# DESC nrpe - Nagios Remote Plugin Execution
#
# Author: Thomas Bleher <ThomasBleher@gmx.de>
#
# Depends: tcpd.te
# X-Debian-Packages: nagios-nrpe-server
#
# This policy assumes that nrpe is called from inetd

daemon_base_domain(nrpe)
ifdef(`tcpd.te', `
domain_auto_trans(tcpd_t, nrpe_exec_t, nrpe_t)
')
domain_auto_trans(inetd_t, nrpe_exec_t, nrpe_t)

allow nrpe_t urandom_device_t:chr_file { getattr ioctl read };

allow nrpe_t self:fifo_file rw_file_perms;
allow nrpe_t self:unix_dgram_socket create_socket_perms;
# use sockets inherited from inetd
allow nrpe_t inetd_t:tcp_socket { ioctl read write };
allow nrpe_t devtty_t:chr_file { read write };

allow nrpe_t self:process setpgid;

etc_domain(nrpe)
read_locale(nrpe_t)

# permissions for the scripts executed by nrpe
#
# call shell programs
can_exec(nrpe_t, { bin_t shell_exec_t ls_exec_t })
allow nrpe_t { bin_t sbin_t }:dir search;
# for /bin/sh
allow nrpe_t bin_t:lnk_file read;

# read /proc/meminfo, /proc/self/mounts and /etc/mtab
allow nrpe_t { self proc_t etc_runtime_t }:file { getattr read };

# you will have to add more permissions here, depending on the scripts you call!