1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
|
policy_module(icinga2, 0.2.2)
########################################
#
# Declarations
#
## <desc>
## <p>
## Allow Icinga 2 to connect to all ports
## </p>
## </desc>
gen_tunable(icinga2_can_connect_all, false)
## <desc>
## <p>
## Allow Apache to connect to Icinga 2 API
## </p>
## </desc>
gen_tunable(httpd_can_connect_icinga2_api, true)
## <desc>
## <p>
## Allow Apache to write into Icinga 2 Commandpipe
## </p>
## </desc>
gen_tunable(httpd_can_write_icinga2_command, true)
## <desc>
## <p>
## Allow Icinga 2 to run plugins via sudo
## </p>
## </desc>
gen_tunable(icinga2_run_sudo, false)
require {
type nagios_admin_plugin_t; type nagios_admin_plugin_exec_t;
type nagios_checkdisk_plugin_t; type nagios_checkdisk_plugin_exec_t;
type nagios_mail_plugin_t; type nagios_mail_plugin_exec_t;
type nagios_services_plugin_t; type nagios_services_plugin_exec_t;
type nagios_system_plugin_t; type nagios_system_plugin_exec_t;
type nagios_unconfined_plugin_t; type nagios_unconfined_plugin_exec_t;
type nagios_eventhandler_plugin_t; type nagios_eventhandler_plugin_exec_t;
type nagios_openshift_plugin_t; type nagios_openshift_plugin_exec_t;
type httpd_t; type system_mail_t;
type redis_t; type redis_var_run_t; type redis_port_t;
type devlog_t;
role staff_r;
attribute unreserved_port_type;
}
type icinga2_t;
type icinga2_exec_t;
init_daemon_domain(icinga2_t, icinga2_exec_t)
#permissive icinga2_t;
type icinga2_initrc_exec_t;
init_script_file(icinga2_initrc_exec_t)
type icinga2_unit_file_t;
systemd_unit_file(icinga2_unit_file_t)
type icinga2_etc_t;
files_config_file(icinga2_etc_t)
type icinga2_log_t;
logging_log_file(icinga2_log_t)
type icinga2_var_lib_t;
files_type(icinga2_var_lib_t)
type icinga2_var_run_t;
files_pid_file(icinga2_var_run_t)
type icinga2_command_t;
files_type(icinga2_command_t)
type icinga2_spool_t;
files_type(icinga2_spool_t)
type icinga2_cache_t;
files_type(icinga2_cache_t)
type icinga2_tmp_t;
files_tmp_file(icinga2_tmp_t)
type icinga2_port_t;
# There is no interface for unreserved_port_type
typeattribute icinga2_port_t unreserved_port_type;
corenet_port(icinga2_port_t)
########################################
#
# icinga2 local policy
#
allow icinga2_t self:capability { setgid setuid sys_resource kill };
allow icinga2_t self:process { setsched signal setrlimit };
allow icinga2_t self:fifo_file rw_fifo_file_perms;
allow icinga2_t self:unix_dgram_socket create_socket_perms;
allow icinga2_t self:unix_stream_socket create_stream_socket_perms;
allow icinga2_t icinga2_exec_t:file execute_no_trans;
list_dirs_pattern(icinga2_t, icinga2_etc_t, icinga2_etc_t)
read_files_pattern(icinga2_t, icinga2_etc_t, icinga2_etc_t)
read_lnk_files_pattern(icinga2_t, icinga2_etc_t, icinga2_etc_t)
manage_dirs_pattern(icinga2_t, icinga2_log_t, icinga2_log_t)
manage_files_pattern(icinga2_t, icinga2_log_t, icinga2_log_t)
manage_lnk_files_pattern(icinga2_t, icinga2_log_t, icinga2_log_t)
logging_log_filetrans(icinga2_t, icinga2_log_t, { dir file lnk_file })
manage_dirs_pattern(icinga2_t, icinga2_var_lib_t, icinga2_var_lib_t)
manage_files_pattern(icinga2_t, icinga2_var_lib_t, icinga2_var_lib_t)
manage_lnk_files_pattern(icinga2_t, icinga2_var_lib_t, icinga2_var_lib_t)
files_var_lib_filetrans(icinga2_t, icinga2_var_lib_t, { dir file lnk_file })
