From 018087f0ac24da9536a52bb583cdec5e0742aca8 Mon Sep 17 00:00:00 2001
From: Arne Teuke
Date: Tue, 23 Apr 2019 19:53:49 +0200
Subject: [PATCH] adds file content for nrpe.te
---
manifests/main/exec.pp | 29 +++++++++++++++++++++++++++++
manifests/main/files.pp | 13 +++++++++++++
manifests/params.pp | 2 ++
templates/nrpe.te.erb | 39 +++++++++++++++++++++++++++++++++++++++
4 files changed, 83 insertions(+)
create mode 100644 manifests/main/exec.pp
create mode 100644 templates/nrpe.te.erb
diff --git a/manifests/main/exec.pp b/manifests/main/exec.pp
new file mode 100644
index 0000000..8d89c70
--- /dev/null
+++ b/manifests/main/exec.pp
@@ -0,0 +1,29 @@
+## cd_nrpe::main::exec.pp
+# Module name: cd_nrpe
+# Author: Arne Teuke (arne_teuke@ConfDroid.com)
+# # License:
+# This file is part of cd_nrpe.
+#
+# cd_nrpe is used for providing automatic configuration of NRPE.
+# Copyright (C) 2016 ConfDroid (copyright@ConfDroid.com)
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+# @summary Class manages execs for cde_nrpe.
+##############################################################################
+class cd_nrpe::main::exec (
+
+) inherits cd_nrpe::params {
+
+ # allow sudo
+
+}
diff --git a/manifests/main/files.pp b/manifests/main/files.pp
index 89f3d36..13fb269 100644
--- a/manifests/main/files.pp
+++ b/manifests/main/files.pp
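Review bot: The new class cd_nrpe::main::exec is an empty stub, and nothing in this commit compiles or loads the policy source that manifests/main/files.pp writes to `$ne_nrpe_te_file` — a `.te` file under /etc has no effect until it is built (checkmodule / semodule_package) and installed with `semodule -i`, which the `# allow sudo` placeholder here presumably is meant to hold. If that exec is planned for a later commit, a comment saying so would help; otherwise the file resource ships a policy that is never enforced and the comment in the stub does not describe what is missing. The `@summary` also reads `cde_nrpe` where the module is `cd_nrpe`: `# @summary Class manages execs for cd_nrpe.`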
@@ -72,5 +72,18 @@ class cd_nrpe::main::files (
 seluser => system_u,
 content => template($ne_sudo_rule_erb),
 }
+
+ # file for sudo selinux policy
+ file { $ne_nrpe_te_file:
+ ensure => file,
+ owner => 'root',
+ group => 'root',
+ mode => '0440',
+ selrange => s0,
+ selrole => object_r,
+ seltype => nrpe_etc_t,
+ seluser => system_u,
+ content => template($ne_nrpe_te_erb),
+ }
 }
 }
diff --git a/manifests/params.pp b/manifests/params.pp
index c768344..daddc5b 100644
--- a/manifests/params.pp
+++ b/manifests/params.pp
@@ -176,6 +176,8 @@ $ne_cmd_head_erb = 'cd_nrpe/cmd_head.erb'
 $ne_cmd_rule_erb = 'cd_nrpe/cmd_rule.erb'
 $ne_sudo_file = '/etc/sudoers.d/nagios_sudo'
 $ne_sudo_rule_erb = 'cd_nrpe/sudo_rule.erb'
+$ne_nrpe_te_file = '/etc/nrpe/nrpe.te'
+$ne_nrpe_te_erb = 'cd_nrpe/nrpe.te.erb'
 # includes must be last
diff --git a/templates/nrpe.te.erb b/templates/nrpe.te.erb
new file mode 100644
index 0000000..444a23b
--- /dev/null
+++ b/templates/nrpe.te.erb
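Review bot: The comment `# file for sudo selinux policy` above the new file resource does not match what templates/nrpe.te.erb in this commit contains — that policy grants nrpe_t access to home directories, D-Bus and executable memory and has no sudo-specific rule — so anyone looking for the sudo-related policy will be misled. Suggest `# SELinux policy source (nrpe.te) extending the nrpe_t domain`, and it would be worth stating next to it that writing the file does not by itself load the module. The enclosing class cd_nrpe::main::files starts outside the hunk.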
@@ -0,0 +1,39 @@
+module nrpe 1.0;
+
+require {
+ type nrpe_t;
+ type proc_net_t;
+ type initrc_var_run_t;
+ type system_dbusd_t;
+ type user_home_t;
+ type user_home_dir_t;
+ type admin_home_t;
+ type systemd_logind_t;
+ type unconfined_t;
+ class capability { dac_override dac_read_search };
+ class process execmem;
+ class file { read open write lock };
+ class unix_stream_socket connectto;
+ class dir {open read search};
+ class sock_file { getattr write };
+ class dbus send_msg;
+ class unix_stream_socket connectto;
+}
+
+#============= nrpe_t ==============
+allow nrpe_t user_home_t:dir search;
+allow nrpe_t user_home_dir_t:dir search;
+allow nrpe_t system_dbusd_t:unix_stream_socket connectto;
+allow nrpe_t initrc_var_run_t:file read;
+allow nrpe_t self:capability { dac_override dac_read_search };
+allow nrpe_t self:process execmem;
+allow nrpe_t admin_home_t:file { read open };
+allow nrpe_t admin_home_t:sock_file { getattr write };
+allow nrpe_t initrc_var_run_t:file open;
+allow nrpe_t system_dbusd_t:dbus send_msg;
+allow nrpe_t initrc_var_run_t:file lock;
+allow nrpe_t systemd_logind_t:dbus send_msg;
+allow nrpe_t user_home_t:file { open read };
+allow nrpe_t user_home_t:sock_file { getattr write };
+allow systemd_logind_t nrpe_t:dbus send_msg;
+allow nrpe_t unconfined_t:unix_stream_socket connectto;
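Review bot: `allow nrpe_t self:capability { dac_override dac_read_search };` and `allow nrpe_t self:process execmem;` extend the NRPE daemon well beyond a monitoring role — dac_override/dac_read_search let nrpe_t bypass DAC permission checks on files altogether, and together with the admin_home_t and user_home_t read rules a misbehaving or compromised check plugin gains read access to /root and every user's home, while execmem removes the W^X restriction for the daemon itself. The `#============= nrpe_t ==============` banner and the one-permission-per-line layout suggest an unedited audit2allow dump; each denial should be traced to the check that produced it, and fixing or isolating that check in its own type is usually preferable to whitelisting at the domain level. Housekeeping: `type proc_net_t;` is required but never used, `class unix_stream_socket connectto;` is declared twice in the require block, and the three `initrc_var_run_t:file` rules collapse to `allow nrpe_t initrc_var_run_t:file { read open lock };`. Since the file contains no ERB tags, shipping it via `source =>` rather than `template()` would also avoid needless template evaluation, though that is a style point.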