Module: check_mk
Branch: master
Commit: 88a48330e0141568bdb22dadbef4ddce2e558f1a
URL:
http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=88a48330e01415…
Author: Mathias Kettner <mk(a)mathias-kettner.de>
Date: Mon Jun 29 11:17:24 2015 +0200
Added selinux configuration by Maarten to treasures
---
doc/treasures/selinux/README | 9 ++++++
doc/treasures/selinux/omd.fc | 6 ++++
doc/treasures/selinux/omd.pp | Bin 0 -> 6391 bytes
doc/treasures/selinux/omd.te | 66 ++++++++++++++++++++++++++++++++++++++++++
4 files changed, 81 insertions(+)
diff --git a/doc/treasures/selinux/README b/doc/treasures/selinux/README
new file mode 100644
index 0000000..d4f0c7a
--- /dev/null
+++ b/doc/treasures/selinux/README
@@ -0,0 +1,9 @@
+Here is an untested configuration for running OMD with selinux enabled.
+This is how you can install it (as root):
+
+# setsebool -P httpd_can_network_connect on
+# touch /.autorelabel
+# semodule -i omd.pp
+# reboot
+
+Many thanks to Maarten Vanraes who provided it.
diff --git a/doc/treasures/selinux/omd.fc b/doc/treasures/selinux/omd.fc
new file mode 100644
index 0000000..8507f94
--- /dev/null
+++ b/doc/treasures/selinux/omd.fc
@@ -0,0 +1,6 @@
+/opt/omd/sites/(.+)/etc(/.*)? system_u:object_r:httpd_nagios_rw_content_t:s0
+/opt/omd/sites/(.+)/var(/.*)? system_u:object_r:httpd_nagios_rw_content_t:s0
+/opt/omd/sites/(.+)/tmp(/.*)? system_u:object_r:tmp_t:s0
+/opt/omd/sites/(.+)/lib(/.*)? system_u:object_r:lib_t:s0
+/opt/omd/sites/(.+)/bin(/.*)? system_u:object_r:bin_t:s0
+/opt/omd/sites/(.+)/var/log/apache(/.*)? system_u:object_r:httpd_log_t:s0
diff --git a/doc/treasures/selinux/omd.pp b/doc/treasures/selinux/omd.pp
new file mode 100644
index 0000000..4bd3c51
Binary files /dev/null and b/doc/treasures/selinux/omd.pp differ
diff --git a/doc/treasures/selinux/omd.te b/doc/treasures/selinux/omd.te
new file mode 100644
index 0000000..923d70e
--- /dev/null
+++ b/doc/treasures/selinux/omd.te
@@ -0,0 +1,66 @@
+
+module omd 1.0;
+
+require {
+ type unconfined_t;
+ type httpd_t;
+ type default_t;
+ type admin_home_t;
+ type sysstat_t;
+ type system_cronjob_t;
+ type syslogd_t;
+ type system_dbusd_t;
+ type snmpd_var_lib_t;
+ type postfix_spool_t;
+ type postfix_spool_maildrop_t;
+ type inetd_t;
+ type crond_t;
+ type mount_t;
+ type initrc_t;
+ type initrc_state_t;
+ type commplex_port_t;
+ type tmpfs_t;
+ type usr_t;
+ type lib_t;
+ type httpd_nagios_rw_content_t;
+ class file {execute execute_no_trans read open getattr write unlink setattr ioctl
lock};
+ class process {signull signal sigkill setfscreate setrlimit};
+ class fifo_file {getattr read write open};
+ class tcp_socket name_bind;
+ class lnk_file {read getattr};
+ class sock_file {write getattr unlink};
+ class unix_stream_socket connectto;
+ class capability net_raw;
+ class rawip_socket {create write setopt read};
+ class dir {search getattr setattr write};
+}
+
+#============= httpd_t ==============
+allow httpd_t commplex_port_t:tcp_socket name_bind;
+allow httpd_t default_t:lnk_file {read getattr};
+allow httpd_t tmpfs_t:sock_file {write getattr unlink};
+allow httpd_t tmpfs_t:dir setattr;
+allow httpd_t tmpfs_t:fifo_file {getattr read write open};
+allow httpd_t initrc_t:unix_stream_socket connectto;
+allow httpd_t initrc_t:dir {getattr search};
+allow httpd_t initrc_t:file {read open};
+allow httpd_t initrc_t:process {signull signal sigkill};
+allow httpd_t initrc_state_t:file {read open getattr write unlink setattr ioctl lock};
+allow httpd_t httpd_nagios_rw_content_t:file {execute execute_no_trans};
+allow httpd_t usr_t:file {execute execute_no_trans};
+allow httpd_t crond_t:dir getattr;
+allow httpd_t inetd_t:dir getattr;
+allow httpd_t syslogd_t:dir getattr;
+allow httpd_t system_cronjob_t:dir getattr;
+allow httpd_t system_dbusd_t:dir getattr;
+allow httpd_t snmpd_var_lib_t:dir { getattr search };
+allow httpd_t unconfined_t:dir getattr;
+allow httpd_t lib_t:file {execute_no_trans};
+allow httpd_t self:process {setfscreate setrlimit};
+allow httpd_t self:capability net_raw;
+allow httpd_t self:rawip_socket {create write setopt read};
+allow httpd_t postfix_spool_t:dir search;
+allow httpd_t postfix_spool_maildrop_t:dir search;
+
+#============= mount_t ==============
+allow mount_t default_t:lnk_file read;