adds file content for nrpe.te

manifests/main/exec.pp

@@ -0,0 +1,29 @@
+## cd_nrpe::main::exec.pp
+# Module name: cd_nrpe
+# Author: Arne Teuke (arne_teuke@ConfDroid.com)
+# # License:
+#    This file is part of cd_nrpe.
+#
+#    cd_nrpe is used for providing automatic configuration of NRPE.
+#    Copyright (C) 2016  ConfDroid (copyright@ConfDroid.com)
+#    This program is free software: you can redistribute it and/or modify
+#    it under the terms of the GNU General Public License as published by
+#    the Free Software Foundation, either version 3 of the License, or
+#    (at your option) any later version.
+#
+#    This program is distributed in the hope that it will be useful,
+#    but WITHOUT ANY WARRANTY; without even the implied warranty of
+#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+#    GNU General Public License for more details.
+#
+#    You should have received a copy of the GNU General Public License
+#    along with this program.  If not, see <http://www.gnu.org/licenses/>.
+# @summary  Class manages execs for cde_nrpe.
+##############################################################################
+class cd_nrpe::main::exec (
+
+) inherits cd_nrpe::params {
+
+  # allow sudo
+
+}

manifests/main/files.pp

@@ -72,5 +72,18 @@ class cd_nrpe::main::files (
       seluser   =>  system_u,
       content   =>  template($ne_sudo_rule_erb),
     }
+
+    # file for sudo  selinux policy
+    file { $ne_nrpe_te_file:
+      ensure    =>  file,
+      owner     =>  'root',
+      group     =>  'root',
+      mode      =>  '0440',
+      selrange  =>  s0,
+      selrole   =>  object_r,
+      seltype   =>  nrpe_etc_t,
+      seluser   =>  system_u,
+      content   =>  template($ne_nrpe_te_erb),
+    }
   }
 }

manifests/params.pp

@@ -176,6 +176,8 @@ $ne_cmd_head_erb            = 'cd_nrpe/cmd_head.erb'
 $ne_cmd_rule_erb            = 'cd_nrpe/cmd_rule.erb'
 $ne_sudo_file               = '/etc/sudoers.d/nagios_sudo'
 $ne_sudo_rule_erb           = 'cd_nrpe/sudo_rule.erb'
+$ne_nrpe_te_file            = '/etc/nrpe/nrpe.te'
+$ne_nrpe_te_erb             = 'cd_nrpe/nrpe.te.erb'
 
 # includes must be last
 

templates/nrpe.te.erb

@@ -0,0 +1,39 @@
+module nrpe 1.0;
+
+require {
+        type nrpe_t;
+        type proc_net_t;
+        type initrc_var_run_t;
+        type system_dbusd_t;
+        type user_home_t;
+        type user_home_dir_t;
+        type admin_home_t;
+        type systemd_logind_t;
+        type unconfined_t;
+        class capability { dac_override dac_read_search };
+        class process execmem;
+        class file { read open write lock };
+        class unix_stream_socket connectto;
+        class dir {open read search};
+        class sock_file { getattr write };
+        class dbus send_msg;
+        class unix_stream_socket connectto;
+}
+
+#============= nrpe_t ==============
+allow nrpe_t user_home_t:dir search;
+allow nrpe_t user_home_dir_t:dir search;
+allow nrpe_t system_dbusd_t:unix_stream_socket connectto;
+allow nrpe_t initrc_var_run_t:file read;
+allow nrpe_t self:capability { dac_override dac_read_search };
+allow nrpe_t self:process execmem;
+allow nrpe_t admin_home_t:file { read open };
+allow nrpe_t admin_home_t:sock_file { getattr write };
+allow nrpe_t initrc_var_run_t:file open;
+allow nrpe_t system_dbusd_t:dbus send_msg;
+allow nrpe_t initrc_var_run_t:file lock;
+allow nrpe_t systemd_logind_t:dbus send_msg;
+allow nrpe_t user_home_t:file { open read };
+allow nrpe_t user_home_t:sock_file { getattr write };
+allow systemd_logind_t nrpe_t:dbus send_msg;
+allow nrpe_t unconfined_t:unix_stream_socket connectto;