diff --git a/policy/modules/services/zabbix.if b/policy/modules/services/zabbix.if
index 3aa16abb7..a6166c950 100644
--- a/policy/modules/services/zabbix.if
+++ b/policy/modules/services/zabbix.if
@@ -18,6 +18,27 @@ interface(`zabbix_domtrans',`
domtrans_pattern($1, zabbix_exec_t, zabbix_t)
')
+########################################
+##
+## Allow connectivity to the zabbix server
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`zabbix_tcp_connect',`
+ gen_require(`
+ type zabbix_t;
+ ')
+
+ corenet_sendrecv_zabbix_agent_packets($1)
+ corenet_tcp_connect_zabbix_port($1)
+ corenet_tcp_recvfrom_labeled($1, zabbix_t)
+ corenet_tcp_sendrecv_zabbix_port($1)
+')
+
########################################
##
## Allow the specified domain to read zabbix's log files.
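Review bot: The moved `zabbix_tcp_connect` grants the zabbix port (`corenet_tcp_connect_zabbix_port`, `corenet_tcp_sendrecv_zabbix_port`) but labels packets with `corenet_sendrecv_zabbix_agent_packets($1)`, so under a packet-labelling (secmark) configuration the caller is permitted agent-port packets rather than server-port packets and may still be denied when talking to the server. Given the summary "Allow connectivity to the zabbix server", the packet rule presumably should match the zabbix port — the zabbix client-packet interface, if corenetwork defines one in this tree — rather than the agent one; this mismatch is pre-existing in the copy removed by the next hunk, but the move is the natural point to correct it. The `##` lines of the doc block as shown here are empty where the summary and parameter markup would sit; if that is the file's content rather than an extraction artifact, the interface will not be picked up by the generated policy documentation.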
@@ -98,28 +119,6 @@ interface(`zabbix_agent_tcp_connect',`
corenet_tcp_sendrecv_zabbix_agent_port($1)
')
-
-########################################
-##
-## Allow connectivity to the zabbix server
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`zabbix_tcp_connect',`
- gen_require(`
- type zabbix_t;
- ')
-
- corenet_sendrecv_zabbix_agent_packets($1)
- corenet_tcp_connect_zabbix_port($1)
- corenet_tcp_recvfrom_labeled($1, zabbix_t)
- corenet_tcp_sendrecv_zabbix_port($1)
-')
-
########################################
##
## All of the rules required to administrate
diff --git a/policy/modules/services/zabbix.te b/policy/modules/services/zabbix.te
index 244d829db..7dde536ca 100644
--- a/policy/modules/services/zabbix.te
+++ b/policy/modules/services/zabbix.te
@@ -25,7 +25,7 @@ logging_log_file(zabbix_log_t)
# shared memory
type zabbix_tmpfs_t;
-files_tmpfs_file(zabbix_tmpfs_t);
+files_tmpfs_file(zabbix_tmpfs_t)
# pid files
type zabbix_var_run_t;
@@ -49,16 +49,14 @@ allow zabbix_t zabbix_log_t:dir setattr;
manage_files_pattern(zabbix_t, zabbix_log_t, zabbix_log_t)
logging_log_filetrans(zabbix_t, zabbix_log_t, file)
-# pid file
-manage_dirs_pattern(zabbix_t, zabbix_var_run_t, zabbix_var_run_t)
-manage_files_pattern(zabbix_t, zabbix_var_run_t, zabbix_var_run_t)
-files_pid_filetrans(zabbix_t, zabbix_var_run_t, { dir file })
-
# shared memory
rw_files_pattern(zabbix_t, zabbix_tmpfs_t, zabbix_tmpfs_t)
fs_tmpfs_filetrans(zabbix_t, zabbix_tmpfs_t, file)
-zabbix_agent_tcp_connect(zabbix_t)
+# pid file
+manage_dirs_pattern(zabbix_t, zabbix_var_run_t, zabbix_var_run_t)
+manage_files_pattern(zabbix_t, zabbix_var_run_t, zabbix_var_run_t)
+files_pid_filetrans(zabbix_t, zabbix_var_run_t, { dir file })
corenet_tcp_bind_generic_node(zabbix_t)
corenet_tcp_bind_zabbix_port(zabbix_t)
@@ -69,6 +67,8 @@ miscfiles_read_localization(zabbix_t)
sysnet_dns_name_resolve(zabbix_t)
+zabbix_agent_tcp_connect(zabbix_t)
+
optional_policy(`
mysql_stream_connect(zabbix_t)
')
@@ -94,17 +94,14 @@ allow zabbix_agent_t self:unix_stream_socket create_stream_socket_perms;
filetrans_pattern(zabbix_agent_t, zabbix_log_t, zabbix_log_t, file)
manage_files_pattern(zabbix_agent_t, zabbix_log_t, zabbix_log_t)
-# PID file management
-manage_files_pattern(zabbix_agent_t, zabbix_var_run_t, zabbix_var_run_t)
-files_pid_filetrans(zabbix_agent_t, zabbix_var_run_t, file)
-
-# Network access to zabbix server
-zabbix_tcp_connect(zabbix_agent_t)
-
# Shared Memory support
rw_files_pattern(zabbix_agent_t, zabbix_tmpfs_t, zabbix_tmpfs_t)
fs_tmpfs_filetrans(zabbix_agent_t, zabbix_tmpfs_t, file)
+# PID file management
+manage_files_pattern(zabbix_agent_t, zabbix_var_run_t, zabbix_var_run_t)
+files_pid_filetrans(zabbix_agent_t, zabbix_var_run_t, file)
+
kernel_read_all_sysctls(zabbix_agent_t)
kernel_read_system_state(zabbix_agent_t)
@@ -135,3 +132,5 @@ miscfiles_read_localization(zabbix_agent_t)
sysnet_dns_name_resolve(zabbix_agent_t)
+# Network access to zabbix server
+zabbix_tcp_connect(zabbix_agent_t)