From: sven.vermeulen@siphos.be (Sven Vermeulen)
Date: Mon, 13 Jun 2011 10:20:06 +0200
Subject: [refpolicy] [PATCH 0/7] Updates on zabbix service
Message-ID: <20110613082006.GA18072@siphos.be>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Zabbix is an open-source/free software monitoring solution. A module already
exists in the refpolicy, but does not work properly. Also, the module does not
support a different domain for the agents (zabbix agents) although this is
greatly preferred.

The following set of patches introduces the following to this module set:

1. Zabbix server is a multi-process system requiring signals to be sent and
   (exclusive) locks to be taken where needed (for instance used with logging)
2. Zabbix servers use POSIX shared memory (using tmpfs backend), so create a
   zabbix_tmpfs_t domain and allow the server access to manage it
3. Zabbix uses a dedicated port (10051) for its server. Allow the servers to
   bind to it, and of course define it as a specific port in SELinux
4. Start with the definition of the zabbix_agent_t domain
5. Allow zabbix_agent to bind on its own port (10050) and connect to the
   zabbix server (for the regular metric submissions)
6. The zabbix server also needs to connect to the agent (for what Zabbix calls
   "active monitoring")
7. Give zabbix_agent_t the privileges it needs to scan the system (get system
   state, read files, check services, ...)

Signed-off-by: Sven Vermeulen