From a792adea1329ed49d63c412fb3dc045af5960d1c Mon Sep 17 00:00:00 2001 From: Stephen Smoogen Date: Tue, 21 Aug 2018 17:24:58 +0000 Subject: [PATCH] add in selinux for nagios servers --- .../files/selinux/nagios_nrpe.mod | Bin 0 -> 1737 bytes .../files/selinux/nagios_nrpe.pp | Bin 0 -> 1753 bytes .../files/selinux/nagios_nrpe.te | 32 ++++++++++++++++++ roles/nagios_server/tasks/main.yml | 12 +++++++ 4 files changed, 44 insertions(+) create mode 100644 roles/nagios_server/files/selinux/nagios_nrpe.mod create mode 100644 roles/nagios_server/files/selinux/nagios_nrpe.pp create mode 100644 roles/nagios_server/files/selinux/nagios_nrpe.te diff --git a/roles/nagios_server/files/selinux/nagios_nrpe.mod b/roles/nagios_server/files/selinux/nagios_nrpe.mod new file mode 100644 index 0000000000000000000000000000000000000000..80aff88bebccf434b0ba108b4cd7619d0b46ee9e GIT binary patch literal 1737 zcmb`HOKuZE5QdF;Bmp6iSdmR~0u*jg8+Neb03$PQlE(IoHPa(N;tCv?71THGKhq>Q zi4=b6uXpv!DJ@m@?z_cJGE>a)rp$kXuv2M4Ho0zQr?$dONYtR!N!X@K9@N4{8mO zksmE_Xx&j~FcrDxRjc&cEslQ6YV}2^SIgM1s_lC4N2t=VH}NL7G!9MOHlJe?mY1E+ zy^D+N>+HYxDQv3EBCf0CbvHtbpam_CZ<)$-S74)@1U^)qK0{(9$g_s7PR=sbD^0wF zxdWBw*8w)lNsxzpm8vzjp?qm#CCnYD{7biijdBv?;Z1w&djs=6s6FOx0~_Te{^uTd zd8=vXon=J;8|uvZhZ7Ub4XBzEw}FjvC+=d;y_7nrwKQR_#`m4WTSr*dsQcK(GWRmM z8v}3}s`{1D+%nJ1GK|f~q!Gv>%4?))Y$=Xrgzd&u8D(VU>g!{vEM!FG!hejRvXYVX L*VrkOp1X!W#Snu# literal 0 HcmV?d00001 
diff --git a/roles/nagios_server/files/selinux/nagios_nrpe.pp b/roles/nagios_server/files/selinux/nagios_nrpe.pp new file mode 100644 index 0000000000000000000000000000000000000000..857c18b5578fe9da80ba4a0c424201320cfab10b GIT binary patch literal 1753 zcmb`HO>PrG5QU8cB!Cb|tipzz0KpAv!wyy)U}VOfq_I6?P4@_pxB}w5tf0Q}Jf@T2 zBvN?NtN-dhkL%~}@4xQNW;6KQ`NREZu0Oszc^{kp>&b_9*{{RgLob|^9XY`hXR|nq zZK|4X8xGuk`}&Q!x(vGE<1ry04RXD$Qd_S=e&8O_FI~*xz8h@Vg~jsFHNa;l2)12Y zhm;<=Nhrm$*qpNug-yH2Db#%z9=XT5-8yb!_7c*N%b-E~>2s)a)!E?f#6DXkWuC)B zt*JezHN=SV(K3hD9d!m%k!xPH%ExYT^cz;I&qKXh#)s!s$}hc%H@Ts)Z|b%= zjZIko?R@H8Tx4Ho`j&FoRGURySJ~^Xg%&{zS{&a-D$iYk4RR9rP<8qYiIpJF8oD|; z8>wDt;w8)-s64+8ut83OJmjlXt+@^5OA{+$?m*@F*8v;kB*??-_Sp9Z=6z6m%-sey z$VvRqJ#O<>)6P4~iU2m$ne`7RCYT#gHLu(THprd0jXn2L>Y&!rgt;8wcMfkIV53Ie z#V(e)lgZr}fYVUbuZ-rF*nCVHfh?lDMw-T!;%G+LZcLR?M%Gw;bu5*IjHt2j SA7iMjWF%b}J7v;ySMUehdWKK{ literal 0 HcmV?d00001 diff --git a/roles/nagios_server/files/selinux/nagios_nrpe.te b/roles/nagios_server/files/selinux/nagios_nrpe.te new file mode 100644 index 0000000000..098dd49488 --- /dev/null +++ b/roles/nagios_server/files/selinux/nagios_nrpe.te 
@@ -0,0 +1,32 @@
+module nagios_nrpe 1.0;
+
+require {
+ type nagios_t;
+ type nagios_checkdisk_plugin_t;
+ type nagios_unconfined_plugin_t;
+ type nrpe_t;
+ type system_mail_t;
+ class process { noatsecure rlimitinh siginh };
+ class tcp_socket { read write };
+}
+
+#============= nagios_checkdisk_plugin_t ==============
+# src="nagios_checkdisk_plugin_t" tgt="nrpe_t" class="tcp_socket", perms="{ read write }"
+# comm="check_disk" exe="" path="socket:[270138836]"
+allow nagios_checkdisk_plugin_t nrpe_t:tcp_socket { read write };
+
+#============= nagios_t ==============
+# src="nagios_t" tgt="nagios_unconfined_plugin_t" class="process", perms="{ noatsecure rlimitinh siginh }"
+# comm="check_ping" exe="" path=""
+allow nagios_t nagios_unconfined_plugin_t:process { noatsecure rlimitinh siginh };
+# src="nagios_t" tgt="system_mail_t" class="process", perms="{ noatsecure rlimitinh siginh }"
+# comm="sendmail" exe="" path=""
+allow nagios_t system_mail_t:process { noatsecure rlimitinh siginh };
+
+#============= nrpe_t ==============
+# src="nrpe_t" tgt="nagios_checkdisk_plugin_t" class="process", perms="{ noatsecure rlimitinh siginh }"
+# comm="check_disk" exe="" path=""
+allow nrpe_t nagios_checkdisk_plugin_t:process { noatsecure rlimitinh siginh };
+# src="nrpe_t" tgt="nagios_unconfined_plugin_t" class="process", perms="{ noatsecure rlimitinh siginh }"
+# comm="check_swap" exe="" path=""
+allow nrpe_t nagios_unconfined_plugin_t:process { noatsecure rlimitinh siginh };
diff --git a/roles/nagios_server/tasks/main.yml b/roles/nagios_server/tasks/main.yml
index fc25dc0511..e91a075395 100644
--- a/roles/nagios_server/tasks/main.yml
+++ b/roles/nagios_server/tasks/main.yml
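Review bot: The four `allow ...:process { noatsecure rlimitinh siginh }` rules grant more than the module needs; a denial of these three permissions does not make the exec fail (the kernel falls back to a secure-execution environment, default rlimits and a cleared signal state), which is why the base policy normally dontaudits them on domain transitions and they usually only show up in audit2allow output after `semodule -DB`. Granting `noatsecure` on the nagios_t to nagios_unconfined_plugin_t transition in particular lets the unconfined plugin inherit an unsanitised environment from its caller. Unless a plugin demonstrably breaks without them, keep only the `tcp_socket { read write }` rule for nagios_checkdisk_plugin_t and record the reason in the header, e.g. `# Only the tcp_socket rule covers a real failure; the process rules were audit2allow output from dontaudit'ed denials and are intentionally omitted.` The audit artefacts in the comments (`path="socket:[270138836]"`) can be dropped once the file is hand-edited.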
@@ -468,3 +468,15 @@
 when: selinux_module is changed
 tags:
 - nagios_server
+
+- name: Copy over our custom selinux module
+ copy: src=selinux/nagios_nrpe.pp dest=/usr/local/share/nagios-policy/nagios_nrpe.pp
+ register: selinux_module2
+ tags:
+ - nagios_server
+
+- name: Install our custom selinux module
+ command: semodule -i /usr/local/share/nagios-policy/nagios_nrpe.pp
+ when: selinux_module2 is changed
+ tags:
+ - nagios_server
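Review bot: The `semodule -i` task in "Install our custom selinux module" only runs when the copy reports a change, so if the install fails once (for example a policy-version mismatch of the prebuilt `.pp` against the host's policy) every later run skips it because the file is already in place, and the module stays unloaded with no retry. Gate the install on the module actually being present in `semodule -l` as well as on the copy having changed, as below. Committing the compiled `.pp`/`.mod` next to the `.te` also lets the source and the loaded policy drift apart; building from the `.te` on the host with `checkmodule`/`semodule_package` would keep them in step, though that is a larger change than this hunk.

```yaml
- name: Check whether our custom selinux module is loaded
  command: semodule -l
  register: semodule_list
  changed_when: false
  check_mode: false
  tags:
    - nagios_server

- name: Install our custom selinux module
  command: semodule -i /usr/local/share/nagios-policy/nagios_nrpe.pp
  when: selinux_module2 is changed or 'nagios_nrpe' not in semodule_list.stdout
  tags:
    - nagios_server
```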