policy_module(icinga2, 0.2.2) ######################################## # # Declarations # ## ##

## Allow Icinga 2 to connect to all ports ##

##
gen_tunable(icinga2_can_connect_all, false) ## ##

## Allow Apache to connect to Icinga 2 API ##

##
gen_tunable(httpd_can_connect_icinga2_api, true) ## ##

## Allow Apache to write into Icinga 2 Commandpipe ##

##
gen_tunable(httpd_can_write_icinga2_command, true) ## ##

## Allow Icinga 2 to run plugins via sudo ##

##
gen_tunable(icinga2_run_sudo, false) require { type nagios_admin_plugin_t; type nagios_admin_plugin_exec_t; type nagios_checkdisk_plugin_t; type nagios_checkdisk_plugin_exec_t; type nagios_mail_plugin_t; type nagios_mail_plugin_exec_t; type nagios_services_plugin_t; type nagios_services_plugin_exec_t; type nagios_system_plugin_t; type nagios_system_plugin_exec_t; type nagios_unconfined_plugin_t; type nagios_unconfined_plugin_exec_t; type nagios_eventhandler_plugin_t; type nagios_eventhandler_plugin_exec_t; type nagios_openshift_plugin_t; type nagios_openshift_plugin_exec_t; type httpd_t; type system_mail_t; type redis_t; type redis_var_run_t; type redis_port_t; type devlog_t; role staff_r; attribute unreserved_port_type; } type icinga2_t; type icinga2_exec_t; init_daemon_domain(icinga2_t, icinga2_exec_t) #permissive icinga2_t; type icinga2_initrc_exec_t; init_script_file(icinga2_initrc_exec_t) type icinga2_unit_file_t; systemd_unit_file(icinga2_unit_file_t) type icinga2_etc_t; files_config_file(icinga2_etc_t) type icinga2_log_t; logging_log_file(icinga2_log_t) type icinga2_var_lib_t; files_type(icinga2_var_lib_t) type icinga2_var_run_t; files_pid_file(icinga2_var_run_t) type icinga2_command_t; files_type(icinga2_command_t) type icinga2_spool_t; files_type(icinga2_spool_t) type icinga2_cache_t; files_type(icinga2_cache_t) type icinga2_tmp_t; files_tmp_file(icinga2_tmp_t) type icinga2_port_t; # There is no interface for unreserved_port_type typeattribute icinga2_port_t unreserved_port_type; corenet_port(icinga2_port_t) ######################################## # # icinga2 local policy # allow icinga2_t self:capability { setgid setuid sys_resource kill }; allow icinga2_t self:process { setsched signal setrlimit }; allow icinga2_t self:fifo_file rw_fifo_file_perms; allow icinga2_t self:unix_dgram_socket create_socket_perms; allow icinga2_t self:unix_stream_socket create_stream_socket_perms; allow icinga2_t icinga2_exec_t:file execute_no_trans; list_dirs_pattern(icinga2_t, icinga2_etc_t, icinga2_etc_t) read_files_pattern(icinga2_t, icinga2_etc_t, icinga2_etc_t) read_lnk_files_pattern(icinga2_t, icinga2_etc_t, icinga2_etc_t) manage_dirs_pattern(icinga2_t, icinga2_log_t, icinga2_log_t) manage_files_pattern(icinga2_t, icinga2_log_t, icinga2_log_t) manage_lnk_files_pattern(icinga2_t, icinga2_log_t, icinga2_log_t) logging_log_filetrans(icinga2_t, icinga2_log_t, { dir file lnk_file }) logging_send_syslog_msg(icinga2_t) manage_dirs_pattern(icinga2_t, icinga2_var_lib_t, icinga2_var_lib_t) manage_files_pattern(icinga2_t, icinga2_var_lib_t, icinga2_var_lib_t) manage_lnk_files_pattern(icinga2_t, icinga2_var_lib_t, icinga2_var_lib_t) files_var_lib_filetrans(icinga2_t, icinga2_var_lib_t, { dir file lnk_file }) manage_dirs_pattern(icinga2_t, icinga2_var_run_t, icinga2_var_run_t) manage_files_pattern(icinga2_t, icinga2_var_run_t, icinga2_var_run_t) files_pid_filetrans(icinga2_t, icinga2_var_run_t, { dir file }) manage_dirs_pattern(icinga2_t, icinga2_command_t, icinga2_command_t) manage_files_pattern(icinga2_t, icinga2_command_t, icinga2_command_t) manage_fifo_files_pattern(icinga2_t, icinga2_command_t, icinga2_command_t) manage_dirs_pattern(icinga2_t, icinga2_spool_t, icinga2_spool_t) manage_files_pattern(icinga2_t, icinga2_spool_t, icinga2_spool_t) files_spool_filetrans(icinga2_t, icinga2_spool_t, { dir file }) manage_dirs_pattern(icinga2_t, icinga2_cache_t, icinga2_cache_t) manage_files_pattern(icinga2_t, icinga2_cache_t, icinga2_cache_t) manage_files_pattern(icinga2_t, icinga2_tmp_t, icinga2_tmp_t) manage_dirs_pattern(icinga2_t, icinga2_tmp_t, icinga2_tmp_t) files_tmp_filetrans(icinga2_t, icinga2_tmp_t, { dir file }) domain_use_interactive_fds(icinga2_t) files_read_etc_files(icinga2_t) auth_use_nsswitch(icinga2_t) miscfiles_read_localization(icinga2_t) corecmd_exec_shell(icinga2_t) corecmd_exec_bin(icinga2_t) kernel_read_system_state(icinga2_t) kernel_read_network_state(icinga2_t) kernel_dgram_send(icinga2_t) # should be moved to nagios_plugin_template in nagios.if icinga2_execstrans(nagios_admin_plugin_exec_t, nagios_admin_plugin_t) icinga2_execstrans(nagios_checkdisk_plugin_exec_t, nagios_checkdisk_plugin_t) icinga2_execstrans(nagios_mail_plugin_exec_t, nagios_mail_plugin_t) icinga2_execstrans(nagios_services_plugin_exec_t, nagios_services_plugin_t) icinga2_execstrans(nagios_system_plugin_exec_t, nagios_system_plugin_t) icinga2_execstrans(nagios_unconfined_plugin_exec_t, nagios_unconfined_plugin_t) icinga2_execstrans(nagios_eventhandler_plugin_exec_t, nagios_eventhandler_plugin_t) icinga2_execstrans(nagios_openshift_plugin_exec_t, nagios_openshift_plugin_t) # should be moved nagios.te nagios_plugin_template(notification) icinga2_execstrans(nagios_notification_plugin_exec_t, nagios_notification_plugin_t) allow nagios_notification_plugin_t icinga2_etc_t:dir search; allow nagios_notification_plugin_t nagios_notification_plugin_exec_t:dir search; #permissive nagios_notification_plugin_t; corecmd_exec_bin(nagios_notification_plugin_t) hostname_exec(nagios_notification_plugin_t) type nagios_notification_plugin_tmp_t; files_tmp_file(nagios_notification_plugin_tmp_t) manage_files_pattern(nagios_notification_plugin_t, nagios_notification_plugin_tmp_t, nagios_notification_plugin_tmp_t) manage_dirs_pattern(nagios_notification_plugin_t, nagios_notification_plugin_tmp_t, nagios_notification_plugin_tmp_t) files_tmp_filetrans(nagios_notification_plugin_t, nagios_notification_plugin_tmp_t, { dir file }) fs_dontaudit_getattr_xattr_fs(nagios_notification_plugin_t) optional_policy(` mta_send_mail(nagios_notification_plugin_t) ') icinga2_dontaudit_leaks_fifo(system_mail_t) # direct smtp notification corenet_tcp_connect_smtp_port(nagios_notification_plugin_t) # hipsaint notification auth_read_passwd(nagios_notification_plugin_t) sysnet_read_config(nagios_notification_plugin_t) allow nagios_notification_plugin_t self:udp_socket create_stream_socket_perms; allow nagios_notification_plugin_t self:tcp_socket create_stream_socket_perms; allow nagios_notification_plugin_t self:netlink_route_socket