manage_dirs_pattern(icinga2_t, icinga2_var_run_t, icinga2_var_run_t)
manage_files_pattern(icinga2_t, icinga2_var_run_t, icinga2_var_run_t)
files_pid_filetrans(icinga2_t, icinga2_var_run_t, { dir file })
manage_dirs_pattern(icinga2_t, icinga2_command_t, icinga2_command_t)
manage_files_pattern(icinga2_t, icinga2_command_t, icinga2_command_t)
manage_fifo_files_pattern(icinga2_t, icinga2_command_t, icinga2_command_t)
manage_dirs_pattern(icinga2_t, icinga2_spool_t, icinga2_spool_t)
manage_files_pattern(icinga2_t, icinga2_spool_t, icinga2_spool_t)
files_spool_filetrans(icinga2_t, icinga2_spool_t, { dir file })
manage_dirs_pattern(icinga2_t, icinga2_cache_t, icinga2_cache_t)
manage_files_pattern(icinga2_t, icinga2_cache_t, icinga2_cache_t)
manage_files_pattern(icinga2_t, icinga2_tmp_t, icinga2_tmp_t)
manage_dirs_pattern(icinga2_t, icinga2_tmp_t, icinga2_tmp_t)
files_tmp_filetrans(icinga2_t, icinga2_tmp_t, { dir file })
domain_use_interactive_fds(icinga2_t)
files_read_etc_files(icinga2_t)
auth_use_nsswitch(icinga2_t)
miscfiles_read_localization(icinga2_t)
corecmd_exec_shell(icinga2_t)
corecmd_exec_bin(icinga2_t)
kernel_read_system_state(icinga2_t)
kernel_read_network_state(icinga2_t)
kernel_dgram_send(icinga2_t)
# should be moved to nagios_plugin_template in nagios.if
icinga2_execstrans(nagios_admin_plugin_exec_t, nagios_admin_plugin_t)
icinga2_execstrans(nagios_checkdisk_plugin_exec_t, nagios_checkdisk_plugin_t)
icinga2_execstrans(nagios_mail_plugin_exec_t, nagios_mail_plugin_t)
icinga2_execstrans(nagios_services_plugin_exec_t, nagios_services_plugin_t)
icinga2_execstrans(nagios_system_plugin_exec_t, nagios_system_plugin_t)
icinga2_execstrans(nagios_unconfined_plugin_exec_t, nagios_unconfined_plugin_t)
icinga2_execstrans(nagios_eventhandler_plugin_exec_t, nagios_eventhandler_plugin_t)
icinga2_execstrans(nagios_openshift_plugin_exec_t, nagios_openshift_plugin_t)
# should be moved nagios.te
nagios_plugin_template(notification)
icinga2_execstrans(nagios_notification_plugin_exec_t, nagios_notification_plugin_t)
allow nagios_notification_plugin_t icinga2_etc_t:dir search;
allow nagios_notification_plugin_t nagios_notification_plugin_exec_t:dir search;
#permissive nagios_notification_plugin_t;
corecmd_exec_bin(nagios_notification_plugin_t)
hostname_exec(nagios_notification_plugin_t)
type nagios_notification_plugin_tmp_t;
files_tmp_file(nagios_notification_plugin_tmp_t)
manage_files_pattern(nagios_notification_plugin_t, nagios_notification_plugin_tmp_t, nagios_notification_plugin_tmp_t)
manage_dirs_pattern(nagios_notification_plugin_t, nagios_notification_plugin_tmp_t, nagios_notification_plugin_tmp_t)
files_tmp_filetrans(nagios_notification_plugin_t, nagios_notification_plugin_tmp_t, { dir file })
fs_dontaudit_getattr_xattr_fs(nagios_notification_plugin_t)
optional_policy(`
mta_send_mail(nagios_notification_plugin_t)
')
icinga2_dontaudit_leaks_fifo(system_mail_t)
# direct smtp notification
corenet_tcp_connect_smtp_port(nagios_notification_plugin_t)
# hipsaint notification
auth_read_passwd(nagios_notification_plugin_t)
sysnet_read_config(nagios_notification_plugin_t)
allow nagios_notification_plugin_t self:udp_socket create_stream_socket_perms;
allow nagios_notification_plugin_t self:tcp_socket create_stream_socket_perms;
