selinux-policy/policy/modules/services/nagios.if

## <summary>Net Saint / NAGIOS - network monitoring server</summary>

########################################
## <summary>
##	Create a set of derived types for various
##	nagios plugins,
## </summary>
## <param name="plugins_group_name">
##	<summary>
##	The name to be used for deriving type names.
##	</summary>
## </param>
#
template(`nagios_plugin_template',`
	gen_require(`
		type nagios_t, nrpe_t, nagios_log_t;
	')

	type nagios_$1_plugin_t;
	type nagios_$1_plugin_exec_t;
	application_domain(nagios_$1_plugin_t, nagios_$1_plugin_exec_t)
	role system_r types nagios_$1_plugin_t;

	allow nagios_$1_plugin_t self:fifo_file rw_fifo_file_perms;

	domtrans_pattern(nrpe_t, nagios_$1_plugin_exec_t, nagios_$1_plugin_t)
	allow nrpe_t nagios_$1_plugin_t:process { signal sigkill };

	# needed by command.cfg
	domtrans_pattern(nagios_t, nagios_$1_plugin_exec_t, nagios_$1_plugin_t)

	allow nagios_t nagios_$1_plugin_t:process signal_perms;

	# cjp: leaked file descriptor
	dontaudit nagios_$1_plugin_t nrpe_t:tcp_socket { read write };
	dontaudit nagios_$1_plugin_t nagios_log_t:file { read write };

	miscfiles_read_localization(nagios_$1_plugin_t)
')

########################################
## <summary>
##	Do not audit attempts to read or write nagios
##	unnamed pipes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`nagios_dontaudit_rw_pipes',`
	gen_require(`
		type nagios_t;
	')

	dontaudit $1 nagios_t:fifo_file rw_fifo_file_perms;
')

########################################
## <summary>
##	Allow the specified domain to read
##	nagios configuration files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`nagios_read_config',`
	gen_require(`
		type nagios_etc_t;
	')

	allow $1 nagios_etc_t:dir list_dir_perms;
	allow $1 nagios_etc_t:file read_file_perms;
	files_search_etc($1)
')

######################################
## <summary>
##	Read nagios logs.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`nagios_read_log',`
	gen_require(`
		type nagios_log_t;
	')

	logging_search_logs($1)
	read_files_pattern($1, nagios_log_t, nagios_log_t)
')

########################################
## <summary>
##	Do not audit attempts to read or write nagios logs.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`nagios_dontaudit_rw_log',`
	gen_require(`
		type nagios_log_t;
	')

	dontaudit $1 nagios_log_t:file rw_file_perms;
')

########################################
## <summary>
##	Search nagios spool directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`nagios_search_spool',`
	gen_require(`
		type nagios_spool_t;
	')

	allow $1 nagios_spool_t:dir search_dir_perms;
	files_search_spool($1)
')

########################################
## <summary>
##	Allow the specified domain to read
##	nagios temporary files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`nagios_read_tmp_files',`
	gen_require(`
		type nagios_tmp_t;
	')

	allow $1 nagios_tmp_t:file read_file_perms;
	files_search_tmp($1)
')

########################################
## <summary>
##	Allow the specified domain to read
##	nagios temporary files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`nagios_rw_inerited_tmp_files',`
	gen_require(`
		type nagios_tmp_t;
	')

	allow $1 nagios_tmp_t:file rw_inherited_file_perms;
	files_search_tmp($1)
')

########################################
## <summary>
##	Execute the nagios NRPE with
##	a domain transition.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`nagios_domtrans_nrpe',`
	gen_require(`
		type nrpe_t, nrpe_exec_t;
	')

	domtrans_pattern($1, nrpe_exec_t, nrpe_t)
')

########################################
## <summary>
##	All of the rules required to administrate
##	an nagios environment
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	The role to be allowed to manage the nagios domain.
##	</summary>
## </param>
## <rolecap/>
#
interface(`nagios_admin',`
	gen_require(`
		type nagios_t, nrpe_t, nagios_initrc_exec_t;
		type nagios_tmp_t, nagios_log_t, nagios_var_run_t;
		type nagios_etc_t, nrpe_etc_t, nagios_spool_t;
	')

	allow $1 nagios_t:process { ptrace signal_perms };
	ps_process_pattern($1, nagios_t)

	init_labeled_script_domtrans($1, nagios_initrc_exec_t)
	domain_system_change_exemption($1)
	role_transition $2 nagios_initrc_exec_t system_r;
	allow $2 system_r;

	files_list_tmp($1)
	admin_pattern($1, nagios_tmp_t)

	logging_list_logs($1)
	admin_pattern($1, nagios_log_t)

	files_list_etc($1)
	admin_pattern($1, nagios_etc_t)

	files_list_spool($1)
	admin_pattern($1, nagios_spool_t)

	files_list_pids($1)
	admin_pattern($1, nagios_var_run_t)

	admin_pattern($1, nrpe_etc_t)
')
add nagios, bug 1531 2006-04-06 15:03:23 +00:00			`## <summary>Net Saint / NAGIOS - network monitoring server</summary>`

