common: Update nrpe SELinux policy

This should've been done when smart.sh replaced smart.pl.
I just didn't notice smart.sh was getting denied by SELinux until I
started monitoring disks in Octo.  Evidently the new script requires
much more permission to run.

Signed-off-by: David Galloway <dgallowa@redhat.com>

diff --git a/roles/common/files/nagios/nrpe.te b/roles/common/files/nagios/nrpe.te
index c7bc8860dd47e8d641237b89fd224e30cbbaa8fb..5c2bef44cf84c9c7cd925d0f3f1dcff826148c7f 100644 (file)
--- a/roles/common/files/nagios/nrpe.te
+++ b/roles/common/files/nagios/nrpe.te
@@ -2,11 +2,26 @@ module nrpe 1.0;
 
 require {
        type fsadm_exec_t;
+       type tmp_t;
+       type fixed_disk_device_t;
        type nrpe_t;
        type hwdata_t;
-       class file { read getattr open };
+       class capability { dac_read_search sys_admin sys_rawio dac_override };
+       class blk_file { read getattr open ioctl };
+       class unix_dgram_socket sendto;
+       class dir { write remove_name search add_name };
+       class file { execute read create execute_no_trans write getattr unlink
+open };
 }
 
 #============= nrpe_t ==============
-allow nrpe_t fsadm_exec_t:file getattr;
+
+allow nrpe_t fixed_disk_device_t:blk_file { read getattr open ioctl };
+allow nrpe_t fsadm_exec_t:file { read execute open getattr execute_no_trans };
+allow nrpe_t hwdata_t:dir search;
 allow nrpe_t hwdata_t:file { read getattr open };
+allow nrpe_t self:capability { dac_read_search sys_admin dac_override sys_rawio };
+allow nrpe_t self:unix_dgram_socket sendto;
+allow nrpe_t tmp_t:dir { write remove_name add_name };
+allow nrpe_t tmp_t:file unlink;
+allow nrpe_t tmp_t:file { write create open };