nnd
/
selinux-refpolicy
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Zabbix agent binds on its own port, connects to zabbix server 

The zabbix agent has its own dedicated port (10050) on which it needs to
bind/listen.

Also, the agent connects to the server so we add the zabbix_tcp_connect
interface (shamelessly copied from mysql_tcp_connect) and use it for the
zabbix_agent_t domain.

Update: structure interface calls more closely to styleguide

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
This commit is contained in:
Sven Vermeulen 2011-06-15 18:57:43 +02:00 committed by Chris PeBenito
parent 5b85c03633
commit 80b95df00a
3 changed files with 29 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
policy/modules/kernel/corenetwork.te.in
View File

@ -224,6 +224,7 @@ network_port(xfs, tcp,7100,s0)
network_port(xserver, tcp,6000-6020,s0) network_port(xserver, tcp,6000-6020,s0)
network_port(zarafa, tcp,236,s0, tcp,237,s0) network_port(zarafa, tcp,236,s0, tcp,237,s0)
network_port(zabbix, tcp,10051,s0) network_port(zabbix, tcp,10051,s0)
network_port(zabbix_agent, tcp,10050,s0)
network_port(zookeeper_client, tcp,2181,s0) network_port(zookeeper_client, tcp,2181,s0)
network_port(zookeeper_election, tcp,3888,s0) network_port(zookeeper_election, tcp,3888,s0)
network_port(zookeeper_leader, tcp,2888,s0) network_port(zookeeper_leader, tcp,2888,s0)

21
policy/modules/services/zabbix.if
View File

@ -77,6 +77,27 @@ interface(`zabbix_read_pid_files',`
allow $1 zabbix_var_run_t:file read_file_perms; allow $1 zabbix_var_run_t:file read_file_perms;
') ')
########################################
## <summary>
## Allow connectivity to the zabbix server
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`zabbix_tcp_connect',`
gen_require(`
type zabbix_t;
')
corenet_sendrecv_zabbix_agent_packets($1)
corenet_tcp_connect_zabbix_port($1)
corenet_tcp_recvfrom_labeled($1, zabbix_t)
corenet_tcp_sendrecv_zabbix_port($1)
')
######################################## ########################################
## <summary> ## <summary>
## All of the rules required to administrate ## All of the rules required to administrate

7
policy/modules/services/zabbix.te
View File

@ -97,6 +97,9 @@ manage_files_pattern(zabbix_agent_t, zabbix_log_t, zabbix_log_t)
manage_files_pattern(zabbix_agent_t, zabbix_var_run_t, zabbix_var_run_t) manage_files_pattern(zabbix_agent_t, zabbix_var_run_t, zabbix_var_run_t)
files_pid_filetrans(zabbix_agent_t, zabbix_var_run_t, file) files_pid_filetrans(zabbix_agent_t, zabbix_var_run_t, file)
# Network access to zabbix server
zabbix_tcp_connect(zabbix_agent_t)
# Shared Memory support # Shared Memory support
rw_files_pattern(zabbix_agent_t, zabbix_tmpfs_t, zabbix_tmpfs_t) rw_files_pattern(zabbix_agent_t, zabbix_tmpfs_t, zabbix_tmpfs_t)
fs_tmpfs_filetrans(zabbix_agent_t, zabbix_tmpfs_t, file) fs_tmpfs_filetrans(zabbix_agent_t, zabbix_tmpfs_t, file)
@ -104,3 +107,7 @@ fs_tmpfs_filetrans(zabbix_agent_t, zabbix_tmpfs_t, file)
## Kernel layer module calls ## Kernel layer module calls
## System layer module calls ## System layer module calls
# sysnetwork module
sysnet_dns_name_resolve(zabbix_agent_t)