author | Anthony G. Basile <blueness@gentoo.org> | 2011-06-30 10:04:18 +0000 |
---|---|---|
committer | Anthony G. Basile <blueness@gentoo.org> | 2011-06-30 10:04:18 +0000 |
commit | 6968cb700fcce5edba24005d87024cc2a2cd4419 (patch) | |
tree | 4acc2271c350191edf1cc977277dd4238dfeeafb /sec-policy/selinux-zabbix | |
parent | Stable on amd64 wrt bug #373155 (diff) | |
download | historical-6968cb700fcce5edba24005d87024cc2a2cd4419.tar.gz historical-6968cb700fcce5edba24005d87024cc2a2cd4419.tar.bz2 historical-6968cb700fcce5edba24005d87024cc2a2cd4419.zip |
Make sure zabbix agent works, bump to EAPI=4
Package-Manager: portage-2.1.9.42/cvs/Linux x86_64
Diffstat (limited to 'sec-policy/selinux-zabbix')
-rw-r--r-- | sec-policy/selinux-zabbix/ChangeLog | 8 | ||||
-rw-r--r-- | sec-policy/selinux-zabbix/Manifest | 10 | ||||
-rw-r--r-- | sec-policy/selinux-zabbix/files/fix-services-zabbix-r1.patch | 135 | ||||
-rw-r--r-- | sec-policy/selinux-zabbix/selinux-zabbix-2.20101213-r1.ebuild | 16 |
4 files changed, 164 insertions, 5 deletions
diff --git a/sec-policy/selinux-zabbix/ChangeLog b/sec-policy/selinux-zabbix/ChangeLog
index 0ad51db87697..b89042ad4b39 100644
--- a/sec-policy/selinux-zabbix/ChangeLog
+++ b/sec-policy/selinux-zabbix/ChangeLog
@@ -1,6 +1,12 @@
 # ChangeLog for sec-policy/selinux-zabbix
 # Copyright 1999-2011 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/sec-policy/selinux-zabbix/ChangeLog,v 1.2 2011/06/02 13:12:38 blueness Exp $
+# $Header: /var/cvsroot/gentoo-x86/sec-policy/selinux-zabbix/ChangeLog,v 1.3 2011/06/30 10:04:18 blueness Exp $
+
+*selinux-zabbix-2.20101213-r1 (30 Jun 2011)
+
+ 30 Jun 2011; Anthony G. Basile <blueness@gentoo.org>
+ +files/fix-services-zabbix-r1.patch, +selinux-zabbix-2.20101213-r1.ebuild:
+ Make sure zabbix agent works, bump to EAPI=4
 
 02 Jun 2011; Anthony G. Basile <blueness@gentoo.org>
 selinux-zabbix-2.20101213.ebuild:
diff --git a/sec-policy/selinux-zabbix/Manifest b/sec-policy/selinux-zabbix/Manifest
index 6ce6c7457ed2..320ea1c6591f 100644
--- a/sec-policy/selinux-zabbix/Manifest
+++ b/sec-policy/selinux-zabbix/Manifest
@@ -1,14 +1,16 @@ -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 +AUX fix-services-zabbix-r1.patch 4856 RMD160 caae5ef1ad31212452c0f2bfb05968848a3b0a3f SHA1 968978b67499289900ffcf544e628e3a2ae96122 SHA256 260c90774d6f351b7b32a4d042eb45c7849bf78b963aa51a112e49241fdf6317 DIST refpolicy-2.20101213.tar.bz2 559450 RMD160 4858f792f4db5b179de6fb8419a626c29d59bdd3 SHA1 0e881e99b8950a358eadc44633551ca10f12eaee SHA256 b691ee8f6066cc19bb0d4384fe3be277d97d22e9d4ac2db0c252065e8c3535de +EBUILD selinux-zabbix-2.20101213-r1.ebuild 440 RMD160 62b6d6f51884f161bc3e915838ac9d49c9303d2d SHA1 e379465b5a6472038013c22f1669996841337aab SHA256 f39f5f873a632ac7d077d464b56f84408e319d3b435de15e9bddc01dcfebd2ee EBUILD selinux-zabbix-2.20101213.ebuild 369 RMD160 2a69228e1c41dcdf88ae3166b74638fb54441872 SHA1 b3c3bc64018295498e2f84ef6ed351ff5bc319e4 SHA256 05beeb93429038b975e7d74c94fe1ad6a9f908ea15637fb73fa74bfa28d90166 -MISC ChangeLog 432 RMD160 fa8fffeea013c1062f424880b4fc146895c97920 SHA1 270ad270ab0285ccbf5d1108458e5f98e632615a SHA256 153d89bbafde7a3b2bba33abcb56516d6cc794638bc368a39e27be79f5f54316 +MISC ChangeLog 657 RMD160 3a860d1b2221a9a5733613db17a83e5b53a4f351 SHA1 eb688067e1b33c105231bcccd5b0600ad2854ee7 SHA256 29b99d12f09ff1874d267c7f8c2410266239807f6a55dcbb9a47394dd42a8a29 MISC metadata.xml 230 RMD160 7a866c726623b5965ac5008485f20ce4a2b6f152 SHA1 b74d8ea3840ee2af99d4d2af51cd5e0274e372e5 SHA256 e9b3160af532a6e966a9a73bf5c180574ee4c9b9ee6e852ab75b11acea984444 -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.17 (GNU/Linux) -iEYEAREIAAYFAk3njEwACgkQl5yvQNBFVTVRkwCcD4Waf6DJWdsGLHNl+RNZvsTP -s0oAnRJ8g14VIbpUYxp4AeiiobqNgUuW -=dLa4 +iEYEAREIAAYFAk4MSi0ACgkQl5yvQNBFVTW76wCdFLqsRNLiXRump5JbDHMDV34i +wIsAniuWpJ+Sx4IvbzVmiJfkQcrpUOBn +=fnbl -----END PGP SIGNATURE----- diff --git a/sec-policy/selinux-zabbix/files/fix-services-zabbix-r1.patch b/sec-policy/selinux-zabbix/files/fix-services-zabbix-r1.patch new file mode 100644 index 000000000000..a6b6593358a9 --- /dev/null 
+++ b/sec-policy/selinux-zabbix/files/fix-services-zabbix-r1.patch 
@@ -0,0 +1,135 @@
+--- services/zabbix.te 2010-12-13 15:11:02.000000000 +0100
++++ services/zabbix.te 2011-06-13 11:44:56.271000342 +0200
+@@ -9,9 +9,16 @@
+ type zabbix_exec_t;
+ init_daemon_domain(zabbix_t, zabbix_exec_t)
+ 
++type zabbix_agent_t;
++type zabbix_agent_exec_t;
++init_daemon_domain(zabbix_agent_t, zabbix_agent_exec_t)
++
+ type zabbix_initrc_exec_t;
+ init_script_file(zabbix_initrc_exec_t)
+ 
++type zabbix_agent_initrc_exec_t;
++init_script_file(zabbix_agent_initrc_exec_t)
++
+ # log files
+ type zabbix_log_t;
+ logging_log_file(zabbix_log_t)
+@@ -20,6 +27,9 @@
+ type zabbix_var_run_t;
+ files_pid_file(zabbix_var_run_t)
+ 
++type zabbix_tmpfs_t;
++files_tmpfs_file(zabbix_tmpfs_t);
++
+ ########################################
+ #
+ # zabbix local policy
+@@ -27,7 +37,11 @@
+ 
+ allow zabbix_t self:capability { setuid setgid };
+ allow zabbix_t self:fifo_file rw_file_perms;
++allow zabbix_t self:process { setsched getsched signal };
+ allow zabbix_t self:unix_stream_socket create_stream_socket_perms;
++allow zabbix_t self:sem { create unix_write unix_read read write associate destroy }; #mutex requirement for log file
++allow zabbix_t self:shm create_shm_perms;
++allow zabbix_t self:tcp_socket create_stream_socket_perms;
+ 
+ # log files
+ allow zabbix_t zabbix_log_t:dir setattr;
+@@ -39,14 +53,81 @@
+ manage_files_pattern(zabbix_t, zabbix_var_run_t, zabbix_var_run_t)
+ files_pid_filetrans(zabbix_t, zabbix_var_run_t, { dir file })
+ 
++sysnet_dns_name_resolve(zabbix_t)
++
++fs_tmpfs_filetrans(zabbix_t, zabbix_tmpfs_t, { dir file })
++manage_files_pattern(zabbix_t, tmpfs_t, zabbix_tmpfs_t)
++
++# configuration file
+ files_read_etc_files(zabbix_t)
+ 
+ miscfiles_read_localization(zabbix_t)
++corenet_tcp_bind_generic_node(zabbix_t)
++corenet_tcp_bind_zabbix_port(zabbix_t)
++
++gentoo_zabbix_agent_tcp_connect(zabbix_t)
+ 
+ optional_policy(`
++ # Support MySQL connectivity both local (stream) and through network (tcp)
+ mysql_stream_connect(zabbix_t)
++ mysql_tcp_connect(zabbix_t)
+ ')
+ 
+ optional_policy(`
+ postgresql_stream_connect(zabbix_t)
+ ')
++
++########################################
++#
++# zabbix agent local policy
++#
++
++allow zabbix_agent_t self:capability { setuid setgid };
++allow zabbix_agent_t self:process { setsched getsched signal };
++allow zabbix_agent_t self:fifo_file rw_file_perms;
++allow zabbix_agent_t self:unix_stream_socket create_stream_socket_perms;
++allow zabbix_agent_t self:sem { create unix_write unix_read read write associate destroy }; #mutex requirement for log file
++allow zabbix_agent_t self:tcp_socket create_stream_socket_perms;
++allow zabbix_agent_t self:shm create_shm_perms;
++
++## Rules relating to the objects managed by this policy file
++# Logging access
++filetrans_pattern(zabbix_agent_t, zabbix_log_t, zabbix_log_t, file)
++manage_files_pattern(zabbix_agent_t, zabbix_log_t, zabbix_log_t)
++# PID file management
++manage_files_pattern(zabbix_agent_t, zabbix_var_run_t, zabbix_var_run_t)
++files_pid_filetrans(zabbix_agent_t, zabbix_var_run_t, file)
++# Port access
++gentoo_zabbix_tcp_connect(zabbix_agent_t)
++# Shared memory
++rw_files_pattern(zabbix_agent_t, zabbix_tmpfs_t, zabbix_tmpfs_t)
++fs_tmpfs_filetrans(zabbix_agent_t, zabbix_tmpfs_t, file)
++
++## kernel layer module calls
++kernel_read_all_sysctls(zabbix_agent_t)
++kernel_read_system_state(zabbix_agent_t)
++#corecmd_exec_bin(zabbix_agent_t)
++#corecmd_exec_shell(zabbix_agent_t)
++corecmd_read_all_executables(zabbix_agent_t)
++corenet_tcp_bind_generic_node(zabbix_agent_t)
++corenet_tcp_bind_zabbix_agent_port(zabbix_agent_t)
++corenet_tcp_connect_ssh_port(zabbix_agent_t) # Agent supports ssh connectivity tests
++corenet_tcp_connect_zabbix_port(zabbix_agent_t)
++dev_getattr_all_blk_files(zabbix_agent_t)
++dev_getattr_all_chr_files(zabbix_agent_t)
++domain_search_all_domains_state(zabbix_agent_t)
++files_read_all_symlinks(zabbix_agent_t)
++files_read_etc_files(zabbix_agent_t)
++files_getattr_all_dirs(zabbix_agent_t)
++files_getattr_all_files(zabbix_agent_t)
++fs_getattr_all_fs(zabbix_agent_t)
++
++## system layer module calls
++#hostname_exec(zabbix_agent_t)
++init_read_utmp(zabbix_agent_t)
++logging_search_logs(zabbix_agent_t)
++miscfiles_read_localization(zabbix_agent_t)
++sysnet_dns_name_resolve(zabbix_agent_t)
++
++## other modules
++#ssh_exec(zabbix_agent_t)
+--- services/zabbix.fc 2010-08-03 15:11:09.000000000 +0200
++++ services/zabbix.fc 2011-06-12 20:12:49.376002444 +0200
+@@ -1,6 +1,8 @@
+ /etc/rc\.d/init\.d/zabbix -- gen_context(system_u:object_r:zabbix_initrc_exec_t,s0)
++/etc/rc\.d/init\.d/zabbix-agentd -- gen_context(system_u:object_r:zabbix_agent_initrc_exec_t,s0)
+ 
+-/usr/bin/zabbix_server -- gen_context(system_u:object_r:zabbix_exec_t,s0)
++/usr/(s)?bin/zabbix_server -- gen_context(system_u:object_r:zabbix_exec_t,s0)
++/usr/(s)?bin/zabbix_agentd -- gen_context(system_u:object_r:zabbix_agent_exec_t,s0)
+ 
+ /var/log/zabbix(/.*)? gen_context(system_u:object_r:zabbix_log_t,s0)
+ 
diff --git a/sec-policy/selinux-zabbix/selinux-zabbix-2.20101213-r1.ebuild b/sec-policy/selinux-zabbix/selinux-zabbix-2.20101213-r1.ebuild
new file mode 100644
index 000000000000..280917a770a2
--- /dev/null
+++ b/sec-policy/selinux-zabbix/selinux-zabbix-2.20101213-r1.ebuild
@@ -0,0 +1,16 @@
+# Copyright 1999-2011 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/sec-policy/selinux-zabbix/selinux-zabbix-2.20101213-r1.ebuild,v 1.1 2011/06/30 10:04:18 blueness Exp $
+EAPI="4"
+
+IUSE=""
+
+MODS="zabbix"
+
+inherit selinux-policy-2
+
+DESCRIPTION="SELinux policy for general applications"
+
+KEYWORDS="~amd64 ~x86"
+
+POLICY_PATCH="${FILESDIR}/fix-services-zabbix-r1.patch"
|
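Review bot: In files/fix-services-zabbix-r1.patch the new `zabbix_agent_t` domain is not separated from the server at the object level: it gets `manage_files_pattern` on `zabbix_log_t` and `zabbix_var_run_t` and `rw_files_pattern` on `zabbix_tmpfs_t`, the same types `zabbix_t` uses. The agent binds a network port and is given wide read/getattr access for monitoring, so where both daemons run on one host a compromised agent could alter or remove the server's logs, PID file and shared-memory files. Agent-specific types, for example `type zabbix_agent_log_t;` with `logging_log_file(zabbix_agent_log_t)` plus matching `.fc` entries, would keep the two domains apart; the agent's log and PID paths are not visible in this patch, so the file contexts need checking. Separately, `manage_files_pattern(zabbix_t, tmpfs_t, zabbix_tmpfs_t)` names the generic `tmpfs_t` as directory type while the agent rule uses `zabbix_tmpfs_t`, and the `gentoo_zabbix_tcp_connect` / `gentoo_zabbix_agent_tcp_connect` interfaces are not defined here and presumably come from another policy patch.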
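Review bot: `DESCRIPTION="SELinux policy for general applications"` in the new ebuild does not name what the module confines; `DESCRIPTION="SELinux policy for zabbix"` would match `MODS="zabbix"` and tell users what they are installing. The generic wording looks carried over from a template. It would also help to add a one-line comment above `POLICY_PATCH` saying that the patch adds the agent domain, since that is the only functional difference from the previous revision.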