policy_module(icinga2, 0.1.5) ######################################## # # Declarations # ## ##

## Allow Icinga 2 to connect to all ports ##

##
gen_tunable(icinga2_can_connect_all, false) gen_tunable(httpd_can_connect_icinga2_api, true) gen_tunable(httpd_can_write_icinga2_command, true) require { type nagios_admin_plugin_t; type nagios_admin_plugin_exec_t; type nagios_checkdisk_plugin_t; type nagios_checkdisk_plugin_exec_t; type nagios_mail_plugin_t; type nagios_mail_plugin_exec_t; type nagios_services_plugin_t; type nagios_services_plugin_exec_t; type nagios_system_plugin_t; type nagios_system_plugin_exec_t; type nagios_unconfined_plugin_t; type nagios_unconfined_plugin_exec_t; type nagios_eventhandler_plugin_t; type nagios_eventhandler_plugin_exec_t; type nagios_openshift_plugin_t; type nagios_openshift_plugin_exec_t; type httpd_t; type system_mail_t; role staff_r; } type icinga2_t; type icinga2_exec_t; init_daemon_domain(icinga2_t, icinga2_exec_t) #permissive icinga2_t; type icinga2_initrc_exec_t; init_script_file(icinga2_initrc_exec_t) type icinga2_unit_file_t; systemd_unit_file(icinga2_unit_file_t) type icinga2_etc_t; files_config_file(icinga2_etc_t) type icinga2_log_t; logging_log_file(icinga2_log_t) type icinga2_var_lib_t; files_type(icinga2_var_lib_t) type icinga2_var_run_t; files_pid_file(icinga2_var_run_t) type icinga2_command_t; files_type(icinga2_command_t) type icinga2_spool_t; files_type(icinga2_spool_t) type icinga2_cache_t; files_type(icinga2_cache_t) type icinga2_tmp_t; files_tmp_file(icinga2_tmp_t) type icinga2_port_t; corenet_port(icinga2_port_t) ######################################## # # icinga2 local policy # allow icinga2_t self:capability { setgid setuid sys_resource }; allow icinga2_t self:process { setsched signal setrlimit }; allow icinga2_t self:fifo_file rw_fifo_file_perms; allow icinga2_t self:unix_dgram_socket create_socket_perms; allow icinga2_t self:unix_stream_socket create_stream_socket_perms; list_dirs_pattern(icinga2_t, icinga2_etc_t, icinga2_etc_t) read_files_pattern(icinga2_t, icinga2_etc_t, icinga2_etc_t) read_lnk_files_pattern(icinga2_t, icinga2_etc_t, icinga2_etc_t) manage_dirs_pattern(icinga2_t, icinga2_log_t, icinga2_log_t) manage_files_pattern(icinga2_t, icinga2_log_t, icinga2_log_t) manage_lnk_files_pattern(icinga2_t, icinga2_log_t, icinga2_log_t) logging_log_filetrans(icinga2_t, icinga2_log_t, { dir file lnk_file }) manage_dirs_pattern(icinga2_t, icinga2_var_lib_t, icinga2_var_lib_t) manage_files_pattern(icinga2_t, icinga2_var_lib_t, icinga2_var_lib_t) manage_lnk_files_pattern(icinga2_t, icinga2_var_lib_t, icinga2_var_lib_t) files_var_lib_filetrans(icinga2_t, icinga2_var_lib_t, { dir file lnk_file }) manage_dirs_pattern(icinga2_t, icinga2_var_run_t, icinga2_var_run_t) manage_files_pattern(icinga2_t, icinga2_var_run_t, icinga2_var_run_t) files_pid_filetrans(icinga2_t, icinga2_var_run_t, { dir file }) manage_dirs_pattern(icinga2_t, icinga2_command_t, icinga2_command_t) manage_files_pattern(icinga2_t, icinga2_command_t, icinga2_command_t) manage_fifo_files_pattern(icinga2_t, icinga2_command_t, icinga2_command_t) manage_dirs_pattern(icinga2_t, icinga2_spool_t, icinga2_spool_t) manage_files_pattern(icinga2_t, icinga2_spool_t, icinga2_spool_t) files_spool_filetrans(icinga2_t, icinga2_spool_t, { dir file }) manage_dirs_pattern(icinga2_t, icinga2_cache_t, icinga2_cache_t) manage_files_pattern(icinga2_t, icinga2_cache_t, icinga2_cache_t) manage_files_pattern(icinga2_t, icinga2_tmp_t, icinga2_tmp_t) manage_dirs_pattern(icinga2_t, icinga2_tmp_t, icinga2_tmp_t) files_tmp_filetrans(icinga2_t, icinga2_tmp_t, { dir file }) domain_use_interactive_fds(icinga2_t) files_read_etc_files(icinga2_t) auth_use_nsswitch(icinga2_t) miscfiles_read_localization(icinga2_t) corecmd_exec_shell(icinga2_t) corecmd_exec_bin(icinga2_t) kernel_read_system_state(icinga2_t) kernel_read_network_state(icinga2_t) # should