From: David Galloway
Date: Wed, 13 Jul 2016 00:59:13 +0000 (-0400)
Subject: common: Update nrpe SELinux policy
X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=refs%2Fpull%2F265%2Fhead;p=ceph-cm-ansible.git

common: Update nrpe SELinux policy

This should've been done when smart.sh replaced smart.pl. I just didn't notice smart.sh was getting denied by SELinux until I started monitoring disks in Octo. Evidently the new script requires much more permission to run.

Signed-off-by: David Galloway
---
diff --git a/roles/common/files/nagios/nrpe.te b/roles/common/files/nagios/nrpe.te
index c7bc8860..5c2bef44 100644
--- a/roles/common/files/nagios/nrpe.te
+++ b/roles/common/files/nagios/nrpe.te
@@ -2,11 +2,26 @@ module nrpe 1.0;
 
 require {
 	type fsadm_exec_t;
+	type tmp_t;
+	type fixed_disk_device_t;
 	type nrpe_t;
 	type hwdata_t;
-	class file { read getattr open };
+	class capability { dac_read_search sys_admin sys_rawio dac_override };
+	class blk_file { read getattr open ioctl };
+	class unix_dgram_socket sendto;
+	class dir { write remove_name search add_name };
+	class file { execute read create execute_no_trans write getattr unlink
+open };
 }
 
 #============= nrpe_t ==============
-allow nrpe_t fsadm_exec_t:file getattr;
+
+allow nrpe_t fixed_disk_device_t:blk_file { read getattr open ioctl };
+allow nrpe_t fsadm_exec_t:file { read execute open getattr execute_no_trans };
+allow nrpe_t hwdata_t:dir search;
 allow nrpe_t hwdata_t:file { read getattr open };
+allow nrpe_t self:capability { dac_read_search sys_admin dac_override sys_rawio };
+allow nrpe_t self:unix_dgram_socket sendto;
+allow nrpe_t tmp_t:dir { write remove_name add_name };
+allow nrpe_t tmp_t:file unlink;
+allow nrpe_t tmp_t:file { write create open };
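Review bot: The rule `allow nrpe_t self:capability { dac_read_search sys_admin dac_override sys_rawio };` combined with `execute_no_trans` on `fsadm_exec_t` means the disk tool runs inside the nrpe daemon's own domain, so nrpe_t itself ends up holding sys_admin and dac_override, which bypass most file-permission and administrative checks, rather than a separate fsadm domain. If the policy build allows it, a domain transition into fsadm_t (refpolicy's `fsadm_domtrans` interface, or an explicit type_transition with the matching process transition and entrypoint rules) would keep the raw-disk and capability grants out of nrpe_t; if it does not, at least confirm from the audit log that sys_admin and dac_override are genuinely required and not collateral denials, since audit2allow emits every denied permission it sees. The tmp_t rules grant create, write and unlink on any tmp_t file and directory, i.e. the shared /tmp, which is wider than a scratch area owned by the script needs; a dedicated type with a file transition, or a script that avoids temp files in /tmp, would narrow it. Whichever route is taken, a header comment in nrpe.te naming the script and the denials each group serves, e.g. `# smart.sh: raw SMART reads via smartctl (blk_file ioctl, sys_rawio)`, would make the next review of this policy far easier than re-running audit2allow.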