From 4f0500e711a9f8b7677075472ac5a0e5a674f043 Mon Sep 17 00:00:00 2001
From: David Galloway
Date: Tue, 12 Jul 2016 20:59:13 -0400
Subject: [PATCH] common: Update nrpe SELinux policy

This should've been done when smart.sh replaced smart.pl. I just didn't notice smart.sh was getting denied by SELinux until I started monitoring disks in Octo. Evidently the new script requires much more permission to run.

Signed-off-by: David Galloway
---
 roles/common/files/nagios/nrpe.te | 19 +++++++++++++++++--
 1 file changed, 17 insertions(+), 2 deletions(-)

diff --git a/roles/common/files/nagios/nrpe.te b/roles/common/files/nagios/nrpe.te
index c7bc886..5c2bef4 100644
--- a/roles/common/files/nagios/nrpe.te
+++ b/roles/common/files/nagios/nrpe.te
@@ -2,11 +2,26 @@ module nrpe 1.0;
 require {
 type fsadm_exec_t;
+ type tmp_t;
+ type fixed_disk_device_t;
 type nrpe_t;
 type hwdata_t;
- class file { read getattr open };
+ class capability { dac_read_search sys_admin sys_rawio dac_override };
+ class blk_file { read getattr open ioctl };
+ class unix_dgram_socket sendto;
+ class dir { write remove_name search add_name };
+ class file { execute read create execute_no_trans write getattr unlink
+open };
 }
 #============= nrpe_t ==============
-allow nrpe_t fsadm_exec_t:file getattr;
+
+allow nrpe_t fixed_disk_device_t:blk_file { read getattr open ioctl };
+allow nrpe_t fsadm_exec_t:file { read execute open getattr execute_no_trans };
+allow nrpe_t hwdata_t:dir search;
 allow nrpe_t hwdata_t:file { read getattr open };
+allow nrpe_t self:capability { dac_read_search sys_admin dac_override sys_rawio };
+allow nrpe_t self:unix_dgram_socket sendto;
+allow nrpe_t tmp_t:dir { write remove_name add_name };
+allow nrpe_t tmp_t:file unlink;
+allow nrpe_t tmp_t:file { write create open };

--
2.39.5
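Review bot: The new `allow nrpe_t self:capability { dac_read_search sys_admin dac_override sys_rawio }` rule hands the network-facing NRPE listener domain itself near-root capabilities, and nothing in the hunk records which smart.sh operation needs each one; each allow line should carry a comment naming its trigger, e.g. `# smart.sh: smartctl opens the raw disk, needs sys_rawio + blk_file ioctl`. Because `fsadm_exec_t:file ... execute_no_trans` runs the disk tools inside nrpe_t rather than transitioning into fsadm_t, the capabilities have to land on nrpe_t; if the distribution policy provides a domain-transition interface for fsadm tools, using it would keep nrpe_t's own privilege set small. The `tmp_t` create/write/unlink rules likewise carry no type transition, so files the check creates are plain shared `tmp_t` rather than a private nrpe temp type, which is worth a comment or a dedicated type if the files hold anything a co-located process should not touch. `dac_override` and `dac_read_search` in audit2allow output usually point to a file the script reads but does not own; fixing that file's ownership or mode would likely let both be dropped, so a comment noting which path motivates them would help the next reviewer decide.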