policy_module(icinga2, 0.2.2)
########################################
#
# Declarations
#
##
##
## Allow Icinga 2 to connect to all ports
##
##
gen_tunable(icinga2_can_connect_all, false)
##
##
## Allow Apache to connect to Icinga 2 API
##
##
gen_tunable(httpd_can_connect_icinga2_api, true)
##
##
## Allow Apache to write into Icinga 2 Commandpipe
##
##
gen_tunable(httpd_can_write_icinga2_command, true)
##
##
## Allow Icinga 2 to run plugins via sudo
##
##
gen_tunable(icinga2_run_sudo, false)
require {
type nagios_admin_plugin_t; type nagios_admin_plugin_exec_t;
type nagios_checkdisk_plugin_t; type nagios_checkdisk_plugin_exec_t;
type nagios_mail_plugin_t; type nagios_mail_plugin_exec_t;
type nagios_services_plugin_t; type nagios_services_plugin_exec_t;
type nagios_system_plugin_t; type nagios_system_plugin_exec_t;
type nagios_unconfined_plugin_t; type nagios_unconfined_plugin_exec_t;
type nagios_eventhandler_plugin_t; type nagios_eventhandler_plugin_exec_t;
type nagios_openshift_plugin_t; type nagios_openshift_plugin_exec_t;
type httpd_t; type system_mail_t;
type redis_t; type redis_var_run_t; type redis_port_t;
type devlog_t;
role staff_r;
attribute unreserved_port_type;
}
type icinga2_t;
type icinga2_exec_t;
init_daemon_domain(icinga2_t, icinga2_exec_t)
#permissive icinga2_t;
type icinga2_initrc_exec_t;
init_script_file(icinga2_initrc_exec_t)
type icinga2_unit_file_t;
systemd_unit_file(icinga2_unit_file_t)
type icinga2_etc_t;
files_config_file(icinga2_etc_t)
type icinga2_log_t;
logging_log_file(icinga2_log_t)
type icinga2_var_lib_t;
files_type(icinga2_var_lib_t)
type icinga2_var_run_t;
files_pid_file(icinga2_var_run_t)
type icinga2_command_t;
files_type(icinga2_command_t)
type icinga2_spool_t;
files_type(icinga2_spool_t)
type icinga2_cache_t;
files_type(icinga2_cache_t)
type icinga2_tmp_t;
files_tmp_file(icinga2_tmp_t)
type icinga2_port_t;
# There is no interface for unreserved_port_type
typeattribute icinga2_port_t unreserved_port_type;
corenet_port(icinga2_port_t)
########################################
#
# icinga2 local policy
#
allow icinga2_t self:capability { setgid setuid sys_resource kill };
allow icinga2_t self:process { setsched signal setrlimit };
allow icinga2_t self:fifo_file rw_fifo_file_perms;
allow icinga2_t self:unix_dgram_socket create_socket_perms;
allow icinga2_t self:unix_stream_socket create_stream_socket_perms;
allow icinga2_t icinga2_exec_t:file execute_no_trans;
list_dirs_pattern(icinga2_t, icinga2_etc_t, icinga2_etc_t)
read_files_pattern(icinga2_t, icinga2_etc_t, icinga2_etc_t)
read_lnk_files_pattern(icinga2_t, icinga2_etc_t, icinga2_etc_t)
manage_dirs_pattern(icinga2_t, icinga2_log_t, icinga2_log_t)
manage_files_pattern(icinga2_t, icinga2_log_t, icinga2_log_t)
manage_lnk_files_pattern(icinga2_t, icinga2_log_t, icinga2_log_t)
logging_log_filetrans(icinga2_t, icinga2_log_t, { dir file lnk_file })
logging_send_syslog_msg(icinga2_t)
manage_dirs_pattern(icinga2_t, icinga2_var_lib_t, icinga2_var_lib_t)
manage_files_pattern(icinga2_t, icinga2_var_lib_t, icinga2_var_lib_t)
manage_lnk_files_pattern(icinga2_t, icinga2_var_lib_t, icinga2_var_lib_t)
files_var_lib_filetrans(icinga2_t, icinga2_var_lib_t, { dir file lnk_file })
manage_dirs_pattern(icinga2_t, icinga2_var_run_t, icinga2_var_run_t)
