2011-06-13 10:22:16

by sven.vermeulen

Subject: [refpolicy] [PATCH 4/7] Support different domain for zabbix agent (start with skeleton)

On Mon, Jun 13, 2011 at 10:31:36AM +0200, Sven Vermeulen wrote:
> The zabbix agent should be confined within its own domain. We start with the
> definition of a small(er) skeleton to work from. This includes proper file
> context definitions, standard interdomain privileges (which are quite
> similar to those of the server) and the proper log- and pid access
> privileges.

As with PATCH 2/7, we do not need the dir support in fs_tmpfs_filetrans
here; the patch is updated to include only the file-based transition.

Signed-off-by: Sven Vermeulen <[email protected]>
---
policy/modules/services/zabbix.fc | 4 +++-
policy/modules/services/zabbix.te | 35 +++++++++++++++++++++++++++++++++++
2 files changed, 38 insertions(+), 1 deletions(-)

diff --git a/policy/modules/services/zabbix.fc b/policy/modules/services/zabbix.fc
index 3102286..125529a 100644
--- a/policy/modules/services/zabbix.fc
+++ b/policy/modules/services/zabbix.fc
@@ -1,6 +1,8 @@
/etc/rc\.d/init\.d/zabbix -- gen_context(system_u:object_r:zabbix_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/zabbix-agentd -- gen_context(system_u:object_r:zabbix_agent_initrc_exec_t,s0)

-/usr/bin/zabbix_server -- gen_context(system_u:object_r:zabbix_exec_t,s0)
+/usr/(s)?bin/zabbix_server -- gen_context(system_u:object_r:zabbix_exec_t,s0)
+/usr/(s)?bin/zabbix_agentd -- gen_context(system_u:object_r:zabbix_agent_exec_t,s0)

/var/log/zabbix(/.*)? gen_context(system_u:object_r:zabbix_log_t,s0)
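Review bot: The removed/added pair in the middle of the hunk also changes the existing server labeling from `/usr/bin/zabbix_server` to `/usr/(s)?bin/zabbix_server`, which is a change to the server's file context that the commit message (it only describes the agent skeleton) does not mention. If the sbin location is needed for some distributions, say so in the description or move that one line into its own patch so the relabel can be reviewed on its own. The two agent entries themselves match the zabbix_agent_exec_t and zabbix_agent_initrc_exec_t types declared in zabbix.te.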

diff --git a/policy/modules/services/zabbix.te b/policy/modules/services/zabbix.te
index 839422c..83bb522 100644
--- a/policy/modules/services/zabbix.te
+++ b/policy/modules/services/zabbix.te
@@ -9,9 +9,16 @@ type zabbix_t;
type zabbix_exec_t;
init_daemon_domain(zabbix_t, zabbix_exec_t)

+type zabbix_agent_t;
+type zabbix_agent_exec_t;
+init_daemon_domain(zabbix_agent_t, zabbix_agent_exec_t)
+
type zabbix_initrc_exec_t;
init_script_file(zabbix_initrc_exec_t)

+type zabbix_agent_initrc_exec_t;
+init_script_file(zabbix_agent_initrc_exec_t)
+
# log files
type zabbix_log_t;
logging_log_file(zabbix_log_t)
@@ -65,3 +72,31 @@ optional_policy(`
optional_policy(`
postgresql_stream_connect(zabbix_t)
')
+
+########################################
+#
+# zabbix agent local policy
+#
+
+allow zabbix_agent_t self:capability { setuid setgid };
+allow zabbix_agent_t self:process { setsched getsched signal };
+allow zabbix_agent_t self:fifo_file rw_file_perms;
+allow zabbix_agent_t self:unix_stream_socket create_stream_socket_perms;
+allow zabbix_agent_t self:sem create_sem_perms;
+allow zabbix_agent_t self:tcp_socket create_stream_socket_perms;
+allow zabbix_agent_t self:shm create_shm_perms;
+
+## Rules relating to the objects managed by this policy file
+# Logging access
+filetrans_pattern(zabbix_agent_t, zabbix_log_t, zabbix_log_t, file)
+manage_files_pattern(zabbix_agent_t, zabbix_log_t, zabbix_log_t)
+# PID file management
+manage_files_pattern(zabbix_agent_t, zabbix_var_run_t, zabbix_var_run_t)
+files_pid_filetrans(zabbix_agent_t, zabbix_var_run_t, file)
+# Shared memory
+rw_files_pattern(zabbix_agent_t, zabbix_tmpfs_t, zabbix_tmpfs_t)
+fs_tmpfs_filetrans(zabbix_agent_t, zabbix_tmpfs_t, file)
+
+## kernel layer module calls
+
+## system layer module calls
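Review bot: The rules under "Rules relating to the objects managed by this policy file" give zabbix_agent_t manage access to zabbix_log_t and zabbix_var_run_t and read/write access to zabbix_tmpfs_t, the same types the server domain uses, so the new domain does not actually separate the agent's files from the server's: a misbehaving or compromised agent can rewrite or truncate the server's logs and pid file. Since this is intended as a skeleton, dedicated agent types (illustrative names below: zabbix_agent_log_t, zabbix_agent_var_run_t, zabbix_agent_tmpfs_t, declared next to the other agent types at the top of zabbix.te) would keep the two daemons apart; the rewritten rules follow. Separately, `rw_files_pattern` does not grant `create`, so the `fs_tmpfs_filetrans` on the line after it only takes effect if create on the tmpfs type is granted elsewhere; `manage_files_pattern` is the usual pairing with a file transition. The `##` prefix on the section comments is, as far as I recall, what the refpolicy documentation tooling scans for, so plain `#` is the safer choice for in-policy commentary.
```selinux
# … unchanged: self:capability / self:process / self:*_socket / self:sem / self:shm rules …

# Logging access (agent-specific type keeps server logs out of reach)
filetrans_pattern(zabbix_agent_t, zabbix_agent_log_t, zabbix_agent_log_t, file)
manage_files_pattern(zabbix_agent_t, zabbix_agent_log_t, zabbix_agent_log_t)
# PID file management
manage_files_pattern(zabbix_agent_t, zabbix_agent_var_run_t, zabbix_agent_var_run_t)
files_pid_filetrans(zabbix_agent_t, zabbix_agent_var_run_t, file)
# Shared memory: manage rather than rw, since the transition implies file creation
manage_files_pattern(zabbix_agent_t, zabbix_agent_tmpfs_t, zabbix_agent_tmpfs_t)
fs_tmpfs_filetrans(zabbix_agent_t, zabbix_agent_tmpfs_t, file)
```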
--
1.7.3.4