initial version

agents/plugins/selinux

@@ -35,10 +35,11 @@
 
 if command sestatus > /dev/null ; then
     # Selinux status
-    echo '<<<selinux>>>'
+    status=`sestatus | grep "SELinux status:" | awk '{print $3}'`
-    sestatus | grep "SELinux status:" | awk '{print $3}'
     # the current mode
-    sestatus | grep "Current mode:" | awk '{print $3}'
+    curmode=`sestatus | grep "Current mode:" | awk '{print $3}'`
     # the mode from file
-    sestatus | grep "Mode from config file:" | awk '{print $5}'
+    filemode=`sestatus | grep "Mode from config file:" | awk '{print $5}'`
+    echo '<<<selinux>>>'
+    echo $status $curmode $filemode
 fi

checks/selinux

@@ -0,0 +1,40 @@
+#!/usr/bin/env python
+#
+# Author: Marius Pana <mp@spearhead.systems>
+
+factory_settings["selinux_default_levels"] = {
+    "modedisabled" : 0,
+    "curmodepermissive" : 1,
+    "filemodepermissive" : 2,
+}
+
+def inventory_selinux(info):
+    inventory = []
+    for line in info:
+        # inventory.append( (line[0], "selinux_default_levels") )
+        yield line[0], selinux_default_levels
+    # return inventory
+
+def check_selinux(item, params, info):
+    for line in info:
+        state = 0
+        if line[0] == 'disabled':
+            state = params["modedisabled"]
+            return (state, "SELinux is disabled")
+        elif line[0] == 'enabled' and line[1] == "permissive" and line[2] == "enforcing":
+            state = params["curmodepermissive"]
+            return (state, "SELinux is in permissive mode but config file is enfocring.")
+        elif line[2] == "permissive":
+            state = params["filemodepermissive"]
+            return (state, "SELinux is in permissive mode.")
+        else:
+            return(3, "SELinux not found in agent output")
+
+check_info["selinux"] = {
+    "inventory_function"        : inventory_selinux,
+    "check_function"            : check_selinux,
+    "has_perfdata"              : False,
+    "service_description"       : "SELinux status",
+    "default_levels_variable"   : "selinux_default_levels",
+    'group':                    'selinux',
+}

web/plugins/wato/selinux_check_parameters.py

@@ -0,0 +1,30 @@
+#!/usr/bin/python
+# -*- encoding: utf-8; py-indent-offset: 4 -*-
+# 2018 Marius Pana <mp@spearhead.systems>
+
+register_check_parameters(
+    subgroup_os,
+    "selinux",
+    _("SELinux"),
+    Dictionary(
+        elements = [
+            ( "modedisabled",
+               MonitoringState(
+                  title = _("State when SELinux is disabled"),
+                  default_value = 2,
+            )),
+            ( "curmodepermissive",
+               MonitoringState(
+                  title = _("State when SELinux current mode is permissive"),
+                  default_value = 1,
+            )),
+            ( "filemodepermissive",
+               MonitoringState(
+                  title = _("State when SELinux file mode is permissive"),
+                  default_value = 2,
+            )),
+        ]
+    ),
+    None,
+    match_type = "dict",
+)