Rearrange lines in zabbix.

2011-06-15 13:51:22 -04:00 · 2011-06-15 13:51:22 -04:00 · cae953ff01
parent 2c59cf9cf9
commit cae953ff01
2 changed files with 34 additions and 36 deletions
--- a/policy/modules/services/zabbix.if
+++ b/policy/modules/services/zabbix.if
@ -18,6 +18,27 @@ interface(`zabbix_domtrans',`
 	domtrans_pattern($1, zabbix_exec_t, zabbix_t)
 ')

+########################################
+## <summary>
+## 	Allow connectivity to the zabbix server
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`zabbix_tcp_connect',`
+	gen_require(`
+		type zabbix_t;
+	')
+
+	corenet_sendrecv_zabbix_agent_packets($1)
+	corenet_tcp_connect_zabbix_port($1)
+	corenet_tcp_recvfrom_labeled($1, zabbix_t)
+	corenet_tcp_sendrecv_zabbix_port($1)
+')
+
 ########################################
 ## <summary>
 ##	Allow the specified domain to read zabbix's log files.
@ -98,28 +119,6 @@ interface(`zabbix_agent_tcp_connect',`
 	corenet_tcp_sendrecv_zabbix_agent_port($1)
 ')

-
-########################################
-## <summary>
-## 	Allow connectivity to the zabbix server
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`zabbix_tcp_connect',`
-	gen_require(`
-		type zabbix_t;
-	')
-
-	corenet_sendrecv_zabbix_agent_packets($1)
-	corenet_tcp_connect_zabbix_port($1)
-	corenet_tcp_recvfrom_labeled($1, zabbix_t)
-	corenet_tcp_sendrecv_zabbix_port($1)
-')
-
 ########################################
 ## <summary>
 ##	All of the rules required to administrate 
--- a/policy/modules/services/zabbix.te
+++ b/policy/modules/services/zabbix.te
@ -25,7 +25,7 @@ logging_log_file(zabbix_log_t)

 # shared memory
 type zabbix_tmpfs_t;
-files_tmpfs_file(zabbix_tmpfs_t);
+files_tmpfs_file(zabbix_tmpfs_t)

 # pid files
 type zabbix_var_run_t;
@ -49,16 +49,14 @@ allow zabbix_t zabbix_log_t:dir setattr;
 manage_files_pattern(zabbix_t, zabbix_log_t, zabbix_log_t)
 logging_log_filetrans(zabbix_t, zabbix_log_t, file)

-# pid file
-manage_dirs_pattern(zabbix_t, zabbix_var_run_t, zabbix_var_run_t)
-manage_files_pattern(zabbix_t, zabbix_var_run_t, zabbix_var_run_t)
-files_pid_filetrans(zabbix_t, zabbix_var_run_t, { dir file })
-
 # shared memory
 rw_files_pattern(zabbix_t, zabbix_tmpfs_t, zabbix_tmpfs_t)
 fs_tmpfs_filetrans(zabbix_t, zabbix_tmpfs_t, file)

-zabbix_agent_tcp_connect(zabbix_t)
+# pid file
+manage_dirs_pattern(zabbix_t, zabbix_var_run_t, zabbix_var_run_t)
+manage_files_pattern(zabbix_t, zabbix_var_run_t, zabbix_var_run_t)
+files_pid_filetrans(zabbix_t, zabbix_var_run_t, { dir file })

 corenet_tcp_bind_generic_node(zabbix_t)
 corenet_tcp_bind_zabbix_port(zabbix_t)
@ -69,6 +67,8 @@ miscfiles_read_localization(zabbix_t)

 sysnet_dns_name_resolve(zabbix_t)

+zabbix_agent_tcp_connect(zabbix_t)
+
 optional_policy(`
 	mysql_stream_connect(zabbix_t)
 ')
@ -94,17 +94,14 @@ allow zabbix_agent_t self:unix_stream_socket create_stream_socket_perms;
 filetrans_pattern(zabbix_agent_t, zabbix_log_t, zabbix_log_t, file)
 manage_files_pattern(zabbix_agent_t, zabbix_log_t, zabbix_log_t)

-# PID file management
-manage_files_pattern(zabbix_agent_t, zabbix_var_run_t, zabbix_var_run_t)
-files_pid_filetrans(zabbix_agent_t, zabbix_var_run_t, file)
-
-# Network access to zabbix server
-zabbix_tcp_connect(zabbix_agent_t)
-
 # Shared Memory support
 rw_files_pattern(zabbix_agent_t, zabbix_tmpfs_t, zabbix_tmpfs_t)
 fs_tmpfs_filetrans(zabbix_agent_t, zabbix_tmpfs_t, file)

+# PID file management
+manage_files_pattern(zabbix_agent_t, zabbix_var_run_t, zabbix_var_run_t)
+files_pid_filetrans(zabbix_agent_t, zabbix_var_run_t, file)
+
 kernel_read_all_sysctls(zabbix_agent_t)
 kernel_read_system_state(zabbix_agent_t)

@ -135,3 +132,5 @@ miscfiles_read_localization(zabbix_agent_t)

 sysnet_dns_name_resolve(zabbix_agent_t)

+# Network access to zabbix server
+zabbix_tcp_connect(zabbix_agent_t)