From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Fri, 23 Oct 2009 09:05:16 -0400
Subject: [refpolicy] Fwd: nagios policy patches
In-Reply-To: <4AE19AA9.6040706@redhat.com>
References: <4AE19AA9.6040706@redhat.com>
Message-ID: <1256303116.28212.38.camel@gorn.columbia.tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Fri, 2009-10-23 at 07:59 -0400, Daniel J Walsh wrote:
> Here are some changes made to nagios by someone within Red Hat, based
> on RHEL5. It needs some cleanup, but I wanted to bring up for
> discussion whether we want this number of booleans. Since I never use
> nagios, I wanted to know if this is the way we should go.

I don't have a problem with a lot of Booleans, as long as they're reasonable. I don't have an objective guide as to when they become unreasonable, but we don't want to have conditionals that have little security value (i.e. it doesn't really hurt if it's allowed, but not needed).

> +gen_tunable(nagios_can_check_mailq, false) > +tunable_policy(`nagios_can_check_mailq',` > + # allow nagios to check mailq (needs also DAC rights to execute mailq) > + allow nagios_plugin_t ld_so_t:file execute; > + allow nagios_plugin_t self:capability { setuid setgid dac_override }; > + corecmd_read_bin_symlinks(nagios_plugin_t) > + corecmd_search_bin(nagios_plugin_t) > + corecmd_search_sbin(nagios_plugin_t) > + dev_read_urand(nagios_plugin_t) > + files_search_spool(nagios_plugin_t) > + kernel_read_kernel_sysctls(nagios_plugin_t) > + mta_getattr_spool(nagios_plugin_t) > + mta_sendmail_exec(nagios_plugin_t) > +')

This should probably be optional due to the last two calls.
> +#Booleans for network checks > + > +gen_tunable(nagios_can_check_network, false) > +tunable_policy(`nagios_can_check_network',` > + # allow nagios to execute network checks > + allow nagios_plugin_t self:udp_socket create_socket_perms; > + allow nagios_plugin_t self:tcp_socket create_stream_socket_perms; > + corenet_sendrecv_unlabeled_packets(nagios_plugin_t) > + sysnet_read_config(nagios_plugin_t) > +') > + > +gen_tunable(nagios_can_check_pop3, false) > +tunable_policy(`nagios_can_check_pop3',` > + # allow nagios to check pop3 > + corenet_tcp_connect_pop_port(nagios_plugin_t) > +') > + > +gen_tunable(nagios_can_check_ssh, false) > +tunable_policy(`nagios_can_check_ssh',` > + # allow nagios to check ssh > + corenet_tcp_connect_ssh_port(nagios_plugin_t) > +') > + > +gen_tunable(nagios_can_check_http, false) > +tunable_policy(`nagios_can_check_http',` > + # allow nagios to check http > + corenet_tcp_connect_http_port(nagios_plugin_t) > +') > + > +gen_tunable(nagios_can_check_ftp, false) > +tunable_policy(`nagios_can_check_ftp',` > + # allow nagios to check ftp > + corenet_tcp_connect_ftp_port(nagios_plugin_t) > +') > + > +gen_tunable(nagios_can_check_ldap, false) > +tunable_policy(`nagios_can_check_ldap',` > + # allow nagios to check ldap > + corenet_tcp_connect_ldap_port(nagios_plugin_t) > +') > + > +gen_tunable(nagios_can_check_nrpe, false) > +tunable_policy(`nagios_can_check_nrpe',` > + # allow nagios to check nrpe > + corenet_tcp_connect_inetd_child_port(nagios_plugin_t) > + dev_read_rand(nagios_plugin_t) > +') > + > +gen_tunable(nagios_can_check_dns, false) > +tunable_policy(`nagios_can_check_dns',` > + # allow nagios to check dns (parsing /usr/bin/nslookup -sil) > + corecmd_search_bin(nagios_plugin_t) > + corecmd_exec_bin(nagios_plugin_t) > + allow nagios_plugin_t ld_so_t:file execute; > + corenet_udp_bind_inaddr_any_node(nagios_plugin_t) > + allow nagios_plugin_t self:process { signal sigkill }; > +') > + > +gen_tunable(nagios_can_check_dhcp, false) > 
> +tunable_policy(`nagios_can_check_dhcp',` > + # allow nagios to check dhcp (also needs setuid) > + allow nagios_plugin_t self:capability { net_raw net_bind_service }; > + allow nagios_plugin_t self:tcp_socket create; > + corenet_udp_bind_dhcpc_port(nagios_plugin_t) > + corenet_udp_bind_inaddr_any_node(nagios_plugin_t) > +')

I'd probably merge all of these into nagios_can_check_network.

> +gen_tunable(nagios_can_check_mysql, false) > +tunable_policy(`nagios_can_check_mysql',` > + # allow nagios to check mysql > + mysql_read_config(nagios_plugin_t) > + mysql_search_db(nagios_plugin_t) > + mysql_stream_connect(nagios_plugin_t) > +')

This should probably be optional too.

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
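Review bot: in the nagios_can_check_mailq block, `allow nagios_plugin_t ld_so_t:file execute;` names a type that belongs to the libraries module directly; refpolicy style is to go through that module's interface (libs_exec_ld_so(nagios_plugin_t)) rather than referencing ld_so_t from nagios.te, and the identical raw rule in the nagios_can_check_dns block should be replaced the same way. The line `allow nagios_plugin_t self:capability { setuid setgid dac_override };` is also the widest grant in the patch: dac_override lets the plugin domain bypass mode bits on any file, which is far more than the DAC rights the comment says mailq needs, so confirm from the denials that dac_override is really required rather than, for example, a missing search permission on a spool directory. Since mta_getattr_spool and mta_sendmail_exec come from the mta module, the tunable_policy also needs an optional_policy(`...') wrapper or the policy will not build without mta.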
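Review bot: the nagios_can_check_pop3, _ssh, _http, _ftp, _ldap and _nrpe blocks grant only corenet_tcp_connect_*_port, and the nagios_can_check_dns and _dhcp blocks grant only UDP bind rules, while the tcp_socket create_stream_socket_perms, udp_socket create_socket_perms and sysnet_read_config they all need are granted solely under nagios_can_check_network; every one of these booleans is therefore a silent no-op unless nagios_can_check_network is also on, and nothing in the patch says so. Either fold the per-protocol connect rules into nagios_can_check_network as Chris suggests above, or make the dependency explicit in the condition, e.g. tunable_policy(`nagios_can_check_network && nagios_can_check_pop3',`, so a user who flips only the pop3 boolean gets a working check instead of an unexplained denial. Separately, none of the gen_tunable lines carries the `## <desc>` documentation block that refpolicy expects above each tunable, so the boolean descriptions will be missing from the generated policy documentation.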
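Review bot: in the nagios_can_check_nrpe block, dev_read_rand(nagios_plugin_t) grants reads of /dev/random, which can block the plugin on an entropy-starved host; check_nrpe's SSL setup normally only needs /dev/urandom, which is dev_read_urand (already used in the mailq block), so verify which device the denial was actually for before keeping dev_read_rand. In the nagios_can_check_dns block, corecmd_search_bin(nagios_plugin_t) is redundant next to corecmd_exec_bin(nagios_plugin_t), and since corecmd_exec_bin runs nslookup inside nagios_plugin_t itself with no transition, the added `allow nagios_plugin_t self:process { signal sigkill };` and the UDP bind rules widen the plugin domain as a whole, not just the DNS check; that is worth stating in the block comment so a reader understands what enabling the boolean really permits.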
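Review bot: in the nagios_can_check_dhcp block, `allow nagios_plugin_t self:capability { net_raw net_bind_service };` grants CAP_NET_RAW, but no rawip_socket or packet_socket permissions appear alongside it, while `allow nagios_plugin_t self:tcp_socket create;` grants a TCP socket for what the remaining rules treat as a UDP check; the rule set does not line up with a single way of doing the check. If check_dhcp opens a packet socket it needs the matching self:packet_socket permissions and net_raw stays; if it only binds the dhcpc UDP port, net_raw should be dropped and the tcp_socket create rule questioned, since net_raw lets the domain craft and sniff arbitrary packets. The comment "(also needs setuid)" should also say that it means the DAC setuid bit on the plugin binary, because this block grants no setuid capability.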