Puppet is a management utility to manage several dozens or even hundreds of
systems through a single application. Part of its job is to ensure that the
configuration and state of a system are as expected. Part of this is to ensure
that the proper mounts are available and, if not, mount them (or umount them).
This patch allows puppet_t to call mount.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
The courier-imapd daemon is part of the courier package (and already supported
by the courier module in refpolicy), but uses a different location for its
configuration files (/etc/courier-imap) and persistent data
(/var/lib/courier-imap).
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
Without the getattr privilege on the mountpoint directories, the checkdisk
plugin fails to capture the data unless nagios is reconfigured to directly
read the device files themselves.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
The mysql_stream_connect interface, which is already in use, is only for local
MySQL databases (not through TCP/IP).
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
Currently, the nagios nrpe_t definition has no read access to its own
nrpe_etc_t. I suspect this to be a copy/paste problem. Since the nrpe
configuration file is stored in /etc/nagios (nagios_etc_t), NRPE does need
search privileges in nagios_etc_t. This is easily accomplished through
read_files_pattern.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
The current consolekit policy definition has hal_ptrace(consolekit_t) in its
main body. However, HAL support within consolekit is not mandatory. As such,
this call should be within an optional_policy().
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
Haveged by itself requires a few additional privileges (create a unix socket
and write access to some proc/sys/kernel files, like
/proc/sys/kernel/random/write_wakeup_threshold).
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
Introduce a tunable called "entropyd_use_audio". This boolean triggers the
privileges that are specific for audio support (both device access as well
as the alsa-specific ones).
The idea to use a boolean is to support other entropy management
applications/daemons which use different sources (like haveged using the
HAVEGE algorithm).
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
Create the rpc_tcp_rw_nfs_sockets() interface, allowing for the calling
domain to access the tcp_sockets managed by nfsd_t.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
The zabbix agent is responsible for collecting the system state and other
monitorable aspects. This includes:
- information from /proc
- read attributes of various files (tamper detection)
- connect to the ssh service (check if it is reachable)
- get file system information
- read login information
- ...
It should be noted that the agent can do a lot more, depending on the target
system (what is being monitored) and the running services. The allowed
privileges here will in the future expand more as more templates are
checked.
Update: follow styleguide
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
The zabbix server also connects to the agents (this is called "active
monitoring" in the zabbix terms). So we create a zabbix_agent_tcp_connect
interface, use it for the zabbix_t domain and, since zabbix can use
hostname-based connections, allow DNS resolving for the zabbix server.
Update: Follow styleguide
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
The zabbix agent has its own dedicated port (10050) on which it needs to
bind/listen.
Also, the agent connects to the server so we add the zabbix_tcp_connect
interface (shamelessly copied from mysql_tcp_connect) and use it for the
zabbix_agent_t domain.
Update: structure interface calls more closely to styleguide
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
The zabbix agent should be confined within its own domain. We start with the
definition of a small(er) skeleton to work from. This includes proper file
context definitions, standard interdomain privileges (which are quite
similar to those of the server) and the proper log- and pid access
privileges.
Update: attempt to follow styleguide more closely
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
The zabbix server uses a dedicated port (10051). We define it and allow the
zabbix server to bind/listen on it.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
On Mon, Jun 13, 2011 at 10:28:15AM +0200, Sven Vermeulen wrote:
> Zabbix servers use shared memory to keep common information and structures.
> This is implemented on tmpfs. We support this by introducing a
> zabbix_tmpfs_t type and allow the server proper access to it.
After a small discussion and a few more tests, drop the "dir" in
fs_tmpfs_filetrans.
For posterity's sake, this is the denial one gets when no tmpfs_t related
privileges are given:
Jun 13 11:24:06 build kernel: [ 213.054230] type=1400
audit(1307957046.001:106): avc: denied { read write } for pid=3162
comm="zabbix_agentd" path=2F535953563663303132323534202864656C6574656429
dev=tmpfs ino=32768 scontext=system_u:system_r:zabbix_agent_t
tcontext=system_u:object_r:tmpfs_t tclass=file
With fs_tmpfs_filetrans(..., file) the same denial is given, but as
tcontext=zabbix_tmpfs_t. Hence the rw_files_pattern() enhancement.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
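The path= value in the denial quoted above is hex-encoded by the audit subsystem because the name contains a space. The following added example (not part of the original commit message; function names are hypothetical, and the sample is the quoted record joined onto one line) parses the record and decodes that field, which turns out to name a deleted SysV shared memory segment on tmpfs.

```python
import re

# The record quoted above, joined onto one line (it was wrapped in the mail).
SAMPLE = (
    'type=1400 audit(1307957046.001:106): avc: denied { read write } for '
    'pid=3162 comm="zabbix_agentd" '
    'path=2F535953563663303132323534202864656C6574656429 dev=tmpfs ino=32768 '
    'scontext=system_u:system_r:zabbix_agent_t '
    'tcontext=system_u:object_r:tmpfs_t tclass=file'
)

AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Fields the audit subsystem hex-encodes when the value contains spaces,
# quotes or control bytes. Numeric fields (pid, ino) must never be decoded.
STRING_FIELDS = {"path", "name", "comm", "exe"}


def decode_value(key, raw):
    """Return the readable form of one key=value field."""
    if raw.startswith('"'):
        return raw[1:-1]                      # quoted: already plain text
    if key in STRING_FIELDS and re.fullmatch(r'(?:[0-9A-Fa-f]{2})+', raw):
        return bytes.fromhex(raw).decode("utf-8", errors="replace")
    return raw


def parse_avc(line):
    """Split an AVC record into result, permission list and decoded fields."""
    m = AVC_RE.search(line)
    if m is None:
        raise ValueError("not an AVC record")
    fields = {k: decode_value(k, v) for k, v in FIELD_RE.findall(m.group(3))}
    return {"result": m.group(1), "perms": m.group(2).split(), "fields": fields}


def sysv_shm_key(path):
    """Kernel names SysV shm backing files SYSV<8 hex digits of the IPC key>."""
    m = re.match(r'/?SYSV([0-9a-fA-F]{8})\b', path)
    return int(m.group(1), 16) if m else None


if __name__ == "__main__":
    rec = parse_avc(SAMPLE)
    print(rec["result"], rec["perms"], rec["fields"]["path"])
    print("SysV shm key:", hex(sysv_shm_key(rec["fields"]["path"])))
```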
The zabbix server process is a multi-process system.
In order to, for instance, shut it down, signalling within the domain is
necessary. Otherwise, the processes remain running.
Also, since there are multiple processes trying to use the same log file,
the zabbix server uses semaphores to ensure proper access to the log files
(concurrency).
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>