From f53499b09f1533acf340d540ef51a61b569d432b Mon Sep 17 00:00:00 2001
From: Yonas Habteab
Date: Fri, 15 Jul 2022 15:32:47 +0200
Subject: [PATCH] Add missing IcingaDB Redis SELinux policy

---
 tools/selinux/icinga2.sh | 1 +
 tools/selinux/icinga2.te | 9 +++++++++
 2 files changed, 10 insertions(+)

diff --git a/tools/selinux/icinga2.sh b/tools/selinux/icinga2.sh
index 7b68451f7..9d5dd5911 100755
--- a/tools/selinux/icinga2.sh
+++ b/tools/selinux/icinga2.sh
@@ -67,6 +67,7 @@ sepolicy manpage -p . -d icinga2_t
 
 # Label the port 5665
 /sbin/semanage port -a -t icinga2_port_t -p tcp 5665
+/sbin/semanage port -a -t redis_port_t -p tcp 6380
 
 # Generate a rpm package for the newly generated policy
 pwd=$(pwd)
diff --git a/tools/selinux/icinga2.te b/tools/selinux/icinga2.te
index 7b32eaec5..15732562f 100644
--- a/tools/selinux/icinga2.te
+++ b/tools/selinux/icinga2.te
@@ -43,6 +43,7 @@ require {
 	type nagios_eventhandler_plugin_t; type nagios_eventhandler_plugin_exec_t;
 	type nagios_openshift_plugin_t; type nagios_openshift_plugin_exec_t;
 	type httpd_t; type system_mail_t;
+	type redis_t; type redis_var_run_t; type redis_port_t;
 	type devlog_t;
 	role staff_r;
 	attribute unreserved_port_type;
@@ -200,6 +201,14 @@ postgresql_tcp_connect(icinga2_t)
 # graphite is using port 2003 which is lmtp_port_t
 corenet_tcp_connect_lmtp_port(icinga2_t)
 
+# Allow icinga2 to connect to redis using unix domain sockets
+stream_connect_pattern(icinga2_t, redis_var_run_t, redis_var_run_t, redis_t)
+
+# Just like `redis_tcp_connect(icinga2_t)`, though this interface does not exist on centos7
+corenet_tcp_recvfrom_labeled(icinga2_t, redis_t)
+corenet_tcp_sendrecv_redis_port(icinga2_t)
+corenet_tcp_connect_redis_port(icinga2_t)
+
 # This is for other feature that do not use a confined port
 # or if you run one one with a non standard port.
 tunable_policy(`icinga2_can_connect_all',`
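Review bot: The added `semanage port -a` line for tcp/6380 is not idempotent: `semanage port -a` exits non-zero when the port is already defined, which happens on a re-run of this script or on a host whose redis policy already maps that port, and nothing in the hunk handles that failure. A tolerant form such as `/sbin/semanage port -a -t redis_port_t -p tcp 6380 || /sbin/semanage port -m -t redis_port_t -p tcp 6380` keeps the script usable in both cases; the existing 5665 line has the same exposure but is not changed here. The comment above, `# Label the port 5665`, now describes only one of the two lines; `# Label the Icinga 2 API port 5665 and the IcingaDB Redis port 6380` would cover both. The surrounding script continues outside the hunk, so whether it runs under `set -e` cannot be seen from here.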
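Review bot: The new types in the `require { ... }` hunk at line 43 become hard requirements of the whole icinga2 module, so on a host where the redis policy module is not installed the module will fail to load entirely rather than just lose the Redis rules added at line 201; `redis_t` and `redis_var_run_t` come from the redis module, while `redis_port_t` is presumably declared by corenetwork and so is less of a concern. If redis is optional on the supported targets, moving those types into a `gen_require` inside an `optional_policy(` ... ')` block around the new rules, and dropping them from the top-level require, lets the rest of the policy load without it. The first new comment could also state what the duplicated argument encodes, e.g. `# redis_var_run_t is passed twice: as the socket's directory and as the socket file itself`, since stream_connect_pattern takes the directory type and the socket-file type separately.

```m4
# … unchanged: graphite / lmtp rules above …
optional_policy(`
	gen_require(`
		type redis_t; type redis_var_run_t; type redis_port_t;
	')

	# Allow icinga2 to connect to redis using unix domain sockets
	# (redis_var_run_t is passed twice: as the socket's directory and as the socket file itself)
	stream_connect_pattern(icinga2_t, redis_var_run_t, redis_var_run_t, redis_t)

	# Just like `redis_tcp_connect(icinga2_t)`, though this interface does not exist on centos7
	corenet_tcp_recvfrom_labeled(icinga2_t, redis_t)
	corenet_tcp_sendrecv_redis_port(icinga2_t)
	corenet_tcp_connect_redis_port(icinga2_t)
')
# … unchanged: icinga2_can_connect_all tunable below …
```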