From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Wed, 15 Jun 2011 14:20:18 -0400
Subject: [refpolicy] [PATCH 0/7] Updates on zabbix service
In-Reply-To: <20110613082006.GA18072@siphos.be>
References: <20110613082006.GA18072@siphos.be>
Message-ID: <4DF8F7E2.7010806@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 06/13/11 04:20, Sven Vermeulen wrote:
> Zabbix is an open-source/free software monitoring solution. A module already
> exists in the refpolicy, but does not work properly. Also, the module does
> not support a different domain for the agents (zabbix agents) although this
> is greatly preferred.
>
> The following set of patches introduce the following to this module set:
>
> 1. Zabbix server is a multi-process system requiring signals to be sent and
>    (exclusive) locks to be taken where needed (for instance used with
>    logging)
> 2. Zabbix servers use posix shared memory (using tmpfs backend), so create a
>    zabbix_tmpfs_t domain and allow the server access to manage it
> 3. Zabbix uses a dedicated port (10051) for its server. Allow the servers to
>    bind to it, and of course define it as a specific port in SELinux
> 4. Start with the definition of the zabbix_agent_t domain
> 5. Allow zabbix_agent to bind on its own port (10050) and connect to the
>    zabbix server (for the regular metric submissions)
> 6. The zabbix server also needs to connect to the agent (for what Zabbix
>    calls "active monitoring")
> 7. Give zabbix_agent_t the privileges it needs to scan the system (get
>    system state, read files, check services, ...)

Merged.

In the future, when you revise a patch set, please resend the entire set. Then I know for sure I have all of the up-to-date patches, rather than digging through the replies for the right patch.

--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com