refpolicy (2:0.2.20100524-7+squeeze1) policy/modules/services/nagios.te

Summary

 policy/modules/services/nagios.te |   44 ++++++++++++++++++++++++++++++++++++++
 1 file changed, 44 insertions(+)

    

Patch contents

--- refpolicy-0.2.20100524.orig/policy/modules/services/nagios.te
+++ refpolicy-0.2.20100524/policy/modules/services/nagios.te
@@ -144,6 +144,7 @@
 #
 # Nagios CGI local policy
 #
+apache_script_exec_domain(nagios)
 optional_policy(`
 	apache_content_template(nagios)
 	typealias httpd_nagios_script_t alias nagios_cgi_t;
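Review bot: The added `apache_script_exec_domain(nagios)` is placed outside the `optional_policy(` block that wraps the other apache_ interface calls, so the nagios module now fails to build whenever the apache module is not part of the policy, instead of degrading gracefully as the existing block does. Moving the call one line down, inside the block next to `apache_content_template(nagios)`, keeps the apache dependency optional as it was. The optional_policy block itself continues past the end of this hunk.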
@@ -194,6 +195,12 @@
 manage_files_pattern(nrpe_t, nrpe_var_run_t, nrpe_var_run_t)
 files_pid_filetrans(nrpe_t, nrpe_var_run_t, file)
 
+type nrpe_tmp_t;
+files_tmp_file(nrpe_tmp_t)
+manage_dirs_pattern(nrpe_t, nrpe_tmp_t, nrpe_tmp_t)
+manage_files_pattern(nrpe_t, nrpe_tmp_t, nrpe_tmp_t)
+files_tmp_filetrans(nrpe_t, nrpe_tmp_t, { file dir })
+
 kernel_read_system_state(nrpe_t)
 kernel_read_kernel_sysctls(nrpe_t)
 
@@ -203,6 +210,16 @@
 corenet_tcp_bind_generic_node(nrpe_t)
 corenet_tcp_bind_inetd_child_port(nrpe_t)
 corenet_sendrecv_unlabeled_packets(nrpe_t)
+corenet_all_recvfrom_unlabeled(nrpe_t)
+corenet_all_recvfrom_netlabel(nrpe_t)
+corenet_tcp_sendrecv_all_if(nrpe_t)
+corenet_tcp_sendrecv_all_nodes(nrpe_t)
+corenet_tcp_sendrecv_generic_port(nrpe_t)
+corenet_tcp_bind_all_nodes(nrpe_t)
+corenet_tcp_bind_nrpe_port(nrpe_t)
+sysnet_dns_name_resolve(nrpe_t)
+
+allow nrpe_t self:netlink_route_socket create_netlink_socket_perms;
 
 dev_read_sysfs(nrpe_t)
 dev_read_urand(nrpe_t)
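Review bot: The raw `allow nrpe_t self:netlink_route_socket create_netlink_socket_perms;` grants write access to the routing socket, which is broader than the `r_netlink_socket_perms` this same file uses for nagios_mail_plugin_t, and `sysnet_dns_name_resolve(nrpe_t)` a few lines above already appears to provide the read-side route socket access a resolver needs; unless NRPE is known to send routing messages, `allow nrpe_t self:netlink_route_socket r_netlink_socket_perms;` would be the least-privilege form, or the line could be dropped if the interface covers it. Separately, `corenet_tcp_bind_all_nodes(nrpe_t)` looks like a superset of the existing `corenet_tcp_bind_generic_node(nrpe_t)` on the first context line, so one of the two is redundant. A short comment naming why the generic-port send/receive is needed (e.g. which check reaches arbitrary ports) would help the next maintainer judge whether it can be narrowed.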
@@ -224,6 +241,15 @@
 
 userdom_dontaudit_use_unpriv_user_fds(nrpe_t)
 
+domain_read_all_domains_state(nrpe_t)
+fs_getattr_all_fs(nrpe_t)
+storage_getattr_fixed_disk_dev(nrpe_t)
+init_read_utmp(nrpe_t)
+
+term_dontaudit_getattr_all_user_ttys(nrpe_t)
+term_dontaudit_getattr_unallocated_ttys(nrpe_t)
+term_dontaudit_getattr_all_user_ptys(nrpe_t)
+
 optional_policy(`
 	inetd_tcp_service_domain(nrpe_t, nrpe_exec_t)
 ')
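Review bot: `domain_read_all_domains_state(nrpe_t)` lets the NRPE daemon read the /proc state of every confined domain on the system, a broad grant that the hunk does not motivate; the other new rules in this hunk (`fs_getattr_all_fs`, `storage_getattr_fixed_disk_dev`, `init_read_utmp`) are narrower and self-explanatory by comparison. If this is for a process-checking plugin, a one-line comment such as `# check_procs: read process state of all domains` above it would record the justification, and it may be worth confirming whether the rule belongs on the plugin domain that actually performs the check rather than on nrpe_t itself, if plugins transition out of nrpe_t in this policy.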
@@ -271,6 +297,7 @@
 #
 
 allow nagios_mail_plugin_t self:capability { setuid setgid dac_override };
+dontaudit nagios_mail_plugin_t self:capability { sys_resource };
 
 allow nagios_mail_plugin_t self:netlink_route_socket r_netlink_socket_perms;
 allow nagios_mail_plugin_t self:tcp_socket create_stream_socket_perms;
@@ -295,12 +322,18 @@
 ')
 
 optional_policy(`
+	can_exec_sudo(nagios_mail_plugin_t)
+')
+
+optional_policy(`
 	nscd_dontaudit_search_pid(nagios_mail_plugin_t)
 ')
 
 optional_policy(`
 	postfix_stream_connect_master(nagios_mail_plugin_t)
 	posftix_exec_postqueue(nagios_mail_plugin_t)
+	postfix_list_spool(nagios_mail_plugin_t)
+	postfix_read_spool_files(nagios_mail_plugin_t)
 ')
 
 ######################################
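Review bot: `can_exec_sudo(nagios_mail_plugin_t)` is a notable privilege expansion for a mail-check plugin and carries no comment explaining which check invokes sudo; a line such as `# mail checks invoke sudo to inspect the queue` above it would document the intent. The interface name also does not follow the `<module>_<verb>` pattern used by every other call in this file, so it is worth confirming that it exists in the sudo module of this refpolicy version. While in this block, the pre-existing context line `posftix_exec_postqueue(nagios_mail_plugin_t)` next to the two added postfix_ calls looks misspelled and is worth verifying against postfix.if, since an undefined interface name would break the build of this optional block.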
@@ -390,3 +423,14 @@
 optional_policy(`
 	unconfined_domain(nagios_unconfined_plugin_t)
 ')
+
+optional_policy(`
+        mysql_tcp_connect(nrpe_t)
+        mysql_stream_connect(nrpe_t)
+       mysql_read_config(nrpe_t)
+')
+
+optional_policy(`
+        postgresql_tcp_connect(nrpe_t)
+        postgresql_stream_connect(nrpe_t)
+')