From: sven.vermeulen@siphos.be (Sven Vermeulen)
Date: Mon, 13 Jun 2011 10:29:30 +0200
Subject: [refpolicy] [PATCH 3/7] Define zabbix port and allow server to listen/bind on it
In-Reply-To: <20110613082815.GC18072@siphos.be>
References: <20110613082006.GA18072@siphos.be> <20110613082550.GB18072@siphos.be> <20110613082815.GC18072@siphos.be>
Message-ID: <20110613082930.GD18072@siphos.be>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

The zabbix server uses a dedicated port (10051). We define it and allow the zabbix server to bind/listen on it.

Signed-off-by: Sven Vermeulen
---
 policy/modules/kernel/corenetwork.te.in | 1 +
 policy/modules/services/zabbix.te | 4 ++++
 2 files changed, 5 insertions(+), 0 deletions(-)

diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
index 4676d6e..f4937b9 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -223,6 +223,7 @@ network_port(xen, tcp,8002,s0)
 network_port(xfs, tcp,7100,s0)
 network_port(xserver, tcp,6000-6020,s0)
 network_port(zarafa, tcp,236,s0, tcp,237,s0)
+network_port(zabbix, tcp,10051,s0)
 network_port(zookeeper_client, tcp,2181,s0)
 network_port(zookeeper_election, tcp,3888,s0)
 network_port(zookeeper_leader, tcp,2888,s0)
diff --git a/policy/modules/services/zabbix.te b/policy/modules/services/zabbix.te
index bec98e9..839422c 100644
--- a/policy/modules/services/zabbix.te
+++ b/policy/modules/services/zabbix.te
@@ -35,6 +35,7 @@ allow zabbix_t self:process { setsched getsched signal };
 allow zabbix_t self:unix_stream_socket create_stream_socket_perms;
 allow zabbix_t self:sem create_sem_perms;
 allow zabbix_t self:shm create_shm_perms;
+allow zabbix_t self:tcp_socket create_stream_socket_perms;
 
 # log files
 allow zabbix_t zabbix_log_t:dir setattr;
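Review bot: The new `network_port(zabbix, tcp,10051,s0)` line breaks the alphabetical order of the port list in corenetwork.te.in: it is inserted after `zarafa`, but "zabbix" sorts before it, so it belongs between the `xserver` and `zarafa` entries. The commit message describes 10051 as the server port; Zabbix agents listen on their own default port (10050), so if an agent domain is policied later it should get a separately named port type rather than being added to zabbix_port_t, otherwise the server domain would be allowed to bind the agent's port as well.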
@@ -52,6 +53,9 @@ fs_tmpfs_filetrans(zabbix_t, zabbix_tmpfs_t, { dir file })
 
 files_read_etc_files(zabbix_t)
 
+corenet_tcp_bind_generic_node(zabbix_t)
+corenet_tcp_bind_zabbix_port(zabbix_t)
+
 miscfiles_read_localization(zabbix_t)
 
 optional_policy(`
-- 
1.7.3.4
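Review bot: The two corenet_ calls are inserted after `files_read_etc_files(zabbix_t)`, but refpolicy orders interface calls by module name, so they belong before that line rather than between it and `miscfiles_read_localization(zabbix_t)`. Binding the port is also normally not enough for the daemon to serve connections: other service modules pair the bind with the sendrecv interfaces for the generic interface, the generic node and the new zabbix port (the last one is generated by the network_port line in the first hunk) plus the recvfrom_unlabeled/netlabel interfaces; unless those already appear earlier in zabbix.te, outside this hunk, the server will still be denied once a client connects. The enclosing local-policy block starts and ends outside the hunk, so that cannot be confirmed from here.

```selinux
# … unchanged: fs_tmpfs_filetrans and the earlier local policy …
corenet_all_recvfrom_unlabeled(zabbix_t)
corenet_all_recvfrom_netlabel(zabbix_t)
corenet_tcp_sendrecv_generic_if(zabbix_t)
corenet_tcp_sendrecv_generic_node(zabbix_t)
corenet_tcp_sendrecv_zabbix_port(zabbix_t)
corenet_tcp_bind_generic_node(zabbix_t)
corenet_tcp_bind_zabbix_port(zabbix_t)

files_read_etc_files(zabbix_t)
# … unchanged: miscfiles_read_localization, optional_policy …
```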