From: sven.vermeulen@siphos.be (Sven Vermeulen)
Date: Mon, 13 Jun 2011 12:22:16 +0200
Subject: [refpolicy] [PATCH 4/7] Support different domain for zabbix agent (start with skeleton)
In-Reply-To: <20110613101151.GB26655@siphos.be>
References: <20110613082006.GA18072@siphos.be> <20110613082550.GB18072@siphos.be> <20110613082815.GC18072@siphos.be> <20110613082930.GD18072@siphos.be> <20110613083136.GE18072@siphos.be> <20110613101151.GB26655@siphos.be>
Message-ID: <20110613102216.GA27360@siphos.be>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
On Mon, Jun 13, 2011 at 10:31:36AM +0200, Sven Vermeulen wrote:
> The zabbix agent should be confined within its own domain. We start with the
> definition of a small(er) skeleton to work from. This includes proper file
> context definitions, standard interdomain privileges (which are quite
> similar to those of the server) and the proper log- and pid access
> privileges.
Same as with PATCH 2/7: we do not need the dir support in the fs_tmpfs_filetrans here. Update patch to only include file-based transition.
Signed-off-by: Sven Vermeulen
---
 policy/modules/services/zabbix.fc | 4 +++-
 policy/modules/services/zabbix.te | 35 +++++++++++++++++++++++++++++++++++
 2 files changed, 38 insertions(+), 1 deletions(-)
diff --git a/policy/modules/services/zabbix.fc b/policy/modules/services/zabbix.fc
index 3102286..125529a 100644
--- a/policy/modules/services/zabbix.fc
+++ b/policy/modules/services/zabbix.fc
@@ -1,6 +1,8 @@
 /etc/rc\.d/init\.d/zabbix -- gen_context(system_u:object_r:zabbix_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/zabbix-agentd -- gen_context(system_u:object_r:zabbix_agent_initrc_exec_t,s0)
-/usr/bin/zabbix_server -- gen_context(system_u:object_r:zabbix_exec_t,s0)
+/usr/(s)?bin/zabbix_server -- gen_context(system_u:object_r:zabbix_exec_t,s0)
+/usr/(s)?bin/zabbix_agentd -- gen_context(system_u:object_r:zabbix_agent_exec_t,s0)
 /var/log/zabbix(/.*)? gen_context(system_u:object_r:zabbix_log_t,s0)
diff --git a/policy/modules/services/zabbix.te b/policy/modules/services/zabbix.te
index 839422c..83bb522 100644
--- a/policy/modules/services/zabbix.te
+++ b/policy/modules/services/zabbix.te
@@ -9,9 +9,16 @@ type zabbix_t;
 type zabbix_exec_t;
 init_daemon_domain(zabbix_t, zabbix_exec_t)
+type zabbix_agent_t;
+type zabbix_agent_exec_t;
+init_daemon_domain(zabbix_agent_t, zabbix_agent_exec_t)
+
 type zabbix_initrc_exec_t;
 init_script_file(zabbix_initrc_exec_t)
+type zabbix_agent_initrc_exec_t;
+init_script_file(zabbix_agent_initrc_exec_t)
+
 # log files
 type zabbix_log_t;
 logging_log_file(zabbix_log_t)
@@ -65,3 +72,31 @@ optional_policy(`
 optional_policy(`
 postgresql_stream_connect(zabbix_t)
 ')
+
+########################################
+#
+# zabbix agent local policy
+#
+
+allow zabbix_agent_t self:capability { setuid setgid };
+allow zabbix_agent_t self:process { setsched getsched signal };
+allow zabbix_agent_t self:fifo_file rw_file_perms;
+allow zabbix_agent_t self:unix_stream_socket create_stream_socket_perms;
+allow zabbix_agent_t self:sem create_sem_perms;
+allow zabbix_agent_t self:tcp_socket create_stream_socket_perms;
+allow zabbix_agent_t self:shm create_shm_perms;
+
+## Rules relating to the objects managed by this policy file
+# Logging access
+filetrans_pattern(zabbix_agent_t, zabbix_log_t, zabbix_log_t, file)
+manage_files_pattern(zabbix_agent_t, zabbix_log_t, zabbix_log_t)
+# PID file management
+manage_files_pattern(zabbix_agent_t, zabbix_var_run_t, zabbix_var_run_t)
+files_pid_filetrans(zabbix_agent_t, zabbix_var_run_t, file)
+# Shared memory
+rw_files_pattern(zabbix_agent_t, zabbix_tmpfs_t, zabbix_tmpfs_t)
+fs_tmpfs_filetrans(zabbix_agent_t, zabbix_tmpfs_t, file)
+
+## kernel layer module calls
+
+## system layer module calls
-- 
1.7.3.4
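Review bot: In the second hunk the new agent domain gets `manage_files_pattern` over `zabbix_log_t` and `zabbix_var_run_t` and `rw_files_pattern` over `zabbix_tmpfs_t`, which are the server's object types (`zabbix_log_t` is declared for `zabbix_t` in the first hunk; the other two are not declared in this patch, so they presumably already belong to the server domain), so on a host running both daemons the agent can overwrite or unlink the server's log and PID files and the policy cannot tell the two PID files apart. If the separate domain is meant to keep the lower-trust agent away from the server's state, private types (e.g. a constructed `zabbix_agent_log_t` / `zabbix_agent_var_run_t` / `zabbix_agent_tmpfs_t` with matching `.fc` entries) would preserve that boundary; if sharing is deliberate, a comment such as `# agent intentionally shares the server's log, pid and tmpfs types` above the "Rules relating to the objects" block would make that explicit. The `allow zabbix_agent_t self:capability { setuid setgid };` line would also read better with a one-line why-comment (presumably the agent drops to its service user after start — confirm against the daemon).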