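#-- Start nagios_plugin_checkyum.te
# SELinux policy module that lets the NRPE daemon (nrpe_t) run the Nagios
# check_yum plugin, which in turn runs yum under sudo.
#
# Review notes:
#  * Every rule below is granted to nrpe_t itself.  sudo and rpm/yum are
#    executed with execute_no_trans, so they stay in the nrpe_t domain rather
#    than transitioning to their own domains.  The practical effect is that the
#    whole NRPE daemon -- and therefore every plugin it runs, not only
#    check_yum -- gains write access to the rpm database and yum cache,
#    outbound HTTP, and (via the accompanying sudoers entry) passwordless
#    sudo.  Keep the sudoers rule limited to the single plugin path and make
#    sure that file is root-owned and not writable by the nagios user,
#    otherwise the sudo entry is equivalent to a root shell for nagios.
#  * If loading this module still produces an AVC for sudo executing the
#    plugin with tcontext etc_t, the plugin file itself is mislabeled.  Fix
#    that with restorecon on the plugin path (or install it under
#    /usr/lib64/nagios/plugins) instead of adding an etc_t execute rule.
#  * Duplicate allow rules for the same subject/object/class have been merged;
#    the resulting permission sets are identical to the originals.
module nagios_plugin_checkyum 1.0.4;

require {
	type usr_t;
	type boot_t;
	type admin_home_t;
	type rpm_var_lib_t;
	type tmp_t;
	type rpm_var_cache_t;
	type nrpe_t;
	type sudo_exec_t;
	type http_port_t;
	type rpm_exec_t;
	class capability { sys_nice audit_write };
	class tcp_socket name_connect;
	class file { rename execute setattr read lock create ioctl execute_no_trans write getattr unlink open };
	class netlink_audit_socket { write nlmsg_relay create read };
	class lnk_file read;
	class dir { search read write getattr remove_name open add_name };
}

#============= nrpe_t ==============
# Directory search into /root.  Most likely an artifact of testing the plugin
# from root's home directory; confirm it is still needed before shipping.
allow nrpe_t admin_home_t:dir search;

# Read-only listing of /boot (presumably yum/rpm inspecting installed kernels).
allow nrpe_t boot_t:dir { read getattr open };

# Outbound connections to any http_port_t port (yum fetching repository
# metadata).  This is not restricted to particular hosts.
allow nrpe_t http_port_t:tcp_socket name_connect;

# Execute rpm/yum without a domain transition -- they keep running as nrpe_t.
allow nrpe_t rpm_exec_t:file { execute getattr read open ioctl execute_no_trans };

# yum metadata cache (/var/cache/yum): full read/write, including creating,
# renaming and deleting files.
allow nrpe_t rpm_var_cache_t:dir { search getattr read open write add_name remove_name };
allow nrpe_t rpm_var_cache_t:file { create unlink rename setattr read write getattr open lock };

# rpm database (/var/lib/rpm).  Note that create/write here means nrpe_t can
# modify the installed-package database, not merely query it.
allow nrpe_t rpm_var_lib_t:dir { getattr search write add_name };
allow nrpe_t rpm_var_lib_t:file { create read write lock getattr open };

# Needed for sudo to emit its audit record over the audit netlink socket
# (audit_write + netlink_audit_socket).  sys_nice is presumably requested by
# rpm/yum -- confirm via audit2allow output.
allow nrpe_t self:capability { sys_nice audit_write };
allow nrpe_t self:netlink_audit_socket { create read write nlmsg_relay };

# Execute sudo without a domain transition -- sudo keeps running as nrpe_t.
allow nrpe_t sudo_exec_t:file { read execute open execute_no_trans };

# Scratch files in /tmp.
allow nrpe_t tmp_t:dir { read write add_name remove_name };
allow nrpe_t tmp_t:file { create unlink rename setattr read write getattr open lock };

# Read-only access to regular files and symlinks under /usr.
allow nrpe_t usr_t:file { read getattr open };
allow nrpe_t usr_t:lnk_file read;
#-- End nagios_plugin_checkyum.te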
You will also need to add an entry like the following to /etc/sudoers (edit it with visudo). Restrict the target user to root rather than ALL, and make sure the plugin file is root-owned and not writable by the nagios user, since this entry grants passwordless root execution of that path:
nagios ALL=(root) NOPASSWD: /usr/lib64/nagios/plugins/check_yum
Because nrpe runs the plugin without a tty, sudo's requiretty default must not apply to it; otherwise sudo refuses to run and the plugin's output cannot be parsed. Rather than commenting out the global `Defaults requiretty` line in sudoers, prefer the narrower override `Defaults:nagios !requiretty`. If you do disable it globally, the line to comment out is:
#Defaults requiretty
References
Appreciate the update to the policy to operate with sudo, however I'm still having an issue.
After replacing the old policy, I'm getting the following audit messages:
type=AVC msg=audit(1332877559.185:140889): avc: denied { execute } for pid=14638 comm="sudo" name="check_yum" dev=dm-0 ino=534851 scontext=unconfined_u:system_r:nrpe_t:s0 tcontext=unconfined_u:object_r:etc_t:s0 tclass=file
type=SYSCALL msg=audit(1332877559.185:140889): arch=40000003 syscall=11 success=no exit=-13 a0=23897e0 a1=bff2d628 a2=2389808 a3=bff2d628 items=0 ppid=14637 pid=14638 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4845 comm="sudo" exe="/usr/bin/sudo" subj=unconfined_u:system_r:nrpe_t:s0 key=(null)
Switching SELinux to permissive mode lets the command complete successfully.