## Net Saint / NAGIOS - network monitoring server ######################################## ## ## Create a set of derived types for various ## nagios plugins, ## ## ## ## The name to be used for deriving type names. ## ## # template(`nagios_plugin_template',` gen_require(` type nagios_t, nrpe_t; type nagios_log_t; ') type nagios_$1_plugin_t; type nagios_$1_plugin_exec_t; application_domain(nagios_$1_plugin_t, nagios_$1_plugin_exec_t) role system_r types nagios_$1_plugin_t; allow nagios_$1_plugin_t self:fifo_file rw_fifo_file_perms; domtrans_pattern(nrpe_t, nagios_$1_plugin_exec_t, nagios_$1_plugin_t) # needed by command.cfg domtrans_pattern(nagios_t, nagios_$1_plugin_exec_t, nagios_$1_plugin_t) allow nagios_t nagios_$1_plugin_t:process signal_perms; # cjp: leaked file descriptor dontaudit nagios_$1_plugin_t nrpe_t:tcp_socket { read write }; dontaudit nagios_$1_plugin_t nagios_log_t:file { read write }; miscfiles_read_localization(nagios_$1_plugin_t) ') ######################################## ## ## Do not audit attempts to read or write nagios ## unnamed pipes. ## ## ## ## Domain to not audit. ## ## ## # interface(`nagios_dontaudit_rw_pipes',` gen_require(` type nagios_t; ') dontaudit $1 nagios_t:fifo_file rw_fifo_file_perms; ') ######################################## ## ## Allow the specified domain to read ## nagios configuration files. ## ## ## ## Domain allowed access. ## ## ## # interface(`nagios_read_config',` gen_require(` type nagios_etc_t; ') allow $1 nagios_etc_t:dir list_dir_perms; allow $1 nagios_etc_t:file read_file_perms; files_search_etc($1) ') ###################################### ## ## Read nagios logs. ## ## ## ## Domain allowed access. ## ## # interface(`nagios_read_log',` gen_require(` type nagios_log_t; ') logging_search_logs($1) read_files_pattern($1, nagios_log_t, nagios_log_t) ') ######################################## ## ## Do not audit attempts to read or write nagios logs. ## ## ## ## Domain to not audit. ## ## # interface(`nagios_dontaudit_rw_log',` gen_require(` type nagios_log_t; ') dontaudit $1 nagios_log_t:file rw_file_perms; ') ######################################## ## ## Search nagios spool directories. ## ## ## ## Domain allowed access. ## ## # interface(`nagios_search_spool',` gen_require(` type nagios_spool_t; ') allow $1 nagios_spool_t:dir search_dir_perms; files_search_spool($1) ') ######################################## ## ## Allow the specified domain to read ## nagios temporary files. ## ## ## ## Domain allowed access. ## ## # interface(`nagios_read_tmp_files',` gen_require(` type nagios_tmp_t; ') allow $1 nagios_tmp_t:file read_file_perms; files_search_tmp($1) ') ######################################## ## ## Execute the nagios NRPE with ## a domain transition. ## ## ## ## Domain allowed access. ## ## # interface(`nagios_domtrans_nrpe',` gen_require(` type nrpe_t, nrpe_exec_t; ') domtrans_pattern($1, nrpe_exec_t, nrpe_t) ') ######################################## ## ## All of the rules required to administrate ## an nagios environment ## ## ## ## Domain allowed access. ## ## ## ## ## The role to be allowed to manage the nagios domain. ## ## ## # interface(`nagios_admin',` gen_require(` type nagios_t, nrpe_t; type nagios_tmp_t, nagios_log_t; type nagios_etc_t, nrpe_etc_t; type nagios_spool_t, nagios_var_run_t; type nagios_initrc_exec_t; ') allow $1 nagios_t:process { ptrace signal_perms }; ps_process_pattern($1, nagios_t) init_labeled_script_domtrans($1, nagios_initrc_exec_t) domain_system_change_exemption($1) role_transition $2 nagios_initrc_exec_t system_r; allow $2 system_r; files_list_tmp($1) admin_pattern($1, nagios_tmp_t) logging_list_logs($1) admin_pattern($1, nagios_log_t) files_list_etc($1) admin_pattern($1, nagios_etc_t) files_list_spool($1) admin_pattern($1, nagios_spool_t) files_list_pids($1) admin_pattern($1, nagios_var_run_t) admin_pattern($1, nrpe_etc_t) ')