From: sven.vermeulen@siphos.be (Sven Vermeulen) Date: Wed, 15 Jun 2011 18:56:35 +0200 Subject: [refpolicy] [PATCH 4/7] Support different domain for zabbix agent (start with skeleton) In-Reply-To: <20110613083136.GE18072@siphos.be> References: <20110613082006.GA18072@siphos.be> <20110613082550.GB18072@siphos.be> <20110613082815.GC18072@siphos.be> <20110613082930.GD18072@siphos.be> <20110613083136.GE18072@siphos.be> Message-ID: <20110615165634.GA17584@siphos.be> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com The zabbix agent should be confined within its own domain. We start with the definition of a small(er) skeleton to work from. This includes proper file context definitions, standard interdomain privileges (which are quite similar to those of the server) and the proper log- and pid access privileges. Update: attempt to follow styleguide more closely Signed-off-by: Sven Vermeulen --- policy/modules/services/zabbix.fc | 4 ++- policy/modules/services/zabbix.te | 39 +++++++++++++++++++++++++++++++++++++ 2 files changed, 42 insertions(+), 1 deletions(-) diff --git a/policy/modules/services/zabbix.fc b/policy/modules/services/zabbix.fc index 3102286..fb88f70 100644 --- a/policy/modules/services/zabbix.fc +++ b/policy/modules/services/zabbix.fc @@ -1,6 +1,8 @@ /etc/rc\.d/init\.d/zabbix -- gen_context(system_u:object_r:zabbix_initrc_exec_t,s0) +/etc/rc\.d/init\.d/zabbix-agentd -- gen_context(system_u:object_r:zabbix_agent_initrc_exec_t,s0) -/usr/bin/zabbix_server -- gen_context(system_u:object_r:zabbix_exec_t,s0) +/usr/(s)?bin/zabbix_server -- gen_context(system_u:object_r:zabbix_exec_t,s0) +/usr/(s)?bin/zabbix_agentd -- gen_context(system_u:object_r:zabbix_agent_t,s0) /var/log/zabbix(/.*)? gen_context(system_u:object_r:zabbix_log_t,s0) diff --git a/policy/modules/services/zabbix.te b/policy/modules/services/zabbix.te index 163f581..457aa2f 100644 --- a/policy/modules/services/zabbix.te +++ b/policy/modules/services/zabbix.te 
@@ -12,6 +12,14 @@ init_daemon_domain(zabbix_t, zabbix_exec_t) type zabbix_initrc_exec_t; init_script_file(zabbix_initrc_exec_t) +# agent definition +type zabbix_agent_t; +type zabbix_agent_exec_t; +init_daemon_domain(zabbix_agent_t, zabbix_agent_exec_t) + +type zabbix_agent_initrc_exec_t; +init_script_file(zabbix_agent_initrc_exec_t) + # log files type zabbix_log_t; logging_log_file(zabbix_log_t) @@ -65,3 +73,34 @@ optional_policy(` optional_policy(` postgresql_stream_connect(zabbix_t) ') + +######################################## +# +# zabbix agent local policy +# + +allow zabbix_agent_t self:capability { setuid setgid }; +allow zabbix_agent_t self:process { setsched getsched signal }; +allow zabbix_agent_t self:fifo_file rw_file_perms; +allow zabbix_agent_t self:sem create_sem_perms; +allow zabbix_agent_t self:shm create_shm_perms; +allow zabbix_agent_t self:tcp_socket create_stream_socket_perms; +allow zabbix_agent_t self:unix_stream_socket create_stream_socket_perms; + +## Rules related to the types managed by this policy file + +# Logging access +filetrans_pattern(zabbix_agent_t, zabbix_log_t, zabbix_log_t, file) +manage_files_pattern(zabbix_agent_t, zabbix_log_t, zabbix_log_t) + +# PID file management +manage_files_pattern(zabbix_agent_t, zabbix_var_run_t, zabbix_var_run_t) +files_pid_filetrans(zabbix_agent_t, zabbix_var_run_t, file) + +# Shared Memory support +rw_files_pattern(zabbix_agent_t, zabbix_tmpfs_t, zabbix_tmpfs_t) +fs_tmpfs_filetrans(zabbix_agent_t, zabbix_tmpfs_t, file) + +## Kernel layer module calls + +## System layer module calls -- 1.7.3.4
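Review bot: In the zabbix.fc hunk, the new line `/usr/(s)?bin/zabbix_agentd -- gen_context(system_u:object_r:zabbix_agent_t,s0)` labels the agent binary with the domain type rather than the entrypoint type; zabbix.te declares `zabbix_agent_exec_t` and passes it to `init_daemon_domain(zabbix_agent_t, zabbix_agent_exec_t)`, so with this label the init script will never transition into `zabbix_agent_t` (and a process type is not a valid file label for the file_type checks). It should read `/usr/(s)?bin/zabbix_agentd -- gen_context(system_u:object_r:zabbix_agent_exec_t,s0)`, matching the `zabbix_exec_t` line directly above it.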
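Review bot: The first zabbix.te hunk declares only `zabbix_agent_t`, `zabbix_agent_exec_t` and `zabbix_agent_initrc_exec_t`, with no agent-specific log, pid or tmpfs types, which forces the local-policy hunk below to reuse the server's `zabbix_log_t`, `zabbix_var_run_t` and `zabbix_tmpfs_t`. That gives the agent manage rights over the server's log and PID files (and the server over the agent's), which undercuts the stated goal of confining the agent in its own domain. If the two are meant to be separated, add the agent's own types here alongside the domain declaration, e.g. `type zabbix_agent_log_t;` with `logging_log_file(zabbix_agent_log_t)`, and the equivalent pid and tmpfs types, and use those in the agent rules; if sharing is intentional, a comment here saying so would help the next reader.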
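Review bot: In the agent local-policy hunk, `filetrans_pattern(zabbix_agent_t, zabbix_log_t, zabbix_log_t, file)` is a no-op: a file created inside a `zabbix_log_t` directory already inherits `zabbix_log_t`, so the type_transition from `zabbix_log_t` to `zabbix_log_t` changes nothing. What the agent needs is a transition when it creates its log file in the generic /var/log directory, i.e. `logging_log_filetrans(zabbix_agent_t, zabbix_log_t, file)`, mirroring the `files_pid_filetrans` and `fs_tmpfs_filetrans` calls that follow for the pid and tmpfs files. On style, refpolicy reserves `##` for the XML documentation comments of interfaces and tunables; the section markers `## Rules related to the types managed by this policy file`, `## Kernel layer module calls` and `## System layer module calls` should be plain `#` comments, and the last two are empty headings with no rules under them (the `self:tcp_socket create_stream_socket_perms` rule above is granted without any corenet rules to make the socket usable), so either the rules belong in this patch or the headings should wait for the patch that fills them.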