forked from lrupp/monitoring-plugins-zypper
-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathusr.lib.nagios.plugins.check_zypper
More file actions
173 lines (155 loc) · 5.81 KB
/
usr.lib.nagios.plugins.check_zypper
File metadata and controls
173 lines (155 loc) · 5.81 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
#include <tunables/global>
profile nagios_check_zypper /usr/lib/nagios/plugins/check_zypper {
#include <abstractions/base>
#include <abstractions/perl>
#include <abstractions/consoles>
#include <abstractions/nameservice>
#include <abstractions/wutmp>
/etc/SuSE-release r,
/etc/os-release r,
/{,usr/}bin/grep rix,
/{,usr/}bin/awk rix,
/{,usr/}bin/gawk rix,
/{,usr/}bin/rpm px -> nagios_check_zypper//rpm,
/{,usr/}bin/bash rix,
/{,usr/}bin/sudo Ux,
# as we do not know how people name the ignore file, we
# allow read access to everything below /etc/nagios and /etc/monitoring-plugins/ here
/etc/nagios/** r,
/etc/monitoring-plugins/** r,
/usr/sbin/zypp-refresh-wrapper px -> nagios_check_zypper//zypp-refresh-wrapper,
/usr/bin/zypper px -> nagios_check_zypper//zypper,
profile zypp-refresh-wrapper {
#include <abstractions/base>
#include <abstractions/nameservice>
# if you have additional changes, please add them in the file
# /etc/apparmor.d/local/usr.lib.nagios.plugins.check_zypper
#include <local/usr.lib.nagios.plugins.check_zypper.zypp_refresh>
capability setuid,
capability setgid,
/usr/sbin/zypp-refresh-wrapper rmix,
/usr/sbin/zypp-refresh px -> nagios_check_zypper//zypp-refresh,
}
profile zypp-refresh {
#include <abstractions/base>
#include <abstractions/bash>
#include <abstractions/consoles>
#include <abstractions/user-tmp>
#include <abstractions/zypp>
# if you have additional changes, please add them in the file
# /etc/apparmor.d/local/usr.lib.nagios.plugins.check_zypper
#include <local/usr.lib.nagios.plugins.check_zypper.zypp_refresh>
/var/log/zypp-refresh.log w,
/usr/sbin/zypp-refresh rmix,
/{usr/,}bin/cp rix,
/{usr/,}bin/bash rix,
/usr/bin/rpmdb2solv rix,
/usr/bin/zypper px -> nagios_check_zypper//zypper,
/usr/bin/gpg2 px -> nagios_check_zypper//gpg,
/usr/bin/uuidgen px -> nagios_check_zypper//uuidgen,
/usr/bin/repo2solv.sh px -> nagios_check_zypper//repo2solv,
/var/lib/YaST2/cookies r,
}
profile repo2solv {
#include <abstractions/base>
#include <abstractions/consoles>
#include <abstractions/user-tmp>
#include <abstractions/nameservice>
# if you have additional changes, please add them in the file
# /etc/apparmor.d/local/usr.lib.nagios.plugins.check_zypper
#include <local/usr.lib.nagios.plugins.check_zypper.zypp_refresh>
/usr/bin/repo2solv.sh rmix,
/usr/bin/repomdxml2solv rix,
/usr/bin/rpmmd2solv rix,
/usr/bin/susetags2solv rix,
/usr/bin/updateinfoxml2solv rix,
/usr/bin/deltainfoxml2solv rix,
/usr/bin/mergesolv rix,
/usr/bin/find rix,
/{usr/,}bin/bash rix,
/{usr/,}bin/rm rix,
/{usr/,}bin/cat rix,
/{usr/,}bin/sed rix,
/{usr/,}bin/gzip rix,
/{usr/,}bin/grep rix,
/{usr/,}bin/gzip rix,
/{usr/,}bin/bzip2 rix,
/{usr/,}bin/lzma rix,
/{usr/,}bin/xz rix,
/{usr/,}bin/mktemp rix,
/var/cache/zypp/** rw,
}
profile uuidgen {
#include <abstractions/base>
/usr/bin/uuidgen rmix,
}
profile gpg {
#include <abstractions/base>
# if you have additional changes, please add them in the file
# /etc/apparmor.d/local/usr.lib.nagios.plugins.check_zypper
#include <local/usr.lib.nagios.plugins.check_zypper.zypp_refresh>
capability ipc_lock,
/usr/bin/gpg2 rmix,
/usr/bin/gpg-agent mrix,
/usr/bin/gpgconf mr,
/usr/bin/gpgsm mr,
/usr/bin/scdaemon px -> nagios_check_zypper//scdaemon,
# maybe abstractions/crypto? (available since AppArmor 3.0)
owner /etc/gcrypt/hwf.deny r,
/proc/sys/crypto/fips_enabled r,
owner /proc/@{pid}/fd/ r,
/var/tmp/TmpFile.* rwk,
/var/tmp/TmpDir.*/* rwlk,
/var/tmp/zypp.*/* rwlk,
/var/tmp/zypp.*/*/* rwlk,
/var/tmp/zypp.*/zypp-trusted-kr*/ r,
/var/tmp/zypp.*/zypp-trusted-kr*/private-keys-v1.d/ w,
/var/cache/zypp/** r,
}
profile scdaemon {
#include <abstractions/base>
# maybe abstractions/crypto? (available since AppArmor 3.0)
/etc/gcrypt/hwf.deny r,
/proc/sys/crypto/fips_enabled r,
owner /proc/@{pid}/task/*/comm rw,
/usr/bin/scdaemon r,
owner /var/tmp/zypp.*/zypp-trusted-kr*/S.scdaemon w,
}
profile zypper {
#include <abstractions/base>
#include <abstractions/bash>
#include <abstractions/zypp>
#include <abstractions/consoles>
#include <abstractions/nameservice>
# if you have additional changes, please add them in the file
# /etc/apparmor.d/local/usr.lib.nagios.plugins.check_zypper
#include <local/usr.lib.nagios.plugins.check_zypper.zypp_refresh>
/{,usr/}bin/bash rix,
/usr/bin/rpmdb2solv rix,
/usr/bin/zypper rmix,
/usr/lib/sysimage/rpm/Index.db rwlk,
/usr/share/zypper/ r,
/usr/share/zypper/** r,
/usr/bin/gpg2 px -> nagios_check_zypper//gpg,
/usr/bin/gpgconf px -> nagios_check_zypper//gpg,
/usr/bin/gpgsm px -> nagios_check_zypper//gpg,
/usr/bin/uuidgen px -> nagios_check_zypper//uuidgen,
/usr/lib*/libproxy-*/modules/config_gnome3.so mr,
/run/zypp-rpm.pid rwk,
/run/zypp.pid rwk,
/var/log/zypp/history r,
/var/log/zypper.log w,
/proc/sys/kernel/random/uuid r,
}
profile rpm {
#include <abstractions/base>
#include <abstractions/rpm>
#include <abstractions/nameservice>
# if you have additional changes, please add them in the file
# /etc/apparmor.d/local/usr.lib.nagios.plugins.check_zypper
#include <local/usr.lib.nagios.plugins.check_zypper.zypp_refresh>
/{usr/,}bin/rpm rmix,
}
# Site-specific additions and overrides. See local/README for details.
#include <local/usr.lib.nagios.plugins.check_zypper>
}