From d3ea8120ee84e7955c0b683033796ebc0d40f52a Mon Sep 17 00:00:00 2001 From: Patrick Uiterwijk Date: Fri, 12 Jan 2018 21:43:40 +0000 Subject: [PATCH] Add some more selinux policy to fi-nrpe Signed-off-by: Patrick Uiterwijk --- roles/nagios_client/files/selinux/fi-nrpe.pp | Bin 946 -> 7286 bytes roles/nagios_client/files/selinux/fi-nrpe.te | 8 ++++++-- 2 files changed, 6 insertions(+), 2 deletions(-) 
diff --git a/roles/nagios_client/files/selinux/fi-nrpe.pp b/roles/nagios_client/files/selinux/fi-nrpe.pp index 1243b0e73e8fd65fdfc7d2b753a9589501b74324..0e71b44babd54e1c5e8f5e83d30653b2ff8e4e4b 100644 GIT binary patch literal 7286 zcmc&&OOG4J5gsSb1I!@^koa5xFI<44t;8ptVtXw_h_w>3mM=yyXwKA-o$cwKRQD`N zKz|`feqjEHPBOmk8FI+wuDB~jDS+f~y56s@?tj01{pOP_%YK$++3&L~`|qb&_OG|E z-~2YqvdeGjJ8j!FJ$Gem7%0EXvJB|I&Jz48%d$#8veNL+vn+c&d;I5aWeA|a=hN;b zo`H@JpwcFiLqe?@FvSwDxo899FDMoqR0z^Dg9>;CxcNW02)PV}-}c;KuMR2mAMuos)Jxxk2XCo}WRHAAQEdI%8 zOpj+&x>{*VVbkzvOn;nF;cQUavP7!H>8xM>(~Qb3`$RLk3n21uyl9OQf_n!l;qQmi zDY8C6ol#Wia#PQp(FGZ8uLc?!dzF8Dt>B``D|=>D%_Y6m4g1fZK70CNpjf3V_kY*S zyW)z2AE<>lA6+fD>uckRD=PU~7fjZb!?c>4kFQfot8bP{R1sKi(X3d?NB36J>?tY_ z<&g(b*6X01-NrF`6lovVa#faj*Ec4qH%v<{Af8%Y#oxjx?mVrg0LeR)siEl@szvXID|`?-b2qPs*0mu+-Xn z?QHVT_e5eXR{IxIAD&6J8glEty2EbTcK(0gZf0jY5Yy>(n?AQg%GQnHBpf z5L5EyE-NTFs$FYC3`1+vb97^xga_Ujk|FO}ukE6<3TVAg4)F?M6@ZFJpGwr>4c&WR z8Sg`zHi`E!>V~J`vLmkO!hV7ulS>ZpBU{(7D0D+lVW|SuuGH0rd{BY!u;FxuZthvG z`JEg++cHKPMWq*3nLF}li)>30E?8fK)N)uk!8{Z9>0L1%rd87ZGM?Ay2YUAMo7fS0 zII(WVF-{k}8Wc+Gs9=Vw+Kr+8^mzb4+M5lxBjGUs_Wt0uH?QpjkdMt&9x?{A)B)_1 zU3LS{{+zQ9ptv!Oc-osn4ge%aM+HxNBfu_3@4}E6ruUX&;|8M%V&f-Ke1F+UT%(5)Fm8uiD^h z6?E}n4(A)IYF!)=9c_S+7h%aljktonA2_J9@_!EZisN6{G%Vc+(L35NbrtNyw)NC# zA7-;zI!49!m@){j$+k5GUGpwry0Rr#6J9qm4bpNx#~eMal=0njVpM-grDIRlg*4)X zr5^N?JZD=PZ8^`QN6WUZH%UkAirRXXK#DA{fHfm(J(scHj>g0yjc6ODh)#eKxH;f;m~_8W$n+e~ z8`nB)rboq`C?rWKl#Ta){mCR@&z&=q=(El_`L!}_%#izO7VTHT zPcBjom0TDlF`1)V@$?1CqnKPgdYn#64-f%&-Vm|#F?;e+ijPugrNa`)fBl=h2p}i<4il@r@~P-53=( zRk^f=eX70_{PZ4Tw>sXCdy>H~x;XUNvQ%-)T_pG43DN3vT=CY?;T5g8_Y;DS#OazH z+|$~am9g!S^5ii(#xZWbiMZP=c7iy9++DMXF1e%Xu0-Y>H~Ldm{B|91T}EiZtgI*3 z2HeJA$6PnU@%9CWuz2@knag`3Q@^#9IQBd6{`8OEQT}=42LNWS(5dY(6=VSp+OHm)T&lF0;zyv&=P& OOq1hTG$*fR(FXwNZ7RY5 diff --git a/roles/nagios_client/files/selinux/fi-nrpe.te b/roles/nagios_client/files/selinux/fi-nrpe.te index 91bcdcc972..b43802782a 100644 --- a/roles/nagios_client/files/selinux/fi-nrpe.te 
+++ b/roles/nagios_client/files/selinux/fi-nrpe.te
@@ -1,11 +1,15 @@
-module fi-nrpe 1.0;
+module fi-nrpe 1.1;
 require {
 type nagios_system_plugin_t;
+ type nagios_admin_plugin_t;
 type nrpe_exec_t;
- class file getattr;
+ type bin_t;
+ class file { getattr map execute };
 }
 #============= nagios_system_plugin_t ==============
 allow nagios_system_plugin_t nrpe_exec_t:file getattr;
+# This is needed for e.g. check_file_age, which is a perl script
+allow nagios_admin_plugin_t bin_t:file { map execute };
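Review bot: The added `allow nagios_admin_plugin_t bin_t:file { map execute };` applies to every plugin running in nagios_admin_plugin_t and to every file labelled bin_t, while its comment names only check_file_age and the rule sits under the `nagios_system_plugin_t` banner. I would give it its own `#============= nagios_admin_plugin_t ==============` banner and widen the comment to something like `# Domain-wide: lets admin plugins map/execute bin_t files (e.g. the perl interpreter used by check_file_age)`, so a later audit sees the real scope of the grant. The `require` block now names the `map` permission on class `file`; on a host whose base policy does not define that permission the module would presumably fail to load, so it is worth confirming that every host in the nagios_client role has it. The rebuilt fi-nrpe.pp in this commit is an opaque binary that cannot be checked against this source in review; compiling it from the .te in CI or at deploy time would close that gap.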