WarlockFish/fedora-infra_ansible
1
0
Fork 0
mirror of https://pagure.io/fedora-infra/ansible.git synced 2026-04-30 05:20:49 +08:00
Code Issues Packages Projects Releases Wiki Activity

add in selinux for nagios servers

Browse Source
This commit is contained in:
Stephen Smoogen
2018-08-21 17:24:58 +00:00
parent 42355920a9
commit a792adea13
4 changed files with 44 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

BIN
roles/nagios_server/files/selinux/nagios_nrpe.mod Normal file
View File

Binary file not shown.

BIN
roles/nagios_server/files/selinux/nagios_nrpe.pp Normal file
View File

Binary file not shown.

32
roles/nagios_server/files/selinux/nagios_nrpe.te Normal file
View File

@@ -0,0 +1,32 @@
module nagios_nrpe 1.0;
require {
type nagios_t;
type nagios_checkdisk_plugin_t;
type nagios_unconfined_plugin_t;
type nrpe_t;
type system_mail_t;
class process { noatsecure rlimitinh siginh };
class tcp_socket { read write };
}
#============= nagios_checkdisk_plugin_t ==============
# src="nagios_checkdisk_plugin_t" tgt="nrpe_t" class="tcp_socket", perms="{ read write }"
# comm="check_disk" exe="" path="socket:[270138836]"
allow nagios_checkdisk_plugin_t nrpe_t:tcp_socket { read write };
#============= nagios_t ==============
# src="nagios_t" tgt="nagios_unconfined_plugin_t" class="process", perms="{ noatsecure rlimitinh siginh }"
# comm="check_ping" exe="" path=""
allow nagios_t nagios_unconfined_plugin_t:process { noatsecure rlimitinh siginh };
# src="nagios_t" tgt="system_mail_t" class="process", perms="{ noatsecure rlimitinh siginh }"
# comm="sendmail" exe="" path=""
allow nagios_t system_mail_t:process { noatsecure rlimitinh siginh };
#============= nrpe_t ==============
# src="nrpe_t" tgt="nagios_checkdisk_plugin_t" class="process", perms="{ noatsecure rlimitinh siginh }"
# comm="check_disk" exe="" path=""
allow nrpe_t nagios_checkdisk_plugin_t:process { noatsecure rlimitinh siginh };
# src="nrpe_t" tgt="nagios_unconfined_plugin_t" class="process", perms="{ noatsecure rlimitinh siginh }"
# comm="check_swap" exe="" path=""
allow nrpe_t nagios_unconfined_plugin_t:process { noatsecure rlimitinh siginh };

12
roles/nagios_server/tasks/main.yml
View File

@@ -468,3 +468,15 @@
when: selinux_module is changed
tags:
- nagios_server
- name: Copy over our custom selinux module
copy: src=selinux/nagios_nrpe.pp dest=/usr/local/share/nagios-policy/nagios_nrpe.pp
register: selinux_module2
tags:
- nagios_server
- name: Install our custom selinux module
command: semodule -i /usr/local/share/nagios-policy/nagios_nrpe.pp
when: selinux_module2 is changed
tags:
- nagios_server