When SECMARK or Netlabel packet labeling is used, it's useful to
forbid receiving and sending unlabeled packets. If packet labeling is
not active, there's no effect.
Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
Remove unused permission definitions from SELinux.
Many of these were only ever used in pre-mainline
versions of SELinux, prior to Linux 2.6.0. Some of them
were used in the legacy network or compat_net=1 checks
that were disabled by default in Linux 2.6.18 and
fully removed in Linux 2.6.30.
The corresponding classmap declarations were removed from the
mainline kernel in:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=42a9699a9fa179c0054ea3cf5ad3cc67104a6162
Permissions never used in mainline Linux:
file swapon
filesystem transition
tcp_socket { connectto newconn acceptfrom }
node enforce_dest
unix_stream_socket { newconn acceptfrom }
Legacy network checks, removed in 2.6.30:
socket { recv_msg send_msg }
node { tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send dccp_recv dccp_send }
netif { tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send dccp_recv dccp_send }
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
The mysql_stream_connect interface, which is already in use, is only for local
MySQL databases (not through TCP/IP).
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
The zabbix agent is responsible for collecting the system state and other
monitorable aspects. This include
- information from /proc
- read attributes of various files (tamper detection)
- connect to the ssh service (check if it is reachable)
- get file system information
- read login information
- ...
It should be noted that the agent can do a lot more, depending on the target
system (what is being monitored) and the running services. The allowed
privileges here will in the future expand more as more templates are
checked.
Update: follow styleguide
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
The zabbix server also connects to the agents (this is called "active
monitoring" in the zabbix terms). So we create a zabbix_agent_tcp_connect
interface, use it for the zabbix_t domain and, since zabbix can use
hostname-based connections, allow DNS resolving for the zabbix server.
Update: Follow styleguide
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
The zabbix agent has its own dedicated port (10050) on which it needs to
bind/listen.
Also, the agent connects to the server so we add the zabbix_tcp_connect
interface (shamelessly copied from mysql_tcp_connect) and use it for the
zabbix_agent_t domain.
Update: structure interface calls more closely to styleguide
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
The zabbix agent should be confined within its own domain. We start with the
definition of a small(er) skeleton to work from. This includes proper file
context definitions, standard interdomain privileges (which are quite
similar to those of the server) and the proper log- and pid access
privileges.
Update: attempt to follow styleguide more closely
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
The zabbix server uses a dedicated port (10051). We define it and allow the
zabbix server to bind/listen on it.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
On Mon, Jun 13, 2011 at 10:28:15AM +0200, Sven Vermeulen wrote:
> Zabbix servers use shared memory to keep common information and structures.
> This is implemented on tmpfs. We support this by introducing a
> zabbix_tmpfs_t type and allow the server proper access to it.
After a small discussion and a few more tests, drop the "dir" in
fs_tmpfs_filetrans.
For posterity's sake, this is the denial one gets when no tmpfs_t related
privileges are given:
Jun 13 11:24:06 build kernel: [ 213.054230] type=1400
audit(1307957046.001:106): avc: denied { read write } for pid=3162
comm="zabbix_agentd" path=2F535953563663303132323534202864656C6574656429
dev=tmpfs ino=32768 scontext=system_u:system_r:zabbix_agent_t
tcontext=system_u:object_r:tmpfs_t tclass=file
With fs_tmpfs_filetrans(..., file) the same denial is given, but as
tcontext=zabbix_tmpfs_t. Hence the rw_files_pattern() enhancement.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
The zabbix server process is a multi-process system.
In order to, for instance, shut it down, signalling within the domain is
necessary. Otherwise, the processes remain running.
Also, since there are multiple processes trying to use the same log file,
the zabbix server uses semaphores to ensure proper access to the log files
(concurrency).
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
Chris PeBenito
Topi Miettinen
Stephen Smalley
Chris PeBenito
Sven Vermeulen
Jeremy Solt