From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Wed, 15 Jun 2011 09:26:45 -0400
Subject: [refpolicy] [PATCH 7/7] Allow zabbix agent to query system state and other monitorable aspects
In-Reply-To: <20110613084017.GH18072@siphos.be>
References: <20110613082006.GA18072@siphos.be> <20110613082550.GB18072@siphos.be> <20110613082815.GC18072@siphos.be> <20110613082930.GD18072@siphos.be> <20110613083136.GE18072@siphos.be> <20110613083412.GF18072@siphos.be> <20110613083553.GG18072@siphos.be> <20110613084017.GH18072@siphos.be>
Message-ID: <4DF8B315.3060003@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 06/13/11 04:40, Sven Vermeulen wrote:
> The zabbix agent is responsible for collecting the system state and other
> monitorable aspects. This includes
> - information from /proc
> - read attributes of various files (tamper detection)
> - connect to the ssh service (check if it is reachable)
> - get file system information
> - read login information
> - ...
>
> It should be noted that the agent can do a lot more, depending on the target
> system (what is being monitored) and the running services. The allowed
> privileges here will in the future expand more as more templates are
> checked.

The style in this patch (and the others adding zabbix_agent_t) needs to be cleaned up.

> Signed-off-by: Sven Vermeulen
> ---
> policy/modules/services/zabbix.te | 15 +++++++++++++++
> 1 files changed, 15 insertions(+), 0 deletions(-)
>
> diff --git a/policy/modules/services/zabbix.te b/policy/modules/services/zabbix.te
> index ec4fccd..939d827 100644
> --- a/policy/modules/services/zabbix.te
> +++ b/policy/modules/services/zabbix.te
> @@ -104,9 +104,24 @@ rw_files_pattern(zabbix_agent_t, zabbix_tmpfs_t, zabbix_tmpfs_t) > fs_tmpfs_filetrans(zabbix_agent_t, zabbix_tmpfs_t, { dir file }) > > ## kernel layer module calls > +kernel_read_all_sysctls(zabbix_agent_t) > +kernel_read_system_state(zabbix_agent_t) > +corecmd_read_all_executables(zabbix_agent_t) > corenet_tcp_bind_generic_node(zabbix_agent_t) > corenet_tcp_bind_zabbix_agent_port(zabbix_agent_t) > +corenet_tcp_connect_ssh_port(zabbix_agent_t) > corenet_tcp_connect_zabbix_port(zabbix_agent_t) > +dev_getattr_all_blk_files(zabbix_agent_t) > +dev_getattr_all_chr_files(zabbix_agent_t) > +domain_search_all_domains_state(zabbix_agent_t) > +files_getattr_all_dirs(zabbix_agent_t) > +files_getattr_all_files(zabbxi_agent_t) > +files_read_all_symlinks(zabbix_agent_t) > +files_read_etc_files(zabbix_agent_t) > +fs_getattr_all_fs(zabbix_agent_t) > > ## system layer module calls > +init_read_utmp(zabbix_agent_t) > +logging_search_logs(zabbix_agent_t) > +miscfiles_read_localization(zabbix_agent_t) > sysnet_dns_name_resolve(zabbix_agent_t) -- Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com
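Review bot: the added line `files_getattr_all_files(zabbxi_agent_t)` misspells the domain type (`zabbxi` for `zabbix`); since no `zabbxi_agent_t` is declared, this call will not build and should read `files_getattr_all_files(zabbix_agent_t)`. Beyond the typo, several of the new calls (`kernel_read_all_sysctls`, `corecmd_read_all_executables`, `files_getattr_all_files`, `files_read_all_symlinks`, `dev_getattr_all_blk_files`, `dev_getattr_all_chr_files`) grant far broader access than the specific checks listed in the commit message (/proc information, file attribute tamper detection, ssh reachability, file system and login information), so each should be justified against a concrete agent check or made conditional, rather than added wholesale ahead of the templates that will need them. The `## kernel layer module calls` and `## system layer module calls` section comments are also part of the style cleanup requested above: the calls should simply be kept grouped and ordered by module as elsewhere in refpolicy, without such headers.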