Chris PeBenito 31b7c0
# DESC nrpe - Nagios Remote Plugin Execution
Chris PeBenito 31b7c0
#
Chris PeBenito 31b7c0
# Author: Thomas Bleher <ThomasBleher@gmx.de>
Chris PeBenito 31b7c0
#
Chris PeBenito 31b7c0
# Depends: tcpd.te
Chris PeBenito 31b7c0
# X-Debian-Packages: nagios-nrpe-server
Chris PeBenito 31b7c0
#
Chris PeBenito 31b7c0
# This policy assumes that nrpe is called from inetd
Chris PeBenito 31b7c0
Chris PeBenito 31b7c0
daemon_base_domain(nrpe)
Chris PeBenito 31b7c0
ifdef(`tcpd.te', `
Chris PeBenito 31b7c0
domain_auto_trans(tcpd_t, nrpe_exec_t, nrpe_t)
Chris PeBenito 31b7c0
')
Chris PeBenito 31b7c0
domain_auto_trans(inetd_t, nrpe_exec_t, nrpe_t)
Chris PeBenito 31b7c0
Chris PeBenito 31b7c0
allow nrpe_t urandom_device_t:chr_file { getattr ioctl read };
Chris PeBenito 31b7c0
Chris PeBenito 31b7c0
allow nrpe_t self:fifo_file rw_file_perms;
Chris PeBenito 31b7c0
allow nrpe_t self:unix_dgram_socket create_socket_perms;
Chris PeBenito 31b7c0
# use sockets inherited from inetd
Chris PeBenito 31b7c0
allow nrpe_t inetd_t:tcp_socket { ioctl read write };
Chris PeBenito 31b7c0
allow nrpe_t devtty_t:chr_file { read write };
Chris PeBenito 31b7c0
Chris PeBenito 31b7c0
allow nrpe_t self:process setpgid;
Chris PeBenito 31b7c0
Chris PeBenito 31b7c0
etc_domain(nrpe)
Chris PeBenito 31b7c0
read_locale(nrpe_t)
Chris PeBenito 31b7c0
Chris PeBenito 31b7c0
# permissions for the scripts executed by nrpe
Chris PeBenito 31b7c0
#
Chris PeBenito 31b7c0
# call shell programs
Chris PeBenito 31b7c0
can_exec(nrpe_t, { bin_t shell_exec_t ls_exec_t })
Chris PeBenito 31b7c0
allow nrpe_t { bin_t sbin_t }:dir search;
Chris PeBenito 31b7c0
# for /bin/sh
Chris PeBenito 31b7c0
allow nrpe_t bin_t:lnk_file read;
Chris PeBenito 31b7c0
Chris PeBenito 31b7c0
# read /proc/meminfo, /proc/self/mounts and /etc/mtab
Chris PeBenito 31b7c0
allow nrpe_t { self proc_t etc_runtime_t }:file { getattr read };
Chris PeBenito 31b7c0
Chris PeBenito 31b7c0
# you will have to add more permissions here, depending on the scripts you call!