authorCoprDistGit <infra@openeuler.org>2024-11-27 06:27:04 +0000
committerCoprDistGit <infra@openeuler.org>2024-11-27 06:27:04 +0000
commita79e82b21a5b625363442d49d5c51b162910d936 (patch)
tree6263142b895f5252ce95ab3756ba1df94dc22197 /zabbix.te
parentf7b3614d41fae2ba39d757a1b7832180240b8607 (diff)
automatic import of zabbix
Diffstat (limited to 'zabbix.te')
-rw-r--r--zabbix.te32
1 files changed, 29 insertions, 3 deletions
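--- a/zabbix.te
+++ b/zabbix.te
@@ -1,4 +1,4 @@
-policy_module(zabbix, 1.6.0)
+policy_module(zabbix, 1.7.0)
 ########################################
 #
@@ -284,22 +284,48 @@ zabbix_tcp_connect(zabbix_agent_t)
 zabbix_script_domtrans(zabbix_agent_t)
+# These are triggered by vfs.dev.discovery enumerating everyting in /dev
+gen_require(`
+ type devlog_t;
+')
+dontaudit zabbix_agent_t devlog_t:sock_file getattr;
+init_dontaudit_getattr_initctl(zabbix_agent_t)
+kernel_dontaudit_getattr_core_if(zabbix_agent_t)
+
+gen_require(`
+ type kernel_t, sudo_log_t;
+')
 tunable_policy(`zabbix_run_sudo',`
- allow zabbix_agent_t self:capability { setgid setuid sys_resource };
+ allow zabbix_agent_t self:capability { chown dac_read_search setgid setuid sys_resource };
 allow zabbix_agent_t self:process { setrlimit setsched };
 allow zabbix_agent_t self:key write;
 allow zabbix_agent_t self:passwd { passwd rootok };
+ allow zabbix_agent_t sudo_log_t:dir { add_name create setattr write };
+ allow zabbix_agent_t sudo_log_t:file { create open read setattr write };
+
+ allow zabbix_agent_t devlog_t:sock_file write;
+ allow zabbix_agent_t kernel_t:unix_dgram_socket sendto;
+ allow zabbix_agent_t self:unix_dgram_socket { connect create };
+
+ auth_domtrans_chkpwd(zabbix_agent_t)
 auth_rw_lastlog(zabbix_agent_t)
 auth_rw_faillog(zabbix_agent_t)
- auth_exec_chkpwd(zabbix_agent_t)
+
+ logging_send_audit_msgs(zabbix_agent_t)
 selinux_compute_access_vector(zabbix_agent_t)
+ sssd_read_config(zabbix_agent_t)
+
 systemd_write_inherited_logind_sessions_pipes(zabbix_agent_t)
 systemd_dbus_chat_logind(zabbix_agent_t)
 xserver_exec_xauth(zabbix_agent_t)
+
+ # Conceivably this could be under a separate boolean, but the reason to allow sudo
+ # is to allow check like this
+ lvm_domtrans(zabbix_agent_t)
 ')
 optional_policy(`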
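Review bot: The `chown` and `dac_read_search` capabilities added on the `allow zabbix_agent_t self:capability` line are granted to the agent domain itself rather than to a sudo transition, and `dac_read_search` lets zabbix_agent_t bypass DAC read/search checks on every file once `zabbix_run_sudo` is on; the comment above `lvm_domtrans` explains that interface, but nothing records which denial drove the new capabilities, so a line such as `# chown/dac_read_search: observed when sudo sets up its sudo_log_t directory — confirm against the audit log` would let the next reviewer judge the boolean's scope (the comment on the first added line also misspells "everything"). Separately, `sudo_log_t` is required unconditionally in the second `gen_require` block alongside `kernel_t`; if that type is declared by the sudo module, this module will fail to load on systems without sudo policy, so the sudo-specific rules belong inside an `optional_policy(`…')` wrapper. The raw `devlog_t:sock_file write`, `kernel_t:unix_dgram_socket sendto` and `self:unix_dgram_socket { connect create }` rules read like a hand-rolled syslog send; `logging_send_syslog_msg(zabbix_agent_t)` and `kernel_dgram_send(zabbix_agent_t)` express the same intent in the conventional interface form. The `tunable_policy` block is fully inside the hunk, but the enclosing file continues past the trailing `optional_policy(``.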