selinux-policy/policy/modules/services/nagios.te
Dominick Grift 18f2a72d7f Whitespace, newline and tab fixes.
Whitespace, newline and tab fixes.

Whitespace, newline and tab fixes.

Whitespace, newline and tab fixes.

Whitespace, newline and tab fixes.

Whitespace, newline and tab fixes.

Whitespace, newline and tab fixes.

Whitespace, newline and tab fixes.

Whitespace, newline and tab fixes.

Whitespace, newline and tab fixes.

Whitespace, newline and tab fixes.

Whitespace, newline and tab fixes.

Whitespace, newline and tab fixes.

Whitespace, newline and tab fixes.

Whitespace, newline and tab fixes.

Whitespace, newline and tab fixes.
2010-09-23 14:59:23 +02:00

391 lines
10 KiB
Plaintext

policy_module(nagios, 1.9.1)
########################################
#
# Declarations
#
type nagios_t;
type nagios_exec_t;
init_daemon_domain(nagios_t, nagios_exec_t)
type nagios_etc_t;
files_config_file(nagios_etc_t)
type nagios_initrc_exec_t;
init_script_file(nagios_initrc_exec_t)
type nagios_log_t;
logging_log_file(nagios_log_t)
type nagios_tmp_t;
files_tmp_file(nagios_tmp_t)
type nagios_var_run_t;
files_pid_file(nagios_var_run_t)
type nagios_spool_t;
files_type(nagios_spool_t)
nagios_plugin_template(admin)
nagios_plugin_template(checkdisk)
nagios_plugin_template(mail)
nagios_plugin_template(services)
nagios_plugin_template(system)
nagios_plugin_template(unconfined)
type nagios_system_plugin_tmp_t;
files_tmp_file(nagios_system_plugin_tmp_t)
type nrpe_t;
type nrpe_exec_t;
init_daemon_domain(nrpe_t, nrpe_exec_t)
type nrpe_etc_t;
files_config_file(nrpe_etc_t)
type nrpe_var_run_t;
files_pid_file(nrpe_var_run_t)
########################################
#
# Nagios local policy
#
allow nagios_t self:capability { dac_override setgid setuid };
dontaudit nagios_t self:capability sys_tty_config;
allow nagios_t self:process { setpgid signal_perms };
allow nagios_t self:fifo_file rw_file_perms;
allow nagios_t self:tcp_socket create_stream_socket_perms;
allow nagios_t self:udp_socket create_socket_perms;
read_files_pattern(nagios_t, nagios_etc_t, nagios_etc_t)
read_lnk_files_pattern(nagios_t, nagios_etc_t, nagios_etc_t)
allow nagios_t nagios_etc_t:dir list_dir_perms;
manage_files_pattern(nagios_t, nagios_log_t, nagios_log_t)
manage_fifo_files_pattern(nagios_t, nagios_log_t, nagios_log_t)
logging_log_filetrans(nagios_t, nagios_log_t, { file dir })
manage_dirs_pattern(nagios_t, nagios_tmp_t, nagios_tmp_t)
manage_files_pattern(nagios_t, nagios_tmp_t, nagios_tmp_t)
files_tmp_filetrans(nagios_t, nagios_tmp_t, { file dir })
manage_files_pattern(nagios_t, nagios_var_run_t, nagios_var_run_t)
files_pid_filetrans(nagios_t, nagios_var_run_t, file)
manage_fifo_files_pattern(nagios_t, nagios_spool_t, nagios_spool_t)
files_spool_filetrans(nagios_t, nagios_spool_t, fifo_file)
kernel_read_system_state(nagios_t)
kernel_read_kernel_sysctls(nagios_t)
corecmd_exec_bin(nagios_t)
corecmd_exec_shell(nagios_t)
corenet_all_recvfrom_unlabeled(nagios_t)
corenet_all_recvfrom_netlabel(nagios_t)
corenet_tcp_sendrecv_generic_if(nagios_t)
corenet_udp_sendrecv_generic_if(nagios_t)
corenet_tcp_sendrecv_generic_node(nagios_t)
corenet_udp_sendrecv_generic_node(nagios_t)
corenet_tcp_sendrecv_all_ports(nagios_t)
corenet_udp_sendrecv_all_ports(nagios_t)
corenet_tcp_connect_all_ports(nagios_t)
corenet_dontaudit_tcp_bind_all_reserved_ports(nagios_t)
corenet_dontaudit_udp_bind_all_reserved_ports(nagios_t)
dev_read_sysfs(nagios_t)
dev_read_urand(nagios_t)
domain_use_interactive_fds(nagios_t)
# for ps
domain_read_all_domains_state(nagios_t)
files_read_etc_files(nagios_t)
files_read_etc_runtime_files(nagios_t)
files_read_kernel_symbol_table(nagios_t)
files_search_spool(nagios_t)
