diff options
| -rw-r--r-- | .gitignore | 1 | ||||
| -rw-r--r-- | sources | 1 | ||||
| -rw-r--r-- | zabbix-agent.service | 11 | ||||
| -rw-r--r-- | zabbix-config.patch | 48 | ||||
| -rw-r--r-- | zabbix-configure-sscanf.patch | 17 | ||||
| -rw-r--r-- | zabbix-crypto-policy.patch | 44 | ||||
| -rw-r--r-- | zabbix-logrotate.in | 8 | ||||
| -rw-r--r-- | zabbix-out-of-tree.patch | 157 | ||||
| -rw-r--r-- | zabbix-php-fpm.conf | 24 | ||||
| -rw-r--r-- | zabbix-proxy-mysql.service | 11 | ||||
| -rw-r--r-- | zabbix-proxy-pgsql.service | 11 | ||||
| -rw-r--r-- | zabbix-proxy-sqlite3.service | 11 | ||||
| -rw-r--r-- | zabbix-server-mysql.service | 11 | ||||
| -rw-r--r-- | zabbix-server-pgsql.service | 11 | ||||
| -rw-r--r-- | zabbix-tmpfiles-zabbix.conf | 1 | ||||
| -rw-r--r-- | zabbix-tmpfiles-zabbixsrv.conf | 1 | ||||
| -rw-r--r-- | zabbix-web.conf | 35 | ||||
| -rw-r--r-- | zabbix.fc | 25 | ||||
| -rw-r--r-- | zabbix.if | 199 | ||||
| -rw-r--r-- | zabbix.spec | 836 | ||||
| -rw-r--r-- | zabbix.te | 374 |
21 files changed, 1837 insertions, 0 deletions
@@ -0,0 +1 @@ +/zabbix-7.0.5.tar.gz @@ -0,0 +1 @@ +7b2d3e749911145526f27a9d1793d264 zabbix-7.0.5.tar.gz diff --git a/zabbix-agent.service b/zabbix-agent.service new file mode 100644 index 0000000..aeed01b --- /dev/null +++ b/zabbix-agent.service @@ -0,0 +1,11 @@ +[Unit] +Description=Zabbix Monitor Agent +After=syslog.target network.target + +[Service] +Type=simple +ExecStart=/usr/sbin/zabbix_agentd -f +User=zabbix + +[Install] +WantedBy=multi-user.target diff --git a/zabbix-config.patch b/zabbix-config.patch new file mode 100644 index 0000000..5d61074 --- /dev/null +++ b/zabbix-config.patch @@ -0,0 +1,48 @@ +diff --git a/ui/include/classes/core/CConfigFile.php b/ui/include/classes/core/CConfigFile.php +index d7ad93a..88b7d5f 100644 +--- a/ui/include/classes/core/CConfigFile.php ++++ b/ui/include/classes/core/CConfigFile.php +@@ -20,7 +20,7 @@ class CConfigFile { + const CONFIG_ERROR = 2; + const CONFIG_VAULT_ERROR = 3; + +- const CONFIG_FILE_PATH = '/conf/zabbix.conf.php'; ++ const CONFIG_FILE_PATH = '/etc/zabbix/web/zabbix.conf.php'; + + private static $supported_db_types = [ + ZBX_DB_MYSQL => true, +diff --git a/ui/include/classes/core/ZBase.php b/ui/include/classes/core/ZBase.php +index 51b2165..e57e5a8 100644 +--- a/ui/include/classes/core/ZBase.php ++++ b/ui/include/classes/core/ZBase.php +@@ -392,7 +392,7 @@ class ZBase { + * @throws Exception + */ + protected function setMaintenanceMode() { +- require_once 'conf/maintenance.inc.php'; ++ require_once '/etc/zabbix/web/maintenance.inc.php'; + + if (defined('ZBX_DENY_GUI_ACCESS')) { + if (!isset($ZBX_GUI_ACCESS_IP_RANGE) || !in_array(CWebUser::getIp(), $ZBX_GUI_ACCESS_IP_RANGE)) { +@@ -405,7 +405,7 @@ class ZBase { + * Load zabbix config file. + */ + protected function loadConfigFile(): void { +- $configFile = $this->root_dir.CConfigFile::CONFIG_FILE_PATH; ++ $configFile = CConfigFile::CONFIG_FILE_PATH; + + $config = new CConfigFile($configFile); + +diff --git a/ui/include/classes/setup/CSetupWizard.php b/ui/include/classes/setup/CSetupWizard.php +index 8574868..79d0c72 100644 +--- a/ui/include/classes/setup/CSetupWizard.php ++++ b/ui/include/classes/setup/CSetupWizard.php +@@ -328,7 +328,7 @@ class CSetupWizard extends CForm { + // make zabbix.conf.php downloadable + header('Content-Type: application/x-httpd-php'); + header('Content-Disposition: attachment; filename="'.basename(CConfigFile::CONFIG_FILE_PATH).'"'); +- $config = new CConfigFile(APP::getRootDir().CConfigFile::CONFIG_FILE_PATH); ++ $config = new CConfigFile(CConfigFile::CONFIG_FILE_PATH); + $config->config = [ + 'DB' => [ + 'TYPE' => $this->getConfig('DB_TYPE'), diff --git a/zabbix-configure-sscanf.patch b/zabbix-configure-sscanf.patch new file mode 100644 index 0000000..8117635 --- /dev/null +++ b/zabbix-configure-sscanf.patch @@ -0,0 +1,17 @@ +sscanf needs <stdio.h> for the prototype. Submitted upstream here: + + <https://support.zabbix.com/browse/ZBX-21946> + +diff --git a/configure.ac b/configure.ac +index 0588004f9f89cdd5..bbc60e3a28369f9f 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -952,6 +952,7 @@ dnl FreeBSD 4.x does not support %llu + AC_MSG_CHECKING(for long long format) + AC_RUN_IFELSE([AC_LANG_SOURCE([[ + #include <sys/types.h> ++#include <stdio.h> + int main() + { + uint64_t i; + diff --git a/zabbix-crypto-policy.patch b/zabbix-crypto-policy.patch new file mode 100644 index 0000000..4f9f49a --- /dev/null +++ b/zabbix-crypto-policy.patch @@ -0,0 +1,44 @@ +diff --git a/src/go/pkg/tls/tls.go b/src/go/pkg/tls/tls.go +index b7ddff4..063eb02 100644 +--- a/src/go/pkg/tls/tls.go ++++ b/src/go/pkg/tls/tls.go +@@ -406,6 +406,8 @@ static void *tls_new_context(const char *ca_file, const char *crl_file, const ch + #endif + if (NULL != cipher) + ciphers = cipher; ++ else ++ ciphers = "PROFILE=SYSTEM"; + + if (1 != SSL_CTX_set_cipher_list(ctx, ciphers)) + goto out; +diff --git a/src/libs/zbxcomms/tls_openssl.c b/src/libs/zbxcomms/tls_openssl.c +index 40394a3..b2eb0f0 100644 +--- a/src/libs/zbxcomms/tls_openssl.c ++++ b/src/libs/zbxcomms/tls_openssl.c +@@ -1212,7 +1212,7 @@ void zbx_tls_init_child(const zbx_config_tls_t *config_tls, zbx_get_program_type + goto out; + } + } +- else if (1 != SSL_CTX_set_cipher_list(ctx_cert, ciphers)) ++ else if (1 != SSL_CTX_set_cipher_list(ctx_cert, "PROFILE=SYSTEM")) + { + zbx_snprintf_alloc(&error, &error_alloc, &error_offset, "cannot set list of certificate" + " ciphersuites:"); +@@ -1302,7 +1302,7 @@ void zbx_tls_init_child(const zbx_config_tls_t *config_tls, zbx_get_program_type + goto out; + } + } +- else if (1 != SSL_CTX_set_cipher_list(ctx_psk, ciphers)) ++ else if (1 != SSL_CTX_set_cipher_list(ctx_psk, "PROFILE=SYSTEM")) + { + zbx_snprintf_alloc(&error, &error_alloc, &error_offset, "cannot set list of PSK ciphersuites:"); + goto out; +@@ -1360,7 +1360,7 @@ void zbx_tls_init_child(const zbx_config_tls_t *config_tls, zbx_get_program_type + goto out; + } + } +- else if (1 != SSL_CTX_set_cipher_list(ctx_all, ciphers)) ++ else if (1 != SSL_CTX_set_cipher_list(ctx_all, "PROFILE=SYSTEM")) + { + zbx_snprintf_alloc(&error, &error_alloc, &error_offset, "cannot set list of all ciphersuites:"); + goto out; diff --git a/zabbix-logrotate.in b/zabbix-logrotate.in new file mode 100644 index 0000000..6eeea97 --- /dev/null +++ b/zabbix-logrotate.in @@ -0,0 +1,8 @@ +/var/log/USER/zabbix_COMPONENT.log { + missingok + monthly + notifempty + compress + copytruncate + su USER USER +} diff --git a/zabbix-out-of-tree.patch b/zabbix-out-of-tree.patch new file mode 100644 index 0000000..901d716 --- /dev/null +++ b/zabbix-out-of-tree.patch @@ -0,0 +1,157 @@ +diff --git a/src/go/Makefile.am b/src/go/Makefile.am +index 3e24aa0..308e34b 100644 +--- a/src/go/Makefile.am ++++ b/src/go/Makefile.am +@@ -67,6 +67,7 @@ clean: clean-go-build clean-sbom + + clean-go-build: + -$(GO) clean ./... ++ -$(GO) clean $(srcdir)/... + -rm -f bin/mock_server + -rm -f bin/zabbix_agent2 + -rm -f bin/zabbix_web_service +@@ -89,9 +90,9 @@ install-bin/zabbix_agent2: bin/zabbix_agent2 + $(INSTALL) -d "$(DESTDIR)$(sbindir)" + $(INSTALL_PROGRAM) bin/zabbix_agent2 "$(DESTDIR)$(sbindir)" + $(INSTALL) -d "$(DESTDIR)$(AGENT2_PLUGIN_CONFIG_DIR)" +- $(INSTALL_DATA) conf/zabbix_agent2.conf "$(DESTDIR)$(sysconfdir)" ++ $(INSTALL_DATA) $(top_srcdir)/src/go/conf/zabbix_agent2.conf "$(DESTDIR)$(sysconfdir)" + $(INSTALL) -d "$(DESTDIR)$(AGENT2_PLUGIN_CONFIG_DIR)" +- (cd conf/zabbix_agent2.d/plugins.d && \ ++ (cd $(top_srcdir)/conf/zabbix_agent2.d/plugins.d && \ + for _f in *.conf; do \ + $(INSTALL_DATA) $${_f} "$(DESTDIR)$(AGENT2_PLUGIN_CONFIG_DIR)"; \ + done) +diff --git a/src/zabbix_agent/Makefile.am b/src/zabbix_agent/Makefile.am +index b217fb5..945a673 100644 +--- a/src/zabbix_agent/Makefile.am ++++ b/src/zabbix_agent/Makefile.am +@@ -69,4 +69,4 @@ zabbix_agentd_CFLAGS = \ + install-data-hook: + $(MKDIR_P) "$(DESTDIR)$(AGENT_CONFIG_FILE).d" + $(MKDIR_P) "$(DESTDIR)$(LOAD_MODULE_PATH)" +- test -f "$(DESTDIR)$(AGENT_CONFIG_FILE)" || cp "../../conf/zabbix_agentd.conf" "$(DESTDIR)$(AGENT_CONFIG_FILE)" ++ test -f "$(DESTDIR)$(AGENT_CONFIG_FILE)" || cp "$(top_srcdir)/conf/zabbix_agentd.conf" "$(DESTDIR)$(AGENT_CONFIG_FILE)" +diff --git a/src/zabbix_java/Makefile.am b/src/zabbix_java/Makefile.am +index 43f8f19..48214c9 100644 +--- a/src/zabbix_java/Makefile.am ++++ b/src/zabbix_java/Makefile.am +@@ -9,22 +9,22 @@ EXTRA_DIST = \ + startup.sh + + ZJG = bin/zabbix-java-gateway-$(VERSION).jar +-LIB = lib/android-json-4.3_r3.1.jar:lib/logback-core-1.2.9.jar:lib/logback-classic-1.2.9.jar:lib/slf4j-api-1.7.32.jar +-JUNIT = tests/junit-4.8.2.jar ++LIB = $(srcdir)/lib/android-json-4.3_r3.1.jar:$(srcdir)/lib/logback-core-1.2.3.jar:$(srcdir)/lib/logback-classic-1.2.3.jar:$(srcdir)/lib/slf4j-api-1.7.30.jar ++JUNIT = $(srcdir)/tests/junit-4.8.2.jar + + ZJG_DEST = $(DESTDIR)$(sbindir)/zabbix_java + + all: $(ZJG) + +-$(ZJG): class src/com/zabbix/gateway/*.java +- $(JAVAC) -d class/src -classpath $(LIB) src/com/zabbix/gateway/*.java ++$(ZJG): class $(srcdir)/src/com/zabbix/gateway/*.java ++ $(JAVAC) -d class/src -classpath $(LIB) $(srcdir)/src/com/zabbix/gateway/*.java + $(JAR) cf $(ZJG) -C class/src . + + test: class + echo "badger useruser" > tests/com/zabbix/gateway/jmx_test_beans/jmxremote.password + chmod 600 tests/com/zabbix/gateway/jmx_test_beans/jmxremote.password +- $(JAVAC) tests/com/zabbix/gateway/jmx_test_beans/*.java +- $(JAVAC) -d class/tests -classpath class/src:$(JUNIT) tests/com/zabbix/gateway/*.java ++ $(JAVAC) tests/com/zabbix/gateway/jmx_$(srcdir)/test_beans/*.java ++ $(JAVAC) -d class/tests -classpath class/src:$(JUNIT) $(srcdir)/tests/com/zabbix/gateway/*.java + java -classpath class/tests:$(LIB):$(ZJG):$(JUNIT) com.zabbix.gateway.AllTestRunner + + class: +diff --git a/src/zabbix_js/Makefile.am b/src/zabbix_js/Makefile.am +index 1e4fd93..2110656 100644 +--- a/src/zabbix_js/Makefile.am ++++ b/src/zabbix_js/Makefile.am +@@ -5,30 +5,30 @@ + zabbix_js_SOURCES = zabbix_js.c + + zabbix_js_LDADD = \ +- $(top_srcdir)/src/libs/zbxlog/libzbxlog.a \ +- $(top_srcdir)/src/libs/zbxembed/libzbxembed.a \ +- $(top_srcdir)/src/libs/zbxjson/libzbxjson.a \ +- $(top_srcdir)/src/libs/zbxregexp/libzbxregexp.a \ +- $(top_srcdir)/src/libs/zbxalgo/libzbxalgo.a \ +- $(top_srcdir)/src/libs/zbxthreads/libzbxthreads.a \ +- $(top_srcdir)/src/libs/zbxmutexs/libzbxmutexs.a \ +- $(top_srcdir)/src/libs/zbxprof/libzbxprof.a \ +- $(top_srcdir)/src/libs/zbxnix/libzbxnix.a \ +- $(top_srcdir)/src/libs/zbxcomms/libzbxcomms.a \ +- $(top_srcdir)/src/libs/zbxip/libzbxip.a \ +- $(top_srcdir)/src/libs/zbxgetopt/libzbxgetopt.a \ +- $(top_srcdir)/src/libs/zbxhash/libzbxhash.a \ +- $(top_srcdir)/src/libs/zbxcrypto/libzbxcrypto.a \ +- $(top_srcdir)/src/libs/zbxcompress/libzbxcompress.a \ +- $(top_srcdir)/src/libs/zbxhttp/libzbxhttp.a \ +- $(top_srcdir)/src/libs/zbxvariant/libzbxvariant.a \ +- $(top_srcdir)/src/libs/zbxxml/libzbxxml.a \ +- $(top_srcdir)/src/libs/zbxstr/libzbxstr.a \ +- $(top_srcdir)/src/libs/zbxnum/libzbxnum.a \ +- $(top_srcdir)/src/libs/zbxtime/libzbxtime.a \ +- $(top_srcdir)/src/libs/zbxcommon/libzbxcommon.a \ +- $(top_srcdir)/src/libs/zbxbincommon/libzbxbincommon.a \ +- $(top_srcdir)/src/libs/zbxcurl/libzbxcurl.a ++ $(top_builddir)/src/libs/zbxlog/libzbxlog.a \ ++ $(top_builddir)/src/libs/zbxembed/libzbxembed.a \ ++ $(top_builddir)/src/libs/zbxjson/libzbxjson.a \ ++ $(top_builddir)/src/libs/zbxregexp/libzbxregexp.a \ ++ $(top_builddir)/src/libs/zbxalgo/libzbxalgo.a \ ++ $(top_builddir)/src/libs/zbxthreads/libzbxthreads.a \ ++ $(top_builddir)/src/libs/zbxmutexs/libzbxmutexs.a \ ++ $(top_builddir)/src/libs/zbxprof/libzbxprof.a \ ++ $(top_builddir)/src/libs/zbxnix/libzbxnix.a \ ++ $(top_builddir)/src/libs/zbxcomms/libzbxcomms.a \ ++ $(top_builddir)/src/libs/zbxip/libzbxip.a \ ++ $(top_builddir)/src/libs/zbxgetopt/libzbxgetopt.a \ ++ $(top_builddir)/src/libs/zbxhash/libzbxhash.a \ ++ $(top_builddir)/src/libs/zbxcrypto/libzbxcrypto.a \ ++ $(top_builddir)/src/libs/zbxcompress/libzbxcompress.a \ ++ $(top_builddir)/src/libs/zbxhttp/libzbxhttp.a \ ++ $(top_builddir)/src/libs/zbxvariant/libzbxvariant.a \ ++ $(top_builddir)/src/libs/zbxxml/libzbxxml.a \ ++ $(top_builddir)/src/libs/zbxstr/libzbxstr.a \ ++ $(top_builddir)/src/libs/zbxnum/libzbxnum.a \ ++ $(top_builddir)/src/libs/zbxtime/libzbxtime.a \ ++ $(top_builddir)/src/libs/zbxcommon/libzbxcommon.a \ ++ $(top_builddir)/src/libs/zbxbincommon/libzbxbincommon.a \ ++ $(top_builddir)/src/libs/zbxcurl/libzbxcurl.a + + zabbix_js_LDADD += @ZBXJS_LIBS@ $(LIBXML2_LIBS) + +diff --git a/src/zabbix_proxy/Makefile.am b/src/zabbix_proxy/Makefile.am +index b56f8a8..44800a0 100644 +--- a/src/zabbix_proxy/Makefile.am ++++ b/src/zabbix_proxy/Makefile.am +@@ -151,4 +151,4 @@ install-data-hook: + $(MKDIR_P) "$(DESTDIR)$(PROXY_CONFIG_FILE).d" + $(MKDIR_P) "$(DESTDIR)$(EXTERNAL_SCRIPTS_PATH)" + $(MKDIR_P) "$(DESTDIR)$(LOAD_MODULE_PATH)" +- test -f "$(DESTDIR)$(PROXY_CONFIG_FILE)" || cp "../../conf/zabbix_proxy.conf" "$(DESTDIR)$(PROXY_CONFIG_FILE)" ++ test -f "$(DESTDIR)$(PROXY_CONFIG_FILE)" || cp "$(top_srcdir)/conf/zabbix_proxy.conf" "$(DESTDIR)$(PROXY_CONFIG_FILE)" +diff --git a/src/zabbix_server/Makefile.am b/src/zabbix_server/Makefile.am +index 0a55934..a7f6a28 100644 +--- a/src/zabbix_server/Makefile.am ++++ b/src/zabbix_server/Makefile.am +@@ -186,4 +186,4 @@ install-data-hook: + $(MKDIR_P) "$(DESTDIR)$(EXTERNAL_SCRIPTS_PATH)" + $(MKDIR_P) "$(DESTDIR)$(ALERT_SCRIPTS_PATH)" + $(MKDIR_P) "$(DESTDIR)$(LOAD_MODULE_PATH)" +- test -f "$(DESTDIR)$(SERVER_CONFIG_FILE)" || cp "../../conf/zabbix_server.conf" "$(DESTDIR)$(SERVER_CONFIG_FILE)" ++ test -f "$(DESTDIR)$(SERVER_CONFIG_FILE)" || cp "$(top_srcdir)/conf/zabbix_server.conf" "$(DESTDIR)$(SERVER_CONFIG_FILE)" +--- zabbix-7.0.3/configure.ac.out-of-tree 2024-08-19 14:38:13.426482392 -0600 ++++ zabbix-7.0.3/configure.ac 2024-08-19 14:40:30.842129965 -0600 +@@ -24,7 +24,7 @@ + + AC_CONFIG_HEADERS(include/common/config.h) + +-AC_SUBST(DEFAULT_INCLUDES, ['-I$(top_srcdir)/include/common -I$(top_srcdir)/include']) ++AC_SUBST(DEFAULT_INCLUDES, ['-I$(top_builddir)/include/common -I$(top_srcdir)/include/common -I$(top_srcdir)/include']) + + AC_CANONICAL_HOST + diff --git a/zabbix-php-fpm.conf b/zabbix-php-fpm.conf new file mode 100644 index 0000000..fa38188 --- /dev/null +++ b/zabbix-php-fpm.conf @@ -0,0 +1,24 @@ +[zabbix] +user = apache +group = apache + +listen = /run/php-fpm/zabbix.sock +listen.acl_users = apache,nginx +listen.allowed_clients = 127.0.0.1 + +pm = dynamic +pm.max_children = 50 +pm.start_servers = 5 +pm.min_spare_servers = 5 +pm.max_spare_servers = 35 + +php_value[session.save_handler] = files +php_value[session.save_path] = /var/lib/php/session + +php_value[max_execution_time] = 300 +php_value[memory_limit] = 128M +php_value[post_max_size] = 16M +php_value[upload_max_filesize] = 2M +php_value[max_input_time] = 300 +php_value[max_input_vars] = 10000 +; php_value[date.timezone] = Europe/Riga diff --git a/zabbix-proxy-mysql.service b/zabbix-proxy-mysql.service new file mode 100644 index 0000000..ac9fad0 --- /dev/null +++ b/zabbix-proxy-mysql.service @@ -0,0 +1,11 @@ +[Unit] +Description=Zabbix MySQL Proxy +After=syslog.target network.target mysqld.service + +[Service] +Type=simple +ExecStart=/usr/sbin/zabbix_proxy -f +User=zabbixsrv + +[Install] +WantedBy=multi-user.target diff --git a/zabbix-proxy-pgsql.service b/zabbix-proxy-pgsql.service new file mode 100644 index 0000000..f31cbac --- /dev/null +++ b/zabbix-proxy-pgsql.service @@ -0,0 +1,11 @@ +[Unit] +Description=Zabbix PostgreSQL Proxy +After=syslog.target network.target postgresql.service + +[Service] +Type=simple +ExecStart=/usr/sbin/zabbix_proxy -f +User=zabbixsrv + +[Install] +WantedBy=multi-user.target diff --git a/zabbix-proxy-sqlite3.service b/zabbix-proxy-sqlite3.service new file mode 100644 index 0000000..703d7cd --- /dev/null +++ b/zabbix-proxy-sqlite3.service @@ -0,0 +1,11 @@ +[Unit] +Description=Zabbix SQLite3 Proxy +After=syslog.target network.target + +[Service] +Type=simple +ExecStart=/usr/sbin/zabbix_proxy -f +User=zabbixsrv + +[Install] +WantedBy=multi-user.target diff --git a/zabbix-server-mysql.service b/zabbix-server-mysql.service new file mode 100644 index 0000000..d8d8a5a --- /dev/null +++ b/zabbix-server-mysql.service @@ -0,0 +1,11 @@ +[Unit] +Description=Zabbix Server with MySQL DB +After=syslog.target network.target mysqld.service + +[Service] +Type=simple +ExecStart=/usr/sbin/zabbix_server -f +User=zabbixsrv + +[Install] +WantedBy=multi-user.target diff --git a/zabbix-server-pgsql.service b/zabbix-server-pgsql.service new file mode 100644 index 0000000..182b7e1 --- /dev/null +++ b/zabbix-server-pgsql.service @@ -0,0 +1,11 @@ +[Unit] +Description=Zabbix Server with PostgreSQL DB +After=syslog.target network.target postgresql.service + +[Service] +Type=simple +ExecStart=/usr/sbin/zabbix_server -f +User=zabbixsrv + +[Install] +WantedBy=multi-user.target diff --git a/zabbix-tmpfiles-zabbix.conf b/zabbix-tmpfiles-zabbix.conf new file mode 100644 index 0000000..cce12dd --- /dev/null +++ b/zabbix-tmpfiles-zabbix.conf @@ -0,0 +1 @@ +D /run/zabbix 0755 zabbix zabbix - diff --git a/zabbix-tmpfiles-zabbixsrv.conf b/zabbix-tmpfiles-zabbixsrv.conf new file mode 100644 index 0000000..f3f4b90 --- /dev/null +++ b/zabbix-tmpfiles-zabbixsrv.conf @@ -0,0 +1 @@ +D /run/zabbixsrv 0755 zabbixsrv zabbixsrv - diff --git a/zabbix-web.conf b/zabbix-web.conf new file mode 100644 index 0000000..34c38b4 --- /dev/null +++ b/zabbix-web.conf @@ -0,0 +1,35 @@ +# +# Zabbix monitoring system php web frontend +# + +Alias /zabbix /usr/share/zabbix + +<Directory "/usr/share/zabbix"> + Options FollowSymLinks + AllowOverride None + Require all granted + + <IfModule dir_module> + DirectoryIndex index.php + </IfModule> + + <FilesMatch \.(php|phar)$> + SetHandler "proxy:unix:/run/php-fpm/zabbix.sock|fcgi://localhost" + </FilesMatch> +</Directory> + +<Directory "/usr/share/zabbix/conf"> + Require all denied +</Directory> + +<Directory "/usr/share/zabbix/app"> + Require all denied +</Directory> + +<Directory "/usr/share/zabbix/include"> + Require all denied +</Directory> + +<Directory "/usr/share/zabbix/local"> + Require all denied +</Directory> diff --git a/zabbix.fc b/zabbix.fc new file mode 100644 index 0000000..a1e3556 --- /dev/null +++ b/zabbix.fc @@ -0,0 +1,25 @@ +/etc/rc\.d/init\.d/(zabbix|zabbix-server) -- gen_context(system_u:object_r:zabbix_initrc_exec_t,s0) +/etc/rc\.d/init\.d/zabbix-agentd -- gen_context(system_u:object_r:zabbix_agent_initrc_exec_t,s0) + +/usr/bin/zabbix_server -- gen_context(system_u:object_r:zabbix_exec_t,s0) +/usr/bin/zabbix_agentd -- gen_context(system_u:object_r:zabbix_agent_exec_t,s0) + +/usr/sbin/zabbix_agentd -- gen_context(system_u:object_r:zabbix_agent_exec_t,s0) +/usr/sbin/zabbix_server -- gen_context(system_u:object_r:zabbix_exec_t,s0) +/usr/sbin/zabbix_server_mysql -- gen_context(system_u:object_r:zabbix_exec_t,s0) +/usr/sbin/zabbix_server_pgsql -- gen_context(system_u:object_r:zabbix_exec_t,s0) +/usr/sbin/zabbix_server_sqlite3 -- gen_context(system_u:object_r:zabbix_exec_t,s0) +/usr/sbin/zabbix_proxy -- gen_context(system_u:object_r:zabbix_exec_t,s0) +/usr/sbin/zabbix_proxy_mysql -- gen_context(system_u:object_r:zabbix_exec_t,s0) +/usr/sbin/zabbix_proxy_pgsql -- gen_context(system_u:object_r:zabbix_exec_t,s0) +/usr/sbin/zabbix_proxy_sqlite3 -- gen_context(system_u:object_r:zabbix_exec_t,s0) + +/var/lib/zabbix(/.*)? gen_context(system_u:object_r:zabbix_var_lib_t,s0) + +/var/lib/zabbixsrv(/.*)? gen_context(system_u:object_r:zabbix_var_lib_t,s0) +/var/lib/zabbixsrv/.*scripts(/.*)? gen_context(system_u:object_r:zabbix_script_exec_t,s0) +/var/lib/zabbixsrv/tmp(/.*)? gen_context(system_u:object_r:zabbix_tmp_t,s0) + +/var/log/zabbix.* gen_context(system_u:object_r:zabbix_log_t,s0) + +/var/run/zabbix(/.