From: sven.vermeulen@siphos.be (Sven Vermeulen)
Date: Mon, 13 Jun 2011 10:40:17 +0200
Subject: [refpolicy] [PATCH 7/7] Allow zabbix agent to query system state and other monitorable aspects
In-Reply-To: <20110613083553.GG18072@siphos.be>
References: <20110613082006.GA18072@siphos.be> <20110613082550.GB18072@siphos.be> <20110613082815.GC18072@siphos.be> <20110613082930.GD18072@siphos.be> <20110613083136.GE18072@siphos.be> <20110613083412.GF18072@siphos.be> <20110613083553.GG18072@siphos.be>
Message-ID: <20110613084017.GH18072@siphos.be>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

The zabbix agent is responsible for collecting the system state and other monitorable aspects. This includes
- information from /proc
- read attributes of various files (tamper detection)
- connect to the ssh service (check if it is reachable)
- get file system information
- read login information
- ...

It should be noted that the agent can do a lot more, depending on the target system (what is being monitored) and the running services. The allowed privileges here will in the future expand more as more templates are checked.

Signed-off-by: Sven Vermeulen
---
 policy/modules/services/zabbix.te | 15 +++++++++++++++
 1 files changed, 15 insertions(+), 0 deletions(-)

diff --git a/policy/modules/services/zabbix.te b/policy/modules/services/zabbix.te
index ec4fccd..939d827 100644
--- a/policy/modules/services/zabbix.te
+++ b/policy/modules/services/zabbix.te
@@ -104,9 +104,24 @@ rw_files_pattern(zabbix_agent_t, zabbix_tmpfs_t, zabbix_tmpfs_t) fs_tmpfs_filetrans(zabbix_agent_t, zabbix_tmpfs_t, { dir file }) ## kernel layer module calls +kernel_read_all_sysctls(zabbix_agent_t) +kernel_read_system_state(zabbix_agent_t) +corecmd_read_all_executables(zabbix_agent_t) corenet_tcp_bind_generic_node(zabbix_agent_t) corenet_tcp_bind_zabbix_agent_port(zabbix_agent_t) +corenet_tcp_connect_ssh_port(zabbix_agent_t) corenet_tcp_connect_zabbix_port(zabbix_agent_t) +dev_getattr_all_blk_files(zabbix_agent_t) +dev_getattr_all_chr_files(zabbix_agent_t) +domain_search_all_domains_state(zabbix_agent_t) +files_getattr_all_dirs(zabbix_agent_t) +files_getattr_all_files(zabbxi_agent_t) +files_read_all_symlinks(zabbix_agent_t) +files_read_etc_files(zabbix_agent_t) +fs_getattr_all_fs(zabbix_agent_t) ## system layer module calls +init_read_utmp(zabbix_agent_t) +logging_search_logs(zabbix_agent_t) +miscfiles_read_localization(zabbix_agent_t) sysnet_dns_name_resolve(zabbix_agent_t) -- 1.7.3.4
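Review bot: `files_getattr_all_files(zabbxi_agent_t)` misspells the domain as `zabbxi_agent_t`; since no such type is declared, the module will fail to compile (or, at best, grant nothing to the real `zabbix_agent_t`), so the line should read `files_getattr_all_files(zabbix_agent_t)`. Separately, the commit message justifies file access as attribute reads for tamper detection, but `corecmd_read_all_executables(zabbix_agent_t)` grants read access to every executable rather than just getattr; if the agent only stats binaries, an attribute-only interface would keep the domain closer to least privilege, and the broader read should otherwise be explained in the message.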