Nagios patch from Dan Walsh Edits: - Removed permissive lines - Removed tunable for broken symptoms - Style and whitespace fixes 2010-05-24 13:42:59 +00:00			`########################################`
			`## <summary>`
			`## Create a set of derived types for various`
			`## nagios plugins,`
			`## </summary>`
			`## <param name="plugins_group_name">`
			`## <summary>`
			`## The name to be used for deriving type names.`
			`## </summary>`
			`## </param>`
			`#`
			template(`nagios_plugin_template',`
			gen_require(`
Replace type and attributes statements by comma delimiters where possible. Replace type and attributes statements by comma delimiters where possible. Replace type and attributes statements by comma delimiters where possible. Replace type and attributes statements by comma delimiters where possible. Replace type and attributes statements by comma delimiters where possible. Replace type and attributes statements by comma delimiters where possible. Replace type and attributes statements by comma delimiters where possible. Replace type and attributes statements by comma delimiters where possible. Replace type and attributes statements by comma delimiters where possible. Replace type and attributes statements by comma delimiters where possible. Replace type and attributes statements by comma delimiters where possible. Replace type and attributes statements by comma delimiters where possible. Replace type and attributes statements by comma delimiters where possible. Replace type and attributes statements by comma delimiters where possible. Replace type and attributes statements by comma delimiters where possible. Replace type and attributes statements by comma delimiters where possible. Replace type and attributes statements by comma delimiters where possible. Replace type and attributes statements by comma delimiters where possible. Replace type and attributes statements by comma delimiters where possible. Replace type and attributes statements by comma delimiters where possible. Replace type and attributes statements by comma delimiters where possible. Syntax error. Squash me with 959aa527a5394d23b994ecf75347d2445106d0c4 Replace type and attributes statements by comma delimiters where possible. Syntax error. Squach me with 779a708452142d6e4ac2ba2a158f724782a03291 Replace type and attributes statements by comma delimiters where possible. Syntax error. Squash me with 89180ea115794aadddaa9b356ab1dfcdc9ff102 2010-09-20 10:09:09 +00:00			`type nagios_t, nrpe_t, nagios_log_t;`
Nagios patch from Dan Walsh Edits: - Removed permissive lines - Removed tunable for broken symptoms - Style and whitespace fixes 2010-05-24 13:42:59 +00:00			`')`

			`type nagios_$1_plugin_t;`
			`type nagios_$1_plugin_exec_t;`
			`application_domain(nagios_$1_plugin_t, nagios_$1_plugin_exec_t)`
			`role system_r types nagios_$1_plugin_t;`

			`allow nagios_$1_plugin_t self:fifo_file rw_fifo_file_perms;`

			`domtrans_pattern(nrpe_t, nagios_$1_plugin_exec_t, nagios_$1_plugin_t)`
Allow domains with different mcs levels to send each other signals as long as they are not identified as mcsconstrainproc Allow shutdown to write utmp and search /var/log Allow mozilla_plugin to send nsplugin signals Split out samba_run_unconfined_net from unconfined_domain stuff. TO allow unconfined.pp module to be removed Allow nrpe to send signal and sigkill to the plugins Fix up xguest to allow it to read hwdata and gconf_etc_t Allow initrc_t to manage faillog 2010-09-22 20:42:32 +00:00			`allow nrpe_t nagios_$1_plugin_t:process { signal sigkill };`
Nagios patch from Dan Walsh Edits: - Removed permissive lines - Removed tunable for broken symptoms - Style and whitespace fixes 2010-05-24 13:42:59 +00:00
			`# needed by command.cfg`
			`domtrans_pattern(nagios_t, nagios_$1_plugin_exec_t, nagios_$1_plugin_t)`

			`allow nagios_t nagios_$1_plugin_t:process signal_perms;`

			`# cjp: leaked file descriptor`
			`dontaudit nagios_$1_plugin_t nrpe_t:tcp_socket { read write };`
			`dontaudit nagios_$1_plugin_t nagios_log_t:file { read write };`

