From: sven.vermeulen@siphos.be (Sven Vermeulen)
Date: Mon, 13 Jun 2011 10:34:12 +0200
Subject: [refpolicy] [PATCH 5/7] Zabbix agent binds on its own port, connects to zabbix server
In-Reply-To: <20110613083136.GE18072@siphos.be>
References: <20110613082006.GA18072@siphos.be> <20110613082550.GB18072@siphos.be> <20110613082815.GC18072@siphos.be> <20110613082930.GD18072@siphos.be> <20110613083136.GE18072@siphos.be>
Message-ID: <20110613083412.GF18072@siphos.be>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

The zabbix agent has its own dedicated port (10050) on which it needs to bind/listen. Also, the agent connects to the server so we add the zabbix_tcp_connect interface (shamelessly copied from mysql_tcp_connect) and use it for the zabbix_agent_t domain.

Signed-off-by: Sven Vermeulen
---
 policy/modules/kernel/corenetwork.te.in | 1 +
 policy/modules/services/zabbix.if | 21 +++++++++++++++++++++
 policy/modules/services/zabbix.te | 6 ++++++
 3 files changed, 28 insertions(+), 0 deletions(-)

diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
index f4937b9..fb5dd13 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -224,6 +224,7 @@ network_port(xfs, tcp,7100,s0)
 network_port(xserver, tcp,6000-6020,s0)
 network_port(zarafa, tcp,236,s0, tcp,237,s0)
 network_port(zabbix, tcp,10051,s0)
+network_port(zabbix_agent, tcp,10050,s0)
 network_port(zookeeper_client, tcp,2181,s0)
 network_port(zookeeper_election, tcp,3888,s0)
 network_port(zookeeper_leader, tcp,2888,s0)
diff --git a/policy/modules/services/zabbix.if b/policy/modules/services/zabbix.if
index d77e631..7e37c21 100644
--- a/policy/modules/services/zabbix.if
+++ b/policy/modules/services/zabbix.if
@@ -79,6 +79,27 @@ interface(`zabbix_read_pid_files',`
 ########################################
 ##
+## Allow connectivity to the zabbix server
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`zabbix_tcp_connect',`
+ gen_require(`
+ type zabbix_t;
+ ')
+
+ corenet_tcp_recvfrom_labeled($1, zabbix_t)
+ corenet_tcp_sendrecv_zabbix_port($1)
+ corenet_tcp_connect_zabbix_port($1)
+ corenet_sendrecv_zabbix_agent_packets($1)
+')
+
+########################################
+##
 ## All of the rules required to administrate
 ## an zabbix environment
 ##
diff --git a/policy/modules/services/zabbix.te b/policy/modules/services/zabbix.te
index 83bb522..a5fc923 100644
--- a/policy/modules/services/zabbix.te
+++ b/policy/modules/services/zabbix.te
@@ -93,10 +93,16 @@ manage_files_pattern(zabbix_agent_t, zabbix_log_t, zabbix_log_t)
 # PID file management
 manage_files_pattern(zabbix_agent_t, zabbix_var_run_t, zabbix_var_run_t)
 files_pid_filetrans(zabbix_agent_t, zabbix_var_run_t, file)
+# Port access
+zabbix_tcp_connect(zabbix_agent_t)
 # Shared memory
 rw_files_pattern(zabbix_agent_t, zabbix_tmpfs_t, zabbix_tmpfs_t)
 fs_tmpfs_filetrans(zabbix_agent_t, zabbix_tmpfs_t, { dir file })
 ## kernel layer module calls
+corenet_tcp_bind_generic_node(zabbix_agent_t)
+corenet_tcp_bind_zabbix_agent_port(zabbix_agent_t)
+corenet_tcp_connect_zabbix_port(zabbix_agent_t)
 ## system layer module calls
+sysnet_dns_name_resolve(zabbix_agent_t)
--
1.7.3.4
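Review bot: `corenet_sendrecv_zabbix_agent_packets($1)` in the new zabbix_tcp_connect body refers to the zabbix_agent port's packets, while every other line of the interface grants access to the zabbix server port (10051); the mysql_tcp_connect interface the description says this was copied from ends with `corenet_sendrecv_mysqld_client_packets($1)`, so the matching line here would be `corenet_sendrecv_zabbix_client_packets($1)`. As written, a domain that only talks to the server is labelled for the wrong packet type and is also handed the agent-port packet permission, which callers of a "connect to the zabbix server" interface have no reason to receive. The interface body is complete within the hunk; the XML doc tags around the summary and param lines appear stripped by the rendering rather than absent from the patch.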
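Review bot: `corenet_tcp_connect_zabbix_port(zabbix_agent_t)` in the kernel-layer section duplicates what `zabbix_tcp_connect(zabbix_agent_t)` already grants a few lines above, since that interface calls corenet_tcp_connect_zabbix_port itself; dropping the direct call keeps the agent's server access in one place. Binding to the agent port also requires the domain to send and receive on it, e.g. `corenet_tcp_sendrecv_zabbix_agent_port(zabbix_agent_t)`, which none of the added lines grant; whether the rules above the hunk already cover this (self tcp_socket permissions, generic interface/node sendrecv) cannot be seen from here. Refpolicy convention also groups calls into module interfaces after the kernel- and system-layer sections rather than among the file rules, so the `# Port access` pair would conventionally sit below the sysnet_dns_name_resolve line.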