diff --git a/Changelog b/Changelog
index 9f156e66..c19c771a 100644
--- a/Changelog
+++ b/Changelog
@@ -52,6 +52,7 @@
 - Added modules:
 consolekit (Dan Walsh)
 fail2ban (Dan Walsh)
+ zabbix (Dan Walsh)
 
 * Tue Dec 12 2006 Chris PeBenito - 20061212
 - Add policy patterns support macros. This changes the behavior of
diff --git a/policy/modules/services/zabbix.fc b/policy/modules/services/zabbix.fc
new file mode 100644
index 00000000..ec240724
--- /dev/null
+++ b/policy/modules/services/zabbix.fc
@@ -0,0 +1,5 @@
+/usr/bin/zabbix_server -- gen_context(system_u:object_r:zabbix_exec_t,s0)
+
+/var/log/zabbix(/.*)? gen_context(system_u:object_r:zabbix_log_t,s0)
+
+/var/run/zabbix(/.*)? gen_context(system_u:object_r:zabbix_var_run_t,s0)
diff --git a/policy/modules/services/zabbix.if b/policy/modules/services/zabbix.if
new file mode 100644
index 00000000..0bab20b8
--- /dev/null
+++ b/policy/modules/services/zabbix.if
@@ -0,0 +1,78 @@
+## Distributed infrastructure monitoring
+
+########################################
+##
+## Execute a domain transition to run zabbix.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`zabbix_domtrans',`
+ gen_require(`
+ type zabbix_t, zabbix_exec_t;
+ ')
+
+ domtrans_pattern($1,zabbix_exec_t,zabbix_t)
+')
+
+########################################
+##
+## Allow the specified domain to read zabbix's log files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`zabbix_read_log',`
+ gen_require(`
+ type zabbix_log_t;
+ ')
+
+ logging_search_logs($1)
+ read_files_pattern($1,zabbix_log_t,zabbix_log_t)
+')
+
+########################################
+##
+## Allow the specified domain to append
+## zabbix log files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`zabbix_append_log',`
+ gen_require(`
+ type var_log_t, zabbix_log_t;
+ ')
+
+ logging_search_logs($1)
+ append_files_pattern($1,zabbix_log_t,zabbix_log_t)
+')
+
+########################################
+##
+## Read zabbix PID files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`zabbix_read_pid_files',`
+ gen_require(`
+ type zabbix_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 zabbix_var_run_t:file read_file_perms;
+')
diff --git a/policy/modules/services/zabbix.te b/policy/modules/services/zabbix.te
new file mode 100644
index 00000000..ca643b64
--- /dev/null
+++ b/policy/modules/services/zabbix.te
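Review bot: `zabbix_append_log` requires `type var_log_t, zabbix_log_t;` but its body never references var_log_t — `logging_search_logs($1)` already supplies the /var/log search access through the logging module's own interface, so the require line should be `type zabbix_log_t;` exactly as in `zabbix_read_log` above it. Pulling another module's private type into a gen_require is the cross-module coupling the interface layer exists to prevent, and it will fail to link if logging ever renames or hides that type. As a point of style, `zabbix_read_pid_files` spells out `allow $1 zabbix_var_run_t:file read_file_perms;` while every other interface in the file uses a `*_pattern` helper; `read_files_pattern($1,zabbix_var_run_t,zabbix_var_run_t)` would read consistently, with the caveat that it additionally grants search on zabbix_var_run_t directories (which matches the `/var/run/zabbix(/.*)?` directory label in zabbix.fc), so that is a deliberate widening rather than a pure restyle.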
@@ -0,0 +1,57 @@
+
+policy_module(zabbix,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type zabbix_t;
+type zabbix_exec_t;
+init_daemon_domain(zabbix_t, zabbix_exec_t)
+
+# log files
+type zabbix_log_t;
+logging_log_file(zabbix_log_t)
+
+# pid files
+type zabbix_var_run_t;
+files_pid_file(zabbix_var_run_t)
+
+########################################
+#
+# zabbix local policy
+#
+
+allow zabbix_t self:capability { setuid setgid };
+allow zabbix_t self:fifo_file rw_file_perms;
+allow zabbix_t self:unix_stream_socket create_stream_socket_perms;
+
+# log files
+allow zabbix_t zabbix_log_t:dir setattr;
+manage_files_pattern(zabbix_t,zabbix_log_t,zabbix_log_t)
+logging_log_filetrans(zabbix_t,zabbix_log_t,file)
+
+# pid file
+manage_files_pattern(zabbix_t,zabbix_var_run_t,zabbix_var_run_t)
+files_pid_filetrans(zabbix_t,zabbix_var_run_t, file)
+
+files_read_etc_files(zabbix_t)
+
+libs_use_ld_so(zabbix_t)
+libs_use_shared_libs(zabbix_t)
+
+miscfiles_read_localization(zabbix_t)
+
+ifdef(`targeted_policy',`
+ term_dontaudit_use_unallocated_ttys(zabbix_t)
+ term_dontaudit_use_generic_ptys(zabbix_t)
+')
+
+optional_policy(`
+ mysql_stream_connect(zabbix_t)
+')
+
+optional_policy(`
+ postgresql_stream_connect(zabbix_t)
+')
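Review bot: `allow zabbix_t self:capability { setuid setgid };` is the only capability grant in the domain and carries no comment saying why it is needed; a one-line why-comment above it such as `# presumably drops root to the zabbix user after startup - confirm against the daemon` would let a later reviewer judge whether it can be removed rather than cargo-culted forward. The domain also receives no `tcp_socket`/`udp_socket` self-permissions and no `corenet_*` rules, so if zabbix_server is expected to accept or initiate network connections those will be denied in enforcing mode; that is better settled from an AVC log before merge than added speculatively, but the absence is worth noting in the commit. Likewise, zabbix.fc labels `/var/run/zabbix(/.*)?` as a directory tree while this file grants only `manage_files_pattern` and a `file` filetrans on zabbix_var_run_t, so if the daemon creates that directory itself at startup it will be denied `dir create`. Minor style: `files_pid_filetrans(zabbix_t,zabbix_var_run_t, file)` has a stray space that the neighbouring `logging_log_filetrans(zabbix_t,zabbix_log_t,file)` call does not.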