be moved to nagios_plugin_template in nagios.if icinga2_execstrans(nagios_admin_plugin_exec_t, nagios_admin_plugin_t) icinga2_execstrans(nagios_checkdisk_plugin_exec_t, nagios_checkdisk_plugin_t) icinga2_execstrans(nagios_mail_plugin_exec_t, nagios_mail_plugin_t) icinga2_execstrans(nagios_services_plugin_exec_t, nagios_services_plugin_t) icinga2_execstrans(nagios_system_plugin_exec_t, nagios_system_plugin_t) icinga2_execstrans(nagios_unconfined_plugin_exec_t, nagios_unconfined_plugin_t) icinga2_execstrans(nagios_eventhandler_plugin_exec_t, nagios_eventhandler_plugin_t) icinga2_execstrans(nagios_openshift_plugin_exec_t, nagios_openshift_plugin_t) # should be moved nagios.te nagios_plugin_template(notification) icinga2_execstrans(nagios_notification_plugin_exec_t, nagios_notification_plugin_t) allow nagios_notification_plugin_t icinga2_etc_t:dir search; allow nagios_notification_plugin_t nagios_notification_plugin_exec_t:dir search; #permissive nagios_notification_plugin_t; corecmd_exec_bin(nagios_notification_plugin_t) hostname_exec(nagios_notification_plugin_t) type nagios_notification_plugin_tmp_t; files_tmp_file(nagios_notification_plugin_tmp_t) manage_files_pattern(nagios_notification_plugin_t, nagios_notification_plugin_tmp_t, nagios_notification_plugin_tmp_t) manage_dirs_pattern(nagios_notification_plugin_t, nagios_notification_plugin_tmp_t, nagios_notification_plugin_tmp_t) files_tmp_filetrans(nagios_notification_plugin_t, nagios_notification_plugin_tmp_t, { dir file }) auth_dontaudit_read_passwd(nagios_notification_plugin_t) fs_dontaudit_getattr_xattr_fs(nagios_notification_plugin_t) optional_policy(` mta_send_mail(nagios_notification_plugin_t) ') icinga2_dontaudit_leaks_fifo(system_mail_t) allow icinga2_t icinga2_port_t:tcp_socket name_bind; allow icinga2_t self:tcp_socket create_stream_socket_perms; corenet_tcp_connect_icinga2_port(icinga2_t) mysql_stream_connect(icinga2_t) mysql_tcp_connect(icinga2_t) postgresql_stream_connect(icinga2_t) postgresql_tcp_connect(icinga2_t) # graphite is using port 2003 which is lmtp_port_t corenet_tcp_connect_lmtp_port(icinga2_t) # This is for other feature that do not use a confined port # or if you run one one with a non standard port. tunable_policy(`icinga2_can_connect_all',` corenet_tcp_connect_all_ports(icinga2_t) ') ######################################## # # Icinga Webinterfaces # optional_policy(` # should be a boolean in apache-policy tunable_policy(`httpd_can_write_icinga2_command',` icinga2_send_commands(httpd_t) ') ') optional_policy(` # should be a boolean in apache-policy tunable_policy(`httpd_can_connect_icinga2_api',` corenet_tcp_connect_icinga2_port(httpd_t) ') ') ######################################## # # Icinga2 Admin Role # userdom_unpriv_user_template(icinga2adm) icinga2_admin(icinga2adm_t, icinga2adm_r) allow icinga2adm_t self:capability { dac_read_search dac_override }; # should be moved to staff.te icinga2adm_role_change(staff_r) # should be moved to nagios_plugin_template in nagios.if icinga2adm_execstrans(nagios_admin_plugin_exec_t, nagios_admin_plugin_t) icinga2adm_execstrans(nagios_checkdisk_plugin_exec_t, nagios_checkdisk_plugin_t) icinga2adm_execstrans(nagios_mail_plugin_exec_t, nagios_mail_plugin_t) icinga2adm_execstrans(nagios_services_plugin_exec_t, nagios_services_plugin_t) icinga2adm_execstrans(nagios_system_plugin_exec_t, nagios_system_plugin_t) icinga2adm_execstrans(nagios_unconfined_plugin_exec_t, nagios_unconfined_plugin_t) icinga2adm_execstrans(nagios_eventhandler_plugin_exec_t, nagios_eventhandler_plugin_t) icinga2adm_execstrans(nagios_openshift_plugin_exec_t, nagios_openshift_plugin_t) icinga2adm_execstrans(nagios_notification_plugin_exec_t, nagios_notification_plugin_t)