[checkmk-commits] Check_MK Git: check_mk: Added selinux configuration by Maarten to treasures

Module: check_mk Branch: master Commit: 88a48330e0141568bdb22dadbef4ddce2e558f1a URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=88a48330e01415… Author: Mathias Kettner <mk(a)mathias-kettner.de> Date: Mon Jun 29 11:17:24 2015 +0200 Added selinux configuration by Maarten to treasures --- doc/treasures/selinux/README | 9 ++++++ doc/treasures/selinux/omd.fc | 6 ++++ doc/treasures/selinux/omd.pp | Bin 0 -> 6391 bytes doc/treasures/selinux/omd.te | 66 ++++++++++++++++++++++++++++++++++++++++++ 4 files changed, 81 insertions(+) diff --git a/doc/treasures/selinux/README b/doc/treasures/selinux/README new file mode 100644 index 0000000..d4f0c7a --- /dev/null +++ b/doc/treasures/selinux/README @@ -0,0 +1,9 @@ +Here is an untested configuration for running OMD with selinux enabled. +This is how you can install it (as root): + +# setsebool -P httpd_can_network_connect on +# touch /.autorelabel +# semodule -i omd.pp +# reboot + +Many thanks to Maarten Vanraes who provided it. diff --git a/doc/treasures/selinux/omd.fc b/doc/treasures/selinux/omd.fc new file mode 100644 index 0000000..8507f94 --- /dev/null +++ b/doc/treasures/selinux/omd.fc @@ -0,0 +1,6 @@ +/opt/omd/sites/(.+)/etc(/.*)? system_u:object_r:httpd_nagios_rw_content_t:s0 +/opt/omd/sites/(.+)/var(/.*)? system_u:object_r:httpd_nagios_rw_content_t:s0 +/opt/omd/sites/(.+)/tmp(/.*)? system_u:object_r:tmp_t:s0 +/opt/omd/sites/(.+)/lib(/.*)? system_u:object_r:lib_t:s0 +/opt/omd/sites/(.+)/bin(/.*)? system_u:object_r:bin_t:s0 +/opt/omd/sites/(.+)/var/log/apache(/.*)? system_u:object_r:httpd_log_t:s0 diff --git a/doc/treasures/selinux/omd.pp b/doc/treasures/selinux/omd.pp new file mode 100644 index 0000000..4bd3c51 Binary files /dev/null and b/doc/treasures/selinux/omd.pp differ diff --git a/doc/treasures/selinux/omd.te b/doc/treasures/selinux/omd.te new file mode 100644 index 0000000..923d70e --- /dev/null +++ b/doc/treasures/selinux/omd.te @@ -0,0 +1,66 @@ + +module omd 1.0; + +require { + type unconfined_t; + type httpd_t; + type default_t; + type admin_home_t; + type sysstat_t; + type system_cronjob_t; + type syslogd_t; + type system_dbusd_t; + type snmpd_var_lib_t; + type postfix_spool_t; + type postfix_spool_maildrop_t; + type inetd_t; + type crond_t; + type mount_t; + type initrc_t; + type initrc_state_t; + type commplex_port_t; + type tmpfs_t; + type usr_t; + type lib_t; + type httpd_nagios_rw_content_t; + class file {execute execute_no_trans read open getattr write unlink setattr ioctl lock}; + class process {signull signal sigkill setfscreate setrlimit}; + class fifo_file {getattr read write open}; + class tcp_socket name_bind; + class lnk_file {read getattr}; + class sock_file {write getattr unlink}; + class unix_stream_socket connectto; + class capability net_raw; + class rawip_socket {create write setopt read}; + class dir {search getattr setattr write}; +} + +#============= httpd_t ============== +allow httpd_t commplex_port_t:tcp_socket name_bind; +allow httpd_t default_t:lnk_file {read getattr}; +allow httpd_t tmpfs_t:sock_file {write getattr unlink}; +allow httpd_t tmpfs_t:dir setattr; +allow httpd_t tmpfs_t:fifo_file {getattr read write open}; +allow httpd_t initrc_t:unix_stream_socket connectto; +allow httpd_t initrc_t:dir {getattr search}; +allow httpd_t initrc_t:file {read open}; +allow httpd_t initrc_t:process {signull signal sigkill}; +allow httpd_t initrc_state_t:file {read open getattr write unlink setattr ioctl lock}; +allow httpd_t httpd_nagios_rw_content_t:file {execute execute_no_trans}; +allow httpd_t usr_t:file {execute execute_no_trans}; +allow httpd_t crond_t:dir getattr; +allow httpd_t inetd_t:dir getattr; +allow httpd_t syslogd_t:dir getattr; +allow httpd_t system_cronjob_t:dir getattr; +allow httpd_t system_dbusd_t:dir getattr; +allow httpd_t snmpd_var_lib_t:dir { getattr search }; +allow httpd_t unconfined_t:dir getattr; +allow httpd_t lib_t:file {execute_no_trans}; +allow httpd_t self:process {setfscreate setrlimit}; +allow httpd_t self:capability net_raw; +allow httpd_t self:rawip_socket {create write setopt read}; +allow httpd_t postfix_spool_t:dir search; +allow httpd_t postfix_spool_maildrop_t:dir search; + +#============= mount_t ============== +allow mount_t default_t:lnk_file read;