[refpolicy] Fwd: nagios policy patches

Christopher J. PeBenito cpebenito at tresys.com
Fri Oct 23 08:05:16 CDT 2009


On Fri, 2009-10-23 at 07:59 -0400, Daniel J Walsh wrote:
> Here are some changes made to nagios by someone within Red Hat, based
> on RHEL5.  It needs some cleanup, but I wanted to bring it up for
> discussion whether we want this number of booleans.  Since I never use
> nagios, I wanted to know if this is the way we should go.

I don't have a problem with a lot of Booleans, as long as they're
reasonable.  I don't have an objective guide as to when they become
unreasonable, but we don't want to have conditionals that have little
security value (i.e. it doesn't really hurt if it's allowed, but not
needed).

> +gen_tunable(nagios_can_check_mailq, false)
> +tunable_policy(`nagios_can_check_mailq',`
> +       # allow nagios to check mailq (needs also DAC rights to execute mailq)
> +       allow nagios_plugin_t ld_so_t:file execute;
> +       allow nagios_plugin_t self:capability { setuid setgid dac_override };
> +       corecmd_read_bin_symlinks(nagios_plugin_t)
> +       corecmd_search_bin(nagios_plugin_t)
> +       corecmd_search_sbin(nagios_plugin_t)
> +       dev_read_urand(nagios_plugin_t)
> +       files_search_spool(nagios_plugin_t)
> +       kernel_read_kernel_sysctls(nagios_plugin_t)
> +       mta_getattr_spool(nagios_plugin_t)
> +       mta_sendmail_exec(nagios_plugin_t)
> +')
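
Review bot: the `allow nagios_plugin_t self:capability { setuid setgid dac_override };` line grants far more than the comment "needs also DAC rights to execute mailq" suggests: dac_override lets the plugin domain bypass file permission checks on any file it can otherwise reach, so enabling this boolean removes DAC as a second layer for every plugin, not just the mailq check. Please confirm whether the mailq helper really needs dac_override or whether setuid/setgid (to become the mail user) is enough, and record the reason beside the rule. The raw `allow nagios_plugin_t ld_so_t:file execute;` also references a type owned by the libraries module directly; the refpolicy way is the `libs_exec_ld_so(nagios_plugin_t)` interface, and since the same line is repeated in the dns boolean below it may belong outside the tunables altogether if the plugin domain always needs it.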

This should probably be optional due to the last two calls.


> +#Booleans for network checks
> +
> +gen_tunable(nagios_can_check_network, false)
> +tunable_policy(`nagios_can_check_network',`
> +       # allow nagios to execute network checks
> +       allow nagios_plugin_t self:udp_socket create_socket_perms;
> +       allow nagios_plugin_t self:tcp_socket create_stream_socket_perms;
> +       corenet_sendrecv_unlabeled_packets(nagios_plugin_t)
> +       sysnet_read_config(nagios_plugin_t)
> +')
> +
> +gen_tunable(nagios_can_check_pop3, false)
> +tunable_policy(`nagios_can_check_pop3',`
> +       # allow nagios to check pop3
> +       corenet_tcp_connect_pop_port(nagios_plugin_t)
> +')
> +
> +gen_tunable(nagios_can_check_ssh, false)
> +tunable_policy(`nagios_can_check_ssh',`
> +       # allow nagios to check ssh
> +       corenet_tcp_connect_ssh_port(nagios_plugin_t)
> +')
> +
> +gen_tunable(nagios_can_check_http, false)
> +tunable_policy(`nagios_can_check_http',`
> +       # allow nagios to check http
> +       corenet_tcp_connect_http_port(nagios_plugin_t)
> +')
> +
> +gen_tunable(nagios_can_check_ftp, false)
> +tunable_policy(`nagios_can_check_ftp',`
> +       # allow nagios to check ftp
> +       corenet_tcp_connect_ftp_port(nagios_plugin_t)
> +')
> +
> +gen_tunable(nagios_can_check_ldap, false)
> +tunable_policy(`nagios_can_check_ldap',`
> +       # allow nagios to check ldap
> +       corenet_tcp_connect_ldap_port(nagios_plugin_t)
> +')
> +
> +gen_tunable(nagios_can_check_nrpe, false)
> +tunable_policy(`nagios_can_check_nrpe',`
> +       # allow nagios to check nrpe 
> +       corenet_tcp_connect_inetd_child_port(nagios_plugin_t)
> +       dev_read_rand(nagios_plugin_t)
> +')
> +
> +gen_tunable(nagios_can_check_dns, false)
> +tunable_policy(`nagios_can_check_dns',`
> +       # allow nagios to check dns (parsing /usr/bin/nslookup -sil)
> +       corecmd_search_bin(nagios_plugin_t)
> +       corecmd_exec_bin(nagios_plugin_t)
> +       allow nagios_plugin_t ld_so_t:file execute;
> +       corenet_udp_bind_inaddr_any_node(nagios_plugin_t)
> +       allow nagios_plugin_t self:process { signal sigkill };
> +')
> +
> +gen_tunable(nagios_can_check_dhcp, false)
> +tunable_policy(`nagios_can_check_dhcp',`
> +       # allow nagios to check dhcp (also needs setuid)
> +       allow nagios_plugin_t self:capability { net_raw net_bind_service };
> +       allow nagios_plugin_t self:tcp_socket create;
> +       corenet_udp_bind_dhcpc_port(nagios_plugin_t)
> +       corenet_udp_bind_inaddr_any_node(nagios_plugin_t)
> +')
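
Review bot: the per-service booleans (pop3, ssh, http, ftp, ldap, nrpe) each add only a `corenet_tcp_connect_*_port` call, but the `self:tcp_socket create_stream_socket_perms` and `self:udp_socket` rules needed to open a socket at all live in `nagios_can_check_network`, so every one of them silently depends on that boolean also being on; either state the dependency in the tunable descriptions or fold them into `nagios_can_check_network`. Two blocks are broader than their comments say: `nagios_can_check_dns` uses `corecmd_exec_bin(nagios_plugin_t)`, which permits executing every bin_t program rather than just `/usr/bin/nslookup`, and `nagios_can_check_dhcp` grants `net_raw` plus `net_bind_service` (raw sockets and privileged ports for the whole plugin domain) while its comment admits it "also needs setuid", which only the unrelated `nagios_can_check_mailq` boolean provides. `corecmd_search_bin` and `corenet_udp_bind_inaddr_any_node` appear in more than one tunable and could be declared once. Minor: trailing whitespace on the `# allow nagios to check nrpe ` comment line.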

I'd probably merge all of these into nagios_can_check_network.

> +gen_tunable(nagios_can_check_mysql, false)
> +tunable_policy(`nagios_can_check_mysql',`
> +       # allow nagios to check mysql
> +       mysql_read_config(nagios_plugin_t)
> +       mysql_search_db(nagios_plugin_t)
> +       mysql_stream_connect(nagios_plugin_t)
> +')
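
Review bot: the three `mysql_*` interfaces only exist when the mysql module is loaded, so this `tunable_policy` block needs to sit inside an `optional_policy(`...`)` wrapper or the nagios module will fail to link on systems without mysql policy. Worth spelling out what the boolean hands to the whole `nagios_plugin_t` domain as well: `mysql_read_config` exposes the MySQL configuration, which may carry client credentials, and `mysql_search_db` plus `mysql_stream_connect` reach the server's data directory and socket; if only the mysql check plugin needs this, a dedicated plugin type would scope it better than a boolean over every plugin.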

This should probably be optional too.

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
