From c150bcd51d4b551a21c836535ae560aaf8fe969f Mon Sep 17 00:00:00 2001 From: Arne Teuke Date: Sun, 29 Apr 2018 13:44:55 +0200 Subject: [PATCH] adds grep c[Fheck --- manifests/params.pp | 4 +--- manifests/selinux/config.pp | 19 +++++++++++++++++++ templates/selinux/grep.erb | 1 + 3 files changed, 21 insertions(+), 3 deletions(-) create mode 100644 templates/selinux/grep.erb diff --git a/manifests/params.pp b/manifests/params.pp index 35845d7..bd78854 100644 --- a/manifests/params.pp +++ b/manifests/params.pp @@ -906,9 +906,6 @@ $ng_loadctl_options = 'jobs_max=100;backoff_limit=10;rampup_change=5', # single nagios checks $ng_enable_swap_check = true, -# resource.cfg -$ng_user_arg1 = '/usr/lib64/nagios/plugins', -$ng_user_arg2 = '/usr/lib64/nagios/plugins/eventhandlers', ) { @@ -970,6 +967,7 @@ $ng_ssl_vhost_erb = 'cd_nagios/httpd/nagios_ssl_vhost.erb' $ng_nagios_cfg_file = "${ng_main_dir}/nagios.cfg" $ng_nagios_cfg_erb = 'cd_nagios/nagios/nagios_cfg.erb' $ng_resource_erb = 'cd_nagios/nagios/resource_cfg.erb' +$ng_grep_erb = 'cd_nagios/selinux/grep.erb' # certbot $ng_certbot_main_dir = '/etc/letsencrypt' diff --git a/manifests/selinux/config.pp b/manifests/selinux/config.pp index af2c241..a8a5649 100644 --- a/manifests/selinux/config.pp +++ b/manifests/selinux/config.pp @@ -129,5 +129,24 @@ class cd_nagios::selinux::config ( refreshonly => true, notify => Service[$ng_service], } + + # sealert grep + + exec { 'create_policy_grep': + command => template($ng_grep_erb), + path => ['/usr/bin','/usr/sbin'], + cwd => $ng_user_home, + creates => "${ng_user_home}/my-grep.pp", + notify => Exec['semodule_statusdat'], + } + + exec { 'semodule_grep': + command => "semodule -i ${ng_user_home}/my-grep.pp", + path => ['/usr/bin','/usr/sbin'], + cwd => $ng_user_home, + require => Exec['create_policy_grep'], + refreshonly => true, + notify => Service[$ng_service], + } } } diff --git a/templates/selinux/grep.erb b/templates/selinux/grep.erb new file mode 100644 index 0000000..22117a4 
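Review bot: In `manifests/selinux/config.pp`, `Exec['create_policy_grep']` notifies `Exec['semodule_statusdat']`, which looks copied from the block above it. `Exec['semodule_grep']` is `refreshonly => true` and nothing in this hunk sends it a refresh, so the freshly built `my-grep.pp` would never be loaded. The line should read `notify => Exec['semodule_grep'],`, and the existing `require` on `semodule_grep` can stay. As written, building the grep policy also re-triggers the statusdat module install, which is probably not intended. The enclosing class starts outside the hunk, so a notifier elsewhere cannot be ruled out from here.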
--- /dev/null +++ b/templates/selinux/grep.erb @@ -0,0 +1 @@ +ausearch -c 'grep' --raw | audit2allow -M my-grep
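Review bot: The command in `templates/selinux/grep.erb` builds the module from whatever AVC denials with comm `grep` are in the host's audit log on the first run, and the manifest then loads it with `semodule -i` without anyone having read the rules. `ausearch -c 'grep'` is not limited to the Nagios domain, so a denial from any process named grep becomes an allow rule, and the resulting policy differs from host to host. Shipping a reviewed `my-grep.te` (or the compiled module) in the Puppet module and installing that would make the granted access explicit and repeatable, with a comment such as `# allow rules reviewed by hand; regenerate only on a test host`. If the log holds no matching denial, `my-grep.pp` is presumably never written, so the `creates` guard would not hold and the exec would run again on every agent run.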