* [patch] policy for nrpe
From: Thomas Bleher @ 2004-05-23 21:44 UTC
To: SELinux ML
The attached patch adds policy support for nrpe.
(nrpe stands for Nagios Remote Plugin Execution and is a client called
from inetd which performs checks on a client on behalf of a Nagios
server)
Please apply.
Thomas
--
http://www.cip.ifi.lmu.de/~bleher/selinux/ - my SELinux pages
GPG-Fingerprint: BC4F BB16 30D6 F253 E3EA D09E C562 2BAE B2F4 ABE7
[-- Attachment #1.2: nrpe.patch --]
[-- Type: text/plain, Size: 2598 bytes --]
--- orig/domains/program/unused/nrpe.te 1970-01-01 01:00:00.000000000 +0100
+++ mod/domains/program/unused/nrpe.te 2004-05-23 23:28:33.000000000 +0200
@@ -0,0 +1,39 @@
+# DESC nrpe - Nagios Remote Plugin Execution
+#
+# Author: Thomas Bleher <ThomasBleher@gmx.de>
+#
+# Depends: tcpd.te
+# X-Debian-Packages: nagios-nrpe-server
+#
+# This policy assumes that nrpe is called from inetd
+
+type nrpe_port_t, port_type;
+
+daemon_base_domain(nrpe)
+domain_auto_trans(tcpd_t, nrpe_exec_t, nrpe_t)
+
+allow nrpe_t urandom_device_t:chr_file { getattr ioctl read };
+
+allow nrpe_t self:fifo_file rw_file_perms;
+# use sockets inherited from inetd
+allow nrpe_t inetd_t:tcp_socket { ioctl read write };
+allow nrpe_t inetd_t:fd { use };
+allow nrpe_t inetd_t:process { sigchld };
+allow nrpe_t devtty_t:chr_file { read write };
+
+allow nrpe_t self:process setpgid;
+
+etc_domain(nrpe)
+
+# permissions for the scripts executed by nrpe
+#
+# call shell programs
+can_exec(nrpe_t, { bin_t shell_exec_t ls_exec_t })
+allow nrpe_t { bin_t sbin_t }:dir search;
+# for /bin/sh
+allow nrpe_t bin_t:lnk_file read;
+
+# read /proc/meminfo, /proc/self/mounts and /etc/mtab
+allow nrpe_t { self proc_t etc_runtime_t }:file { getattr read };
+
+# you will have to add more permissions here, depending on the scripts you call!
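Review bot: the only transition into nrpe_t here is domain_auto_trans(tcpd_t, nrpe_exec_t, nrpe_t), so an inetd.conf entry that runs /usr/bin/nrpe directly instead of through tcpd leaves inetd_t to exec nrpe_exec_t with no transition: either the exec is denied or nrpe ends up running in inetd_t, neither of which is what this file intends. Add domain_auto_trans(inetd_t, nrpe_exec_t, nrpe_t) as well, and wrap the tcpd_t line in ifdef(`tcpd.te', ...) so the "Depends: tcpd.te" header can go; a one-line ifdef is cheaper than a hard dependency. The inherited-socket rules (inetd_t:tcp_socket, inetd_t:fd use, inetd_t:process sigchld) are correct for the tcpd path too, since tcpd execs nrpe in the same process and the listening socket and parent are both inetd_t.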
--- orig/file_contexts/program/nrpe.fc 1970-01-01 01:00:00.000000000 +0100
+++ mod/file_contexts/program/nrpe.fc 2004-05-23 23:28:13.000000000 +0200
@@ -0,0 +1,5 @@
+# nrpe
+/usr/bin/nrpe -- system_u:object_r:nrpe_exec_t
+/etc/nagios/nrpe.cfg -- system_u:object_r:nrpe_etc_t
+/usr/lib/netsaint/plugins(/.*)? -- system_u:object_r:bin_t
+/usr/lib/nagios/plugins(/.*)? -- system_u:object_r:bin_t
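Review bot: the `--` qualifier on the two plugin lines restricts them to regular files, so the plugins directories themselves (and any subdirectory) match neither entry and keep whatever the parent /usr/lib default gives them; drop the `--` so the directory and everything under it is bin_t and nrpe_t's `{ bin_t sbin_t }:dir search` rule actually covers the path the plugins live in. /usr/lib64 is also not covered; a `/usr/lib(64)?/...` pattern would handle both.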
--- orig/net_contexts
+++ mod/net_contexts
@@ -142,6 +142,7 @@
portcon tcp 5269 system_u:object_r:jabber_interserver_port_t
')
ifdef(`postgresql.te', `portcon tcp 5432 system_u:object_r:postgresql_port_t')
+ifdef(`nrpe.te', `portcon tcp 5666 system_u:object_r:nrpe_port_t')
ifdef(`use_x_ports', `
portcon tcp 6000 system_u:object_r:xserver_port_t
portcon tcp 6001 system_u:object_r:xserver_port_t
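Review bot: nrpe_port_t is declared in nrpe.te and then referenced only by the inetd_t name_bind rule in the inetd.te hunk; no nrpe_t or tcpd_t rule ever names it, so the dedicated type separates no access and is one more declaration to maintain. Unless you specifically want port 5666 to show up with its own type in audit output, labeling it inetd_port_t is simpler and removes the need to touch inetd.te at all.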
--- orig/domains/program/unused/inetd.te
+++ mod/domains/program/inetd.te
@@ -54,6 +54,7 @@
ifdef(`rshd.te', `allow inetd_t rsh_port_t:tcp_socket name_bind;')
ifdef(`amanda.te', `allow inetd_t amanda_port_t:tcp_socket name_bind;')
ifdef(`swat.te', `allow inetd_t swat_port_t:tcp_socket name_bind;')
+ifdef(`nrpe.te', `allow inetd_t nrpe_port_t:tcp_socket name_bind;')
ifdef(`amanda.te', `
allow inetd_t biff_port_t:tcp_socket name_bind;
allow inetd_t biff_port_t:udp_socket name_bind;
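Review bot: the `---` and `+++` headers name different files (orig/domains/program/unused/inetd.te vs mod/domains/program/inetd.te), so depending on how it is applied this hunk may create a second inetd.te under domains/program/ rather than edit the one under unused/; regenerate the diff against a single tree. The rule itself sits correctly beside the other ifdef-guarded name_bind lines.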
* Re: [patch] policy for nrpe
From: Russell Coker @ 2004-05-24 0:56 UTC
To: Thomas Bleher; +Cc: SELinux ML
On Mon, 24 May 2004 07:44, Thomas Bleher <bleher@informatik.uni-muenchen.de>
wrote:
> The attached patch adds policy support for nrpe.
> (nrpe stands for Nagios Remote Plugin Execution and is a client called
> from inetd which performs checks on a client on behalf of a Nagios
> server)
We currently have a netsaint.te in the policy, should we change that to
nagios.te? Should we include the nrpe stuff in the main netsaint.te or
nagios.te file or is it best to keep client and server stuff separate?
--
http://apac.redhat.com/disclaimer
See above URL for disclaimer.
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: [patch] policy for nrpe
From: Thomas Bleher @ 2004-05-24 9:09 UTC
To: Russell Coker; +Cc: SELinux ML
* Russell Coker <rcoker@redhat.com> [2004-05-24 02:56]:
> On Mon, 24 May 2004 07:44, Thomas Bleher <bleher@informatik.uni-muenchen.de>
> wrote:
> > The attached patch adds policy support for nrpe.
> > (nrpe stands for Nagios Remote Plugin Execution and is a client called
> > from inetd which performs checks on a client on behalf of a Nagios
> > server)
>
> We currently have a netsaint.te in the policy, should we change that to
> nagios.te?
Yes, I think it would be best to change the name.
> Should we include the nrpe stuff in the main netsaint.te or
> nagios.te file or is it best to keep client and server stuff separate?
It should be kept separate. Typically you have one server running
Nagios, but many or all clients running nrpe. So it makes sense to
keep the policy separate.
Thomas
--
http://www.cip.ifi.lmu.de/~bleher/selinux/ - my SELinux pages
GPG-Fingerprint: BC4F BB16 30D6 F253 E3EA D09E C562 2BAE B2F4 ABE7
* Re: [patch] policy for nrpe
From: Russell Coker @ 2004-05-25 2:41 UTC
To: Thomas Bleher; +Cc: SELinux ML
On Mon, 24 May 2004 19:09, Thomas Bleher <bleher@informatik.uni-muenchen.de>
wrote:
> > We currently have a netsaint.te in the policy, should we change that to
> > nagios.te?
>
> Yes, I think it would be best to change the name.
OK, I've attached nagios.te and nagios.fc to replace netsaint.te and
netsaint.fc. I have not made any changes other than the renaming. I have
not put in typealias rules because I don't believe that my netsaint policy
got enough use to make compatibility an issue.
--
http://apac.redhat.com/disclaimer
See above URL for disclaimer.
[-- Attachment #2: nagios.fc --]
[-- Type: text/plain, Size: 400 bytes --]
# netsaint - network monitoring server
/usr/sbin/netsaint -- system_u:object_r:nagios_exec_t
#/var/run/netsaint(/.*)? system_u:object_r:nagios_var_run_t
/etc/netsaint(/.*)? system_u:object_r:nagios_etc_t
/var/log/netsaint(/.*)? system_u:object_r:nagios_log_t
/usr/lib(64)?/netsaint/plugins(/.*)? system_u:object_r:bin_t
/usr/lib(64)?/cgi-bin/netsaint/.+ -- system_u:object_r:nagios_cgi_exec_t
[-- Attachment #3: nagios.te --]
[-- Type: text/plain, Size: 2678 bytes --]
#DESC Net Saint / NAGIOS - network monitoring server
#
# Author: Russell Coker <russell@coker.com.au>
# X-Debian-Packages: netsaint, nagios
# Depends: mta.te
#
#################################
#
# Rules for the nagios_t domain.
#
# nagios_exec_t is the type of the netsaint/nagios executable.
#
daemon_domain(nagios, `, privmail')
etcdir_domain(nagios)
typealias nagios_etc_t alias etc_nagios_t;
logdir_domain(nagios)
allow nagios_t nagios_log_t:fifo_file create_file_perms;
allow initrc_t nagios_log_t:dir rw_dir_perms;
tmp_domain(nagios)
allow system_mail_t nagios_tmp_t:file { getattr read };
# for open file handles
dontaudit system_mail_t nagios_etc_t:file read;
dontaudit system_mail_t nagios_log_t:fifo_file read;
# Use the network.
allow nagios_t self:fifo_file rw_file_perms;
allow nagios_t self:unix_stream_socket create_socket_perms;
allow nagios_t self:unix_dgram_socket create_socket_perms;
# Use capabilities
allow nagios_t self:capability { dac_override setgid setuid };
allow nagios_t self:process setpgid;
allow nagios_t { bin_t sbin_t }:dir search;
allow nagios_t bin_t:lnk_file read;
can_exec(nagios_t, { shell_exec_t bin_t })
allow nagios_t proc_t:file { getattr read };
can_network(nagios_t)
# read config files
allow nagios_t { etc_t etc_runtime_t }:file { getattr read };
allow nagios_t etc_t:lnk_file read;
allow nagios_t etc_t:dir r_dir_perms;
# for ps
r_dir_file(nagios_t, domain)
allow nagios_t boot_t:dir search;
allow nagios_t system_map_t:file { getattr read };
# for who
allow nagios_t initrc_var_run_t:file { getattr read lock };
system_domain(nagios_cgi)
allow nagios_cgi_t device_t:dir search;
r_dir_file(nagios_cgi_t, nagios_etc_t)
allow nagios_cgi_t var_log_t:dir search;
r_dir_file(nagios_cgi_t, nagios_log_t)
allow nagios_cgi_t self:process { fork signal_perms };
allow nagios_cgi_t self:fifo_file rw_file_perms;
allow nagios_cgi_t bin_t:dir search;
can_exec(nagios_cgi_t, bin_t)
read_locale(nagios_cgi_t)
# for ps
allow nagios_cgi_t { etc_runtime_t etc_t }:file { getattr read };
r_dir_file(nagios_cgi_t, { proc_t self nagios_t })
allow nagios_cgi_t boot_t:dir search;
allow nagios_cgi_t system_map_t:file { getattr read };
dontaudit nagios_cgi_t domain:dir getattr;
allow nagios_cgi_t self:unix_stream_socket create_socket_perms;
ifdef(`apache.te', `
r_dir_file(httpd_t, nagios_etc_t)
domain_auto_trans({ httpd_t httpd_suexec_t }, nagios_cgi_exec_t, nagios_cgi_t)
allow nagios_cgi_t httpd_log_t:file append;
')
ifdef(`ping.te', `
domain_auto_trans(nagios_t, ping_exec_t, ping_t)
allow nagios_t ping_t:process { sigkill signal };
dontaudit ping_t nagios_etc_t:file read;
dontaudit ping_t nagios_log_t:fifo_file read;
')
* Re: [patch] policy for nrpe
From: Russell Coker @ 2004-05-25 2:48 UTC
To: Thomas Bleher; +Cc: SELinux ML
On Mon, 24 May 2004 07:44, Thomas Bleher <bleher@informatik.uni-muenchen.de>
wrote:
> The attached patch adds policy support for nrpe.
> (nrpe stands for Nagios Remote Plugin Execution and is a client called
> from inetd which performs checks on a client on behalf of a Nagios
> server)
I have made a couple of changes. I have labeled the port as inetd_port_t,
there seems to be no benefit in having a different type as only inetd is used
for binding to the port. I have added support for running directly from
inetd without tcpd (my personal preference for such things is to run nagios
on the internal network and use netfilter to control access).
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
[-- Attachment #2: nrpe.te --]
[-- Type: text/plain, Size: 1066 bytes --]
# DESC nrpe - Nagios Remote Plugin Execution
#
# Author: Thomas Bleher <ThomasBleher@gmx.de>
#
# Depends: tcpd.te
# X-Debian-Packages: nagios-nrpe-server
#
# This policy assumes that nrpe is called from inetd
daemon_base_domain(nrpe)
ifdef(`tcpd.te', `
domain_auto_trans(tcpd_t, nrpe_exec_t, nrpe_t)
')
domain_auto_trans(inetd_t, nrpe_exec_t, nrpe_t)
allow nrpe_t urandom_device_t:chr_file { getattr ioctl read };
allow nrpe_t self:fifo_file rw_file_perms;
# use sockets inherited from inetd
allow nrpe_t inetd_t:tcp_socket { ioctl read write };
allow nrpe_t devtty_t:chr_file { read write };
allow nrpe_t self:process setpgid;
etc_domain(nrpe)
# permissions for the scripts executed by nrpe
#
# call shell programs
can_exec(nrpe_t, { bin_t shell_exec_t ls_exec_t })
allow nrpe_t { bin_t sbin_t }:dir search;
# for /bin/sh
allow nrpe_t bin_t:lnk_file read;
# read /proc/meminfo, /proc/self/mounts and /etc/mtab
allow nrpe_t { self proc_t etc_runtime_t }:file { getattr read };
# you will have to add more permissions here, depending on the scripts you call!
* Re: [patch] policy for nrpe
From: Thomas Bleher @ 2004-05-25 9:03 UTC
To: Russell Coker; +Cc: SELinux ML
* Russell Coker <russell@coker.com.au> [2004-05-25 06:37]:
> On Mon, 24 May 2004 07:44, Thomas Bleher <bleher@informatik.uni-muenchen.de>
> wrote:
> > The attached patch adds policy support for nrpe.
> > (nrpe stands for Nagios Remote Plugin Execution and is a client called
> > from inetd which performs checks on a client on behalf of a Nagios
> > server)
>
> I have made a couple of changes. I have labeled the port as inetd_port_t,
> there seems to be no benefit in having a different type as only inetd is used
> for binding to the port. I have added support for running directly from
> inetd without tcpd (my personal preference for such things is to run nagios
> on the internal network and use netfilter to control access).
This looks good to me. I have attached the modified patch.
Thanks,
Thomas
--
http://www.cip.ifi.lmu.de/~bleher/selinux/ - my SELinux pages
GPG-Fingerprint: BC4F BB16 30D6 F253 E3EA D09E C562 2BAE B2F4 ABE7
[-- Attachment #1.2: nrpe.patch --]
[-- Type: text/plain, Size: 2305 bytes --]
diff -urN orig/domains/program/nrpe.te mod/domains/program/nrpe.te
--- orig/domains/program/nrpe.te 1970-01-01 01:00:00.000000000 +0100
+++ mod/domains/program/nrpe.te 2004-05-25 10:59:25.558086504 +0200
@@ -0,0 +1,38 @@
+# DESC nrpe - Nagios Remote Plugin Execution
+#
+# Author: Thomas Bleher <ThomasBleher@gmx.de>
+#
+# X-Debian-Packages: nagios-nrpe-server
+#
+# This policy assumes that nrpe is called from inetd
+
+daemon_base_domain(nrpe)
+ifdef(`tcpd.te', `
+domain_auto_trans(tcpd_t, nrpe_exec_t, nrpe_t)
+')
+domain_auto_trans(inetd_t, nrpe_exec_t, nrpe_t)
+
+allow nrpe_t urandom_device_t:chr_file { getattr ioctl read };
+
+allow nrpe_t self:fifo_file rw_file_perms;
+# use sockets inherited from inetd
+allow nrpe_t inetd_t:tcp_socket { ioctl read write };
+allow nrpe_t devtty_t:chr_file { read write };
+
+allow nrpe_t self:process setpgid;
+
+etc_domain(nrpe)
+
+# permissions for the scripts executed by nrpe
+#
+# call shell programs
+can_exec(nrpe_t, { bin_t shell_exec_t ls_exec_t })
+allow nrpe_t { bin_t sbin_t }:dir search;
+# for /bin/sh
+allow nrpe_t bin_t:lnk_file read;
+
+# read /proc/meminfo, /proc/self/mounts and /etc/mtab
+allow nrpe_t { self proc_t etc_runtime_t }:file { getattr read };
+
+# you will have to add more permissions here, depending on the scripts you call!
+
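Review bot: the header comment "This policy assumes that nrpe is called from inetd" understates what happens otherwise: daemon_base_domain(nrpe) is the macro used for init-started services, yet the only socket rule in the file is for a tcp_socket inherited from inetd_t, with no create or name_bind of its own, so a standalone daemon start of nrpe would be denied rather than merely unsupported. Either say that explicitly in the comment or add the standalone socket rules under an ifdef. The unconditional domain_auto_trans(inetd_t, ...) next to the ifdef-guarded tcpd_t one is the right shape, and dropping the Depends: line follows from it. Remove the trailing blank line at end of file (the last `+` line).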
diff -urN orig/file_contexts/program/nrpe.fc mod/file_contexts/program/nrpe.fc
--- orig/file_contexts/program/nrpe.fc 1970-01-01 01:00:00.000000000 +0100
+++ mod/file_contexts/program/nrpe.fc 2004-05-25 10:59:34.238766840 +0200
@@ -0,0 +1,6 @@
+# nrpe
+/usr/bin/nrpe -- system_u:object_r:nrpe_exec_t
+/etc/nagios/nrpe.cfg -- system_u:object_r:nrpe_etc_t
+/usr/lib/netsaint/plugins(/.*)? -- system_u:object_r:bin_t
+/usr/lib/nagios/plugins(/.*)? -- system_u:object_r:bin_t
+
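Review bot: the `--` on the two plugin lines still restricts them to regular files, so the plugin directories themselves match neither entry; drop it, as nagios.fc does for its /usr/lib(64)?/netsaint/plugins(/.*)? line, and consider the same (64)? so lib64 installs are labeled too. Also drop the trailing blank line at end of file.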
diff -urN orig/net_contexts mod/net_contexts
--- orig/net_contexts 2004-05-25 10:58:52.402126976 +0200
+++ mod/net_contexts 2004-05-25 10:43:06.000000000 +0200
@@ -142,6 +142,7 @@
portcon tcp 5269 system_u:object_r:jabber_interserver_port_t
')
ifdef(`postgresql.te', `portcon tcp 5432 system_u:object_r:postgresql_port_t')
+ifdef(`nrpe.te', `portcon tcp 5666 system_u:object_r:inetd_port_t')
ifdef(`use_x_ports', `
portcon tcp 6000 system_u:object_r:xserver_port_t
portcon tcp 6001 system_u:object_r:xserver_port_t
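Review bot: with the port now inetd_port_t the ifdef(`nrpe.te', ...) guard is the only thing tying this line to nrpe, which is fine, but a short comment would help a reader who saw nrpe_port_t in the first version and now greps for it in vain. Dropping the earlier inetd.te hunk is correct for the reason given in the reply: only inetd binds the port, and it binds inetd_port_t already.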
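The closing comment in nrpe.te ("you will have to add more permissions here, depending on the scripts you call!") leaves the reader with the usual loop: run each plugin through nrpe, collect the AVC denials, and turn them into rules. The script below is an added example for this thread, not part of the patch or of nrpe. It groups denials by source type, target type and object class the way nrpe.te's own rules are written, and separates out denials whose permission a read-only check plugin should not need (write, create and the like) so they get a decision rather than an allow rule. The audit lines it processes are constructed; the plugin names, paths and target types in them are assumptions.

```python
"""Turn AVC denials from an nrpe test run into candidate allow rules.

Added example for this thread, not code from the posted patch or from the
nrpe/Nagios projects.  The audit lines in SAMPLE_AVC_LOG are constructed to
look like what the kernel logs when a plugin started by nrpe_t touches
something the policy does not yet allow; plugin names, paths and target
types in them are assumptions, not observations from a real host.
"""
import re
from collections import defaultdict

SAMPLE_AVC_LOG = """\
audit(1085400000.123:45): avc:  denied  { getattr } for  pid=2471 comm="check_disk" dev=hda1 scontext=system_u:system_r:nrpe_t tcontext=system_u:object_r:fs_t tclass=filesystem
audit(1085400000.124:46): avc:  denied  { search } for  pid=2471 comm="check_disk" name="/" dev=hda1 ino=2 scontext=system_u:system_r:nrpe_t tcontext=system_u:object_r:root_t tclass=dir
audit(1085400001.200:47): avc:  denied  { read } for  pid=2473 comm="check_users" name="utmp" dev=hda1 ino=9132 scontext=system_u:system_r:nrpe_t tcontext=system_u:object_r:initrc_var_run_t tclass=file
audit(1085400001.201:48): avc:  denied  { lock } for  pid=2473 comm="check_users" path="/var/run/utmp" dev=hda1 ino=9132 scontext=system_u:system_r:nrpe_t tcontext=system_u:object_r:initrc_var_run_t tclass=file
audit(1085400002.010:49): avc:  denied  { write } for  pid=2475 comm="check_log" name="messages" dev=hda1 ino=777 scontext=system_u:system_r:nrpe_t tcontext=system_u:object_r:var_log_t tclass=file
audit(1085400002.011:50): avc:  denied  { create } for  pid=2476 comm="check_ping" scontext=system_u:system_r:nrpe_t tcontext=system_u:system_r:nrpe_t tclass=rawip_socket
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}"
    r".*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)
COMM_RE = re.compile(r'comm="([^"]*)"')

# A read-only monitoring plugin has no business with these.  A candidate rule
# containing one is reported for review instead of being emitted as an allow,
# because the fix is to change (or separately confine) the plugin, not to
# widen nrpe_t.
SUSPICIOUS_PERMS = {"write", "append", "create", "unlink", "setattr", "execute_no_trans"}


def type_of(context):
    """Extract the type field from a user:role:type[:range] security context."""
    return context.split(":")[2]


def parse_avc(log_text):
    """Group denials by (source type, target type, object class).

    Returns {(src, tgt, tclass): (set_of_perms, set_of_comms)}; lines that
    are not AVC denials are skipped.
    """
    groups = defaultdict(lambda: (set(), set()))
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        key = (type_of(m["scontext"]), type_of(m["tcontext"]), m["tclass"])
        perms, comms = groups[key]
        perms.update(m["perms"].split())
        c = COMM_RE.search(line)
        if c:
            comms.add(c.group(1))
    return dict(groups)


def _perm_str(perms):
    """Single permission bare, several as a brace set, as in nrpe.te."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def render_rules(groups):
    """Render candidate rules in the syntax nrpe.te uses.

    Returns (allow_lines, flagged_lines).  A target equal to the source is
    written as 'self', matching the posted policy's self:fifo_file rule, and
    each line carries the plugin(s) that triggered it as a trailing comment.
    """
    allow, flagged = [], []
    for (src, tgt, cls), (perms, comms) in sorted(groups.items()):
        tgt_name = "self" if tgt == src else tgt
        line = f"allow {src} {tgt_name}:{cls} {_perm_str(perms)}; # {' '.join(sorted(comms))}"
        if perms & SUSPICIOUS_PERMS:
            flagged.append("# REVIEW: " + line)
        else:
            allow.append(line)
    return allow, flagged


if __name__ == "__main__":
    allow, flagged = render_rules(parse_avc(SAMPLE_AVC_LOG))
    print("# candidate additions to nrpe.te")
    print("\n".join(allow))
    print("# denials that need a decision, not a rule")
    print("\n".join(flagged))
```

Feed it `dmesg` or the audit log after a permissive-mode run of the plugins you actually configure; everything in the allow list is a candidate to paste under the "permissions for the scripts executed by nrpe" comment, and everything flagged is a plugin to look at before the policy is widened.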