From: sven.vermeulen@siphos.be (Sven Vermeulen)
Date: Wed, 15 Jun 2011 18:59:27 +0200
Subject: [refpolicy] [PATCH 7/7] Allow zabbix agent to query system state and other monitorable aspects
In-Reply-To: <20110613084017.GH18072@siphos.be>
References: <20110613082006.GA18072@siphos.be> <20110613082550.GB18072@siphos.be> <20110613082815.GC18072@siphos.be> <20110613082930.GD18072@siphos.be> <20110613083136.GE18072@siphos.be> <20110613083412.GF18072@siphos.be> <20110613083553.GG18072@siphos.be> <20110613084017.GH18072@siphos.be>
Message-ID: <20110615165927.GD17584@siphos.be>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

The zabbix agent is responsible for collecting the system state and other monitorable aspects. This includes
- information from /proc
- read attributes of various files (tamper detection)
- connect to the ssh service (check if it is reachable)
- get file system information
- read login information
- ...

It should be noted that the agent can do a lot more, depending on the target system (what is being monitored) and the running services. The allowed privileges here will in the future expand more as more templates are checked.

Update: follow styleguide

Signed-off-by: Sven Vermeulen
---
 policy/modules/services/zabbix.te | 38 +++++++++++++++++++++++++++++++++++++
 1 files changed, 38 insertions(+), 0 deletions(-)

diff --git a/policy/modules/services/zabbix.te b/policy/modules/services/zabbix.te
index da44bfa..df90d73 100644
--- a/policy/modules/services/zabbix.te
+++ b/policy/modules/services/zabbix.te
@@ -119,8 +119,46 @@ fs_tmpfs_filetrans(zabbix_agent_t, zabbix_tmpfs_t, file) ## Kernel layer module calls +# kernel module +kernel_read_all_sysctls(zabbix_agent_t) +kernel_read_system_state(zabbix_agent_t) + +# corecommands module +corecmd_read_all_executables(zabbix_agent_t) + +# corenetwork module +corenet_tcp_bind_generic_node(zabbix_agent_t) +corenet_tcp_bind_zabbix_agent_port(zabbix_agent_t) +corenet_tcp_connect_ssh_port(zabbix_agent_t) +corenet_tcp_connect_zabbix_port(zabbix_agent_t) + +# devices module +dev_getattr_all_blk_files(zabbix_agent_t) +dev_getattr_all_chr_files(zabbix_agent_t) + +# domain module +domain_search_all_domains_state(zabbix_agent_t) + +# files module +files_getattr_all_dirs(zabbix_agent_t) +files_getattr_all_files(zabbix_agent_t) +files_read_all_symlinks(zabbix_agent_t) +files_read_etc_files(zabbix_agent_t) + +# filesystem module +fs_getattr_all_fs(zabbix_agent_t) + ## System layer module calls +# init module +init_read_utmp(zabbix_agent_t) + +# logging module +logging_search_logs(zabbix_agent_t) + +# miscfiles module +miscfiles_read_localization(zabbix_agent_t) + # sysnetwork module sysnet_dns_name_resolve(zabbix_agent_t) -- 1.7.3.4
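Review bot: `corecmd_read_all_executables(zabbix_agent_t)` and `files_read_all_symlinks(zabbix_agent_t)` grant read access to file contents, but the commit message only justifies reading attributes ("read attributes of various files (tamper detection)"), which the neighbouring `files_getattr_all_files` and `files_getattr_all_dirs` calls already cover; either narrow these two to getattr-only interfaces or state in the commit message why the agent must read executable contents (for example to checksum them). Since the message itself says the required privileges depend on which templates are monitored, the broad system-wide calls in this hunk (`kernel_read_all_sysctls`, `dev_getattr_all_blk_files`, `dev_getattr_all_chr_files`, `domain_search_all_domains_state`, `fs_getattr_all_fs`) would be better placed inside a `tunable_policy` block keyed on a boolean, so that hosts running only basic checks are not granted them by default.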