files_read_usr_files(nagios_t)
fs_getattr_all_fs(nagios_t)
fs_search_auto_mountpoints(nagios_t)
auth_use_nsswitch(nagios_t)
logging_send_syslog_msg(nagios_t)
miscfiles_read_localization(nagios_t)
userdom_dontaudit_use_unpriv_user_fds(nagios_t)
userdom_dontaudit_search_user_home_dirs(nagios_t)
mta_send_mail(nagios_t)
mta_signal_system_mail(nagios_t)
mta_kill_system_mail(nagios_t)
optional_policy(`
netutils_kill_ping(nagios_t)
')
optional_policy(`
seutil_sigchld_newrole(nagios_t)
')
optional_policy(`
udev_read_db(nagios_t)
')
########################################
#
# Nagios CGI local policy
#
optional_policy(`
apache_content_template(nagios)
typealias httpd_nagios_script_t alias nagios_cgi_t;
typealias httpd_nagios_script_exec_t alias nagios_cgi_exec_t;
allow httpd_nagios_script_t self:process signal_perms;
read_files_pattern(httpd_nagios_script_t, nagios_t, nagios_t)
read_lnk_files_pattern(httpd_nagios_script_t, nagios_t, nagios_t)
files_search_spool(httpd_nagios_script_t)
rw_fifo_files_pattern(httpd_nagios_script_t, nagios_spool_t, nagios_spool_t)
allow httpd_nagios_script_t nagios_etc_t:dir list_dir_perms;
read_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_etc_t)
read_lnk_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_etc_t)
allow httpd_nagios_script_t nagios_log_t:dir list_dir_perms;
read_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_log_t)
read_lnk_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_log_t)
kernel_read_system_state(httpd_nagios_script_t)
domain_dontaudit_read_all_domains_state(httpd_nagios_script_t)
files_read_etc_runtime_files(httpd_nagios_script_t)
files_read_kernel_symbol_table(httpd_nagios_script_t)
logging_send_syslog_msg(httpd_nagios_script_t)
')
########################################
#
# Nagios remote plugin executor local policy
#
allow nrpe_t self:capability { setuid setgid };
dontaudit nrpe_t self:capability { sys_tty_config sys_resource };
allow nrpe_t self:process { setpgid signal_perms setsched setrlimit };
allow nrpe_t self:fifo_file rw_fifo_file_perms;
allow nrpe_t self:tcp_socket create_stream_socket_perms;
domtrans_pattern(nrpe_t, nagios_checkdisk_plugin_exec_t, nagios_checkdisk_plugin_t)
read_files_pattern(nrpe_t, nagios_etc_t, nagios_etc_t)
files_search_etc(nrpe_t)
manage_files_pattern(nrpe_t, nrpe_var_run_t, nrpe_var_run_t)
files_pid_filetrans(nrpe_t, nrpe_var_run_t, file)
kernel_read_system_state(nrpe_t)
kernel_read_kernel_sysctls(nrpe_t)
corecmd_exec_bin(nrpe_t)
corecmd_exec_shell(nrpe_t)
corenet_tcp_bind_generic_node(nrpe_t)
corenet_tcp_bind_inetd_child_port(nrpe_t)
corenet_sendrecv_unlabeled_packets(nrpe_t)
dev_read_sysfs(nrpe_t)
dev_read_urand(nrpe_t)
domain_use_interactive_fds(nrpe_t)
domain_read_all_domains_state(nrpe_t)
files_read_etc_runtime_files(nrpe_t)
files_read_etc_files(nrpe_t)
fs_getattr_all_fs(nrpe_t)
fs_search_auto_mountpoints(nrpe_t)
auth_use_nsswitch(nrpe_t)
logging_send_syslog_msg(nrpe_t)
miscfiles_read_localization(nrpe_t)
userdom_dontaudit_use_unpriv_user_fds(nrpe_t)
optional_policy(`
inetd_tcp_service_domain(nrpe_t, nrpe_exec_t)
')
optional_policy(`
mta_send_mail(nrpe_t)
')
optional_policy(`
seutil_sigchld_newrole(nrpe_t)
')
optional_policy(`
tcpd_wrapped_domain(nrpe_t, nrpe_exec_t)
')
optional_policy(`
udev_read_db(nrpe_t)
')
#####################################
#
# local policy for admin check plugins
#
corecmd_read_bin_files(nagios_admin_plugin_t)
corecmd_read_bin_symlinks(nagios_admin_plugin_t)
dev_read_urand(nagios_admin_plugin_t)
dev_getattr_all_chr_files(nagios_admin_plugin_t)
dev_getattr_all_blk_files(nagios_admin_plugin_t)
files_read_etc_files(nagios_admin_plugin_t)
