authorAnthony G. Basile <blueness@gentoo.org>2011-06-30 10:04:18 +0000
committerAnthony G. Basile <blueness@gentoo.org>2011-06-30 10:04:18 +0000
commitc529210e6c9e152b24085271ef4de2133963198d (patch)
treed7bafaa7ad0a526e8badb341565696e7404b039f /sec-policy
parentStable on amd64 wrt bug #373155 (diff)
Make sure zabbix agent works, bump to EAPI=4
(Portage version: 2.1.9.42/cvs/Linux x86_64)
Diffstat (limited to 'sec-policy')
-rw-r--r--sec-policy/selinux-zabbix/ChangeLog8
-rw-r--r--sec-policy/selinux-zabbix/files/fix-services-zabbix-r1.patch135
-rw-r--r--sec-policy/selinux-zabbix/selinux-zabbix-2.20101213-r1.ebuild16
3 files changed, 158 insertions, 1 deletions
diff --git a/sec-policy/selinux-zabbix/ChangeLog b/sec-policy/selinux-zabbix/ChangeLog
index 0ad51db87697..b89042ad4b39 100644
--- a/sec-policy/selinux-zabbix/ChangeLog
+++ b/sec-policy/selinux-zabbix/ChangeLog
@@ -1,6 +1,12 @@
# ChangeLog for sec-policy/selinux-zabbix
# Copyright 1999-2011 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/sec-policy/selinux-zabbix/ChangeLog,v 1.2 2011/06/02 13:12:38 blueness Exp $
+# $Header: /var/cvsroot/gentoo-x86/sec-policy/selinux-zabbix/ChangeLog,v 1.3 2011/06/30 10:04:18 blueness Exp $
+
+*selinux-zabbix-2.20101213-r1 (30 Jun 2011)
+
+ 30 Jun 2011; Anthony G. Basile <blueness@gentoo.org>
+ +files/fix-services-zabbix-r1.patch, +selinux-zabbix-2.20101213-r1.ebuild:
+ Make sure zabbix agent works, bump to EAPI=4
02 Jun 2011; Anthony G. Basile <blueness@gentoo.org>
selinux-zabbix-2.20101213.ebuild:
diff --git a/sec-policy/selinux-zabbix/files/fix-services-zabbix-r1.patch b/sec-policy/selinux-zabbix/files/fix-services-zabbix-r1.patch
new file mode 100644
index 000000000000..a6b6593358a9
--- /dev/null
+++ b/sec-policy/selinux-zabbix/files/fix-services-zabbix-r1.patch
@@ -0,0 +1,135 @@
+--- services/zabbix.te 2010-12-13 15:11:02.000000000 +0100
++++ services/zabbix.te 2011-06-13 11:44:56.271000342 +0200
+@@ -9,9 +9,16 @@
+ type zabbix_exec_t;
+ init_daemon_domain(zabbix_t, zabbix_exec_t)
+
++type zabbix_agent_t;
++type zabbix_agent_exec_t;
++init_daemon_domain(zabbix_agent_t, zabbix_agent_exec_t)
++
+ type zabbix_initrc_exec_t;
+ init_script_file(zabbix_initrc_exec_t)
+
++type zabbix_agent_initrc_exec_t;
++init_script_file(zabbix_agent_initrc_exec_t)
++
+ # log files
+ type zabbix_log_t;
+ logging_log_file(zabbix_log_t)
+@@ -20,6 +27,9 @@
+ type zabbix_var_run_t;
+ files_pid_file(zabbix_var_run_t)
+
++type zabbix_tmpfs_t;
++files_tmpfs_file(zabbix_tmpfs_t);
++
+ ########################################
+ #
+ # zabbix local policy
+@@ -27,7 +37,11 @@
+
+ allow zabbix_t self:capability { setuid setgid };
+ allow zabbix_t self:fifo_file rw_file_perms;
++allow zabbix_t self:process { setsched getsched signal };
+ allow zabbix_t self:unix_stream_socket create_stream_socket_perms;
++allow zabbix_t self:sem { create unix_write unix_read read write associate destroy }; #mutex requirement for log file
++allow zabbix_t self:shm create_shm_perms;
++allow zabbix_t self:tcp_socket create_stream_socket_perms;
+
+ # log files
+ allow zabbix_t zabbix_log_t:dir setattr;
+@@ -39,14 +53,81 @@
+ manage_files_pattern(zabbix_t, zabbix_var_run_t, zabbix_var_run_t)
+ files_pid_filetrans(zabbix_t, zabbix_var_run_t, { dir file })
+
++sysnet_dns_name_resolve(zabbix_t)
++
++fs_tmpfs_filetrans(zabbix_t, zabbix_tmpfs_t, { dir file })
++manage_files_pattern(zabbix_t, tmpfs_t, zabbix_tmpfs_t)
++
++# configuration file
+ files_read_etc_files(zabbix_t)
+
+ miscfiles_read_localization(zabbix_t)
++corenet_tcp_bind_generic_node(zabbix_t)
++corenet_tcp_bind_zabbix_port(zabbix_t)
++
++gentoo_zabbix_agent_tcp_connect(zabbix_t)
+
+ optional_policy(`
++ # Support MySQL connectivity both local (stream) and through network (tcp)
+ mysql_stream_connect(zabbix_t)
++ mysql_tcp_connect(zabbix_t)
+ ')
+
+ optional_policy(`
+ postgresql_stream_connect(zabbix_t)
+ ')
++
++########################################
++#
++# zabbix agent local policy
++#
++
++allow zabbix_agent_t self:capability { setuid setgid };
++allow zabbix_agent_t self:process { setsched getsched signal };
++allow zabbix_agent_t self:fifo_file rw_file_perms;
++allow zabbix_agent_t self:unix_stream_socket create_stream_socket_perms;
++allow zabbix_agent_t self:sem { create unix_write unix_read read write associate destroy }; #mutex requirement for log file
++allow zabbix_agent_t self:tcp_socket create_stream_socket_perms;
++allow zabbix_agent_t self:shm create_shm_perms;
++
++## Rules relating to the objects managed by this policy file
++# Logging access
++filetrans_pattern(zabbix_agent_t, zabbix_log_t, zabbix_log_t, file)
++manage_files_pattern(zabbix_agent_t, zabbix_log_t, zabbix_log_t)
++# PID file management
++manage_files_pattern(zabbix_agent_t, zabbix_var_run_t, zabbix_var_run_t)
++files_pid_filetrans(zabbix_agent_t, zabbix_var_run_t, file)
++# Port access
++gentoo_zabbix_tcp_connect(zabbix_agent_t)
++# Shared memory
++rw_files_pattern(zabbix_agent_t, zabbix_tmpfs_t, zabbix_tmpfs_t)
++fs_tmpfs_filetrans(zabbix_agent_t, zabbix_tmpfs_t, file)
++
++## kernel layer module calls
++kernel_read_all_sysctls(zabbix_agent_t)
++kernel_read_system_state(zabbix_agent_t)
++#corecmd_exec_bin(zabbix_agent_t)
++#corecmd_exec_shell(zabbix_agent_t)
++corecmd_read_all_executables(zabbix_agent_t)
++corenet_tcp_bind_generic_node(zabbix_agent_t)
++corenet_tcp_bind_zabbix_agent_port(zabbix_agent_t)
++corenet_tcp_connect_ssh_port(zabbix_agent_t) # Agent supports ssh connectivity tests
++corenet_tcp_connect_zabbix_port(zabbix_agent_t)
++dev_getattr_all_blk_files(zabbix_agent_t)
++dev_getattr_all_chr_files(zabbix_agent_t)
++domain_search_all_domains_state(zabbix_agent_t)
++files_read_all_symlinks(zabbix_agent_t)
++files_read_etc_files(zabbix_agent_t)
++files_getattr_all_dirs(zabbix_agent_t)
++files_getattr_all_files(zabbix_agent_t)
++fs_getattr_all_fs(zabbix_agent_t)
++
++## system layer module calls
++#hostname_exec(zabbix_agent_t)
++init_read_utmp(zabbix_agent_t)
++logging_search_logs(zabbix_agent_t)
++miscfiles_read_localization(zabbix_agent_t)
++sysnet_dns_name_resolve(zabbix_agent_t)
++
++## other modules
++#ssh_exec(zabbix_agent_t)
+--- services/zabbix.fc 2010-08-03 15:11:09.000000000 +0200
++++ services/zabbix.fc 2011-06-12 20:12:49.376002444 +0200
+@@ -1,6 +1,8 @@
+ /etc/rc\.d/init\.d/zabbix -- gen_context(system_u:object_r:zabbix_initrc_exec_t,s0)
++/etc/rc\.d/init\.d/zabbix-agentd -- gen_context(system_u:object_r:zabbix_agent_initrc_exec_t,s0)
+
+-/usr/bin/zabbix_server -- gen_context(system_u:object_r:zabbix_exec_t,s0)
++/usr/(s)?bin/zabbix_server -- gen_context(system_u:object_r:zabbix_exec_t,s0)
++/usr/(s)?bin/zabbix_agentd -- gen_context(system_u:object_r:zabbix_agent_exec_t,s0)
+
+ /var/log/zabbix(/.*)? gen_context(system_u:object_r:zabbix_log_t,s0)
+
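Review bot: `manage_files_pattern(zabbix_t, tmpfs_t, zabbix_tmpfs_t)` in the server section names `tmpfs_t` directly, a type this module neither declares nor pulls in with `gen_require`, so a modular policy build is likely to fail on it, and the matching `fs_tmpfs_filetrans(zabbix_t, zabbix_tmpfs_t, { dir file })` transitions directories while zabbix_t is never granted create/manage rights on `zabbix_tmpfs_t` dirs. The refpolicy shape is `manage_dirs_pattern(zabbix_t, zabbix_tmpfs_t, zabbix_tmpfs_t)` and `manage_files_pattern(zabbix_t, zabbix_tmpfs_t, zabbix_tmpfs_t)` ahead of the existing `fs_tmpfs_filetrans` call, which already supplies the search/rw access on the tmpfs root through its own interface. The trailing `;` on `files_tmpfs_file(zabbix_tmpfs_t);` is not refpolicy style and may survive m4 expansion as a stray token. Leaving `corecmd_exec_bin`/`corecmd_exec_shell` commented out for the network-facing agent is a sensible confinement choice, since an agent that may exec shells would presumably let server-driven checks (UserParameter-style items) run arbitrary commands; a comment saying so, e.g. `# exec of bin/shell deliberately withheld: would let server-defined checks run arbitrary commands`, would stop a later maintainer from uncommenting them to silence an AVC.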
diff --git a/sec-policy/selinux-zabbix/selinux-zabbix-2.20101213-r1.ebuild b/sec-policy/selinux-zabbix/selinux-zabbix-2.20101213-r1.ebuild
new file mode 100644
index 000000000000..280917a770a2
--- /dev/null
+++ b/sec-policy/selinux-zabbix/selinux-zabbix-2.20101213-r1.ebuild
@@ -0,0 +1,16 @@
+# Copyright 1999-2011 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/sec-policy/selinux-zabbix/selinux-zabbix-2.20101213-r1.ebuild,v 1.1 2011/06/30 10:04:18 blueness Exp $
+EAPI="4"
+
+IUSE=""
+
+MODS="zabbix"
+
+inherit selinux-policy-2
+
+DESCRIPTION="SELinux policy for general applications"
+
+KEYWORDS="~amd64 ~x86"
+
+POLICY_PATCH="${FILESDIR}/fix-services-zabbix-r1.patch"
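Review bot: `DESCRIPTION="SELinux policy for general applications"` does not describe this package; the module is `zabbix`, so it should read `DESCRIPTION="SELinux policy for zabbix"`. The patch applied via POLICY_PATCH calls `gentoo_zabbix_tcp_connect` and `gentoo_zabbix_agent_tcp_connect`, which are not defined inside it, so the build presumably depends on a Gentoo-specific interface already present in the base policy at build time; a one-line comment next to POLICY_PATCH naming that dependency, e.g. `# patch relies on gentoo_zabbix_*_tcp_connect interfaces from the Gentoo base policy`, would make the failure mode obvious if the base policy is ever updated without them.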