*)? gen_context(system_u:object_r:zabbix_var_run_t,s0) diff --git a/zabbix.if b/zabbix.if new file mode 100644 index 0000000..7cf8202 --- /dev/null +++ b/zabbix.if @@ -0,0 +1,199 @@ +## <summary>Distributed infrastructure monitoring</summary> + +######################################## +## <summary> +## Execute a domain transition to run zabbix. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`zabbix_domtrans',` + gen_require(` + type zabbix_t, zabbix_exec_t; + ') + + domtrans_pattern($1, zabbix_exec_t, zabbix_t) +') + +######################################## +## <summary> +## Execute a domain transition to run zabbix_script. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`zabbix_script_domtrans',` + gen_require(` + type zabbix_script_t, zabbix_script_exec_t; + ') + + domtrans_pattern($1, zabbix_script_exec_t, zabbix_script_t) +') + +######################################## +## <summary> +## Allow connectivity to the zabbix server +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`zabbix_tcp_connect',` + gen_require(` + type zabbix_t; + ') + + corenet_sendrecv_zabbix_agent_client_packets($1) + corenet_tcp_connect_zabbix_port($1) + corenet_tcp_recvfrom_labeled($1, zabbix_t) + corenet_tcp_sendrecv_zabbix_port($1) +') + +######################################## +## <summary> +## Allow the specified domain to read zabbix's log files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`zabbix_read_log',` + gen_require(` + type zabbix_log_t; + ') + + logging_search_logs($1) + read_files_pattern($1, zabbix_log_t, zabbix_log_t) +') + +######################################## +## <summary> +## Allow the specified domain to read zabbix's tmp files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`zabbix_read_tmp',` + gen_require(` + type zabbix_tmp_t; + ') + + files_search_tmp($1) + read_files_pattern($1, zabbix_tmp_t, zabbix_tmp_t) +') + +######################################## +## <summary> +## Allow the specified domain to append +## zabbix log files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`zabbix_append_log',` + gen_require(` + type zabbix_log_t; + ') + + logging_search_logs($1) + append_files_pattern($1, zabbix_log_t, zabbix_log_t) +') + +######################################## +## <summary> +## Read zabbix PID files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`zabbix_read_pid_files',` + gen_require(` + type zabbix_var_run_t; + ') + + files_search_pids($1) + allow $1 zabbix_var_run_t:file read_file_perms; +') + +######################################## +## <summary> +## Allow connectivity to a zabbix agent +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`zabbix_agent_tcp_connect',` + gen_require(` + type zabbix_t, zabbix_agent_t; + ') + + corenet_sendrecv_zabbix_agent_client_packets($1) + corenet_tcp_connect_zabbix_agent_port($1) + corenet_tcp_recvfrom_labeled($1, zabbix_t) + corenet_tcp_sendrecv_zabbix_agent_port($1) +') + +######################################## +## <summary> +## All of the rules required to administrate +## an zabbix environment +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="role"> +## <summary> +## The role to be allowed to manage the zabbix domain. +## </summary> +## </param> +## <rolecap/> +# +interface(`zabbix_admin',` + gen_require(` + type zabbix_t, zabbix_log_t, zabbix_var_run_t; + type zabbix_initrc_exec_t; + ') + + allow $1 zabbix_t:process signal_perms; + ps_process_pattern($1, zabbix_t) + tunable_policy(`deny_ptrace',`',` + allow $1 zabbix_t:process ptrace; + ') + + init_labeled_script_domtrans($1, zabbix_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 zabbix_initrc_exec_t system_r; + allow $2 system_r; + + logging_list_logs($1) + admin_pattern($1, zabbix_log_t) + + files_list_pids($1) + admin_pattern($1, zabbix_var_run_t) +') diff --git a/zabbix.spec b/zabbix.spec new file mode 100644 index 0000000..25f400f --- /dev/null +++ b/zabbix.spec @@ -0,0 +1,836 @@ +# TODO, maybe sometime: +# * Allow for nginx? +# * Consider using systemd's ReadWriteDirectories + +#TODO: systemctl reload seems to be necessary after switching with Alternatives +#TODO: If the DB path for a Sqlite proxy is configured wrong, it requires systemctl restart. Start doesn't work. + +%global srcname zabbix +%global with_selinux 1 +%global selinuxtype targeted +# go is needed for agent2, but there are missing deps +%bcond_with go +# Missing dependencies for the java connector +%bcond_with java +#%%global prerelease rc2 + +Name: zabbix +Version: 7.0.5 +Release: 1 +Summary: Open-source monitoring solution for your IT infrastructure + +# TODO - Note additional licenses in src/go when we start building with go +# src/libs/zbxembed/duktape.c: MIT License +# src/libs/zbxembed/duktape.h: MIT License +# src/libs/zbxgetopt/getopt.c: GNU General Public License v2.0 or later +# src/libs/zbxhash/md5.c: zlib License +# ui/vendor/composer/LICENSE: MIT License +# ui/js/vendors/D3/LICENSE: ISC License +# ui/js/vendors/Leaflet/LICENSE: BSD 2-Clause License +# ui/js/vendors/Leaflet.markercluster/LICENSE: MIT License +# ui/js/vendors/jQueryUI/LICENSE: MIT License +# ui/js/vendors/qrcode/LICENSE: MIT License +# ui/vendor/duosecurity/duo_universal_php/LICENSE: BSD 3-Clause License +# ui/vendor/firebase/php-jwt/LICENSE: BSD 3-Clause License +# ui/vendor/onelogin/php-saml/LICENSE: MIT License +# ui/vendor/paragonie/constant_time_encoding/LICENSE.txt: MIT License +# ui/vendor/pragmarx/google2fa/LICENSE.md: MIT License +# ui/vendor/symfony/deprecation-contracts/LICENSE: MIT License +# ui/vendor/symfony/polyfill-ctype/LICENSE: MIT License +# ui/vendor/symfony/yaml/LICENSE: MIT License +# ui/assets/styles/vendors/Leaflet/LICENSE: BSD 2-Clause License +# ui/vendor/paragonie/constant_time_encoding/src/*.php: MIT License +License: AGPL-3.0-only AND MIT AND GPL-2.0-or-later AND Zlib AND BSD-3-Clause AND BSD-2-Clause AND ISC +URL: https://www.zabbix.com +Source0: https://cdn.zabbix.com/zabbix/sources/stable/7.0/zabbix-%{version}.tar.gz +Source1: %{srcname}-web.conf +Source2: %{srcname}-php-fpm.conf +Source5: %{srcname}-logrotate.in +Source9: %{srcname}-tmpfiles-zabbix.conf +# systemd units -- Alternatives switches between them (they state their dependencies) +# https://support.zabbix.com/browse/ZBXNEXT-1593 +Source10: %{srcname}-agent.service +Source11: %{srcname}-proxy-mysql.service +Source12: %{srcname}-proxy-pgsql.service +Source13: %{srcname}-proxy-sqlite3.service +Source14: %{srcname}-server-mysql.service +Source15: %{srcname}-server-pgsql.service +Source17: %{srcname}-tmpfiles-zabbixsrv.conf +Source18: %{srcname}.te +Source19: %{srcname}.if +Source20: %{srcname}.fc + +# This is not a symlink, because we don't want the webserver to possibly ever serve it. +# local rules