From: sven.vermeulen@siphos.be (Sven Vermeulen) Date: Wed, 15 Jun 2011 18:58:43 +0200 Subject: [refpolicy] [PATCH 6/7] Allow zabbix server to connect to agent (active monitoring) In-Reply-To: <20110613083553.GG18072@siphos.be> References: <20110613082006.GA18072@siphos.be> <20110613082550.GB18072@siphos.be> <20110613082815.GC18072@siphos.be> <20110613082930.GD18072@siphos.be> <20110613083136.GE18072@siphos.be> <20110613083412.GF18072@siphos.be> <20110613083553.GG18072@siphos.be> Message-ID: <20110615165842.GC17584@siphos.be> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com The zabbix server also connects to the agents (this is called "active monitoring" in the zabbix terms). So we create a zabbix_agent_tcp_connect interface, use it for the zabbix_t domain and, since zabbix can use hostname-based connections, allow DNS resolving for the zabbix server. Update: Follow styleguide Signed-off-by: Sven Vermeulen --- policy/modules/services/zabbix.if | 22 ++++++++++++++++++++++ policy/modules/services/zabbix.te | 15 ++++++++++++++- 2 files changed, 36 insertions(+), 1 deletions(-) diff --git a/policy/modules/services/zabbix.if b/policy/modules/services/zabbix.if index e1cc9b5..3aa16ab 100644 --- a/policy/modules/services/zabbix.if +++ b/policy/modules/services/zabbix.if @@ -79,6 +79,28 @@ interface(`zabbix_read_pid_files',` ######################################## ## +## Allow connectivity to a zabbix agent +## +## +## +## Domain allowed access. +## +## +# +interface(`zabbix_agent_tcp_connect',` + gen_require(` + type zabbix_agent_t; + ') + + corenet_sendrecv_zabbix_agent_packets($1) + corenet_tcp_connect_zabbix_agent_port($1) + corenet_tcp_recvfrom_labeled($1, zabbix_t) + corenet_tcp_sendrecv_zabbix_agent_port($1) +') + + +######################################## +## ## Allow connectivity to the zabbix server ## ## diff --git a/policy/modules/services/zabbix.te b/policy/modules/services/zabbix.te index f0b241b..da44bfa 100644 
--- a/policy/modules/services/zabbix.te +++ b/policy/modules/services/zabbix.te @@ -59,13 +59,26 @@ files_pid_filetrans(zabbix_t, zabbix_var_run_t, { dir file }) rw_files_pattern(zabbix_t, zabbix_tmpfs_t, zabbix_tmpfs_t) fs_tmpfs_filetrans(zabbix_t, zabbix_tmpfs_t, file) -files_read_etc_files(zabbix_t) +# network access to zabbix agent +zabbix_agent_tcp_connect(zabbix_t) + +## Kernel layer module calls +# corenetwork module corenet_tcp_bind_generic_node(zabbix_t) corenet_tcp_bind_zabbix_port(zabbix_t) +# files module +files_read_etc_files(zabbix_t) + +## System layer module calls + +# miscfiles module miscfiles_read_localization(zabbix_t) +# sysnetwork module +sysnet_dns_name_resolve(zabbix_t) + optional_policy(` mysql_stream_connect(zabbix_t) ') -- 1.7.3.4
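Review bot: In the zabbix.if hunk, `corenet_tcp_recvfrom_labeled($1, zabbix_t)` inside the new `zabbix_agent_tcp_connect` interface names the wrong peer domain: the interface is documented as "Allow connectivity to a zabbix agent" and its `gen_require` pulls in `zabbix_agent_t`, but `zabbix_agent_t` is then never used in the body while `zabbix_t` (not required here) is. This looks copied from the neighbouring `zabbix_tcp_connect` interface for the server; it should read `corenet_tcp_recvfrom_labeled($1, zabbix_agent_t)`, otherwise the labeled-packet permission is granted against the server domain rather than the agent the caller actually talks to, and when the .te hunk calls it as `zabbix_agent_tcp_connect(zabbix_t)` the call is self-referential. Minor style point: there are two blank lines after the closing `')` of the new interface where the rest of the file keeps one.

Review bot: In the zabbix.te hunk, the layer headings are written as `## Kernel layer module calls` and `## System layer module calls` with a doubled `#`; in refpolicy the `##` prefix is the XML-doc marker used in .if files, and .te comments use a single `#`, so these should be plain `# Kernel layer module calls` to match the per-module comments (`# corenetwork module`, `# files module`) right below them. The substance of the hunk is consistent with the commit message: `sysnet_dns_name_resolve(zabbix_t)` covers the hostname-based agent connections, and `files_read_etc_files(zabbix_t)` is only moved into the files-module section, not dropped, so /etc/hosts and resolv.conf access is preserved.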