From: Thomas Bleher <bleher@informatik.uni-muenchen.de>
To: Russell Coker <russell@coker.com.au>
Cc: SELinux ML <selinux@tycho.nsa.gov>
Subject: Re: [patch] policy for nrpe
Date: Tue, 25 May 2004 11:03:58 +0200 [thread overview]
Message-ID: <20040525090358.GA3379@jmh.mhn.de> (raw)
In-Reply-To: <200405251248.23006.russell@coker.com.au>
* Russell Coker <russell@coker.com.au> [2004-05-25 06:37]:
> On Mon, 24 May 2004 07:44, Thomas Bleher <bleher@informatik.uni-muenchen.de>
> wrote:
> > The attached patch adds policy support for nrpe.
> > (nrpe stands for Nagios Remote Plugin Execution and is a client called
> > from inetd which performs checks on a client on behalf of a Nagios
> > server)
>
> I have made a couple of changes. I have labeled the port as inetd_port_t,
> there seems to be no benefit in having a different type as only inetd is used
> for binding to the port. I have added support for running directly from
> inetd without tcpd (my personal preference for such things is to run nagios
> on the internal network and use netfilter to control access).
This looks good to me. I have attached the modified patch.
Thanks,
Thomas
--
http://www.cip.ifi.lmu.de/~bleher/selinux/ - my SELinux pages
GPG-Fingerprint: BC4F BB16 30D6 F253 E3EA D09E C562 2BAE B2F4 ABE7
[-- Attachment #1.2: nrpe.patch --]
diff -urN orig/domains/program/nrpe.te mod/domains/program/nrpe.te
--- orig/domains/program/nrpe.te 1970-01-01 01:00:00.000000000 +0100
+++ mod/domains/program/nrpe.te 2004-05-25 10:59:25.558086504 +0200
@@ -0,0 +1,38 @@
+# DESC nrpe - Nagios Remote Plugin Execution
+#
+# Author: Thomas Bleher <ThomasBleher@gmx.de>
+#
+# X-Debian-Packages: nagios-nrpe-server
+#
+# This policy assumes that nrpe is called from inetd
+
+daemon_base_domain(nrpe)
+ifdef(`tcpd.te', `
+domain_auto_trans(tcpd_t, nrpe_exec_t, nrpe_t)
+')
+domain_auto_trans(inetd_t, nrpe_exec_t, nrpe_t)
+
+allow nrpe_t urandom_device_t:chr_file { getattr ioctl read };
+
+allow nrpe_t self:fifo_file rw_file_perms;
+# use sockets inherited from inetd
+allow nrpe_t inetd_t:tcp_socket { ioctl read write };
+allow nrpe_t devtty_t:chr_file { read write };
+
+allow nrpe_t self:process setpgid;
+
+etc_domain(nrpe)
+
+# permissions for the scripts executed by nrpe
+#
+# call shell programs
+can_exec(nrpe_t, { bin_t shell_exec_t ls_exec_t })
+allow nrpe_t { bin_t sbin_t }:dir search;
+# for /bin/sh
+allow nrpe_t bin_t:lnk_file read;
+
+# read /proc/meminfo, /proc/self/mounts and /etc/mtab
+allow nrpe_t { self proc_t etc_runtime_t }:file { getattr read };
+
+# you will have to add more permissions here, depending on the scripts you call!
+
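Review bot: because the plugins are executed through can_exec(nrpe_t, { bin_t shell_exec_t ls_exec_t }) with no domain transition, every check script runs in nrpe_t itself, so the closing comment "you will have to add more permissions here, depending on the scripts you call!" means each plugin's needs widen the permissions of the network-facing nrpe process rather than of the plugin alone; that trade-off belongs in the header comment next to "This policy assumes that nrpe is called from inetd", and a separate domain for the plugins is worth considering where local users can drop scripts into the plugin directories. A smaller point in the same hunk: nrpe_t is granted no tcp_socket create or name_bind permission, so an nrpe started outside inetd will be denied when it tries to listen; saying so explicitly in the header makes the inetd-only assumption visible to anyone who later enables daemon mode.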
diff -urN orig/file_contexts/program/nrpe.fc mod/file_contexts/program/nrpe.fc
--- orig/file_contexts/program/nrpe.fc 1970-01-01 01:00:00.000000000 +0100
+++ mod/file_contexts/program/nrpe.fc 2004-05-25 10:59:34.238766840 +0200
@@ -0,0 +1,6 @@
+# nrpe
+/usr/bin/nrpe -- system_u:object_r:nrpe_exec_t
+/etc/nagios/nrpe.cfg -- system_u:object_r:nrpe_etc_t
+/usr/lib/netsaint/plugins(/.*)? -- system_u:object_r:bin_t
+/usr/lib/nagios/plugins(/.*)? -- system_u:object_r:bin_t
+
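Review bot: both plugin directories are labelled with the generic bin_t, so nrpe plugins are indistinguishable from any other bin_t program and anything copied into /usr/lib/nagios/plugins becomes executable by every domain that may execute bin_t, not only by nrpe_t; a dedicated exec type (for example nrpe_plugin_exec_t, named here only as a suggestion) used in the can_exec() line of nrpe.te would let the policy grant execution of the plugins without also granting execution of all of bin_t. The /usr/lib/netsaint/plugins entry should also carry a short comment explaining that it is the old NetSaint location kept for upgraded installations, so a reader does not assume two plugin sets are expected.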
diff -urN orig/net_contexts mod/net_contexts
--- orig/net_contexts 2004-05-25 10:58:52.402126976 +0200
+++ mod/net_contexts 2004-05-25 10:43:06.000000000 +0200
@@ -142,6 +142,7 @@
portcon tcp 5269 system_u:object_r:jabber_interserver_port_t
')
ifdef(`postgresql.te', `portcon tcp 5432 system_u:object_r:postgresql_port_t')
+ifdef(`nrpe.te', `portcon tcp 5666 system_u:object_r:inetd_port_t')
ifdef(`use_x_ports', `
portcon tcp 6000 system_u:object_r:xserver_port_t
portcon tcp 6001 system_u:object_r:xserver_port_t
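Review bot: the portcon is guarded on nrpe.te but assigns inetd's generic inetd_port_t, so it adds no nrpe-specific type; as the discussion above says, that is deliberate because only inetd binds 5666, but a one-line comment here (or in the nrpe.te header) stating that there is intentionally no nrpe_port_t would save the next reader from searching for one. It is also worth noting in that comment that nrpe_t itself cannot bind the port under this labelling, which is the inetd-only assumption nrpe.te already states.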
Thread overview: 6+ messages
2004-05-23 21:44 [patch] policy for nrpe Thomas Bleher
2004-05-24 0:56 ` Russell Coker
2004-05-24 9:09 ` Thomas Bleher
2004-05-25 2:41 ` Russell Coker
2004-05-25 2:48 ` Russell Coker
2004-05-25 9:03 ` Thomas Bleher [this message]