for config files +Patch0: %{srcname}-config.patch +# Allow out-of-tree builds +# https://support.zabbix.com/browse/ZBXNEXT-6077 +Patch1: %{srcname}-out-of-tree.patch +# Enforce Fedora Crypto Policy +Patch2: %{srcname}-crypto-policy.patch +# Add <stdio> to sscanf check +# https://support.zabbix.com/browse/ZBX-21946 +Patch3: %{srcname}-configure-sscanf.patch + +# Patch1 patches automake files so we need to autoreconf +BuildRequires: libtool +BuildRequires: make +BuildRequires: mariadb-connector-c-devel +BuildRequires: libpq-devel +BuildRequires: sqlite-devel +BuildRequires: net-snmp-devel +BuildRequires: openldap-devel +BuildRequires: openssl-devel +BuildRequires: gnutls-devel +BuildRequires: unixODBC-devel +BuildRequires: curl-devel +BuildRequires: OpenIPMI-devel +BuildRequires: libssh2-devel +BuildRequires: libxml2-devel +BuildRequires: libevent-devel +BuildRequires: pcre2-devel +BuildRequires: gcc +# For Agent 2 - has missing deps +%if %{with go} +BuildRequires: gcc-go +#BuildRequires: golang(github.com/alimy/mc/v2) +BuildRequires: golang(github.com/docker/go-connections) +#BuildRequires: golang(github.com/dustin/gomemcached) +BuildRequires: golang(github.com/fsnotify/fsnotify) +BuildRequires: golang(github.com/go-ldap/ldap) +#BuildRequires: golang(github.com/go-ole/go-ole) +BuildRequires: golang(github.com/go-sql-driver/mysql) +BuildRequires: golang(github.com/godbus/dbus) +#BuildRequires: golang(github.com/jackc/pgx/v4) +BuildRequires: golang(github.com/mattn/go-sqlite3) +#BuildRequires: golang(github.com/mediocregopher/radix/v3) +#BuildRequires: golang(github.com/natefinch/npipe) +#BuildRequires: golang(github.com/testcontainers/testcontainers-go) +#BuildRequires: golang(golang.org/x/sys) +%endif +BuildRequires: systemd +# Needed to determine path to link to +BuildRequires: dejavu-sans-fonts + +Requires: logrotate + +%if 0%{?with_selinux} +# This ensures that the *-selinux package and all it’s dependencies are not pulled +# into containers and other systems that do not use SELinux +Requires: (%{srcname}-selinux if selinux-policy-%{selinuxtype}) +%endif + +Provides: bundled(md5-deutsch) +# Could alternatively be conditional on Fedora/EL +%if "x%{?srcname}" != "x%{name}" +Provides: %{srcname} = %{version}-%{release} +Conflicts: %{srcname} < 6.0 +%endif + +%description +Zabbix is software that monitors numerous parameters of a network and the +health and integrity of servers. Zabbix uses a flexible notification mechanism +that allows users to configure e-mail based alerts for virtually any event. +This allows a fast reaction to server problems. Zabbix offers excellent +reporting and data visualization features based on the stored data. +This makes Zabbix ideal for capacity planning. + +Zabbix supports both polling and trapping. All Zabbix reports and statistics, +as well as configuration parameters are accessed through a web-based front end. +A web-based front end ensures that the status of your network and the health of +your servers can be assessed from any location. Properly configured, Zabbix can +play an important role in monitoring IT infrastructure. This is equally true +for small organizations with a few servers and for large companies with a +multitude of servers. + +%package dbfiles-mysql +Summary: Zabbix database schemas, images, data and patches +BuildArch: noarch + +%description dbfiles-mysql +Zabbix database schemas, images, data and patches necessary for creating +and/or updating MySQL databases + +%package dbfiles-pgsql +Summary: Zabbix database schemas, images, data and patches +BuildArch: noarch + +%description dbfiles-pgsql +Zabbix database schemas, images, data and patches necessary for creating +and/or updating PostgreSQL databases + +%package dbfiles-sqlite3 +Summary: Zabbix database schemas and patches +BuildArch: noarch + +%description dbfiles-sqlite3 +Zabbix database schemas and patches necessary for creating +and/or updating SQLite databases + +%package server +Summary: Zabbix server common files +BuildArch: noarch +Requires: %{name} = %{version}-%{release} +Requires: %{name}-server-implementation = %{version}-%{release} +Requires: fping +Requires: traceroute +Requires(pre): shadow-utils +Requires(post): systemd +Requires(preun): systemd +Requires(postun): systemd + +%description server +Zabbix server common files + +%package server-mysql +Summary: Zabbix server compiled to use MySQL +Requires: %{name} = %{version}-%{release} +Requires: %{name}-dbfiles-mysql +Requires: %{name}-server = %{version}-%{release} +Requires(post): %{_sbindir}/update-alternatives +Requires(postun): %{_sbindir}/update-alternatives +Provides: %{name}-server-implementation = %{version}-%{release} + +%description server-mysql +Zabbix server compiled to use MySQL + +%package server-pgsql +Summary: Zabbix server compiled to use PostgreSQL +Requires: %{name} = %{version}-%{release} +Requires: %{name}-server = %{version}-%{release} +Requires: %{name}-dbfiles-pgsql +Requires(post): %{_sbindir}/update-alternatives +Requires(postun): %{_sbindir}/update-alternatives +Provides: %{name}-server-implementation = %{version}-%{release} + +%description server-pgsql +Zabbix server compiled to use PostgreSQL + +%package agent +Summary: Zabbix agent +Requires: %{name} = %{version}-%{release} +Requires(pre): shadow-utils +Requires(post): systemd +Requires(preun): systemd +Requires(postun): systemd + +%description agent +Zabbix agent, to be installed on monitored systems + +%package proxy +Summary: Zabbix proxy common files +BuildArch: noarch +Requires: %{name} = %{version}-%{release} +Requires: %{name}-proxy-implementation = %{version}-%{release} +Requires(pre): shadow-utils +Requires(post): systemd +Requires(preun): systemd +Requires(postun): systemd +Requires: fping + +%description proxy +Zabbix proxy commmon files + +%package proxy-mysql +Summary: Zabbix proxy compiled to use MySQL +Requires: %{name}-proxy = %{version}-%{release} +Requires: %{name}-dbfiles-mysql +Provides: %{name}-proxy-implementation = %{version}-%{release} +Requires(post): %{_sbindir}/update-alternatives +Requires(postun): %{_sbindir}/update-alternatives + +%description proxy-mysql +Zabbix proxy compiled to use MySQL + +%package proxy-pgsql +Summary: Zabbix proxy compiled to use PostgreSQL +Requires: %{name}-proxy = %{version}-%{release} +Requires: %{name}-dbfiles-pgsql +Provides: %{name}-proxy-implementation = %{version}-%{release} +Requires(post): %{_sbindir}/update-alternatives +Requires(postun): %{_sbindir}/update-alternatives + +%description proxy-pgsql +Zabbix proxy compiled to use PostgreSQL + +%package proxy-sqlite3 +Summary: Zabbix proxy compiled to use