create_netlink_socket_perms; corenet_tcp_connect_http_port(nagios_notification_plugin_t) miscfiles_read_generic_certs(nagios_notification_plugin_t) allow icinga2_t icinga2_port_t:tcp_socket name_bind; allow icinga2_t self:tcp_socket create_stream_socket_perms; corenet_tcp_connect_icinga2_port(icinga2_t) mysql_stream_connect(icinga2_t) mysql_tcp_connect(icinga2_t) postgresql_stream_connect(icinga2_t) postgresql_tcp_connect(icinga2_t) # graphite is using port 2003 which is lmtp_port_t corenet_tcp_connect_lmtp_port(icinga2_t) # Allow icinga2 to connect to redis using unix domain sockets stream_connect_pattern(icinga2_t, redis_var_run_t, redis_var_run_t, redis_t) # Just like `redis_tcp_connect(icinga2_t)`, though this interface does not exist on Amazon Linux 2 corenet_tcp_recvfrom_labeled(icinga2_t, redis_t) corenet_tcp_sendrecv_redis_port(icinga2_t) corenet_tcp_connect_redis_port(icinga2_t) # This is for other feature that do not use a confined port # or if you run one one with a non standard port. tunable_policy(`icinga2_can_connect_all',` corenet_tcp_connect_all_ports(icinga2_t) ') # This is for plugins requiring to be executed via sudo tunable_policy(`icinga2_run_sudo',` allow icinga2_t self:capability { audit_write net_admin }; allow icinga2_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay }; allow icinga2_t devlog_t:sock_file write; init_read_utmp(icinga2_t) auth_domtrans_chkpwd(icinga2_t) allow icinga2_t chkpwd_t:process { noatsecure rlimitinh siginh }; selinux_compute_access_vector(icinga2_t) dbus_send_system_bus(icinga2_t) dbus_stream_connect_system_dbusd(icinga2_t) systemd_dbus_chat_logind(icinga2_t) # Without this it works but is very slow systemd_write_inherited_logind_sessions_pipes(icinga2_t) ') optional_policy(` tunable_policy(`icinga2_run_sudo',` sudo_exec(icinga2_t) ') ') ######################################## # # Icinga Webinterfaces # optional_policy(` # should be a boolean in apache-policy tunable_policy(`httpd_can_write_icinga2_command',` icinga2_send_commands(httpd_t) ') ') optional_policy(` # should be a boolean in apache-policy tunable_policy(`httpd_can_connect_icinga2_api',` corenet_tcp_connect_icinga2_port(httpd_t) ') ') ######################################## # # Icinga2 Admin Role # role icinga2adm_r; userdom_unpriv_user_template(icinga2adm) icinga2_admin(icinga2adm_t, icinga2adm_r) allow icinga2adm_t self:capability { dac_read_search dac_override }; # should be moved to staff.te icinga2adm_role_change(staff_r) # should be moved to nagios_plugin_template in nagios.if icinga2adm_execstrans(nagios_admin_plugin_exec_t, nagios_admin_plugin_t) icinga2adm_execstrans(nagios_checkdisk_plugin_exec_t, nagios_checkdisk_plugin_t) icinga2adm_execstrans(nagios_mail_plugin_exec_t, nagios_mail_plugin_t) icinga2adm_execstrans(nagios_services_plugin_exec_t, nagios_services_plugin_t) icinga2adm_execstrans(nagios_system_plugin_exec_t, nagios_system_plugin_t) icinga2adm_execstrans(nagios_unconfined_plugin_exec_t, nagios_unconfined_plugin_t) icinga2adm_execstrans(nagios_eventhandler_plugin_exec_t, nagios_eventhandler_plugin_t) icinga2adm_execstrans(nagios_openshift_plugin_exec_t, nagios_openshift_plugin_t) icinga2adm_execstrans(nagios_notification_plugin_exec_t, nagios_notification_plugin_t)