blueness 11/06/30 10:04:18 |
|
Added: fix-services-zabbix-r1.patch |
Log: |
Make sure zabbix agent works, bump to EAPI=4 |
|
(Portage version: 2.1.9.42/cvs/Linux x86_64) |
|
Revision Changes Path |
1.1 sec-policy/selinux-zabbix/files/fix-services-zabbix-r1.patch |
|
file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/sec-policy/selinux-zabbix/files/fix-services-zabbix-r1.patch?rev=1.1&view=markup |
plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/sec-policy/selinux-zabbix/files/fix-services-zabbix-r1.patch?rev=1.1&content-type=text/plain |
|
Index: fix-services-zabbix-r1.patch |
=================================================================== |
--- services/zabbix.te 2010-12-13 15:11:02.000000000 +0100 |
18 |
+++ services/zabbix.te 2011-06-13 11:44:56.271000342 +0200 |
19 |
@@ -9,9 +9,16 @@ |
20 |
type zabbix_exec_t; |
21 |
init_daemon_domain(zabbix_t, zabbix_exec_t) |
22 |
|
23 |
+type zabbix_agent_t; |
24 |
+type zabbix_agent_exec_t; |
25 |
+init_daemon_domain(zabbix_agent_t, zabbix_agent_exec_t) |
26 |
+ |
27 |
type zabbix_initrc_exec_t; |
28 |
init_script_file(zabbix_initrc_exec_t) |
29 |
|
30 |
+type zabbix_agent_initrc_exec_t; |
31 |
+init_script_file(zabbix_agent_initrc_exec_t) |
32 |
+ |
33 |
# log files |
34 |
type zabbix_log_t; |
35 |
logging_log_file(zabbix_log_t) |
36 |
@@ -20,6 +27,9 @@ |
37 |
type zabbix_var_run_t; |
38 |
files_pid_file(zabbix_var_run_t) |
39 |
|
40 |
+type zabbix_tmpfs_t; |
41 |
+files_tmpfs_file(zabbix_tmpfs_t); |
42 |
+ |
43 |
######################################## |
44 |
# |
45 |
# zabbix local policy |
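Review bot: The trailing semicolon on `files_tmpfs_file(zabbix_tmpfs_t);` is inconsistent with every other interface call in this patch (`files_pid_file(zabbix_var_run_t)` two lines above has none); refpolicy interface calls are m4 macros and are conventionally written without one. Change the line to `files_tmpfs_file(zabbix_tmpfs_t)`. checkpolicy accepts a stray `;`, so this is a style point rather than a build break, but it reads as a copy from an `allow` rule and will stand out in a refpolicy-style review.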
46 |
@@ -27,7 +37,11 @@ |
47 |
|
48 |
allow zabbix_t self:capability { setuid setgid }; |
49 |
allow zabbix_t self:fifo_file rw_file_perms; |
50 |
+allow zabbix_t self:process { setsched getsched signal }; |
51 |
allow zabbix_t self:unix_stream_socket create_stream_socket_perms; |
52 |
+allow zabbix_t self:sem { create unix_write unix_read read write associate destroy }; #mutex requirement for log file |
53 |
+allow zabbix_t self:shm create_shm_perms; |
54 |
+allow zabbix_t self:tcp_socket create_stream_socket_perms; |
55 |
|
56 |
# log files |
57 |
allow zabbix_t zabbix_log_t:dir setattr; |
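Review bot: `allow zabbix_t self:tcp_socket create_stream_socket_perms;` gives the server the socket-object side of TCP listening, but nothing in this patch grants the network-object side that refpolicy daemons binding a port normally carry: `corenet_all_recvfrom_unlabeled(zabbix_t)`, `corenet_tcp_sendrecv_generic_if(zabbix_t)` and `corenet_tcp_sendrecv_generic_node(zabbix_t)`. On a base policy that enforces netif/node checks, the `corenet_tcp_bind_zabbix_port(zabbix_t)` added further down this patch can succeed while actual traffic is denied; whether that happens here depends on the base `corenet` module, which is outside the hunk, so confirm against the audit log in permissive mode before enforcing. The `zabbix_t` local policy section continues past this hunk.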
58 |
@@ -39,14 +53,81 @@ |
59 |
manage_files_pattern(zabbix_t, zabbix_var_run_t, zabbix_var_run_t) |
60 |
files_pid_filetrans(zabbix_t, zabbix_var_run_t, { dir file }) |
61 |
|
62 |
+sysnet_dns_name_resolve(zabbix_t) |
63 |
+ |
64 |
+fs_tmpfs_filetrans(zabbix_t, zabbix_tmpfs_t, { dir file }) |
65 |
+manage_files_pattern(zabbix_t, tmpfs_t, zabbix_tmpfs_t) |
66 |
+ |
67 |
+# configuration file |
68 |
files_read_etc_files(zabbix_t) |
69 |
|
70 |
miscfiles_read_localization(zabbix_t) |
71 |
+corenet_tcp_bind_generic_node(zabbix_t) |
72 |
+corenet_tcp_bind_zabbix_port(zabbix_t) |
73 |
+ |
74 |
+gentoo_zabbix_agent_tcp_connect(zabbix_t) |
75 |
|
76 |
optional_policy(` |
77 |
+ # Support MySQL connectivity both local (stream) and through network (tcp) |
78 |
mysql_stream_connect(zabbix_t) |
79 |
+ mysql_tcp_connect(zabbix_t) |
80 |
') |
81 |
|
82 |
optional_policy(` |
83 |
postgresql_stream_connect(zabbix_t) |
84 |
') |
85 |
+ |
86 |
+######################################## |
87 |
+# |
88 |
+# zabbix agent local policy |
89 |
+# |
90 |
+ |
91 |
+allow zabbix_agent_t self:capability { setuid setgid }; |
92 |
+allow zabbix_agent_t self:process { setsched getsched signal }; |
93 |
+allow zabbix_agent_t self:fifo_file rw_file_perms; |
94 |
+allow zabbix_agent_t self:unix_stream_socket create_stream_socket_perms; |
95 |
+allow zabbix_agent_t self:sem { create unix_write unix_read read write associate destroy }; #mutex requirement for log file |
96 |
+allow zabbix_agent_t self:tcp_socket create_stream_socket_perms; |
97 |
+allow zabbix_agent_t self:shm create_shm_perms; |
98 |
+ |
99 |
+## Rules relating to the objects managed by this policy file |
100 |
+# Logging access |
101 |
+filetrans_pattern(zabbix_agent_t, zabbix_log_t, zabbix_log_t, file) |
102 |
+manage_files_pattern(zabbix_agent_t, zabbix_log_t, zabbix_log_t) |
103 |
+# PID file management |
104 |
+manage_files_pattern(zabbix_agent_t, zabbix_var_run_t, zabbix_var_run_t) |
105 |
+files_pid_filetrans(zabbix_agent_t, zabbix_var_run_t, file) |
106 |
+# Port access |
107 |
+gentoo_zabbix_tcp_connect(zabbix_agent_t) |
108 |
+# Shared memory |
109 |
+rw_files_pattern(zabbix_agent_t, zabbix_tmpfs_t, zabbix_tmpfs_t) |
110 |
+fs_tmpfs_filetrans(zabbix_agent_t, zabbix_tmpfs_t, file) |
111 |
+ |
112 |
+## kernel layer module calls |
113 |
+kernel_read_all_sysctls(zabbix_agent_t) |
114 |
+kernel_read_system_state(zabbix_agent_t) |
115 |
+#corecmd_exec_bin(zabbix_agent_t) |
116 |
+#corecmd_exec_shell(zabbix_agent_t) |
117 |
+corecmd_read_all_executables(zabbix_agent_t) |
118 |
+corenet_tcp_bind_generic_node(zabbix_agent_t) |
119 |
+corenet_tcp_bind_zabbix_agent_port(zabbix_agent_t) |
120 |
+corenet_tcp_connect_ssh_port(zabbix_agent_t) # Agent supports ssh connectivity tests |
121 |
+corenet_tcp_connect_zabbix_port(zabbix_agent_t) |
122 |
+dev_getattr_all_blk_files(zabbix_agent_t) |
123 |
+dev_getattr_all_chr_files(zabbix_agent_t) |
124 |
+domain_search_all_domains_state(zabbix_agent_t) |
125 |
+files_read_all_symlinks(zabbix_agent_t) |
126 |
+files_read_etc_files(zabbix_agent_t) |
127 |
+files_getattr_all_dirs(zabbix_agent_t) |
128 |
+files_getattr_all_files(zabbix_agent_t) |
129 |
+fs_getattr_all_fs(zabbix_agent_t) |
130 |
+ |
131 |
+## system layer module calls |
132 |
+#hostname_exec(zabbix_agent_t) |
133 |
+init_read_utmp(zabbix_agent_t) |
134 |
+logging_search_logs(zabbix_agent_t) |
135 |
+miscfiles_read_localization(zabbix_agent_t) |
136 |
+sysnet_dns_name_resolve(zabbix_agent_t) |
137 |
+ |
138 |
+## other modules |
139 |
+#ssh_exec(zabbix_agent_t) |
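Review bot: `manage_files_pattern(zabbix_t, tmpfs_t, zabbix_tmpfs_t)` names `tmpfs_t` directly, and no `gen_require` block in this patch brings that type into scope, which a modular build of the policy will reject unless one exists elsewhere in the file; the agent-side rule `rw_files_pattern(zabbix_agent_t, zabbix_tmpfs_t, zabbix_tmpfs_t)` suggests `zabbix_tmpfs_t` was meant for the directory argument too, i.e. `manage_files_pattern(zabbix_t, zabbix_tmpfs_t, zabbix_tmpfs_t)`. Likewise the server's `fs_tmpfs_filetrans(zabbix_t, zabbix_tmpfs_t, { dir file })` allows directory transitions while only file management is granted, so either add `manage_dirs_pattern(zabbix_t, zabbix_tmpfs_t, zabbix_tmpfs_t)` or narrow the transition to `file` as is done for the agent. The commented-out `corecmd_exec_bin`, `corecmd_exec_shell`, `hostname_exec` and `ssh_exec` lines leave the agent unable to run external commands without recording why; since those grants would let the agent execute whatever its configuration names, if this is meant to be an administrator choice, declare a boolean with `gen_tunable` and wrap the exec interfaces in a `tunable_policy` block with a comment stating the trade-off, rather than leaving dead lines. The blanket `files_getattr_all_files`, `files_read_all_symlinks`, `kernel_read_all_sysctls` and `domain_search_all_domains_state` grants are consistent with a monitoring agent but deserve a one-line comment each naming the item type that needs them, so later reviewers do not treat them as accidental over-grants.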
140 |
--- services/zabbix.fc 2010-08-03 15:11:09.000000000 +0200 |
141 |
+++ services/zabbix.fc 2011-06-12 20:12:49.376002444 +0200 |
142 |
@@ -1,6 +1,8 @@ |
143 |
/etc/rc\.d/init\.d/zabbix -- gen_context(system_u:object_r:zabbix_initrc_exec_t,s0) |
144 |
+/etc/rc\.d/init\.d/zabbix-agentd -- gen_context(system_u:object_r:zabbix_agent_initrc_exec_t,s0) |
145 |
|
146 |
-/usr/bin/zabbix_server -- gen_context(system_u:object_r:zabbix_exec_t,s0) |
147 |
+/usr/(s)?bin/zabbix_server -- gen_context(system_u:object_r:zabbix_exec_t,s0) |
148 |
+/usr/(s)?bin/zabbix_agentd -- gen_context(system_u:object_r:zabbix_agent_exec_t,s0) |
149 |
|
150 |
/var/log/zabbix(/.*)? gen_context(system_u:object_r:zabbix_log_t,s0) |