
From: "Anthony G. Basile (blueness)" <blueness@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] gentoo-x86 commit in sec-policy/selinux-zabbix/files: fix-services-zabbix-r1.patch
Date: Thu, 30 Jun 2011 10:04:29
Message-Id: 20110630100418.BAAC120057@flycatcher.gentoo.org
1 blueness 11/06/30 10:04:18
2
3 Added: fix-services-zabbix-r1.patch
4 Log:
5 Make sure zabbix agent works, bump to EAPI=4
6
7 (Portage version: 2.1.9.42/cvs/Linux x86_64)
8
9 Revision Changes Path
10 1.1 sec-policy/selinux-zabbix/files/fix-services-zabbix-r1.patch
15 Index: fix-services-zabbix-r1.patch
16 ===================================================================
17 --- services/zabbix.te 2010-12-13 15:11:02.000000000 +0100
18 +++ services/zabbix.te 2011-06-13 11:44:56.271000342 +0200
19 @@ -9,9 +9,16 @@
20 type zabbix_exec_t;
21 init_daemon_domain(zabbix_t, zabbix_exec_t)
22
23 +type zabbix_agent_t;
24 +type zabbix_agent_exec_t;
25 +init_daemon_domain(zabbix_agent_t, zabbix_agent_exec_t)
26 +
27 type zabbix_initrc_exec_t;
28 init_script_file(zabbix_initrc_exec_t)
29
30 +type zabbix_agent_initrc_exec_t;
31 +init_script_file(zabbix_agent_initrc_exec_t)
32 +
33 # log files
34 type zabbix_log_t;
35 logging_log_file(zabbix_log_t)
36 @@ -20,6 +27,9 @@
37 type zabbix_var_run_t;
38 files_pid_file(zabbix_var_run_t)
39
40 +type zabbix_tmpfs_t;
41 +files_tmpfs_file(zabbix_tmpfs_t);
42 +
43 ########################################
44 #
45 # zabbix local policy
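Review bot: `files_tmpfs_file(zabbix_tmpfs_t);` carries a trailing semicolon that none of the other interface calls in this file have; refpolicy interfaces are m4 macros and are invoked without one. checkpolicy appears to accept an empty statement, so this looks like a style point rather than a build break, but it should read `files_tmpfs_file(zabbix_tmpfs_t)` to match the surrounding type declarations.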
46 @@ -27,7 +37,11 @@
47
48 allow zabbix_t self:capability { setuid setgid };
49 allow zabbix_t self:fifo_file rw_file_perms;
50 +allow zabbix_t self:process { setsched getsched signal };
51 allow zabbix_t self:unix_stream_socket create_stream_socket_perms;
52 +allow zabbix_t self:sem { create unix_write unix_read read write associate destroy }; #mutex requirement for log file
53 +allow zabbix_t self:shm create_shm_perms;
54 +allow zabbix_t self:tcp_socket create_stream_socket_perms;
55
56 # log files
57 allow zabbix_t zabbix_log_t:dir setattr;
58 @@ -39,14 +53,81 @@
59 manage_files_pattern(zabbix_t, zabbix_var_run_t, zabbix_var_run_t)
60 files_pid_filetrans(zabbix_t, zabbix_var_run_t, { dir file })
61
62 +sysnet_dns_name_resolve(zabbix_t)
63 +
64 +fs_tmpfs_filetrans(zabbix_t, zabbix_tmpfs_t, { dir file })
65 +manage_files_pattern(zabbix_t, tmpfs_t, zabbix_tmpfs_t)
66 +
67 +# configuration file
68 files_read_etc_files(zabbix_t)
69
70 miscfiles_read_localization(zabbix_t)
71 +corenet_tcp_bind_generic_node(zabbix_t)
72 +corenet_tcp_bind_zabbix_port(zabbix_t)
73 +
74 +gentoo_zabbix_agent_tcp_connect(zabbix_t)
75
76 optional_policy(`
77 + # Support MySQL connectivity both local (stream) and through network (tcp)
78 mysql_stream_connect(zabbix_t)
79 + mysql_tcp_connect(zabbix_t)
80 ')
81
82 optional_policy(`
83 postgresql_stream_connect(zabbix_t)
84 ')
85 +
86 +########################################
87 +#
88 +# zabbix agent local policy
89 +#
90 +
91 +allow zabbix_agent_t self:capability { setuid setgid };
92 +allow zabbix_agent_t self:process { setsched getsched signal };
93 +allow zabbix_agent_t self:fifo_file rw_file_perms;
94 +allow zabbix_agent_t self:unix_stream_socket create_stream_socket_perms;
95 +allow zabbix_agent_t self:sem { create unix_write unix_read read write associate destroy }; #mutex requirement for log file
96 +allow zabbix_agent_t self:tcp_socket create_stream_socket_perms;
97 +allow zabbix_agent_t self:shm create_shm_perms;
98 +
99 +## Rules relating to the objects managed by this policy file
100 +# Logging access
101 +filetrans_pattern(zabbix_agent_t, zabbix_log_t, zabbix_log_t, file)
102 +manage_files_pattern(zabbix_agent_t, zabbix_log_t, zabbix_log_t)
103 +# PID file management
104 +manage_files_pattern(zabbix_agent_t, zabbix_var_run_t, zabbix_var_run_t)
105 +files_pid_filetrans(zabbix_agent_t, zabbix_var_run_t, file)
106 +# Port access
107 +gentoo_zabbix_tcp_connect(zabbix_agent_t)
108 +# Shared memory
109 +rw_files_pattern(zabbix_agent_t, zabbix_tmpfs_t, zabbix_tmpfs_t)
110 +fs_tmpfs_filetrans(zabbix_agent_t, zabbix_tmpfs_t, file)
111 +
112 +## kernel layer module calls
113 +kernel_read_all_sysctls(zabbix_agent_t)
114 +kernel_read_system_state(zabbix_agent_t)
115 +#corecmd_exec_bin(zabbix_agent_t)
116 +#corecmd_exec_shell(zabbix_agent_t)
117 +corecmd_read_all_executables(zabbix_agent_t)
118 +corenet_tcp_bind_generic_node(zabbix_agent_t)
119 +corenet_tcp_bind_zabbix_agent_port(zabbix_agent_t)
120 +corenet_tcp_connect_ssh_port(zabbix_agent_t) # Agent supports ssh connectivity tests
121 +corenet_tcp_connect_zabbix_port(zabbix_agent_t)
122 +dev_getattr_all_blk_files(zabbix_agent_t)
123 +dev_getattr_all_chr_files(zabbix_agent_t)
124 +domain_search_all_domains_state(zabbix_agent_t)
125 +files_read_all_symlinks(zabbix_agent_t)
126 +files_read_etc_files(zabbix_agent_t)
127 +files_getattr_all_dirs(zabbix_agent_t)
128 +files_getattr_all_files(zabbix_agent_t)
129 +fs_getattr_all_fs(zabbix_agent_t)
130 +
131 +## system layer module calls
132 +#hostname_exec(zabbix_agent_t)
133 +init_read_utmp(zabbix_agent_t)
134 +logging_search_logs(zabbix_agent_t)
135 +miscfiles_read_localization(zabbix_agent_t)
136 +sysnet_dns_name_resolve(zabbix_agent_t)
137 +
138 +## other modules
139 +#ssh_exec(zabbix_agent_t)
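Review bot: `manage_files_pattern(zabbix_t, tmpfs_t, zabbix_tmpfs_t)` names `tmpfs_t` directly, a type owned by the kernel filesystem module; in a modular build that type would normally need a `gen_require` block to be in scope here, and refpolicy layering expects the `fs_*` interfaces to be used instead of raw types from another module. Since the server already has `fs_tmpfs_filetrans(zabbix_t, zabbix_tmpfs_t, { dir file })`, the line should become `manage_files_pattern(zabbix_t, zabbix_tmpfs_t, zabbix_tmpfs_t)`, with `manage_dirs_pattern(zabbix_t, zabbix_tmpfs_t, zabbix_tmpfs_t)` added if it really creates directories there as the `dir` transition implies. On the agent side, `fs_tmpfs_filetrans(zabbix_agent_t, zabbix_tmpfs_t, file)` is paired only with `rw_files_pattern`, which grants no `create`, so that transition can never take effect unless the agent only opens segments something else created; if it creates its own, it needs `manage_files_pattern` as well. Finally, the agent is given full manage rights on the same `zabbix_log_t`, `zabbix_var_run_t` and `zabbix_tmpfs_t` types as the server domain, so on a host running both a compromised agent can rewrite the server's log and PID file; separate `zabbix_agent_log_t` / `zabbix_agent_var_run_t` types would keep the two domains isolated, and a comment such as `# UserParameter/remote commands deliberately not granted (corecmd_exec_*)` above the commented-out exec lines would record that the omission is intentional.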
140 --- services/zabbix.fc 2010-08-03 15:11:09.000000000 +0200
141 +++ services/zabbix.fc 2011-06-12 20:12:49.376002444 +0200
142 @@ -1,6 +1,8 @@
143 /etc/rc\.d/init\.d/zabbix -- gen_context(system_u:object_r:zabbix_initrc_exec_t,s0)
144 +/etc/rc\.d/init\.d/zabbix-agentd -- gen_context(system_u:object_r:zabbix_agent_initrc_exec_t,s0)
145
146 -/usr/bin/zabbix_server -- gen_context(system_u:object_r:zabbix_exec_t,s0)
147 +/usr/(s)?bin/zabbix_server -- gen_context(system_u:object_r:zabbix_exec_t,s0)
148 +/usr/(s)?bin/zabbix_agentd -- gen_context(system_u:object_r:zabbix_agent_exec_t,s0)
149
150 /var/log/zabbix(/.*)? gen_context(system_u:object_r:zabbix_log_t,s0)