manage_files_pattern(icinga2_t, icinga2_var_run_t, icinga2_var_run_t)
files_pid_filetrans(icinga2_t, icinga2_var_run_t, { dir file })
manage_dirs_pattern(icinga2_t, icinga2_command_t, icinga2_command_t)
manage_files_pattern(icinga2_t, icinga2_command_t, icinga2_command_t)
manage_fifo_files_pattern(icinga2_t, icinga2_command_t, icinga2_command_t)
manage_dirs_pattern(icinga2_t, icinga2_spool_t, icinga2_spool_t)
manage_files_pattern(icinga2_t, icinga2_spool_t, icinga2_spool_t)
files_spool_filetrans(icinga2_t, icinga2_spool_t, { dir file })
manage_dirs_pattern(icinga2_t, icinga2_cache_t, icinga2_cache_t)
manage_files_pattern(icinga2_t, icinga2_cache_t, icinga2_cache_t)
manage_files_pattern(icinga2_t, icinga2_tmp_t, icinga2_tmp_t)
manage_dirs_pattern(icinga2_t, icinga2_tmp_t, icinga2_tmp_t)
files_tmp_filetrans(icinga2_t, icinga2_tmp_t, { dir file })
domain_use_interactive_fds(icinga2_t)
files_read_etc_files(icinga2_t)
auth_use_nsswitch(icinga2_t)
miscfiles_read_localization(icinga2_t)
corecmd_exec_shell(icinga2_t)
corecmd_exec_bin(icinga2_t)
kernel_read_system_state(icinga2_t)
kernel_read_network_state(icinga2_t)
kernel_dgram_send(icinga2_t)
# should be moved to nagios_plugin_template in nagios.if
icinga2_execstrans(nagios_admin_plugin_exec_t, nagios_admin_plugin_t)
icinga2_execstrans(nagios_checkdisk_plugin_exec_t, nagios_checkdisk_plugin_t)
icinga2_execstrans(nagios_mail_plugin_exec_t, nagios_mail_plugin_t)
icinga2_execstrans(nagios_services_plugin_exec_t, nagios_services_plugin_t)
icinga2_execstrans(nagios_system_plugin_exec_t, nagios_system_plugin_t)
icinga2_execstrans(nagios_unconfined_plugin_exec_t, nagios_unconfined_plugin_t)
icinga2_execstrans(nagios_eventhandler_plugin_exec_t, nagios_eventhandler_plugin_t)
icinga2_execstrans(nagios_openshift_plugin_exec_t, nagios_openshift_plugin_t)
# should be moved nagios.te
nagios_plugin_template(notification)
icinga2_execstrans(nagios_notification_plugin_exec_t, nagios_notification_plugin_t)
allow nagios_notification_plugin_t icinga2_etc_t:dir search;
allow nagios_notification_plugin_t nagios_notification_plugin_exec_t:dir search;
#permissive nagios_notification_plugin_t;
corecmd_exec_bin(nagios_notification_plugin_t)
hostname_exec(nagios_notification_plugin_t)
type nagios_notification_plugin_tmp_t;
files_tmp_file(nagios_notification_plugin_tmp_t)
manage_files_pattern(nagios_notification_plugin_t, nagios_notification_plugin_tmp_t, nagios_notification_plugin_tmp_t)
manage_dirs_pattern(nagios_notification_plugin_t, nagios_notification_plugin_tmp_t, nagios_notification_plugin_tmp_t)
files_tmp_filetrans(nagios_notification_plugin_t, nagios_notification_plugin_tmp_t, { dir file })
fs_dontaudit_getattr_xattr_fs(nagios_notification_plugin_t)
optional_policy(`
mta_send_mail(nagios_notification_plugin_t)
')
icinga2_dontaudit_leaks_fifo(system_mail_t)
# direct smtp notification
corenet_tcp_connect_smtp_port(nagios_notification_plugin_t)
# hipsaint notification
auth_read_passwd(nagios_notification_plugin_t)
sysnet_read_config(nagios_notification_plugin_t)
allow nagios_notification_plugin_t self:udp_socket create_stream_socket_perms;
allow nagios_notification_plugin_t self:tcp_socket create_stream_socket_perms;
allow nagios_notification_plugin_t self:netlink_route_socket create_netlink_socket_perms;
