* [gentoo-commits] gentoo-x86 commit in sec-policy/selinux-zabbix/files: fix-services-zabbix-r1.patch
@ 2011-06-30 10:04 Anthony G. Basile (blueness)
  0 siblings, 0 replies; 2+ messages in thread
From: Anthony G. Basile (blueness) @ 2011-06-30 10:04 UTC (permalink / raw
  To: gentoo-commits

blueness    11/06/30 10:04:18

  Added:                fix-services-zabbix-r1.patch
  Log:
  Make sure zabbix agent works, bump to EAPI=4
  
  (Portage version: 2.1.9.42/cvs/Linux x86_64)

Revision  Changes    Path
1.1                  sec-policy/selinux-zabbix/files/fix-services-zabbix-r1.patch

file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/sec-policy/selinux-zabbix/files/fix-services-zabbix-r1.patch?rev=1.1&view=markup
plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/sec-policy/selinux-zabbix/files/fix-services-zabbix-r1.patch?rev=1.1&content-type=text/plain

Index: fix-services-zabbix-r1.patch
===================================================================
--- services/zabbix.te	2010-12-13 15:11:02.000000000 +0100
+++ services/zabbix.te	2011-06-13 11:44:56.271000342 +0200
@@ -9,9 +9,16 @@
 type zabbix_exec_t;
 init_daemon_domain(zabbix_t, zabbix_exec_t)
 
+type zabbix_agent_t;
+type zabbix_agent_exec_t;
+init_daemon_domain(zabbix_agent_t, zabbix_agent_exec_t)
+
 type zabbix_initrc_exec_t;
 init_script_file(zabbix_initrc_exec_t)
 
+type zabbix_agent_initrc_exec_t;
+init_script_file(zabbix_agent_initrc_exec_t)
+
 # log files
 type zabbix_log_t;
 logging_log_file(zabbix_log_t)
@@ -20,6 +27,9 @@
 type zabbix_var_run_t;
 files_pid_file(zabbix_var_run_t)
 
+type zabbix_tmpfs_t;
+files_tmpfs_file(zabbix_tmpfs_t);
+
 ########################################
 #
 # zabbix local policy
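Review bot: `files_tmpfs_file(zabbix_tmpfs_t);` carries a trailing semicolon that no other interface call in this file has; the interface already expands to terminated rules, so the `;` is at best a stray empty statement after m4 expansion, and whether checkmodule tolerates it is worth confirming rather than relying on. Dropping it costs nothing: `files_tmpfs_file(zabbix_tmpfs_t)`.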
@@ -27,7 +37,11 @@
 
 allow zabbix_t self:capability { setuid setgid };
 allow zabbix_t self:fifo_file rw_file_perms;
+allow zabbix_t self:process { setsched getsched signal };
 allow zabbix_t self:unix_stream_socket create_stream_socket_perms;
+allow zabbix_t self:sem { create unix_write unix_read read write associate destroy }; #mutex requirement for log file
+allow zabbix_t self:shm create_shm_perms;
+allow zabbix_t self:tcp_socket create_stream_socket_perms;
 
 # log files
 allow zabbix_t zabbix_log_t:dir setattr;
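Review bot: The new `sem` rule spells out its permission list by hand while the adjacent `shm` rule uses the `create_shm_perms` set, and the same hand-written list is repeated for `zabbix_agent_t` in a later hunk of this patch. If this policy's obj_perm_sets.spt defines `create_sem_perms` (upstream refpolicy does), `allow zabbix_t self:sem create_sem_perms;` keeps the two lines in one style and shrinks the duplication. The trailing `#mutex requirement for log file` comment would also sit better on its own line above the rule, which is how the file comments its other rules (`# log files`, `# configuration file`).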
@@ -39,14 +53,81 @@
 manage_files_pattern(zabbix_t, zabbix_var_run_t, zabbix_var_run_t)
 files_pid_filetrans(zabbix_t, zabbix_var_run_t, { dir file })
 
+sysnet_dns_name_resolve(zabbix_t)
+
+fs_tmpfs_filetrans(zabbix_t, zabbix_tmpfs_t, { dir file })
+manage_files_pattern(zabbix_t, tmpfs_t, zabbix_tmpfs_t)
+
+# configuration file
 files_read_etc_files(zabbix_t)
 
 miscfiles_read_localization(zabbix_t)
+corenet_tcp_bind_generic_node(zabbix_t)
+corenet_tcp_bind_zabbix_port(zabbix_t)
+
+gentoo_zabbix_agent_tcp_connect(zabbix_t)
 
 optional_policy(`
+	# Support MySQL connectivity both local (stream) and through network (tcp)
 	mysql_stream_connect(zabbix_t)
+	mysql_tcp_connect(zabbix_t)
 ')
 
 optional_policy(`
 	postgresql_stream_connect(zabbix_t)
 ')
+
+########################################
+#
+# zabbix agent local policy
+#
+
+allow zabbix_agent_t self:capability { setuid setgid };
+allow zabbix_agent_t self:process { setsched getsched signal };
+allow zabbix_agent_t self:fifo_file rw_file_perms;
+allow zabbix_agent_t self:unix_stream_socket create_stream_socket_perms;
+allow zabbix_agent_t self:sem { create unix_write unix_read read write associate destroy }; #mutex requirement for log file
+allow zabbix_agent_t self:tcp_socket create_stream_socket_perms;
+allow zabbix_agent_t self:shm create_shm_perms;
+
+## Rules relating to the objects managed by this policy file
+# Logging access
+filetrans_pattern(zabbix_agent_t, zabbix_log_t, zabbix_log_t, file)
+manage_files_pattern(zabbix_agent_t, zabbix_log_t, zabbix_log_t)
+# PID file management
+manage_files_pattern(zabbix_agent_t, zabbix_var_run_t, zabbix_var_run_t)
+files_pid_filetrans(zabbix_agent_t, zabbix_var_run_t, file)
+# Port access
+gentoo_zabbix_tcp_connect(zabbix_agent_t) 
+# Shared memory
+rw_files_pattern(zabbix_agent_t, zabbix_tmpfs_t, zabbix_tmpfs_t)
+fs_tmpfs_filetrans(zabbix_agent_t, zabbix_tmpfs_t, file)
+
+## kernel layer module calls
+kernel_read_all_sysctls(zabbix_agent_t)
+kernel_read_system_state(zabbix_agent_t)
+#corecmd_exec_bin(zabbix_agent_t)
+#corecmd_exec_shell(zabbix_agent_t)
+corecmd_read_all_executables(zabbix_agent_t)
+corenet_tcp_bind_generic_node(zabbix_agent_t)
+corenet_tcp_bind_zabbix_agent_port(zabbix_agent_t)
+corenet_tcp_connect_ssh_port(zabbix_agent_t) # Agent supports ssh connectivity tests
+corenet_tcp_connect_zabbix_port(zabbix_agent_t)
+dev_getattr_all_blk_files(zabbix_agent_t)
+dev_getattr_all_chr_files(zabbix_agent_t)
+domain_search_all_domains_state(zabbix_agent_t)
+files_read_all_symlinks(zabbix_agent_t)
+files_read_etc_files(zabbix_agent_t)
+files_getattr_all_dirs(zabbix_agent_t)
+files_getattr_all_files(zabbix_agent_t)
+fs_getattr_all_fs(zabbix_agent_t)
+
+## system layer module calls
+#hostname_exec(zabbix_agent_t)
+init_read_utmp(zabbix_agent_t)
+logging_search_logs(zabbix_agent_t)
+miscfiles_read_localization(zabbix_agent_t) 
+sysnet_dns_name_resolve(zabbix_agent_t)
+
+## other modules
+#ssh_exec(zabbix_agent_t)
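Review bot: `manage_files_pattern(zabbix_t, tmpfs_t, zabbix_tmpfs_t)` names the filesystem module's `tmpfs_t` directly instead of going through an interface, and the matching `fs_tmpfs_filetrans(zabbix_t, zabbix_tmpfs_t, { dir file })` transitions directories to `zabbix_tmpfs_t` while no visible rule grants `zabbix_t` any dir permission on that type, so the dir half of the transition cannot actually be used; the agent section already uses `zabbix_tmpfs_t` as the directory type, so the server should match with `manage_dirs_pattern(zabbix_t, zabbix_tmpfs_t, zabbix_tmpfs_t)` and `manage_files_pattern(zabbix_t, zabbix_tmpfs_t, zabbix_tmpfs_t)`. `gentoo_zabbix_agent_tcp_connect` and `gentoo_zabbix_tcp_connect` are not defined in this file, and the agent is additionally given `corenet_tcp_connect_zabbix_port`, which looks like the same permission granted twice; a comment naming the module that provides the `gentoo_*` interfaces, or dropping the duplicate, would help the next reader. The commented-out `corecmd_exec_bin`, `corecmd_exec_shell`, `hostname_exec` and `ssh_exec` calls give no reason for being disabled; a one-line comment per call stating why it is off (and whether it is expected to be needed for user parameters) would avoid guesswork later. `gentoo_zabbix_tcp_connect(zabbix_agent_t)` and `miscfiles_read_localization(zabbix_agent_t)` also carry trailing whitespace.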
--- services/zabbix.fc	2010-08-03 15:11:09.000000000 +0200
+++ services/zabbix.fc	2011-06-12 20:12:49.376002444 +0200
@@ -1,6 +1,8 @@
 /etc/rc\.d/init\.d/zabbix --	gen_context(system_u:object_r:zabbix_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/zabbix-agentd --	gen_context(system_u:object_r:zabbix_agent_initrc_exec_t,s0)
 
-/usr/bin/zabbix_server	--	gen_context(system_u:object_r:zabbix_exec_t,s0)
+/usr/(s)?bin/zabbix_server	--	gen_context(system_u:object_r:zabbix_exec_t,s0)
+/usr/(s)?bin/zabbix_agentd	--	gen_context(system_u:object_r:zabbix_agent_exec_t,s0)
 
 /var/log/zabbix(/.*)?		gen_context(system_u:object_r:zabbix_log_t,s0)
 
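Review bot: The `(s)?` in `/usr/(s)?bin/zabbix_server` and `/usr/(s)?bin/zabbix_agentd` is a capturing group around a single optional character; `/usr/s?bin/zabbix_agentd` expresses the same match more directly and is the usual form in file-context files. The agent's `files_pid_filetrans` and `zabbix_log_t` rules in the .te hunk rely on the existing `/var/log/zabbix(/.*)?` entry and on whatever pid-file entry the unchanged part of this file has; if `zabbix_agentd` writes under a path of its own, a matching file context is still missing here.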







* [gentoo-commits] gentoo-x86 commit in sec-policy/selinux-zabbix/files: fix-services-zabbix-r1.patch
@ 2011-11-12 20:53 Sven Vermeulen (swift)
  0 siblings, 0 replies; 2+ messages in thread
From: Sven Vermeulen (swift) @ 2011-11-12 20:53 UTC (permalink / raw
  To: gentoo-commits

swift       11/11/12 20:53:50

  Removed:              fix-services-zabbix-r1.patch
  Log:
  Removing the SELinux 2.20101213 policies
  
  (Portage version: 2.1.10.11/cvs/Linux x86_64)



