diff --git a/nrpe.README.SELinux.rst b/nrpe.README.SELinux.rst new file mode 100644 index 0000000..478fdbc --- /dev/null +++ b/nrpe.README.SELinux.rst @@ -0,0 +1,15 @@ +================ +NRPE and SELinux +================ + +While there is an NRPE policy in the default Selinux policies, it does +not meet the needs of the current NRPE software. In working with the +SELinux security group, there is now a need for non-core packages to +carry their own policy in a spec file. + +Following the steps in +https://fedoraproject.org/wiki/SELinux/IndependentPolicy we are adding +the needed subpackage and files. + +Please report bugs as needed and we will try to get them fixed as soon +as possible. diff --git a/nrpe.spec b/nrpe.spec index 1f70e61..d5cc674 100644 --- a/nrpe.spec +++ b/nrpe.spec @@ -5,7 +5,7 @@ Name: nrpe Version: 3.0.1 -Release: 4%{?dist} +Release: 5%{?dist} Summary: Host/service/network monitoring agent for Nagios Group: Applications/System 
@@ -14,23 +14,26 @@ URL: http://www.nagios.org Source0: https://github.com/NagiosEnterprises/nrpe/releases/download/3.0.1/nrpe-3.0.1.tar.gz Source1: nrpe.sysconfig Source2: nrpe-tmpfiles.conf +Source3: nrpe.README.SELinux.rst +Source4: nrpe.te +Source5: nrpe.fc +Patch1: nrpe-0001-gitupdates-20170321.patch Patch3: nrpe-0003-Include-etc-npre.d-config-directory.patch Patch10: nrpe-0010-opensslv110-strict.patch Patch11: nrpe-0011-opensslv110-nosslv2.patch Patch12: nrpe-0012-systemd-reloadfix.patch +Patch13: nrpe-0013-service-rhel6.patch BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) # For reconfiguration -BuildRequires: autoconf -BuildRequires: automake -BuildRequires: libtool -BuildRequires: openssl-devel -BuildRequires: openssl +BuildRequires: autoconf, automake, libtool +BuildRequires: openssl, openssl-devel +BuildRequires: checkpolicy, selinux-policy-devel %if 0%{?fedora} > 17 || 0%{?rhel} > 6 BuildRequires: systemd-units %endif -%if 0%{?el4}%{?el5} +%if 0%{?el5} BuildRequires: tcp_wrappers %else BuildRequires: tcp_wrappers-devel @@ -38,7 +41,7 @@ BuildRequires: tcp_wrappers-devel Requires(pre): %{_sbindir}/useradd -%if 0%{?el4}%{?el5}%{?el6} +%if 0%{?el5}%{?el6} Requires(preun): /sbin/service, /sbin/chkconfig Requires(post): /sbin/chkconfig, /sbin/service Requires(postun): /sbin/service 
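Review bot: `Source5: nrpe.fc` is consumed by the new `%build` block (`cp -p %{SOURCE5} selinux/nrpe.fc`), but no nrpe.fc is added anywhere in this diff — only nrpe.te and the README are new files — so unless it arrives in a separate commit rpmbuild fails at source lookup; the same question applies to `Patch1`/`Patch13`, though those would sort before the README in the diff and may simply be outside this page. The added `BuildRequires: checkpolicy, selinux-policy-devel` line is unconditional while everything that uses those packages sits under `%if 0%{?rhel} > 5`, so Fedora builds pull in the policy toolchain for nothing. Wrapping it the same way, `%if 0%{?rhel} > 5` / `BuildRequires: checkpolicy, selinux-policy-devel` / `%endif`, keeps the dependency and its use in step.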
@@ -77,14 +80,30 @@ http://sourceforge.net/projects/nagiosplug
 
 This package provides the nrpe plugin for Nagios-related applications.
 
+%if 0%{?rhel} > 5
+%package selinux
+Summary: SELinux context for %{name}
+Group: Applications/System
+Requires: %name = %version-%release
+Requires(post): policycoreutils
+Requires(postun): policycoreutils
+
+
+%description selinux
+SElinux context for %{name}.
+%endif
+
 %prep
 %setup -q
+%patch1 -p1 -b .git_20170321
 %patch3 -p1 -b .include_etc_npre_d
 %patch10 -p1 -b .opensslv110
 %if 0%{?fedora} > 25
 %patch11 -p1 -b .opensslv110_nossl2
 %endif
 %patch12 -p1 -b .fix_systemd_reload
+%patch13 -p1 -b .fix_service_rhel6
+
 
 %build
 CFLAGS="$RPM_OPT_FLAGS" CXXFLAGS="$RPM_OPT_FLAGS" LDFLAGS="%{?__global_ldflags}" \
@@ -103,9 +122,19 @@ CFLAGS="$RPM_OPT_FLAGS" CXXFLAGS="$RPM_OPT_FLAGS" LDFLAGS="%{?__global_ldflags}"
 
 make %{?_smp_mflags} all
 
+%if 0%{?rhel} > 5
+## SELinux configs
+mkdir selinux
+install -pm 644 %{SOURCE3} README.SELinux.rst
+cp -p %{SOURCE4} selinux/nrpe.te
+cp -p %{SOURCE5} selinux/nrpe.fc
+touch selinux/nrpe.if
+make -f %{_datadir}/selinux/devel/Makefile
+%endif
+
 %install
 rm -rf %{buildroot}
-%if 0%{?el4}%{?el5}%{?el6}
+%if 0%{?el5}%{?el6}
 install -D -p -m 0755 startup/default-init %{buildroot}/%{_initrddir}/nrpe
 %else
 install -D -m 0644 -p startup/default-service %{buildroot}%{_unitdir}/%{name}.service
@@ -119,7 +148,10 @@ install -d %{buildroot}%{_localstatedir}/run/%{name}
 %if 0%{?fedora} > 14 || 0%{?rhel} > 6
 install -D -p -m 0644 %{SOURCE2} %{buildroot}%{_tmpfilesdir}/%{name}.conf
 %endif
-
+%if 0%{?rhel} >5
+# Selinux configs
+install -p -m 644 -D nrpe.pp $RPM_BUILD_ROOT%{_datadir}/selinux/packages/%{name}/nrpe.pp
+%endif
 %clean
 rm -rf %{buildroot}
 
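Review bot: In the new `%build` block the policy sources are copied into `selinux/`, but `make -f %{_datadir}/selinux/devel/Makefile` is run from the source root; as far as I recall that Makefile compiles the `*.te` files found in its working directory, so nothing would be built and the later `install -p -m 644 -D nrpe.pp ...` in `%install` would fail on a missing file. Running it as `make -C selinux -f %{_datadir}/selinux/devel/Makefile` and installing `selinux/nrpe.pp` would match the layout the block sets up. Style: the new install line uses `$RPM_BUILD_ROOT` while the rest of the file uses `%{buildroot}`, and the conditional is written `%if 0%{?rhel} >5` in `%install` but `%if 0%{?rhel} > 5` in `%build`.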
@@ -130,7 +162,7 @@ getent passwd %{name} >/dev/null || \
 %{_sbindir}/useradd -c "NRPE user for the NRPE service" -d %{_localstatedir}/run/%{name} -r -g %{name} -s /sbin/nologin %{name} 2> /dev/null || :
 
 %preun
-%if 0%{?el4}%{?el5}%{?el6}
+%if 0%{?el5}%{?el6}
 if [ $1 = 0 ]; then
 /sbin/service %{name} stop > /dev/null 2>&1 || :
 /sbin/chkconfig --del %{name} || :
@@ -140,14 +172,14 @@ fi
 %endif
 
 %post
-%if 0%{?el4}%{?el5}%{?el6}
+%if 0%{?el5}%{?el6}
 /sbin/chkconfig --add %{name} || :
 %else
 %systemd_post nrpe.service
 %endif
 
 %postun
-%if 0%{?el4}%{?el5}%{?el6}
+%if 0%{?el5}%{?el6}
 if [ "$1" -ge "1" ]; then
 /sbin/service %{name} condrestart > /dev/null 2>&1 || :
 fi
@@ -155,8 +187,51 @@ fi
 %systemd_postun_with_restart nrpe.service
 %endif
 
+%if 0%{?rhel} >5
+%post selinux
+%if 0%{?el5}%{?el6}
+if [ "$1" -le "1" ]; then # Fist install
+ semodule -i %{_datadir}/selinux/packages/%{name}/.pp 2>/dev/null || :
+ fixfiles -R nrpe restore || :
+ /sbin/service nrpe condrestart > /dev/null 2>&1 || :
+fi
+%else
+if [ "$1" -le "1" ]; then # Fist install
+ semodule -i %{_datadir}/selinux/packages/%{name}/.pp 2>/dev/null || :
+ fixfiles -R nrpe restore || :
+ %systemd_postun_with_restart nrpe.service
+fi
+%endif
+%endif
+
+%if 0%{?rhel} >5
+%preun selinux
+%if 0%{?el5}%{?el6}
+if [ "$1" -lt "1" ]; then # Final removal
+ semodule -r pureftpd 2>/dev/null || :
+ fixfiles -R nrpe restore || :
+ /sbin/service nrpe condrestart > /dev/null 2>&1 || :
+fi
+%else
+if [ "$1" -lt "1" ]; then # Final removal
+ semodule -r pureftpd 2>/dev/null || :
+ fixfiles -R nrpe restore || :
+ %systemd_postun_with_restart nrpe.service
+fi
+%endif
+%endif
+
+%if 0%{?rhel} >5
+%postun selinux
+if [ "$1" -ge "1" ]; then # Upgrade
+ # Replaces the module if it is already loaded
+ semodule -i %{_datadir}/selinux/packages/%{name}/pureftpd.pp 2>/dev/null || :
+ # no need to restart the daemon
+fi
+%endif
+
 %files
-%if 0%{?el4}%{?el5}%{?el6}
+%if 0%{?el5}%{?el6}
 %{_initrddir}/nrpe
 %else
 %{_unitdir}/%{name}.service
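Review bot: The new `%post selinux` scriptlet installs `%{_datadir}/selinux/packages/%{name}/.pp` — the module name is missing from the path — while `%files selinux` ships `nrpe.pp`, and because the call is wrapped in `2>/dev/null || :` the failure is silent, so the policy is never loaded on first install. `%preun selinux` then removes a module named `pureftpd` and `%postun selinux` reloads `pureftpd.pp`, which look like leftovers from the spec this block was copied from; the three calls should read `semodule -i %{_datadir}/selinux/packages/%{name}/nrpe.pp 2>/dev/null || :`, `semodule -r nrpe 2>/dev/null || :` and the same `nrpe.pp` path in `%postun`. The `%else` branches of `%post selinux` also invoke `%systemd_postun_with_restart` from inside `%post`; that macro is written for `%postun`, and a plain `systemctl try-restart nrpe.service` would state the intent directly. Minor: the "Fist install" comments should read "First install".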
@@ -175,7 +250,19 @@ fi
 %{_libdir}/nagios/plugins/check_nrpe
 %doc Changelog LEGAL README.md
 
+%if 0%{?rhel} > 5
+%files selinux
+%doc README.SELinux.rst
+%{_datadir}/selinux/packages/%{name}/nrpe.pp
+%endif
+
 %changelog
+* Wed Mar 22 2017 Stephen Smoogen - 3.0.1-5
+- Put in patches from GIT to fix noise problems
+- Put in patch for RHEL6 systems to regain vars
+- Put in initial patch for selinux on EPEL
+- Remove el4 macros as this won't work there anyway.
+
 * Fri Mar 3 2017 Stephen Smoogen - 3.0.1-5
 - Remember to add the patch so it can build.
 
diff --git a/nrpe.te b/nrpe.te
new file mode 100644
index 0000000..d655356
--- /dev/null
+++ b/nrpe.te
@@ -0,0 +1,27 @@
+# this file was contributed by David Galloway. Thank you.
+module nrpe 1.0;
+
+require {
+ type fsadm_exec_t;
+ type tmp_t;
+ type fixed_disk_device_t;
+ type nrpe_t;
+ type hwdata_t;
+ class capability { dac_read_search sys_admin sys_rawio dac_override };
+ class blk_file { read getattr open ioctl };
+ class unix_dgram_socket sendto;
+ class dir { write remove_name search add_name };
+ class file { execute read create execute_no_trans write getattr unlink open };
+ }
+
+#============= nrpe_t ==============
+
+allow nrpe_t fixed_disk_device_t:blk_file { read getattr open ioctl };
+allow nrpe_t fsadm_exec_t:file { read execute open getattr execute_no_trans };
+allow nrpe_t hwdata_t:dir search;
+allow nrpe_t hwdata_t:file { read getattr open };
+allow nrpe_t self:capability { dac_read_search sys_admin dac_override sys_rawio };
+allow nrpe_t self:unix_dgram_socket sendto;
+allow nrpe_t tmp_t:dir { write remove_name add_name };
+allow nrpe_t tmp_t:file unlink;
+allow nrpe_t tmp_t:file { write create open };
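Review bot: The new nrpe.te grants nrpe_t the `sys_admin`, `sys_rawio`, `dac_override` and `dac_read_search` capabilities plus raw reads of `fixed_disk_device_t` and execution of `fsadm_exec_t`, which is a wide grant for a network-reachable agent, and the file says nothing about which check needs which rule; a comment above each group, e.g. `# needed by <check-name>: raw disk read for ...` with the check filled in, would let a later reviewer tell a required rule from audit2allow noise. The `tmp_t` rules let the domain create and unlink files of the shared /tmp type; a private tmp type with `files_tmp_filetrans` would confine that, and at minimum the two `tmp_t:file` lines collapse to `allow nrpe_t tmp_t:file { write create open unlink };`. The bare `require` block with raw `allow` rules is audit2allow output; where the selinux-policy-devel on the target releases provides them, reference-policy interfaces such as `storage_raw_read_fixed_disk(nrpe_t)` and `fstools_exec(nrpe_t)` would express the same permissions more maintainably.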