allow nagios_notification_plugin_t self:netlink_route_socket create_netlink_socket_perms;
corenet_tcp_connect_http_port(nagios_notification_plugin_t)
miscfiles_read_generic_certs(nagios_notification_plugin_t)
allow icinga2_t icinga2_port_t:tcp_socket name_bind;
allow icinga2_t self:tcp_socket create_stream_socket_perms;
corenet_tcp_connect_icinga2_port(icinga2_t)
mysql_stream_connect(icinga2_t)
mysql_tcp_connect(icinga2_t)
postgresql_stream_connect(icinga2_t)
postgresql_tcp_connect(icinga2_t)
# graphite is using port 2003 which is lmtp_port_t
corenet_tcp_connect_lmtp_port(icinga2_t)
# Allow icinga2 to connect to redis using unix domain sockets
stream_connect_pattern(icinga2_t, redis_var_run_t, redis_var_run_t, redis_t)
# Just like `redis_tcp_connect(icinga2_t)`, though this interface does not exist on centos7
corenet_tcp_recvfrom_labeled(icinga2_t, redis_t)
corenet_tcp_sendrecv_redis_port(icinga2_t)
corenet_tcp_connect_redis_port(icinga2_t)
# This is for other feature that do not use a confined port
# or if you run one one with a non standard port.
tunable_policy(`icinga2_can_connect_all',`
corenet_tcp_connect_all_ports(icinga2_t)
')
# This is for plugins requiring to be executed via sudo
tunable_policy(`icinga2_run_sudo',`
allow icinga2_t self:capability { audit_write net_admin };
allow icinga2_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
allow icinga2_t devlog_t:sock_file write;
init_read_utmp(icinga2_t)
auth_domtrans_chkpwd(icinga2_t)
allow icinga2_t chkpwd_t:process { noatsecure rlimitinh siginh };
selinux_compute_access_vector(icinga2_t)
dbus_send_system_bus(icinga2_t)
dbus_stream_connect_system_dbusd(icinga2_t)
systemd_dbus_chat_logind(icinga2_t)
# Without this it works but is very slow
systemd_write_inherited_logind_sessions_pipes(icinga2_t)
')
optional_policy(`
tunable_policy(`icinga2_run_sudo',`
sudo_exec(icinga2_t)
')
')
########################################
#
# Icinga Webinterfaces
#
optional_policy(`
# should be a boolean in apache-policy
tunable_policy(`httpd_can_write_icinga2_command',`
icinga2_send_commands(httpd_t)
')
')
optional_policy(`
# should be a boolean in apache-policy
tunable_policy(`httpd_can_connect_icinga2_api',`
corenet_tcp_connect_icinga2_port(httpd_t)
')
')
########################################
#
# Icinga2 Admin Role
#
userdom_unpriv_user_template(icinga2adm)
icinga2_admin(icinga2adm_t, icinga2adm_r)
allow icinga2adm_t self:capability { dac_read_search dac_override };
# should be moved to staff.te
icinga2adm_role_change(staff_r)
# should be moved to nagios_plugin_template in nagios.if
icinga2adm_execstrans(nagios_admin_plugin_exec_t, nagios_admin_plugin_t)
icinga2adm_execstrans(nagios_checkdisk_plugin_exec_t, nagios_checkdisk_plugin_t)
icinga2adm_execstrans(nagios_mail_plugin_exec_t, nagios_mail_plugin_t)
icinga2adm_execstrans(nagios_services_plugin_exec_t, nagios_services_plugin_t)
icinga2adm_execstrans(nagios_system_plugin_exec_t, nagios_system_plugin_t)
icinga2adm_execstrans(nagios_unconfined_plugin_exec_t, nagios_unconfined_plugin_t)
icinga2adm_execstrans(nagios_eventhandler_plugin_exec_t, nagios_eventhandler_plugin_t)
icinga2adm_execstrans(nagios_openshift_plugin_exec_t, nagios_openshift_plugin_t)
icinga2adm_execstrans(nagios_notification_plugin_exec_t, nagios_notification_plugin_t)
|