			`miscfiles_read_localization(nagios_$1_plugin_t)`
			`')`

trunk: 6 patches from dan. 2009-06-11 15:00:48 +00:00			`########################################`
			`## <summary>`
			`## Do not audit attempts to read or write nagios`
			`## unnamed pipes.`
			`## </summary>`
			`## <param name="domain">`
			`## <summary>`
			`## Domain to not audit.`
			`## </summary>`
			`## </param>`
			`#`
			interface(`nagios_dontaudit_rw_pipes',`
			gen_require(`
			`type nagios_t;`
			`')`

			`dontaudit $1 nagios_t:fifo_file rw_fifo_file_perms;`
			`')`

add nagios, bug 1531 2006-04-06 15:03:23 +00:00			`########################################`
			`## <summary>`
			`## Allow the specified domain to read`
			`## nagios configuration files.`
			`## </summary>`
			`## <param name="domain">`
			`## <summary>`
			`## Domain allowed access.`
			`## </summary>`
			`## </param>`
add main part of role-o-matic 2006-09-06 22:07:25 +00:00			`## <rolecap/>`
add nagios, bug 1531 2006-04-06 15:03:23 +00:00			`#`
			interface(`nagios_read_config',`
			gen_require(`
			`type nagios_etc_t;`
			`')`

			`allow $1 nagios_etc_t:dir list_dir_perms;`
merge policy patterns to trunk 2006-12-12 20:08:08 +00:00			`allow $1 nagios_etc_t:file read_file_perms;`
add nagios, bug 1531 2006-04-06 15:03:23 +00:00			`files_search_etc($1)`
			`')`

Nagios patch from Dan Walsh Edits: - Removed permissive lines - Removed tunable for broken symptoms - Style and whitespace fixes 2010-05-24 13:42:59 +00:00			`######################################`
			`## <summary>`
			`## Read nagios logs.`
			`## </summary>`
			`## <param name="domain">`
			`## <summary>`
			`## Domain allowed access.`
			`## </summary>`
			`## </param>`
			`#`
			interface(`nagios_read_log',`
			gen_require(`
			`type nagios_log_t;`
			`')`

			`logging_search_logs($1)`
			`read_files_pattern($1, nagios_log_t, nagios_log_t)`
			`')`

Netutils patch from Dan Walsh. ping gets leaked log descriptor from nagios. Label send_arp as ping_exec_t 2010-06-17 14:16:19 +00:00			`########################################`
			`## <summary>`
			`## Do not audit attempts to read or write nagios logs.`
			`## </summary>`
			`## <param name="domain">`
			`## <summary>`
			`## Domain to not audit.`
			`## </summary>`
			`## </param>`
			`#`
			interface(`nagios_dontaudit_rw_log',`
			gen_require(`
			`type nagios_log_t;`
			`')`

			`dontaudit $1 nagios_log_t:file rw_file_perms;`
			`')`

Nagios patch from Dan Walsh Edits: - Removed permissive lines - Removed tunable for broken symptoms - Style and whitespace fixes 2010-05-24 13:42:59 +00:00			`########################################`
			`## <summary>`
			`## Search nagios spool directories.`
			`## </summary>`
			`## <param name="domain">`
			`## <summary>`
			`## Domain allowed access.`
			`## </summary>`
			`## </param>`
			`#`
			interface(`nagios_search_spool',`
			gen_require(`
			`type nagios_spool_t;`
			`')`

			`allow $1 nagios_spool_t:dir search_dir_perms;`
			`files_search_spool($1)`
			`')`

add nagios, bug 1531 2006-04-06 15:03:23 +00:00			`########################################`
			`## <summary>`
			`## Allow the specified domain to read`
			`## nagios temporary files.`
			`## </summary>`
			`## <param name="domain">`
			`## <summary>`
			`## Domain allowed access.`
			`## </summary>`
			`## </param>`
			`#`
			interface(`nagios_read_tmp_files',`
			gen_require(`
			`type nagios_tmp_t;`
			`')`

merge policy patterns to trunk 2006-12-12 20:08:08 +00:00			`allow $1 nagios_tmp_t:file read_file_perms;`
add nagios, bug 1531 2006-04-06 15:03:23 +00:00			`files_search_tmp($1)`
			`')`

UPdate for f14 policy 2010-08-26 13:41:21 +00:00			`########################################`
			`## <summary>`
			`## Allow the specified domain to read`
			`## nagios temporary files.`
			`## </summary>`
			`## <param name="domain">`
			`## <summary>`
			`## Domain allowed access.`
			`## </summary>`
			`## </param>`
			`#`
			interface(`nagios_rw_inerited_tmp_files',`
			gen_require(`
			`type nagios_tmp_t;`
			`')`

