add in selinux for nagios servers
This commit is contained in:
Stephen Smoogen
parent
42355920a9
commit
a792adea13
4 changed files with 44 additions and 0 deletions
BIN
roles/nagios_server/files/selinux/nagios_nrpe.mod
Normal file
BIN
roles/nagios_server/files/selinux/nagios_nrpe.mod
Normal file
Binary file not shown.
BIN
roles/nagios_server/files/selinux/nagios_nrpe.pp
Normal file
BIN
roles/nagios_server/files/selinux/nagios_nrpe.pp
Normal file
Binary file not shown.
32
roles/nagios_server/files/selinux/nagios_nrpe.te
Normal file
32
roles/nagios_server/files/selinux/nagios_nrpe.te
Normal file
|
|
@ -0,0 +1,32 @@
|
|||
module nagios_nrpe 1.0;
|
||||
|
||||
require {
|
||||
type nagios_t;
|
||||
type nagios_checkdisk_plugin_t;
|
||||
type nagios_unconfined_plugin_t;
|
||||
type nrpe_t;
|
||||
type system_mail_t;
|
||||
class process { noatsecure rlimitinh siginh };
|
||||
class tcp_socket { read write };
|
||||
}
|
||||
|
||||
#============= nagios_checkdisk_plugin_t ==============
|
||||
# src="nagios_checkdisk_plugin_t" tgt="nrpe_t" class="tcp_socket", perms="{ read write }"
|
||||
# comm="check_disk" exe="" path="socket:[270138836]"
|
||||
allow nagios_checkdisk_plugin_t nrpe_t:tcp_socket { read write };
|
||||
|
||||
#============= nagios_t ==============
|
||||
# src="nagios_t" tgt="nagios_unconfined_plugin_t" class="process", perms="{ noatsecure rlimitinh siginh }"
|
||||
# comm="check_ping" exe="" path=""
|
||||
allow nagios_t nagios_unconfined_plugin_t:process { noatsecure rlimitinh siginh };
|
||||
# src="nagios_t" tgt="system_mail_t" class="process", perms="{ noatsecure rlimitinh siginh }"
|
||||
# comm="sendmail" exe="" path=""
|
||||
allow nagios_t system_mail_t:process { noatsecure rlimitinh siginh };
|
||||
|
||||
#============= nrpe_t ==============
|
||||
# src="nrpe_t" tgt="nagios_checkdisk_plugin_t" class="process", perms="{ noatsecure rlimitinh siginh }"
|
||||
# comm="check_disk" exe="" path=""
|
||||
allow nrpe_t nagios_checkdisk_plugin_t:process { noatsecure rlimitinh siginh };
|
||||
# src="nrpe_t" tgt="nagios_unconfined_plugin_t" class="process", perms="{ noatsecure rlimitinh siginh }"
|
||||
# comm="check_swap" exe="" path=""
|
||||
allow nrpe_t nagios_unconfined_plugin_t:process { noatsecure rlimitinh siginh };
|
||||
|
|
@ -468,3 +468,15 @@
|
|||
when: selinux_module is changed
|
||||
tags:
|
||||
- nagios_server
|
||||
|
||||
- name: Copy over our custom selinux module
|
||||
copy: src=selinux/nagios_nrpe.pp dest=/usr/local/share/nagios-policy/nagios_nrpe.pp
|
||||
register: selinux_module2
|
||||
tags:
|
||||
- nagios_server
|
||||
|
||||
- name: Install our custom selinux module
|
||||
command: semodule -i /usr/local/share/nagios-policy/nagios_nrpe.pp
|
||||
when: selinux_module2 is changed
|
||||
tags:
|
||||
- nagios_server
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue