From cf807acd5606c020e42a8176b4a238f787da3e89 Mon Sep 17 00:00:00 2001
From: Arne Teuke
Date: Sun, 30 Jul 2017 15:40:07 +0100
Subject: [PATCH] added selinux policy for checknrpe
---
 manifests/params.pp | 5 ++---
 manifests/selinux/config.pp | 21 +++++++++++++++++++++
 templates/selinux/checknrpe.erb | 1 +
 3 files changed, 24 insertions(+), 3 deletions(-)
 create mode 100644 templates/selinux/checknrpe.erb
diff --git a/manifests/params.pp b/manifests/params.pp
index 2492241..3b84230 100644
--- a/manifests/params.pp
+++ b/manifests/params.pp
@@ -703,7 +703,7 @@ $ng_u_comment = 'Nagios service user',
 $ng_u_uid = '1004',
 $ng_user_home = '/var/spool/nagios',
 $ng_u_groups = undef,
-$ng_user_shell = '/sbin/nologin',
+$ng_user_shell = '/bin/bash',
 # cgi settings
 $ng_context_help = '1',
@@ -937,6 +937,7 @@ $ng_htpasswd_head = 'cd_nagios/nagios/htpasswd_head.erb'
 $ng_htpasswd_rule = 'cd_nagios/nagios/htpasswd_rule.erb'
 $ng_taccgi_erb = 'cd_nagios/selinux/taccgi.erb'
 $ng_statcgi_erb = 'cd_nagios/selinux/statuscgi.erb'
+$ng_checknrpe_erb = 'cd_nagios/selinux/checknrpe.erb'
 $ng_nagios_conf = '/etc/httpd/conf.d/nagios.conf'
 $ng_nagios_conf_erb = 'cd_nagios/httpd/nagios_conf.erb'
 $ng_welcome_conf = '/etc/httpd/conf.d/welcome.conf'
@@ -992,8 +993,6 @@ $ng_cntctgrps_rule_erb = 'cd_nagios/nagios/contactgroups_cfg_rule.erb'
 $ng_target_command = "${ng_conf_d_dir}/nagios_commands_base.cfg"
 $ng_nagios_service_cmd = 'check_nagios!/var/log/nagios/status.dat!5!/usr/sbin/nagios'
-# nrpe
-$ng_nrpe_file = "${ng_main_dir}/nrpe.cfg"
 # includes must be last
diff --git a/manifests/selinux/config.pp b/manifests/selinux/config.pp
index ffa7381..c69992f 100644
--- a/manifests/selinux/config.pp
+++ b/manifests/selinux/config.pp
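Review bot: In manifests/params.pp, the first hunk changes `$ng_user_shell` from `/sbin/nologin` to `/bin/bash`, which gives the Nagios service account an interactive login shell without any stated reason. Nothing visible in this patch needs it: the two new exec resources in manifests/selinux/config.pp set no `user =>`, so they presumably run as the agent's own user rather than as nagios. I would keep `$ng_user_shell = '/sbin/nologin',` so a compromised check or plugin cannot be turned into a shell session for that account. If the shell really is required, put a comment above the line saying which command depends on it. The parameter list continues outside the hunk.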
@@ -73,5 +73,26 @@ class cd_nagios::selinux::config (
 refreshonly => true,
 notify => Service[$ng_service],
 }
+
+ # sealert check_nrpe
+
+ exec { 'create_policy_checknrpe':
+ command => template($ng_checknrpe_erb),
+ path => ['/usr/bin','/usr/sbin'],
+ cwd => $ng_user_home,
+ creates => "${ng_user_home}/my-checknrpe.pp",
+ notify => Exec['semodule_checknrpe'],
+ }
+
+ exec { 'semodule_checknrpe':
+ command => 'semodule -i my-checknrpe.pp',
+ path => ['/usr/bin','/usr/sbin'],
+ cwd => $ng_user_home,
+ require => Exec['create_policy_checknrpe'],
+ refreshonly => true,
+ notify => Service[$ng_service],
+ }
+
+
 }
 }
diff --git a/templates/selinux/checknrpe.erb b/templates/selinux/checknrpe.erb
new file mode 100644
index 0000000..9c0670f
--- /dev/null
+++ b/templates/selinux/checknrpe.erb
@@ -0,0 +1 @@
+ausearch -c 'check_nrpe' --raw | audit2allow -M my-checknrpe
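Review bot: `create_policy_checknrpe` in manifests/selinux/config.pp generates the SELinux module on the host by piping every logged `check_nrpe` denial through `audit2allow -M` (the one-line templates/selinux/checknrpe.erb), so the rules that `semodule -i my-checknrpe.pp` loads are never reviewed and depend on whatever is in that host's audit log at first run. Shipping a fixed, reviewed policy module with the Puppet module and installing that would make the granted permissions explicit and identical on every node. It would also cover the case where no denial has been logged yet: presumably `my-checknrpe.pp` is then never created and the exec reruns on every agent run. Both execs also build and load the module from `$ng_user_home`, which the nagios account can presumably write, so a root-owned directory for `cwd` and `creates` would be safer. The class body starts outside the hunk.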