From: sven.vermeulen@siphos.be (Sven Vermeulen)
Date: Mon, 13 Jun 2011 12:10:38 +0200
Subject: [refpolicy] [PATCH 2/7] Support shared memory
In-Reply-To: <20110613082815.GC18072@siphos.be>
References: <20110613082006.GA18072@siphos.be> <20110613082550.GB18072@siphos.be> <20110613082815.GC18072@siphos.be>
Message-ID: <20110613101037.GA26655@siphos.be>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Mon, Jun 13, 2011 at 10:28:15AM +0200, Sven Vermeulen wrote:
> Zabbix servers use shared memory to keep common information and structures.
> This is implemented on tmpfs. We support this by introducing a
> zabbix_tmpfs_t type and allow the server proper access to it.

After a small discussion and a few more tests, drop the "dir" in
fs_tmpfs_filetrans.

For posterity's sake, this is the denial one gets when no tmpfs_t related
privileges are given:

Jun 13 11:24:06 build kernel: [ 213.054230] type=1400 audit(1307957046.001:106): avc: denied { read write } for pid=3162 comm="zabbix_agentd" path=2F535953563663303132323534202864656C6574656429 dev=tmpfs ino=32768 scontext=system_u:system_r:zabbix_agent_t tcontext=system_u:object_r:tmpfs_t tclass=file

With fs_tmpfs_filetrans(..., file) the same denial is given, but as
tcontext=zabbix_tmpfs_t. Hence the rw_files_pattern() enhancement.

Signed-off-by: Sven Vermeulen
---
 policy/modules/services/zabbix.te | 9 +++++++++
 1 files changed, 9 insertions(+), 0 deletions(-)

diff --git a/policy/modules/services/zabbix.te b/policy/modules/services/zabbix.te
index 3dd76ca..bec98e9 100644
--- a/policy/modules/services/zabbix.te
+++ b/policy/modules/services/zabbix.te
@@ -16,6 +16,10 @@ init_script_file(zabbix_initrc_exec_t) type zabbix_log_t; logging_log_file(zabbix_log_t) +# shared memory +type zabbix_tmpfs_t; +files_tmpfs_file(zabbix_tmpfs_t); + # pid files type zabbix_var_run_t; files_pid_file(zabbix_var_run_t)
@@ -30,6 +34,7 @@ allow zabbix_t self:fifo_file rw_file_perms; allow zabbix_t self:process { setsched getsched signal }; allow zabbix_t self:unix_stream_socket create_stream_socket_perms; allow zabbix_t self:sem create_sem_perms; +allow zabbix_t self:shm create_shm_perms; # log files allow zabbix_t zabbix_log_t:dir setattr; @@ -41,6 +46,10 @@ manage_dirs_pattern(zabbix_t, zabbix_var_run_t, zabbix_var_run_t) manage_files_pattern(zabbix_t, zabbix_var_run_t, zabbix_var_run_t) files_pid_filetrans(zabbix_t, zabbix_var_run_t, { dir file }) +# shared memory +rw_files_pattern(zabbix_t, zabbix_tmpfs_t, zabbix_tmpfs_t) +fs_tmpfs_filetrans(zabbix_t, zabbix_tmpfs_t, file) + files_read_etc_files(zabbix_t) miscfiles_read_localization(zabbix_t) -- 1.7.3.4
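Review bot: the trailing semicolon on `+files_tmpfs_file(zabbix_tmpfs_t);` in the first hunk (@@ -16,6 +16,10 @@) does not match the neighbouring interface calls, which are written without one (`logging_log_file(zabbix_log_t)` and `files_pid_file(zabbix_var_run_t)` in the same context lines); drop it so the type declaration block reads consistently with the rest of the file.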
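Review bot: the denial quoted in the mail is for comm="zabbix_agentd" running as zabbix_agent_t, but the `rw_files_pattern(zabbix_t, zabbix_tmpfs_t, zabbix_tmpfs_t)` and `fs_tmpfs_filetrans(zabbix_t, zabbix_tmpfs_t, file)` lines in the last hunk (@@ -41,6 +46,10 @@) are added for zabbix_t only, so that exact denial is not resolved by this patch; either the agent domain needs the same two rules, or the commit message should quote a zabbix_t denial. Note also that the hex path decodes to /SYSV6c012254 (deleted), i.e. a SysV shared memory segment on the kernel-internal tmpfs mount, which is why the access appears as tclass=file on dev=tmpfs although the daemon never opens a path there, and why `self:shm create_shm_perms` from the previous hunk is not sufficient on its own.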
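The path in the denial quoted above is hex-encoded (the audit subsystem does that whenever a field value contains a space, a double quote or a non-printable byte), which makes it easy to misread what object the domain actually touched. The parser below is an added example for this thread, not code from the mail or from refpolicy: it splits an AVC line into fields, decodes hex-encoded values, pulls out the source and target types and the permission set, and prints the raw rule audit2allow would derive. The first sample line is the denial from the mail; the second line is a constructed sample with a plain name= field, and the flagging of /SYSV* paths on tmpfs as SysV shared memory is my own heuristic.

```python
"""Parse SELinux AVC denials, decoding audit hex-encoded fields.

Added example for this thread, not part of the mail or of refpolicy.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional

# Constructed sample input: the first line is the denial quoted in the mail
# (whitespace as extracted), the second is a made-up denial with a plain name=.
SAMPLE_LOG = """\
Jun 13 11:24:06 build kernel: [ 213.054230] type=1400 audit(1307957046.001:106): avc: denied { read write } for pid=3162 comm="zabbix_agentd" path=2F535953563663303132323534202864656C6574656429 dev=tmpfs ino=32768 scontext=system_u:system_r:zabbix_agent_t tcontext=system_u:object_r:tmpfs_t tclass=file
Jun 13 11:24:07 build kernel: [ 213.061002] type=1400 audit(1307957047.002:107): avc: denied { append } for pid=3162 comm="zabbix_agentd" name="zabbix_agentd.log" dev=sda1 ino=262146 scontext=system_u:system_r:zabbix_agent_t tcontext=system_u:object_r:zabbix_log_t tclass=file
"""

# Fields the kernel audit code hex-encodes when the value contains a space,
# a double quote or a non-printable byte (the path= above is such a case).
HEX_ENCODABLE = {"path", "name", "comm", "exe", "cwd", "proctitle"}

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def decode_audit_field(key: str, raw: str) -> str:
    """Strip quotes, or decode the hex encoding used for unsafe values."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    if key in HEX_ENCODABLE and len(raw) % 2 == 0 and re.fullmatch(r"[0-9A-F]+", raw):
        return bytes.fromhex(raw).decode("utf-8", errors="replace")
    return raw


def context_type(ctx: str) -> str:
    """Third component of user:role:type[:level]; an allow rule only needs the type."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ctx


@dataclass
class Denial:
    perms: FrozenSet[str]
    source_type: str
    target_type: str
    tclass: str
    path: Optional[str]
    fields: Dict[str, str] = field(default_factory=dict)

    @property
    def is_sysv_shm(self) -> bool:
        """Heuristic (mine): SysV shm segments are files named /SYSV<key> on the
        kernel-internal tmpfs mount; a domain reaches them via shmat, not open()."""
        return self.fields.get("dev") == "tmpfs" and (self.path or "").startswith("/SYSV")


def parse_avc(line: str) -> Optional[Denial]:
    """Return a Denial for an AVC 'denied' line, or None for anything else."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: decode_audit_field(k, v) for k, v in FIELD_RE.findall(m.group("fields"))}
    return Denial(
        perms=frozenset(m.group("perms").split()),
        source_type=context_type(fields["scontext"]),
        target_type=context_type(fields["tcontext"]),
        tclass=fields["tclass"],
        path=fields.get("path") or fields.get("name"),
        fields=fields,
    )


def parse_log(text: str) -> List[Denial]:
    """All AVC denials found in a chunk of kernel/audit log text."""
    return [d for d in (parse_avc(line) for line in text.splitlines()) if d is not None]


def suggest_rule(d: Denial) -> str:
    """The raw allow rule audit2allow would print for this denial."""
    return f"allow {d.source_type} {d.target_type}:{d.tclass} {{ {' '.join(sorted(d.perms))} }};"


if __name__ == "__main__":
    for d in parse_log(SAMPLE_LOG):
        tag = "  (SysV shm segment)" if d.is_sysv_shm else ""
        print(f"{d.path}{tag}\n    {suggest_rule(d)}")
```

Decoding the first line yields /SYSV6c012254 (deleted), so the object is a SysV segment living on the kernel's internal tmpfs rather than a file the daemon opened under /dev/shm. The raw rule the parser derives for it, `allow zabbix_agent_t tmpfs_t:file { read write };`, is what audit2allow would suggest and is exactly the blanket grant the patch avoids by giving the segment its own zabbix_tmpfs_t type through fs_tmpfs_filetrans() and then allowing only that type.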