -1,4 +1,4 @@
policy_module(icinga2, 0.2.1) policy_module(icinga2, 0.2.2)
######################################## ########################################
# #
@ -93,12 +93,14 @@ corenet_port(icinga2_port_t)
# #
# icinga2 local policy # icinga2 local policy
# #
allow icinga2_t self:capability { setgid setuid sys_resource }; allow icinga2_t self:capability { setgid setuid sys_resource kill };
allow icinga2_t self:process { setsched signal setrlimit }; allow icinga2_t self:process { setsched signal setrlimit };
allow icinga2_t self:fifo_file rw_fifo_file_perms; allow icinga2_t self:fifo_file rw_fifo_file_perms;
allow icinga2_t self:unix_dgram_socket create_socket_perms; allow icinga2_t self:unix_dgram_socket create_socket_perms;
allow icinga2_t self:unix_stream_socket create_stream_socket_perms; allow icinga2_t self:unix_stream_socket create_stream_socket_perms;
allow icinga2_t icinga2_exec_t:file execute_no_trans;
list_dirs_pattern(icinga2_t, icinga2_etc_t, icinga2_etc_t) list_dirs_pattern(icinga2_t, icinga2_etc_t, icinga2_etc_t)
read_files_pattern(icinga2_t, icinga2_etc_t, icinga2_etc_t) read_files_pattern(icinga2_t, icinga2_etc_t, icinga2_etc_t)
read_lnk_files_pattern(icinga2_t, icinga2_etc_t, icinga2_etc_t) read_lnk_files_pattern(icinga2_t, icinga2_etc_t, icinga2_etc_t)