# for check_file_age plugin
files_getattr_all_dirs(nagios_admin_plugin_t)
files_getattr_all_files(nagios_admin_plugin_t)
files_getattr_all_symlinks(nagios_admin_plugin_t)
files_getattr_all_pipes(nagios_admin_plugin_t)
files_getattr_all_sockets(nagios_admin_plugin_t)
files_getattr_all_file_type_fs(nagios_admin_plugin_t)
######################################
#
# local policy for mail check plugins
#
allow nagios_mail_plugin_t self:capability { setuid setgid dac_override };
allow nagios_mail_plugin_t self:netlink_route_socket r_netlink_socket_perms;
allow nagios_mail_plugin_t self:tcp_socket create_stream_socket_perms;
allow nagios_mail_plugin_t self:udp_socket create_socket_perms;
kernel_read_system_state(nagios_mail_plugin_t)
kernel_read_kernel_sysctls(nagios_mail_plugin_t)
corecmd_read_bin_files(nagios_mail_plugin_t)
corecmd_read_bin_symlinks(nagios_mail_plugin_t)
dev_read_urand(nagios_mail_plugin_t)
files_read_etc_files(nagios_mail_plugin_t)
logging_send_syslog_msg(nagios_mail_plugin_t)
sysnet_read_config(nagios_mail_plugin_t)
optional_policy(`
mta_send_mail(nagios_mail_plugin_t)
')
optional_policy(`
nscd_dontaudit_search_pid(nagios_mail_plugin_t)
')
optional_policy(`
postfix_stream_connect_master(nagios_mail_plugin_t)
posftix_exec_postqueue(nagios_mail_plugin_t)
')
######################################
#
# local policy for disk check plugins
#
# needed by ioctl()
allow nagios_checkdisk_plugin_t self:capability { sys_admin sys_rawio };
files_read_etc_runtime_files(nagios_checkdisk_plugin_t)
fs_getattr_all_fs(nagios_checkdisk_plugin_t)
storage_raw_read_fixed_disk(nagios_checkdisk_plugin_t)
#######################################
#
# local policy for service check plugins
#
allow nagios_services_plugin_t self:capability { net_bind_service net_raw };
allow nagios_services_plugin_t self:process { signal sigkill };
allow nagios_services_plugin_t self:tcp_socket create_stream_socket_perms;
allow nagios_services_plugin_t self:udp_socket create_socket_perms;
corecmd_exec_bin(nagios_services_plugin_t)
corenet_tcp_connect_all_ports(nagios_services_plugin_t)
corenet_udp_bind_dhcpc_port(nagios_services_plugin_t)
auth_use_nsswitch(nagios_services_plugin_t)
domain_read_all_domains_state(nagios_services_plugin_t)
files_read_usr_files(nagios_services_plugin_t)
optional_policy(`
netutils_domtrans_ping(nagios_services_plugin_t)
netutils_signal_ping(nagios_services_plugin_t)
netutils_kill_ping(nagios_services_plugin_t)
')
optional_policy(`
mysql_stream_connect(nagios_services_plugin_t)
')
optional_policy(`
snmp_read_snmp_var_lib_files(nagios_services_plugin_t)
')
######################################
#
# local policy for system check plugins
#
allow nagios_system_plugin_t self:capability dac_override;
dontaudit nagios_system_plugin_t self:capability { setuid setgid };
# check_log
manage_files_pattern(nagios_system_plugin_t, nagios_system_plugin_tmp_t, nagios_system_plugin_tmp_t)
manage_dirs_pattern(nagios_system_plugin_t, nagios_system_plugin_tmp_t, nagios_system_plugin_tmp_t)
files_tmp_filetrans(nagios_system_plugin_t, nagios_system_plugin_tmp_t, { dir file })
kernel_read_system_state(nagios_system_plugin_t)
kernel_read_kernel_sysctls(nagios_system_plugin_t)
corecmd_exec_bin(nagios_system_plugin_t)
corecmd_exec_shell(nagios_system_plugin_t)
dev_read_sysfs(nagios_system_plugin_t)
dev_read_urand(nagios_system_plugin_t)
domain_read_all_domains_state(nagios_system_plugin_t)
files_read_etc_files(nagios_system_plugin_t)
# needed by check_users plugin
optional_policy(`
init_read_utmp(nagios_system_plugin_t)
')
########################################
#
# Unconfined plugin policy
#
optional_policy(`
unconfined_domain(nagios_unconfined_plugin_t)
')