From Debian package 0.0.20080702-16 Parts merged upstream in 99bbe348 (2010-05-24) Updated in 0.2.20100524-2 0.0.20080702-16: Label /usr/sbin/nrpe and allow it to search nagios_etc_t:dir, read etc_t files, do setgid() and setuid(), create a pidfile, bind to port 5666, stat filesystems, get a list of processes, and check mysql and postgresql databases. 0.2.20100524-2: * Allow nrpe_t to execute sudo and search /var/spool also don't audit capability sys_resource. Add can_exec_sudo interface Some lines are duplicates after upstream 99bbe348 (2010-05-24)
Index: policy/modules/services/nagios.fc
===================================================================
--- policy/modules/services/nagios.fc.orig
+++ policy/modules/services/nagios.fc
@@ -1,7 +1,9 @@
 /etc/nagios(/.*)? gen_context(system_u:object_r:nagios_etc_t,s0)
-/etc/nagios/nrpe\.cfg -- gen_context(system_u:object_r:nrpe_etc_t,s0)
+/etc/nagios/nrpe\.* -- gen_context(system_u:object_r:nrpe_etc_t,s0)
+ifndef(`distro_debian', `
 /etc/rc\.d/init\.d/nagios -- gen_context(system_u:object_r:nagios_initrc_exec_t,s0)
 /etc/rc\.d/init\.d/nrpe -- gen_context(system_u:object_r:nagios_initrc_exec_t,s0)
+')
 /usr/s?bin/nagios -- gen_context(system_u:object_r:nagios_exec_t,s0)
 /usr/s?bin/nrpe -- gen_context(system_u:object_r:nrpe_exec_t,s0)
Index: policy/modules/services/nagios.te
===================================================================
--- policy/modules/services/nagios.te.orig
+++ policy/modules/services/nagios.te
@@ -193,6 +193,12 @@
 manage_files_pattern(nrpe_t, nrpe_var_run_t, nrpe_var_run_t)
 files_pid_filetrans(nrpe_t, nrpe_var_run_t, file)
+type nrpe_tmp_t;
+files_tmp_file(nrpe_tmp_t)
+manage_dirs_pattern(nrpe_t, nrpe_tmp_t, nrpe_tmp_t)
+manage_files_pattern(nrpe_t, nrpe_tmp_t, nrpe_tmp_t)
+files_tmp_filetrans(nrpe_t, nrpe_tmp_t, { file dir })
+
 kernel_read_system_state(nrpe_t)
 kernel_read_kernel_sysctls(nrpe_t)
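Review bot: The new file context `/etc/nagios/nrpe\.* -- gen_context(system_u:object_r:nrpe_etc_t,s0)` no longer matches nrpe.cfg: file_contexts patterns are anchored, and `\.*` quantifies the escaped dot, so the regex matches only `/etc/nagios/nrpe` followed by zero or more literal dots. The line it replaces matched nrpe.cfg exactly, so this is a regression that would leave the main config labelled nagios_etc_t from the directory rule above. If the intent is to cover every file named nrpe.something, `/etc/nagios/nrpe\..* -- gen_context(system_u:object_r:nrpe_etc_t,s0)` does that (or `/etc/nagios/nrpe.*` if names not starting with `nrpe.` are wanted too); the `--` still limits it to regular files.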
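Review bot: The `type nrpe_tmp_t;` and `files_tmp_file(nrpe_tmp_t)` lines are placed in the middle of the nrpe local-policy rules rather than in the module's declarations block, which is where refpolicy keeps type declarations; that block is outside this hunk. Moving those two lines there and leaving the manage_*_pattern and files_tmp_filetrans rules here would match the layout of the surrounding file. The hunk also does not say why nrpe needs /tmp, so a one-line comment above the rules, e.g. `# temporary files created by nrpe or the plugins it runs`, would help the next reader decide whether the dir transition is still needed.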
@@ -202,6 +208,16 @@
 corenet_tcp_bind_generic_node(nrpe_t)
 corenet_tcp_bind_inetd_child_port(nrpe_t)
 corenet_sendrecv_unlabeled_packets(nrpe_t)
+corenet_all_recvfrom_unlabeled(nrpe_t)
+corenet_all_recvfrom_netlabel(nrpe_t)
+corenet_tcp_sendrecv_all_if(nrpe_t)
+corenet_tcp_sendrecv_all_nodes(nrpe_t)
+corenet_tcp_sendrecv_generic_port(nrpe_t)
+corenet_tcp_bind_all_nodes(nrpe_t)
+corenet_tcp_bind_nrpe_port(nrpe_t)
+sysnet_dns_name_resolve(nrpe_t)
+
+allow nrpe_t self:netlink_route_socket create_netlink_socket_perms;
 dev_read_sysfs(nrpe_t)
 dev_read_urand(nrpe_t)
@@ -223,6 +239,15 @@
 userdom_dontaudit_use_unpriv_user_fds(nrpe_t)
+domain_read_all_domains_state(nrpe_t)
+fs_getattr_all_fs(nrpe_t)
+storage_getattr_fixed_disk_dev(nrpe_t)
+init_read_utmp(nrpe_t)
+
+term_dontaudit_getattr_all_user_ttys(nrpe_t)
+term_dontaudit_getattr_unallocated_ttys(nrpe_t)
+term_dontaudit_getattr_all_user_ptys(nrpe_t)
+
 optional_policy(`
 inetd_tcp_service_domain(nrpe_t, nrpe_exec_t)
 ')
@@ -270,6 +295,7 @@
 #
 allow nagios_mail_plugin_t self:capability { setuid setgid dac_override };
+dontaudit nagios_mail_plugin_t self:capability { sys_resource };
 allow nagios_mail_plugin_t self:netlink_route_socket r_netlink_socket_perms;
 allow nagios_mail_plugin_t self:tcp_socket create_stream_socket_perms;
@@ -294,12 +320,18 @@
 ')
 optional_policy(`
+ can_exec_sudo(nagios_mail_plugin_t)
+')
+
+optional_policy(`
 nscd_dontaudit_search_pid(nagios_mail_plugin_t)
 ')
 optional_policy(`
 postfix_stream_connect_master(nagios_mail_plugin_t)
 posftix_exec_postqueue(nagios_mail_plugin_t)
+ postfix_list_spool(nagios_mail_plugin_t)
+ postfix_read_spool_files(nagios_mail_plugin_t)
 ')
 ######################################
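Review bot: `allow nrpe_t self:netlink_route_socket create_netlink_socket_perms;` is inserted among the corenet_* interface calls, whereas refpolicy keeps self allow rules at the top of a domain's local policy section before any interface calls; the section start is outside this hunk. The new `corenet_tcp_bind_all_nodes(nrpe_t)` overlaps the `corenet_tcp_bind_generic_node(nrpe_t)` context line above it, and `corenet_tcp_bind_inetd_child_port(nrpe_t)` is kept even though the corenetwork hunk moves 5666 out of inetd_child, so if nrpe only listens on 5666 the generic node bind plus `corenet_tcp_bind_nrpe_port(nrpe_t)` is enough and the other two can go. `corenet_tcp_sendrecv_generic_port(nrpe_t)` is wide for a daemon whose database checks get dedicated connect interfaces later in the patch; presumably some plugin probes arbitrary ports, and a comment saying which would make the grant reviewable.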
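Review bot: The new `domain_read_all_domains_state`, `fs_getattr_all_fs`, `storage_getattr_fixed_disk_dev` and `init_read_utmp` grants are each fairly wide and nothing in the hunk says which check needs them; the patch description mentions stat'ing filesystems and listing processes, so a comment per line naming the plugin (e.g. `# check_procs needs /proc of all domains`, `# check_disk`, `# check_users`) would let a later reviewer prune what is no longer used. `domain_read_all_domains_state` in particular lets nrpe_t read /proc state of every domain on the host, so recording the reason matters more here than for the tty dontaudits that follow it.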
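Review bot: The patch description attributes the sys_resource dontaudit and the sudo execution to nrpe_t, but this hunk and the `can_exec_sudo(nagios_mail_plugin_t)` hunk at @294 apply them to nagios_mail_plugin_t; either the changelog or the target domain should be corrected so the two agree. As a point of style, the surrounding rules write a single permission without braces (compare `sigchld` in the sudo.if hunk), so `dontaudit nagios_mail_plugin_t self:capability sys_resource;` matches the file.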
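Review bot: `can_exec_sudo(nagios_mail_plugin_t)` runs sudo without a domain transition, so whatever sudo then executes also stays in nagios_mail_plugin_t with the setuid, setgid and dac_override capabilities granted above; a comment recording which command the mail check invokes through sudo, and that sudoers is expected to limit it to that command, would make the grant reviewable later. Separately, the context line `posftix_exec_postqueue(nagios_mail_plugin_t)` directly above the new postfix_list_spool/postfix_read_spool_files calls looks like a typo of `postfix_exec_postqueue`; it is not introduced here, but since this block is being edited it is worth fixing in the same change.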
@@ -390,3 +422,14 @@
 optional_policy(`
 unconfined_domain(nagios_unconfined_plugin_t)
 ')
+
+optional_policy(`
+ mysql_tcp_connect(nrpe_t)
+ mysql_stream_connect(nrpe_t)
+ mysql_read_config(nrpe_t)
+')
+
+optional_policy(`
+ postgresql_tcp_connect(nrpe_t)
+ postgresql_stream_connect(nrpe_t)
+')
Index: policy/modules/kernel/corenetwork.te.in
===================================================================
--- policy/modules/kernel/corenetwork.te.in.orig
+++ policy/modules/kernel/corenetwork.te.in
@@ -128,7 +128,7 @@
 network_port(http_cache, udp,3130,s0, tcp,8080,s0, tcp,8118,s0, tcp,10001-10010,s0) # 8118 is for privoxy
 network_port(i18n_input, tcp,9010,s0)
 network_port(imaze, tcp,5323,s0, udp,5323,s0)
-network_port(inetd_child, tcp,1,s0, udp,1,s0, tcp,7,s0, udp,7,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,37,s0, udp,37,s0, tcp,512,s0, tcp,543,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,2105,s0, tcp,5666,s0)
+network_port(inetd_child, tcp,1,s0, udp,1,s0, tcp,7,s0, udp,7,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,37,s0, udp,37,s0, tcp,512,s0, tcp,543,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,2105,s0)
 network_port(innd, tcp,119,s0)
 network_port(ipmi, udp,623,s0, udp,664,s0)
 network_port(ipp, tcp,631,s0, udp,631,s0, tcp,8610-8614,s0, udp,8610-8614,s0)
@@ -165,6 +165,7 @@
 network_port(nmbd, udp,137,s0, udp,138,s0)
 network_port(ntop, tcp,3000-3001,s0, udp,3000-3001,s0)
 network_port(ntp, udp,123,s0)
+network_port(nrpe, tcp,5666,s0)
 network_port(oracledb, tcp, 1521,s0,udp, 1521,s0, tcp,2483,s0,udp,2483,s0, tcp,2484,s0, udp,2484,s0)
 network_port(ocsp, tcp,9080,s0)
 network_port(openvpn, tcp,1194,s0, udp,1194,s0)
Index: policy/modules/admin/sudo.if
===================================================================
--- policy/modules/admin/sudo.if.orig
+++ policy/modules/admin/sudo.if
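Review bot: `mysql_read_config(nrpe_t)` grants more than the TCP/stream connect interfaces beside it, and the hunk does not say why a check plugin needs the server's configuration files; the postgresql block below has no equivalent read, which suggests the mysql one may only be there for the socket path. Confirm it is actually required and otherwise drop it, and add a comment above the two blocks such as `# database checks run by plugins inside nrpe_t` so the reader knows these connects serve plugins rather than nrpe itself — presumably the plugins are not transitioned to their own domain, but that is not visible in this hunk.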
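Review bot: Dropping tcp 5666 from inetd_child here and re-adding it as the `nrpe` port in the @165 hunk below relabels the port from inetd_child_port_t to nrpe_port_t, so any domain that reached 5666 only through `corenet_tcp_bind_inetd_child_port` or the matching connect interface loses it. nrpe_t gains `corenet_tcp_bind_nrpe_port` in nagios.te, but if nrpe is launched from inetd or xinetd the inetd domain must also be able to bind nrpe_port_t, which I cannot confirm from this patch. That should be checked against the inetd policy before the port type is changed, and the relabel of 5666 deserves a mention in the changelog since local port customisations for inetd_child will no longer cover it.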
@@ -177,3 +177,29 @@ allow $1 sudodomain:process sigchld; ') + +####################################### +## +## Execute sudo_exec_t without a domain transition +## +## +##

+## This interface allows a domain to execute sudo_exec_t without a +## domain transition. It is for daemons that already have setuid +## access but are running as uid != 0. +##

+##
+## +## +## The domain that can execute sudo. +## +## +# +template(`can_exec_sudo',` + + gen_require(` + type sudo_exec_t; + ') + + can_exec($1, sudo_exec_t) +')
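Review bot: `template(`can_exec_sudo',`` declares no per-instance types and only calls `can_exec($1, sudo_exec_t)`, so by refpolicy convention this should be `interface(`can_exec_sudo',`` rather than a template, which is reserved for code that derives types from the caller's prefix. The name also lacks the `sudo_` module prefix that the other interfaces in sudo.if carry (for example `sudo_role_template`), so a prefixed name would fit better if the nagios.te call sites are adjusted to match. The XML summary/desc/param markup of the new comment block appears stripped in this rendering, so I cannot verify the documentation will pass the interface-doc checks. The `allow $1 sudodomain:process sigchld;` context line belongs to an interface whose start is outside the hunk.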