			`allow $1 nagios_tmp_t:file rw_inherited_file_perms;`
			`files_search_tmp($1)`
			`')`

add nrpe to nagios, bug 1533 2006-04-27 16:37:40 +00:00			`########################################`
			`## <summary>`
			`## Execute the nagios NRPE with`
			`## a domain transition.`
			`## </summary>`
			`## <param name="domain">`
			`## <summary>`
Services layer xml files. Signed-off-by: Dominick Grift <domg472@gmail.com> 2010-08-05 13:03:19 +00:00			`## Domain allowed to transition.`
add nrpe to nagios, bug 1533 2006-04-27 16:37:40 +00:00			`## </summary>`
			`## </param>`
			`#`
			interface(`nagios_domtrans_nrpe',`
			gen_require(`
			`type nrpe_t, nrpe_exec_t;`
			`')`

trunk: massive whitespace cleanup from dominick grift. 2008-07-23 21:38:39 +00:00			`domtrans_pattern($1, nrpe_exec_t, nrpe_t)`
add nrpe to nagios, bug 1533 2006-04-27 16:37:40 +00:00			`')`
Nagios patch from Dan Walsh Edits: - Removed permissive lines - Removed tunable for broken symptoms - Style and whitespace fixes 2010-05-24 13:42:59 +00:00
			`########################################`
			`## <summary>`
			`## All of the rules required to administrate`
			`## an nagios environment`
			`## </summary>`
			`## <param name="domain">`
			`## <summary>`
			`## Domain allowed access.`
			`## </summary>`
			`## </param>`
			`## <param name="role">`
			`## <summary>`
			`## The role to be allowed to manage the nagios domain.`
			`## </summary>`
			`## </param>`
			`## <rolecap/>`
			`#`
			interface(`nagios_admin',`
			gen_require(`
Replace type and attributes statements by comma delimiters where possible. Replace type and attributes statements by comma delimiters where possible. Replace type and attributes statements by comma delimiters where possible. Replace type and attributes statements by comma delimiters where possible. Replace type and attributes statements by comma delimiters where possible. Replace type and attributes statements by comma delimiters where possible. Replace type and attributes statements by comma delimiters where possible. Replace type and attributes statements by comma delimiters where possible. Replace type and attributes statements by comma delimiters where possible. Replace type and attributes statements by comma delimiters where possible. Replace type and attributes statements by comma delimiters where possible. Replace type and attributes statements by comma delimiters where possible. Replace type and attributes statements by comma delimiters where possible. Replace type and attributes statements by comma delimiters where possible. Replace type and attributes statements by comma delimiters where possible. Replace type and attributes statements by comma delimiters where possible. Replace type and attributes statements by comma delimiters where possible. Replace type and attributes statements by comma delimiters where possible. Replace type and attributes statements by comma delimiters where possible. Replace type and attributes statements by comma delimiters where possible. Replace type and attributes statements by comma delimiters where possible. Syntax error. Squash me with 959aa527a5394d23b994ecf75347d2445106d0c4 Replace type and attributes statements by comma delimiters where possible. Syntax error. Squach me with 779a708452142d6e4ac2ba2a158f724782a03291 Replace type and attributes statements by comma delimiters where possible. Syntax error. Squash me with 89180ea115794aadddaa9b356ab1dfcdc9ff102 2010-09-20 10:09:09 +00:00			`type nagios_t, nrpe_t, nagios_initrc_exec_t;`
			`type nagios_tmp_t, nagios_log_t, nagios_var_run_t;`
			`type nagios_etc_t, nrpe_etc_t, nagios_spool_t;`
Nagios patch from Dan Walsh Edits: - Removed permissive lines - Removed tunable for broken symptoms - Style and whitespace fixes 2010-05-24 13:42:59 +00:00			`')`

			`allow $1 nagios_t:process { ptrace signal_perms };`
			`ps_process_pattern($1, nagios_t)`

			`init_labeled_script_domtrans($1, nagios_initrc_exec_t)`
			`domain_system_change_exemption($1)`
			`role_transition $2 nagios_initrc_exec_t system_r;`
			`allow $2 system_r;`

			`files_list_tmp($1)`
			`admin_pattern($1, nagios_tmp_t)`

			`logging_list_logs($1)`
			`admin_pattern($1, nagios_log_t)`

			`files_list_etc($1)`
			`admin_pattern($1, nagios_etc_t)`

			`files_list_spool($1)`
			`admin_pattern($1, nagios_spool_t)`

			`files_list_pids($1)`
			`admin_pattern($1, nagios_var_run_t)`

			`admin_pattern($1, nrpe_etc_t)`
			`')`