corenet_tcp_connect_http_port(nagios_notification_plugin_t)
miscfiles_read_generic_certs(nagios_notification_plugin_t)
allow icinga2_t icinga2_port_t:tcp_socket name_bind;
allow icinga2_t self:tcp_socket create_stream_socket_perms;
corenet_tcp_connect_icinga2_port(icinga2_t)
mysql_stream_connect(icinga2_t)
mysql_tcp_connect(icinga2_t)
postgresql_stream_connect(icinga2_t)
postgresql_tcp_connect(icinga2_t)
# graphite is using port 2003 which is lmtp_port_t
corenet_tcp_connect_lmtp_port(icinga2_t)
# Allow icinga2 to connect to redis using unix domain sockets
stream_connect_pattern(icinga2_t, redis_var_run_t, redis_var_run_t, redis_t)
# Just like `redis_tcp_connect(icinga2_t)`, though this interface does not exist on Amazon Linux 2
corenet_tcp_recvfrom_labeled(icinga2_t, redis_t)
corenet_tcp_sendrecv_redis_port(icinga2_t)
corenet_tcp_connect_redis_port(icinga2_t)
# This is for other feature that do not use a confined port
# or if you run one one with a non standard port.
tunable_policy(`icinga2_can_connect_all',`
corenet_tcp_connect_all_ports(icinga2_t)
')
# This is for plugins requiring to be executed via sudo
tunable_policy(`icinga2_run_sudo',`
allow icinga2_t self:capability { audit_write net_admin };
allow icinga2_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
allow icinga2_t devlog_t:sock_file write;
init_read_utmp(icinga2_t)
auth_domtrans_chkpwd(icinga2_t)
allow icinga2_t chkpwd_t:process { noatsecure rlimitinh siginh };
selinux_compute_access_vector(icinga2_t)
dbus_send_system_bus(icinga2_t)
dbus_stream_connect_system_dbusd(icinga2_t)
systemd_dbus_chat_logind(icinga2_t)
# Without this it works but is very slow
systemd_write_inherited_logind_sessions_pipes(icinga2_t)
')
optional_policy(`
tunable_policy(`icinga2_run_sudo',`
sudo_exec(icinga2_t)
')
')
########################################
#
# Icinga Webinterfaces
#
optional_policy(`
# should be a boolean in apache-policy
tunable_policy(`httpd_can_write_icinga2_command',`
icinga2_send_commands(httpd_t)
')
')
optional_policy(`
# should be a boolean in apache-policy
tunable_policy(`httpd_can_connect_icinga2_api',`
corenet_tcp_connect_icinga2_port(httpd_t)
')
')
########################################
#
# Icinga2 Admin Role
#
role icinga2adm_r;
userdom_unpriv_user_template(icinga2adm)
icinga2_admin(icinga2adm_t, icinga2adm_r)
allow icinga2adm_t self:capability { dac_read_search dac_override };
# should be moved to staff.te
icinga2adm_role_change(staff_r)
# should be moved to nagios_plugin_template in nagios.if
icinga2adm_execstrans(nagios_admin_plugin_exec_t, nagios_admin_plugin_t)
icinga2adm_execstrans(nagios_checkdisk_plugin_exec_t, nagios_checkdisk_plugin_t)
icinga2adm_execstrans(nagios_mail_plugin_exec_t, nagios_mail_plugin_t)
icinga2adm_execstrans(nagios_services_plugin_exec_t, nagios_services_plugin_t)
icinga2adm_execstrans(nagios_system_plugin_exec_t, nagios_system_plugin_t)
icinga2adm_execstrans(nagios_unconfined_plugin_exec_t, nagios_unconfined_plugin_t)
icinga2adm_execstrans(nagios_eventhandler_plugin_exec_t, nagios_eventhandler_plugin_t)
icinga2adm_execstrans(nagios_openshift_plugin_exec_t, nagios_openshift_plugin_t)
icinga2adm_execstrans(nagios_notification_plugin_exec_t, nagios_notification_plugin_t)