From 0f4d8b1a85a59cb813c3bccaed7eba4960614525 Mon Sep 17 00:00:00 2001
From: Arne Teuke
Date: Thu, 20 Jul 2017 17:12:18 +0100
Subject: [PATCH 1/3] trying to work my way again through selinux
---
 manifests/selinux/config.pp | 22 +++++++++++++++++-----
 manifests/server/access_rules.pp | 6 ------
 templates/nagios/htpasswd_head.erb | 0
 3 files changed, 17 insertions(+), 11 deletions(-)
 delete mode 100644 templates/nagios/htpasswd_head.erb
diff --git a/manifests/selinux/config.pp b/manifests/selinux/config.pp
index 39336b1..d2f434a 100644
--- a/manifests/selinux/config.pp
+++ b/manifests/selinux/config.pp
@@ -27,11 +27,22 @@ class cd_nagios::selinux::config (
 if $ng_use_selinux_tools == true {
- # sealert tac-cgi
+ # it appears that selinux hehaves differently accross different nodes,
+ # so all we can do for now is to create a list of the AVC alerts and come up
+ # with a solution on that later.
+
+ exec { 'create_avc_list':
+ command => 'sealert -a /var/log/audit/audit.log > avc_alerts',
+ cwd => $ng_user_home,
+ path => ['/usr/bin'],
+ creates -> 'avc_alerts',
+ }
+
+ # sealert tac-cgi
 exec { 'create_policy_taccgi':
 command => template($ng_taccgi_erb),
 path => ['/usr/bin','/usr/sbin'],
- cwd => '/tmp',
+ cwd => $ng_user_home,
 creates => '/tmp/my-taccgi.pp',
 notify => Exec['semodule_taccgi'],
 }
@@ -39,7 +50,7 @@ class cd_nagios::selinux::config (
 exec { 'semodule_taccgi':
 command => 'semodule -i my-taccgi.pp',
 path => ['/usr/bin','/usr/sbin'],
- cwd => '/tmp',
+ cwd => $ng_user_home,
 require => Exec['create_policy_taccgi'],
 refreshonly => true,
 }
@@ -49,7 +60,7 @@ class cd_nagios::selinux::config (
 exec { 'create_policy_statuscgi':
 command => template($ng_statcgi_erb),
 path => ['/usr/bin','/usr/sbin'],
- cwd => '/tmp',
+ cwd => $ng_user_home,
 creates => '/tmp/my-statuscgi.pp',
 notify => Exec['semodule_taccgi'],
 }
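Review bot: In hunk `@@ -27,11 +27,22 @@` the `create_policy_taccgi` exec moves to `cwd => $ng_user_home` but keeps `creates => '/tmp/my-taccgi.pp'`; the relative `semodule -i my-taccgi.pp` in hunk `@@ -39,7 +50,7 @@` implies the templated command writes the module into cwd, so the guard now watches a path nothing writes and the exec (plus the notified semodule reload) will presumably re-run on every agent run, or never run if a stale copy still sits in /tmp. The same mismatch is in `create_policy_statuscgi` in hunk `@@ -49,7 +60,7 @@`; patch 2 already uses the right form for `create_avc_list`, so `creates => "${ng_user_home}/my-taccgi.pp",` and `creates => "${ng_user_home}/my-statuscgi.pp",` would align them. Because `semodule -i` loads the module into the running policy as root, who can write to `$ng_user_home` matters: if that is a login user's home rather than a root-owned staging directory, a user-writable `my-taccgi.pp` becomes a way to alter the SELinux policy, and a root-owned directory is the safer `cwd`. On the unchanged context line, `create_policy_statuscgi` notifies `Exec['semodule_taccgi']` instead of `semodule_statuscgi`, which looks like a copy-paste slip worth fixing in the same pass.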
@@ -57,9 +68,10 @@ class cd_nagios::selinux::config (
 exec { 'semodule_statuscgi':
 command => 'semodule -i my-statuscgi.pp',
 path => ['/usr/bin','/usr/sbin'],
- cwd => '/tmp',
+ cwd => $ng_user_home,
 require => Exec['create_policy_statuscgi'],
 refreshonly => true,
 }
+
 }
 }
diff --git a/manifests/server/access_rules.pp b/manifests/server/access_rules.pp
index 07668f4..0f7bb98 100644
--- a/manifests/server/access_rules.pp
+++ b/manifests/server/access_rules.pp
@@ -45,11 +45,5 @@ class cd_nagios::server::access_rules (
 seluser => system_u,
 notify => Service[$ng_service],
 }
-
- concat::fragment { 'create_header':
- target => $ng_htpasswd_file,
- content => template($ng_htpasswd_head),
- notify => Service[$ng_service],
- }
 }
 }
diff --git a/templates/nagios/htpasswd_head.erb b/templates/nagios/htpasswd_head.erb
deleted file mode 100644
index e69de29..0000000
From a33a855948f5050dd2e6ef0404659862ba82225c Mon Sep 17 00:00:00 2001
From: Arne Teuke
Date: Thu, 20 Jul 2017 17:14:42 +0100
Subject: [PATCH 2/3] trying to work my way again through selinux
---
 manifests/selinux/config.pp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/manifests/selinux/config.pp b/manifests/selinux/config.pp
index d2f434a..2cf5f1c 100644
--- a/manifests/selinux/config.pp
+++ b/manifests/selinux/config.pp
@@ -35,7 +35,7 @@ class cd_nagios::selinux::config (
 command => 'sealert -a /var/log/audit/audit.log > avc_alerts',
 cwd => $ng_user_home,
 path => ['/usr/bin'],
- creates -> 'avc_alerts',
+ creates => "${ng_user_home}/avc_alerts",
 }
 # sealert tac-cgi
From 33ed2fc013f9abd2509ff74eb1d131617d54b5ee Mon Sep 17 00:00:00 2001
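Review bot: In patch 2's hunk `@@ -35,7 +35,7 @@`, `creates => "${ng_user_home}/avc_alerts"` fixes the `->` typo but also turns `create_avc_list` into a one-shot: once the file exists the exec never re-runs, so denials logged after the first Puppet run will not appear in the list the comment says is being collected. If a snapshot is the intent, say so next to the resource, e.g. `# one-off snapshot; remove avc_alerts to regenerate`; otherwise drop `creates` and gate the exec with `refreshonly` or `onlyif` instead. Separately, the dump is written by root through shell redirection into `$ng_user_home` with whatever mode root's umask yields and no owner/mode management in view; audit-log-derived output in a service user's home deserves an explicit `file` resource with `owner` and `mode`, or a root-only staging directory. The enclosing `if $ng_use_selinux_tools` block starts outside this hunk.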
From: Jenkins Server
Date: Thu, 20 Jul 2017 18:15:02 +0200
Subject: [PATCH 3/3] recommit for updates in build 10
---
 CHANGELOG.md | 25 ++++++++++++
 REPOSTRUCTURE.md | 3 +-
 doc/_index.html | 2 +-
 doc/file.README.html | 2 +-
 doc/index.html | 2 +-
 doc/puppet_classes/cd_nagios.html | 2 +-
 ...cd_nagios_3A_3Afirewall_3A_3Aiptables.html | 2 +-
 .../cd_nagios_3A_3Amain_3A_3Aconfig.html | 2 +-
 .../cd_nagios_3A_3Amain_3A_3Adirs.html | 2 +-
 .../cd_nagios_3A_3Amain_3A_3Ainstall.html | 2 +-
 .../cd_nagios_3A_3Amain_3A_3Auser.html | 2 +-
 doc/puppet_classes/cd_nagios_3A_3Aparams.html | 2 +-
 .../cd_nagios_3A_3Aselinux_3A_3Aconfig.html | 38 +++++++++++++++----
 ..._nagios_3A_3Aserver_3A_3Aaccess_rules.html | 16 +-------
 .../cd_nagios_3A_3Aserver_3A_3Afiles.html | 2 +-
 .../cd_nagios_3A_3Aserver_3A_3Aservice.html | 2 +-
 .../cd_nagios_3A_3Aserver_3A_3Aaccess.html | 2 +-
 doc/top-level-namespace.html | 2 +-
 tests/UTF_Files | 1 -
 19 files changed, 73 insertions(+), 38 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index cd3a9a9..ce06939 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -8,6 +8,31 @@ Changelog of Git Changelog.

No issue

+016ec1e6dbe77ac Jenkins Server 2017-07-20 15:17:24 +

+

recommit for updates in build 8

+ +

+508e672c317a2b8 Arne Teuke 2017-07-20 15:16:51 +

+

added statuscgi_pol to template

+ +

+8d204947db73672 Arne Teuke 2017-07-20 15:15:51 +

+

added statuscgi_pol

+ +

+aefb0a83a611a13 Arne Teuke 2017-07-20 14:55:30 +

+

undoing array

+ +

+00267d122ba29c2 Arne Teuke 2017-07-20 14:54:56 +

+

testing array

+ +

84a42a16a33cd80 Jenkins Server 2017-07-20 14:46:15

recommit for updates in build 4

diff --git a/REPOSTRUCTURE.md b/REPOSTRUCTURE.md
index a608adb..4b114a2 100644
--- a/REPOSTRUCTURE.md
+++ b/REPOSTRUCTURE.md
@@ -51,7 +51,6 @@
 |-- templates
 | |-- nagios
 | | |-- cgi_cfg.erb
-| | |-- htpasswd_head.erb
 | | `-- htpasswd_rule.erb
 | `-- selinux
 | |-- statuscgi.erb
@@ -66,4 +65,4 @@
 |-- README.md
 `-- REPOSTRUCTURE.md
-15 directories, 51 files
+15 directories, 50 files
diff --git a/doc/_index.html b/doc/_index.html
index ff3df04..5acb51f 100644
--- a/doc/_index.html
+++ b/doc/_index.html
@@ -176,7 +176,7 @@
diff --git a/doc/file.README.html b/doc/file.README.html
index ae7462f..850c8a2 100644
--- a/doc/file.README.html
+++ b/doc/file.README.html
@@ -297,7 +297,7 @@ environments.

diff --git a/doc/index.html b/doc/index.html
index a5c3e26..4ae18bc 100644
--- a/doc/index.html
+++ b/doc/index.html
@@ -297,7 +297,7 @@ environments.

diff --git a/doc/puppet_classes/cd_nagios.html b/doc/puppet_classes/cd_nagios.html
index af68945..97d2155 100644
--- a/doc/puppet_classes/cd_nagios.html
+++ b/doc/puppet_classes/cd_nagios.html
@@ -139,7 +139,7 @@ class cd_nagios {
diff --git a/doc/puppet_classes/cd_nagios_3A_3Afirewall_3A_3Aiptables.html b/doc/puppet_classes/cd_nagios_3A_3Afirewall_3A_3Aiptables.html
index c3a3efd..187a164 100644
--- a/doc/puppet_classes/cd_nagios_3A_3Afirewall_3A_3Aiptables.html
+++ b/doc/puppet_classes/cd_nagios_3A_3Afirewall_3A_3Aiptables.html
@@ -207,7 +207,7 @@ class cd_nagios::firewall::iptables (
diff --git a/doc/puppet_classes/cd_nagios_3A_3Amain_3A_3Aconfig.html b/doc/puppet_classes/cd_nagios_3A_3Amain_3A_3Aconfig.html
index 016771f..a6de126 100644
--- a/doc/puppet_classes/cd_nagios_3A_3Amain_3A_3Aconfig.html
+++ b/doc/puppet_classes/cd_nagios_3A_3Amain_3A_3Aconfig.html
@@ -187,7 +187,7 @@ class cd_nagios::main::config (
diff --git a/doc/puppet_classes/cd_nagios_3A_3Amain_3A_3Adirs.html b/doc/puppet_classes/cd_nagios_3A_3Amain_3A_3Adirs.html
index df389e2..f3d6abf 100644
--- a/doc/puppet_classes/cd_nagios_3A_3Amain_3A_3Adirs.html
+++ b/doc/puppet_classes/cd_nagios_3A_3Amain_3A_3Adirs.html
@@ -468,7 +468,7 @@ class cd_nagios::main::dirs (
diff --git a/doc/puppet_classes/cd_nagios_3A_3Amain_3A_3Ainstall.html b/doc/puppet_classes/cd_nagios_3A_3Amain_3A_3Ainstall.html
index d1ce1b6..52ba7ec 100644
--- a/doc/puppet_classes/cd_nagios_3A_3Amain_3A_3Ainstall.html
+++ b/doc/puppet_classes/cd_nagios_3A_3Amain_3A_3Ainstall.html
@@ -235,7 +235,7 @@ class cd_nagios::main::install (
diff --git a/doc/puppet_classes/cd_nagios_3A_3Amain_3A_3Auser.html b/doc/puppet_classes/cd_nagios_3A_3Amain_3A_3Auser.html
index 272c0e7..9e0ba14 100644
--- a/doc/puppet_classes/cd_nagios_3A_3Amain_3A_3Auser.html
+++ b/doc/puppet_classes/cd_nagios_3A_3Amain_3A_3Auser.html
@@ -200,7 +200,7 @@ class cd_nagios::main::user (
diff --git a/doc/puppet_classes/cd_nagios_3A_3Aparams.html b/doc/puppet_classes/cd_nagios_3A_3Aparams.html
index 5782712..ebb6a78 100644
--- a/doc/puppet_classes/cd_nagios_3A_3Aparams.html
+++ b/doc/puppet_classes/cd_nagios_3A_3Aparams.html
@@ -2137,7 +2137,7 @@ $ng_statcgi_erb = 'cd_nagios/selinux/statuscgi.erb'
diff --git a/doc/puppet_classes/cd_nagios_3A_3Aselinux_3A_3Aconfig.html b/doc/puppet_classes/cd_nagios_3A_3Aselinux_3A_3Aconfig.html
index a49032e..3b7a85d 100644
--- a/doc/puppet_classes/cd_nagios_3A_3Aselinux_3A_3Aconfig.html
+++ b/doc/puppet_classes/cd_nagios_3A_3Aselinux_3A_3Aconfig.html
@@ -171,7 +171,19 @@ href="http://www.gnu.org/licenses">www.gnu.org/licenses/.

62 63 64 -65 +65 +66 +67 +68 +69 +70 +71 +72 +73 +74 +75 +76 +77
# File 'manifests/selinux/config.pp', line 24
@@ -182,11 +194,22 @@ class cd_nagios::selinux::config (
 
   if $ng_use_selinux_tools == true {
 
-    # sealert tac-cgi
+  # it appears that selinux hehaves differently accross different nodes,
+  # so all we can do for now is to create a list of the AVC alerts and come up
+  # with a solution on that later.
+
+    exec { 'create_avc_list':
+      command     =>  'sealert -a /var/log/audit/audit.log > avc_alerts',
+      cwd         =>  $ng_user_home,
+      path        =>  ['/usr/bin'],
+      creates     =>  "${ng_user_home}/avc_alerts",
+    }
+
+   # sealert tac-cgi
     exec { 'create_policy_taccgi':
       command     =>  template($ng_taccgi_erb),
       path        =>  ['/usr/bin','/usr/sbin'],
-      cwd         =>  '/tmp',
+      cwd         =>  $ng_user_home,
       creates     =>  '/tmp/my-taccgi.pp',
       notify      =>  Exec['semodule_taccgi'],
     }
@@ -194,7 +217,7 @@ class cd_nagios::selinux::config (
     exec { 'semodule_taccgi':
       command     =>  'semodule -i my-taccgi.pp',
       path        =>  ['/usr/bin','/usr/sbin'],
-      cwd         =>  '/tmp',
+      cwd         =>  $ng_user_home,
       require     =>  Exec['create_policy_taccgi'],
       refreshonly => true,
     }
@@ -204,7 +227,7 @@ class cd_nagios::selinux::config (
     exec { 'create_policy_statuscgi':
       command     =>  template($ng_statcgi_erb),
       path        =>  ['/usr/bin','/usr/sbin'],
-      cwd         =>  '/tmp',
+      cwd         =>  $ng_user_home,
       creates     =>  '/tmp/my-statuscgi.pp',
       notify      =>  Exec['semodule_taccgi'],
     }
@@ -212,10 +235,11 @@ class cd_nagios::selinux::config (
     exec { 'semodule_statuscgi':
       command     =>  'semodule -i my-statuscgi.pp',
       path        =>  ['/usr/bin','/usr/sbin'],
-      cwd         =>  '/tmp',
+      cwd         =>  $ng_user_home,
       require     =>  Exec['create_policy_statuscgi'],
       refreshonly => true,
     }
+
   }
 }
@@ -225,7 +249,7 @@ class cd_nagios::selinux::config (
diff --git a/doc/puppet_classes/cd_nagios_3A_3Aserver_3A_3Aaccess_rules.html b/doc/puppet_classes/cd_nagios_3A_3Aserver_3A_3Aaccess_rules.html
index df68ae4..abd7b1e 100644
--- a/doc/puppet_classes/cd_nagios_3A_3Aserver_3A_3Aaccess_rules.html
+++ b/doc/puppet_classes/cd_nagios_3A_3Aserver_3A_3Aaccess_rules.html
@@ -161,13 +161,7 @@ href="http://www.gnu.org/licenses">www.gnu.org/licenses/.

46 47 48 -49 -50 -51 -52 -53 -54 -55 +49
# File 'manifests/server/access_rules.pp', line 28
@@ -192,12 +186,6 @@ class cd_nagios::server::access_rules (
       seluser   =>  system_u,
       notify    =>  Service[$ng_service],
     }
-
-    concat::fragment { 'create_header':
-      target    =>  $ng_htpasswd_file,
-      content   =>  template($ng_htpasswd_head),
-      notify    =>  Service[$ng_service],
-    }
   }
 }
@@ -207,7 +195,7 @@ class cd_nagios::server::access_rules (
diff --git a/doc/puppet_classes/cd_nagios_3A_3Aserver_3A_3Afiles.html b/doc/puppet_classes/cd_nagios_3A_3Aserver_3A_3Afiles.html
index 58d11ef..f8856b5 100644
--- a/doc/puppet_classes/cd_nagios_3A_3Aserver_3A_3Afiles.html
+++ b/doc/puppet_classes/cd_nagios_3A_3Aserver_3A_3Afiles.html
@@ -196,7 +196,7 @@ class cd_nagios::server::files (
diff --git a/doc/puppet_classes/cd_nagios_3A_3Aserver_3A_3Aservice.html b/doc/puppet_classes/cd_nagios_3A_3Aserver_3A_3Aservice.html
index 543dae7..07efede 100644
--- a/doc/puppet_classes/cd_nagios_3A_3Aserver_3A_3Aservice.html
+++ b/doc/puppet_classes/cd_nagios_3A_3Aserver_3A_3Aservice.html
@@ -174,7 +174,7 @@ class cd_nagios::server::service (
diff --git a/doc/puppet_defined_types/cd_nagios_3A_3Aserver_3A_3Aaccess.html b/doc/puppet_defined_types/cd_nagios_3A_3Aserver_3A_3Aaccess.html
index d95895c..57ef2c7 100644
--- a/doc/puppet_defined_types/cd_nagios_3A_3Aserver_3A_3Aaccess.html
+++ b/doc/puppet_defined_types/cd_nagios_3A_3Aserver_3A_3Aaccess.html
@@ -209,7 +209,7 @@ $ng_service = $::cd_nagios::params::ng_service
diff --git a/doc/top-level-namespace.html b/doc/top-level-namespace.html
index 257cc45..67249af 100644
--- a/doc/top-level-namespace.html
+++ b/doc/top-level-namespace.html
@@ -90,7 +90,7 @@
diff --git a/tests/UTF_Files b/tests/UTF_Files
index 7ac547d..a138597 100644
--- a/tests/UTF_Files
+++ b/tests/UTF_Files
@@ -4,4 +4,3 @@
 ./.yardoc/objects/root.dat: data
 ./doc/css/style.css: HTML document, UTF-8 Unicode text, with very long lines
 ./doc/js/jquery.js: HTML document, UTF-8 Unicode text, with very long lines
-./templates/nagios/htpasswd_head.erb: empty