From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from jazzdrum.ncsc.mil (zombie.ncsc.mil [144.51.88.131]) by tarius.tycho.ncsc.mil (8.13.1/8.13.1) with SMTP id l3BIpuXG008755 for ; Wed, 11 Apr 2007 14:51:56 -0400 Received: from exchange.columbia.tresys.com (jazzdrum.ncsc.mil [144.51.5.7]) by jazzdrum.ncsc.mil (8.12.10/8.12.10) with SMTP id l3BIpsGQ024044 for ; Wed, 11 Apr 2007 18:51:55 GMT Subject: Re: Zabbix policy From: "Christopher J. PeBenito" To: Daniel J Walsh Cc: SE Linux In-Reply-To: <46042A0D.5050309@redhat.com> References: <46042A0D.5050309@redhat.com> Content-Type: text/plain Date: Wed, 11 Apr 2007 14:52:28 -0400 Message-Id: <1176317548.9840.53.camel@sgc> Mime-Version: 1.0 Sender: owner-selinux@tycho.nsa.gov List-Id: selinux@tycho.nsa.gov On Fri, 2007-03-23 at 15:27 -0400, Daniel J Walsh wrote: > New pocicy for zabbix. Merged. Added a postgreqsql stream connect, as their webpage says it can store its data in postgres, in addition to mysql. > > > > > > > differences > between files > attachment > (zabbix.patch), > "zabbix.patch" >
> --- nsaserefpolicy/policy/modules/services/zabbix.fc 1969-12-31 19:00:00.000000000 -0500
> +++ serefpolicy-2.5.10/policy/modules/services/zabbix.fc 2007-03-22 15:06:59.000000000 -0400
> @@ -0,0 +1,4 @@
> +
> +/usr/bin/zabbix_server -- gen_context(system_u:object_r:zabbix_exec_t,s0)
> +/var/run/zabbix(/.*)? gen_context(system_u:object_r:zabbix_var_run_t,s0)
> +/var/log/zabbix(/.*)? gen_context(system_u:object_r:zabbix_log_t,s0)
> --- nsaserefpolicy/policy/modules/services/zabbix.if 1969-12-31 19:00:00.000000000 -0500
> +++ serefpolicy-2.5.10/policy/modules/services/zabbix.if 2007-03-22 15:06:59.000000000 -0400
> @@ -0,0 +1,87 @@
> +
> +## policy for zabbix
> +
> +########################################
> +##
> +## Execute a domain transition to run zabbix.
> +##
> +##
> +##
> +## Domain allowed to transition.
> +##
> +##
> +#
> +interface(`zabbix_domtrans',`
> + gen_require(`
> + type zabbix_t, zabbix_exec_t;
> + ')
> +
> + domain_auto_trans($1,zabbix_exec_t,zabbix_t)
> +
> + allow zabbix_t $1:fd use;
> + allow zabbix_t $1:fifo_file rw_file_perms;
> + allow zabbix_t $1:process sigchld;
> +')
> +
> +########################################
> +##
> +## Read zabbix PID files.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`zabbix_read_pid_files',`
> + gen_require(`
> + type zabbix_var_run_t;
> + ')
> +
> + files_search_pids($1)
> + allow $1 zabbix_var_run_t:file r_file_perms;
> +')
> +
> +
> +########################################
> +##
> +## Allow the specified domain to read zabbix's log files.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +##
> +#
> +interface(`zabbix_read_log',`
> + gen_require(`
> + type zabbix_log_t;
> + ')
> +
> + logging_search_logs($1)
> + allow $1 zabbix_log_t:dir r_dir_perms;
> + allow $1 zabbix_log_t:file { read getattr lock };
> +')
> +
> +########################################
> +##
> +## Allow the specified domain to append
> +## zabbix log files.
> +##
> +##
> +##
> +## Domain allowed to transition.
> +##
> +##
> +#
> +interface(`zabbix_append_log',`
> + gen_require(`
> + type var_log_t, zabbix_log_t;
> + ')
> +
> + logging_search_logs($1)
> + allow $1 zabbix_log_t:dir r_dir_perms;
> + allow $1 zabbix_log_t:file { getattr append };
> +')
> +
> --- nsaserefpolicy/policy/modules/services/zabbix.te 1969-12-31 19:00:00.000000000 -0500
> +++ serefpolicy-2.5.10/policy/modules/services/zabbix.te 2007-03-22 15:06:59.000000000 -0400
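Review bot: The gen_require of zabbix_append_log pulls in var_log_t, but the interface body never references it (the parent search goes through logging_search_logs($1)), so the require should shrink to `type zabbix_log_t;`. The same interface's parameter summary reads "Domain allowed to transition.", which was copied from zabbix_domtrans and does not describe an append interface; it should read "Domain allowed access." like the two read interfaces. zabbix_read_log spells out `{ read getattr lock }` while zabbix_read_pid_files uses the r_file_perms macro; either use the macro in both, or add a comment on the explicit set saying why it is narrower (presumably to leave out what r_file_perms adds — confirm against the macro definition).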
> @@ -0,0 +1,64 @@
> +policy_module(zabbix,1.0.0)
> +
> +########################################
> +#
> +# Declarations
> +#
> +
> +type zabbix_t;
> +type zabbix_exec_t;
> +domain_type(zabbix_t)
> +init_daemon_domain(zabbix_t, zabbix_exec_t)
> +
> +# pid files
> +type zabbix_var_run_t;
> +files_pid_file(zabbix_var_run_t)
> +
> +# log files
> +type zabbix_log_t;
> +logging_log_file(zabbix_log_t)
> +
> +########################################
> +#
> +# zabbix local policy
> +#
> +# Check in /usr/share/selinux/devel/include for macros to use instead of allow rules.
> +
> +# Init script handling
> +
> +
> +domain_use_interactive_fds(zabbix_t)
> +
> +allow zabbix_t self:capability { setuid setgid };
> +
> +## internal communication is often done using fifo and unix sockets.
> +allow zabbix_t self:fifo_file rw_file_perms;
> +allow zabbix_t self:unix_stream_socket create_stream_socket_perms;
> +
> +# Some common macros (you might be able to remove some)
> +files_read_etc_files(zabbix_t)
> +
> +libs_use_ld_so(zabbix_t)
> +libs_use_shared_libs(zabbix_t)
> +
> +miscfiles_read_localization(zabbix_t)
> +
> +ifdef(`targeted_policy',`
> + term_dontaudit_use_unallocated_ttys(zabbix_t)
> + term_dontaudit_use_generic_ptys(zabbix_t)
> +')
> +
> +
> +# pid file
> +allow zabbix_t zabbix_var_run_t:file manage_file_perms;
> +allow zabbix_t zabbix_var_run_t:dir rw_dir_perms;
> +files_pid_filetrans(zabbix_t,zabbix_var_run_t, file)
> +
> +# log files
> +allow zabbix_t zabbix_log_t:file manage_file_perms;
> +allow zabbix_t zabbix_log_t:dir { rw_dir_perms setattr };
> +logging_log_filetrans(zabbix_t,zabbix_log_t,{ file dir })
> +
> +optional_policy(`
> + mysql_stream_connect(zabbix_t)
> +')
> -- Chris PeBenito Tresys Technology, LLC (410) 290-1411 x150 -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message.
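Review bot: The "zabbix local policy" section still carries generator scaffolding that says nothing about zabbix — "Check in /usr/share/selinux/devel/include for macros to use instead of allow rules.", "Some common macros (you might be able to remove some)", and an "Init script handling" heading with no rules under it — and these should be dropped before the module is merged so the remaining comments describe what is actually granted. The rule `allow zabbix_t self:capability { setuid setgid };` is the one privilege-relevant grant in the file and has no comment; it presumably covers the daemon dropping root to its service user at startup, and a one-line comment stating that (and confirming it against the daemon's startup code) would let a later reviewer judge whether the capabilities are still needed. The comment `## internal communication is often done using fifo and unix sockets.` uses the double-hash prefix that refpolicy reserves for interface XML documentation in .if files; in a .te file a plain `#` comment is the convention.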