SQLite +Requires: %{name}-proxy = %{version}-%{release} +Requires: %{name}-dbfiles-sqlite3 +Provides: %{name}-proxy-implementation = %{version}-%{release} +Requires(post): %{_sbindir}/update-alternatives +Requires(postun): %{_sbindir}/update-alternatives + +%description proxy-sqlite3 +Zabbix proxy compiled to use SQLite + +%package web +Summary: Zabbix Web Frontend +BuildArch: noarch +Requires: php-bcmath +Requires: php-fpm +Requires: php-gd +Requires: php-gettext +Requires: php-json +Requires: php-ldap +Requires: php-mbstring +Requires: php-xml +# jquery 3.6.0 and jquery-ui 1.13.2 in the sources +Requires: js-jquery >= 3.6.0 +Provides: bundled(js-jquery-ui) = 1.13.2 +# prototype 1.6.1 in the sources, Fedora package is dead +#Requires: prototype +Requires: dejavu-sans-fonts +Requires: %{name} = %{version}-%{release} +Requires: %{name}-web-database = %{version}-%{release} + +%description web +The php frontend to display the Zabbix web interface. + +%package web-mysql +Summary: Zabbix web frontend for MySQL +BuildArch: noarch +Requires: %{name}-web = %{version}-%{release} +Requires: php-mysqli +Provides: %{name}-web-database = %{version}-%{release} + +%description web-mysql +Zabbix web frontend for MySQL + +%package web-pgsql +Summary: Zabbix web frontend for PostgreSQL +BuildArch: noarch +Requires: %{name}-web = %{version}-%{release} +Requires: php-pgsql +Provides: %{name}-web-database = %{version}-%{release} + +%description web-pgsql +Zabbix web frontend for PostgreSQL + +%if %{with java} +%package -n java-%{srcname} +Summary: Zabbix Java connector +BuildArch: noarch +BuildRequires: java-devel +BuildRequires: osgi(org.junit) +BuildRequires: osgi(slf4j.api) +BuildRequires: osgi(logback) + +%description -n java-%{srcname} +Zabbix Java connector. +%endif + +%if 0%{?with_selinux} +# SELinux subpackage +%package selinux +Summary: Zabbix SELinux policy +BuildArch: noarch +Requires: selinux-policy-%{selinuxtype} +Requires(post): selinux-policy-%{selinuxtype} +BuildRequires: selinux-policy-devel +%{?selinux_requires} + +%description selinux +Custom SELinux policy module +%endif + + +%prep +%autosetup -p1 +autoreconf + +# Remove bundled java libs +find -name \*.jar -delete + +# Remove prebuilt Windows binaries +rm -rf bin + +# Override creation of statically named directory for alertscripts and externalscripts +# https://support.zabbix.com/browse/ZBX-6159 +sed -i '/CURL_SSL_.*_LOCATION\|SCRIPTS_PATH/s|\${datadir}/zabbix|/var/lib/zabbixsrv|' \ + configure + +# Kill off .htaccess files, options set in SOURCE1 +find -name .htaccess -delete + +# Fix path to traceroute utility (on all Linux targets) +find database -name 'data.sql' -exec sed -i 's|/usr/bin/traceroute|/bin/traceroute|' {} \; + +# Common +# Settings with hard-coded defaults that are not suitable for Fedora +# are explicitly set, leaving the comment with the default value in place. +# Settings without hard-coded defaults are simply replaced -- be they +# comments or explicit settings! + +# Also replace the datadir placeholder that is not expanded, but effective +sed -i \ + -e '\|^# LogFileSize=.*|a LogFileSize=0' \ + -e 's|^DBUser=root|DBUser=zabbix|' \ + -e 's|^# DBSocket=.*|DBSocket=%{_sharedstatedir}/mysql/mysql.sock|' \ + -e '\|^# ExternalScripts=|a ExternalScripts=%{_sharedstatedir}/zabbixsrv/externalscripts' \ + -e '\|^# AlertScriptsPath=|a AlertScriptsPath=%{_sharedstatedir}/zabbixsrv/alertscripts' \ + -e '\|^# TmpDir=\/tmp|a TmpDir=%{_sharedstatedir}/zabbixsrv/tmp' \ + -e 's|/usr/local||' \ + -e 's|\${datadir}|/usr/share|' \ + conf/zabbix_agentd.conf conf/zabbix_proxy.conf conf/zabbix_server.conf + +# Specific +sed -i \ + -e '\|^# PidFile=.*|a PidFile=%{_rundir}/zabbix/zabbix_agentd.pid' \ + -e 's|^LogFile=.*|LogFile=%{_localstatedir}/log/zabbix/zabbix_agentd.log|' \ + conf/zabbix_agentd.conf + +sed -i \ + -e '\|^# PidFile=.*|a PidFile=%{_rundir}/zabbixsrv/zabbix_proxy.pid' \ + -e 's|^LogFile=.*|LogFile=%{_localstatedir}/log/zabbixsrv/zabbix_proxy.log|' \ + conf/zabbix_proxy.conf + +sed -i \ + -e '\|^# PidFile=.*|a PidFile=%{_rundir}/zabbixsrv/zabbix_server.pid' \ + -e 's|^LogFile=.*|LogFile=%{_localstatedir}/log/zabbixsrv/zabbix_server.log|' \ + conf/zabbix_server.conf + +%build + +common_flags=" + --enable-dependency-tracking + --enable-proxy + --enable-ipv6 + --with-net-snmp + --with-ldap + --with-libcurl + --with-openipmi + --with-unixodbc + --with-ssh2 + --with-libxml2 + --with-libevent + --with-libpcre2 + --with-openssl +" +# Setup out of tree builds +%global _configure ../configure + +%if %{with java} +export CLASSPATH=$(build-classpath junit slf4j-api logback-core logback-classic android-json) +%endif + +# Frontend doesn't work for SQLite, thus don't build server +mkdir -p build-frontend +cd build-frontend +%configure $common_flags --enable-agent --with-sqlite3 %{?with_go:--enable-agent2} %{?with_java:--enable-java} +%make_build +cd - + +mkdir -p build-server-mysql +cd build-server-mysql +%configure $common_flags --with-mysql --enable-server +%make_build +cd - + +mkdir -p build-server-postgresql +cd build-server-postgresql +%configure $common_flags --with-postgresql --enable-server +%make_build +cd - + +%if 0%{?with_selinux} +# SELinux policy (originally from selinux-policy-contrib) +# this policy module will override the production module +mkdir selinux +cp -p %{SOURCE18} selinux/ +cp -p %{SOURCE19} selinux/ +cp -p %{SOURCE20} selinux/ + +make -f %{_datadir}/selinux/devel/Makefile %{srcname}.pp +bzip2 -9 %{srcname}.pp +%endif + + +%install +# Install binaries +%make_install -C build-frontend +mv $RPM_BUILD_ROOT%{_sbindir}/zabbix_proxy{,_sqlite3} +%make_install -C build-server-mysql +mv $RPM_BUILD_ROOT%{_sbindir}/zabbix_proxy{,_mysql} +mv $RPM_BUILD_ROOT%{_sbindir}/zabbix_server{,_mysql} +%make_install -C build-server-postgresql +mv $RPM_BUILD_ROOT%{_sbindir}/zabbix_proxy{,_pgsql} +mv $RPM_BUILD_ROOT%{_sbindir}/zabbix_server{,_pgsql} + +# Ghosted alternatives +touch $RPM_BUILD_ROOT%{_sbindir}/zabbix_{proxy,server} + +# Home directory for the agent; +# The other home directory is created during installation +mkdir -p $RPM_BUILD_ROOT%{_sharedstatedir}/zabbix + +# Log directories +mkdir -p $RPM_BUILD_ROOT%{_localstatedir}/log/zabbix +mkdir -p $RPM_BUILD_ROOT%{_localstatedir}/log/zabbixsrv + +# systemd tmpfiles +mkdir -p $RPM_BUILD_ROOT%{_prefix}/lib/tmpfiles.d +install -m 0644 -p %{SOURCE9} $RPM_BUILD_ROOT%{_prefix}/lib/tmpfiles.d/zabbix.conf +install -m 0644 -p %{SOURCE17} $RPM_BUILD_ROOT%{_prefix}/lib/tmpfiles.d/zabbixsrv.conf +mkdir -p $RPM_BUILD_ROOT%{_rundir} +install -d -m 0755 $RPM_BUILD_ROOT%{_rundir}/zabbix/ +install -d -m 0755 $RPM_BUILD_ROOT%{_rundir}/zabbixsrv/ + +# Install the frontend after removing backup files from patching +find ui -name '*.orig' -delete +mkdir -p $RPM_BUILD_ROOT%{_datadir}/%{srcname} +cp -a ui/* $RPM_BUILD_ROOT%{_datadir}/%{srcname}/ + +# Prepare ghosted config file +mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/%{srcname}/web +touch $RPM_BUILD_ROOT%{_sysconfdir}/%{srcname}/web/zabbix.conf.php + +# Replace bundled font +[ -d %{_fontbasedir}/dejavu ] && + ln -sf ../../../fonts/dejavu/DejaVuSans.ttf $RPM_BUILD_ROOT%{_datadir}/%{srcname}/assets/fonts/ +[ -d %{_fontbasedir}/dejavu-sans-fonts ] && + ln -sf ../../../fonts/dejavu-sans-fonts/DejaVuSans.ttf $RPM_BUILD_ROOT%{_datadir}/%{srcname}/assets/fonts/ + +# Replace JS libraries +# There is no jquery-ui package yet +ln -sf ../../../javascript/jquery/3/jquery.min.js $RPM_BUILD_ROOT%{_datadir}/%{srcname}/js/vendors/jquery.js +#ln -sf ../../../javascript/jquery-ui/1/jquery-ui.min.js $RPM_BUILD_ROOT%{_datadir}/%{srcname}/js/vendors/jquery-ui.js + +# This file is used to switch the frontend to maintenance mode +mv $RPM_BUILD_ROOT%{_datadir}/%{srcname}/conf/maintenance.inc.php $RPM_BUILD_ROOT%{_sysconfdir}/%{srcname}/web/maintenance.inc.php || : + +# Drop Apache config file in place +mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/httpd/conf.d +install -m 0644 -p %{SOURCE1} $RPM_BUILD_ROOT%{_sysconfdir}/httpd/conf.d/%{srcname}.conf + +# Drop php-fpm config file in place +mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/php-fpm.d +install -m 0644 -p %{SOURCE2} $RPM_BUILD_ROOT%{_sysconfdir}/php-fpm.d/%{srcname}.conf + +# Install log rotation +mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/logrotate.d +sed -e 's|COMPONENT|agentd|g; s|USER|zabbix|g' %{SOURCE5} > \ + $RPM_BUILD_ROOT%{_sysconfdir}/logrotate.d/zabbix-agent +sed -e 's|COMPONENT|server|g; s|USER|zabbixsrv|g' %{SOURCE5} > \ + $RPM_BUILD_ROOT%{_sysconfdir}/logrotate.d/zabbix-server +sed -e 's|COMPONENT|proxy|g; s|USER|zabbixsrv|g' %{SOURCE5} > \ + $RPM_BUILD_ROOT%{_sysconfdir}/logrotate.d/zabbix-proxy + +# Install different systemd units because of the requirements for DBMS daemons +mkdir -p $RPM_BUILD_ROOT%{_unitdir} +install -m 0644 -p %{SOURCE10} $RPM_BUILD_ROOT%{_unitdir}/zabbix-agent.service +install -m 0644 -p %{SOURCE11} $RPM_BUILD_ROOT%{_unitdir}/zabbix-proxy-mysql.service +install -m 0644 -p %{SOURCE12} $RPM_BUILD_ROOT%{_unitdir}/zabbix-proxy-pgsql.service +install -m 0644 -p %{SOURCE13} $RPM_BUILD_ROOT%{_unitdir}/zabbix-proxy-sqlite3.service +install -m 0644 -p %{SOURCE14} $RPM_BUILD_ROOT%{_unitdir}/zabbix-server-mysql.service +install -m 0644 -p %{SOURCE15} $RPM_BUILD_ROOT%{_unitdir}/zabbix-server-pgsql.service + +# Ghosted alternatives +touch $RPM_BUILD_ROOT%{_unitdir}/zabbix-server.service +touch $RPM_BUILD_ROOT%{_unitdir}/zabbix-proxy.service + +# Directory for fping spooling files +mkdir -p $RPM_BUILD_ROOT%{_sharedstatedir}/zabbixsrv/tmp + +# Install sql files +for db in postgresql mysql; do + mkdir $RPM_BUILD_ROOT%{_datadir}/%{srcname}-$db + cp -p database/$db/*.sql $RPM_BUILD_ROOT%{_datadir}/%{srcname}-$db +done + +install -dm 755 $RPM_BUILD_ROOT%{_datadir}/%{srcname}-sqlite3 +cp -p database/sqlite3/schema.sql $RPM_BUILD_ROOT%{_datadir}/%{srcname}-sqlite3 + +%if 0%{?with_selinux} +install -D -m 0644 %{name}.pp.bz2 %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype}/%{name}.pp.bz2 +install -D -p -m 0644 selinux/%{name}.if %{buildroot}%{_datadir}/selinux/devel/include/distributed/%{name}.if +%endif + + +%post server +%systemd_post zabbix-server.service + +if [ $1 -gt 1 ] ; then + # Apply permissions also in *.rpmnew upgrades from old permissive ones + chmod 0640 %{_sysconfdir}/zabbix_server.conf + chown root:zabbixsrv %{_sysconfdir}/zabbix_server.conf +fi +: + +%post server-mysql +%{_sbindir}/update-alternatives --install %{_sbindir}/%{srcname}_server \ + %{srcname}-server %{_sbindir}/%{srcname}_server_mysql 10 \ + --slave %{_unitdir}/zabbix-server.service %{srcname}-server.service \ + %{_unitdir}/zabbix-server-mysql.service +# This needs to be run twice to rename from old slave name in zabbix < 6.0.33-2 +# due to a bug in alternatives. Remove in F45 +%{_sbindir}/update-alternatives --install %{_sbindir}/%{srcname}_server \ + %{srcname}-server %{_sbindir}/%{srcname}_server_mysql 10 \ + --slave %{_unitdir}/zabbix-server.service %{srcname}-server.service \ + %{_unitdir}/zabbix-server-mysql.service + +%post server-pgsql +%{_sbindir}/update-alternatives --install %{_sbindir}/%{srcname}_server \ + %{srcname}-server %{_sbindir}/%{srcname}_server_pgsql 10 \ + --slave %{_unitdir}/zabbix-server.service %{srcname}-server.service \ + %{_unitdir}/zabbix-server-pgsql.service +# This needs to be run twice to rename from old slave name in zabbix < 6.0.33-2 +# due to a bug in alternatives. Remove in F45 +%{_sbindir}/update-alternatives --install %{_sbindir}/%{srcname}_server \ + %{srcname}-server %{_sbindir}/%{srcname}_server_pgsql 10 \ + --slave %{_unitdir}/zabbix-server.service %{srcname}-server.service \ + %{_unitdir}/zabbix-server-pgsql.service + +%post proxy +%systemd_post zabbix-proxy.service + +if [ $1 -gt 1 ] ; then + # Apply permissions also in *.rpmnew upgrades from old permissive ones + chmod 0640 %{_sysconfdir}/zabbix_proxy.conf + chown root:zabbixsrv %{_sysconfdir}/zabbix_proxy.conf +fi +: + +%post proxy-mysql +%{_sbindir}/update-alternatives --install %{_sbindir}/%{srcname}_proxy \ + %{srcname}-proxy %{_sbindir}/%{srcname}_proxy_mysql 10 \ + --slave %{_unitdir}/zabbix-proxy.service %{srcname}-proxy.service \ + %{_unitdir}/zabbix-proxy-mysql.service +# This needs to be run twice to rename from old slave name in zabbix < 6.0.33-2 +# due to a bug in alternatives. Remove in F45 +%{_sbindir}/update-alternatives --install %{_sbindir}/%{srcname}_proxy \ + %{srcname}-proxy %{_sbindir}/%{srcname}_proxy_mysql 10 \ + --slave %{_unitdir}/zabbix-proxy.service %{srcname}-proxy.service \ + %{_unitdir}/zabbix-proxy-mysql.service + +%post proxy-pgsql +%{_sbindir}/update-alternatives --install %{_sbindir}/%{srcname}_proxy \ + %{srcname}-proxy %{_sbindir}/%{srcname}_proxy_pgsql 10 \ + --slave %{_unitdir}/zabbix-proxy.service %{srcname}-proxy.service \ + %{_unitdir}/zabbix-proxy-pgsql.service +# This needs to be run twice to rename from old slave name in zabbix < 6.0.33-2 +# due to a bug in alternatives. Remove in F45 +%{_sbindir}/update-alternatives --install %{_sbindir}/%{srcname}_proxy \ + %{srcname}-proxy %{_sbindir}/%{srcname}_proxy_pgsql 10 \ + --slave %{_unitdir}/zabbix-proxy.service %{srcname}-proxy.service \ + %{_unitdir}/zabbix-proxy-pgsql.service + +%post proxy-sqlite3 +%{_sbindir}/update-alternatives --install %{_sbindir}/%{srcname}_proxy \ + %{srcname}-proxy %{_sbindir}/%{srcname}_proxy_sqlite3 10 \ + --slave %{_unitdir}/zabbix-proxy.service %{srcname}-proxy.service \ + %{_unitdir}/zabbix-proxy-sqlite3.service +# This needs to be run twice to rename from old slave name in zabbix < 6.0.33-2 +# due to a bug in alternatives. Remove in F45 +%{_sbindir}/update-alternatives --install %{_sbindir}/%{srcname}_proxy \ + %{srcname}-proxy %{_sbindir}/%{srcname}_proxy_sqlite3 10 \ + --slave %{_unitdir}/zabbix-proxy.service %{srcname}-proxy.service \ + %{_unitdir}/zabbix-proxy-sqlite3.service + +%if 0%{?with_selinux} +# SELinux contexts are saved so that only affected files can be +# relabeled after the policy module installation +%pre selinux +%selinux_relabel_pre -s %{selinuxtype} + +%post selinux +%selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/%{name}.pp.bz2 + +%postun selinux +if [ $1 -eq 0 ]; then + %selinux_modules_uninstall -s %{selinuxtype} %{name} +fi + +%posttrans selinux +%selinux_relabel_post -s %{selinuxtype} +%endif + +%pre agent +getent group zabbix > /dev/null || groupadd -r zabbix +getent passwd zabbix > /dev/null || \ + useradd -r -g zabbix -d %{_sharedstatedir}/zabbix -s /sbin/nologin \ + -c "Zabbix Monitoring System" zabbix +: + +%post agent +%systemd_post zabbix-agent.service + +%pre server +getent group zabbixsrv > /dev/null || groupadd -r zabbixsrv +# The zabbixsrv group is introduced by 2.2 packaging +# The zabbixsrv user was a member of the zabbix group in 2.0 +if getent passwd zabbixsrv > /dev/null; then + if [[ $(id -gn zabbixsrv) == "zabbix" ]]; then + usermod -c "Zabbix Monitoring System -- Proxy or server" -g zabbixsrv zabbixsrv + fi +else + useradd -r -g zabbixsrv -d %{_sharedstatedir}/zabbixsrv -s /sbin/nologin \ + -c "Zabbix Monitoring System -- Proxy or server" zabbixsrv +fi +: + +%preun server + %systemd_preun zabbix-server.service + +%pre proxy +getent group zabbixsrv > /dev/null || groupadd -r zabbixsrv +# The zabbixsrv group is introduced by 2.2 packaging +# The zabbixsrv user was a member of the zabbix group in 2.0 +if getent passwd zabbixsrv > /dev/null; then + if [[ $(id -gn zabbixsrv) == "zabbix" ]]; then + usermod -c "Zabbix Monitoring System -- Proxy or server" -g zabbixsrv zabbixsrv + fi +else + useradd -r -g zabbixsrv -d %{_sharedstatedir}/zabbixsrv -s /sbin/nologin \ + -c "Zabbix Monitoring System -- Proxy or server" zabbixsrv +fi +: + +%preun proxy +%systemd_preun zabbix-proxy.service + +%preun agent +%systemd_preun zabbix-agent.service + +%postun server +%systemd_postun_with_restart zabbix-server.service + +%postun server-mysql +if [ $1 -eq 0 ] ; then + %{_sbindir}/update-alternatives --remove %{srcname}-server %{_sbindir}/%{srcname}_server_mysql +fi + +%postun server-pgsql +if [ $1 -eq 0 ] ; then + %{_sbindir}/update-alternatives --remove %{srcname}-server %{_sbindir}/%{srcname}_server_pgsql +fi + +%postun proxy +%systemd_postun_with_restart zabbix-proxy.service + +%postun proxy-mysql +if [ $1 -eq 0 ] ; then + %{_sbindir}/update-alternatives --remove %{srcname}-proxy %{_sbindir}/%{srcname}_proxy_mysql +fi + +%postun proxy-pgsql +if [ $1 -eq 0 ] ; then + %{_sbindir}/update-alternatives --remove %{srcname}-proxy %{_sbindir}/%{srcname}_proxy_pgsql +fi + +%postun proxy-sqlite3 +if [ $1 -eq 0 ] ; then + %{_sbindir}/update-alternatives --remove %{srcname}-proxy %{_sbindir}/%{srcname}_proxy_sqlite3 +fi + +%postun agent +%systemd_postun_with_restart zabbix-agent.service + + +%files +%license COPYING +%doc AUTHORS ChangeLog NEWS README +%dir %{_sysconfdir}/%{srcname} +%config(noreplace) %{_sysconfdir}/zabbix_agentd.conf +%{_bindir}/zabbix_get +%{_bindir}/zabbix_js +%{_bindir}/zabbix_sender +%{_mandir}/man1/zabbix_get.1* +%{_mandir}/man1/zabbix_sender.1* + +%files dbfiles-mysql +%license COPYING +%{_datadir}/%{srcname}-mysql/ + +%files dbfiles-pgsql +%license COPYING +%{_datadir}/%{srcname}-postgresql/ + +%files dbfiles-sqlite3 +%license COPYING +%{_datadir}/%{srcname}-sqlite3/ + +%files server +%doc misc/snmptrap/zabbix_trap_receiver.pl +%attr(0755,zabbixsrv,zabbixsrv) %dir %{_rundir}/zabbixsrv/ +%{_prefix}/lib/tmpfiles.d/zabbixsrv.conf +%attr(0640,root,zabbixsrv) %config(noreplace) %{_sysconfdir}/zabbix_server.conf +%attr(0775,root,zabbixsrv) %dir %{_localstatedir}/log/zabbixsrv +%config(noreplace) %{_sysconfdir}/logrotate.d/zabbix-server +%ghost %{_sbindir}/zabbix_server +%attr(0750,zabbixsrv,zabbixsrv) %dir %{_sharedstatedir}/zabbixsrv +%attr(0750,zabbixsrv,zabbixsrv) %dir %{_sharedstatedir}/zabbixsrv/tmp +%attr(0750,zabbixsrv,zabbixsrv) %dir %{_sharedstatedir}/zabbixsrv/alertscripts +%attr(0750,zabbixsrv,zabbixsrv) %dir %{_sharedstatedir}/zabbixsrv/externalscripts +%ghost %{_unitdir}/zabbix-server.service +%{_mandir}/man8/zabbix_server.8* + +%files server-mysql +%{_sbindir}/zabbix_server_mysql +%{_unitdir}/zabbix-server-mysql.service + +%files server-pgsql +%{_sbindir}/zabbix_server_pgsql +%{_unitdir}/zabbix-server-pgsql.service + +%if 0%{?with_selinux} +%files selinux +%{_datadir}/selinux/packages/%{selinuxtype}/%{name}.pp.* +%{_datadir}/selinux/devel/include/distributed/%{name}.if +%ghost %verify(not md5 size mode mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{name} +%endif + +%files agent +%doc conf/zabbix_agentd/*.conf +%attr(0755,zabbix,zabbix) %dir %{_rundir}/zabbix/ +%{_prefix}/lib/tmpfiles.d/zabbix.conf +%attr(0775,root,zabbix) %dir %{_localstatedir}/log/zabbix +%config(noreplace) %{_sysconfdir}/zabbix_agentd.conf +%config(noreplace) %{_sysconfdir}/logrotate.d/zabbix-agent +%attr(750,zabbix,zabbix) %dir %{_sharedstatedir}/zabbix +%{_unitdir}/zabbix-agent.service +%{_sbindir}/zabbix_agentd +%{_mandir}/man8/zabbix_agentd.8* + +%files proxy +%doc misc/snmptrap/zabbix_trap_receiver.pl +%attr(0755,zabbixsrv,zabbixsrv) %dir %{_rundir}/zabbixsrv/ +%{_prefix}/lib/tmpfiles.d/zabbixsrv.conf +%attr(0640,root,zabbixsrv) %config(noreplace) %{_sysconfdir}/zabbix_proxy.conf +%attr(0775,root,zabbixsrv) %dir %{_localstatedir}/log/zabbixsrv +%config(noreplace) %{_sysconfdir}/logrotate.d/zabbix-proxy +%ghost %{_sbindir}/zabbix_proxy +%attr(0750,zabbixsrv,zabbixsrv) %dir %{_sharedstatedir}/zabbixsrv +%attr(0750,zabbixsrv,zabbixsrv) %dir %{_sharedstatedir}/zabbixsrv/tmp +%attr(0750,zabbixsrv,zabbixsrv) %dir %{_sharedstatedir}/zabbixsrv/alertscripts +%attr(0750,zabbixsrv,zabbixsrv) %dir %{_sharedstatedir}/zabbixsrv/externalscripts +%ghost %{_unitdir}/zabbix-proxy.service +%{_mandir}/man8/zabbix_proxy.8* + +%files proxy-mysql +%{_sbindir}/zabbix_proxy_mysql +%{_unitdir}/zabbix-proxy-mysql.service + +%files proxy-pgsql +%{_sbindir}/zabbix_proxy_pgsql +%{_unitdir}/zabbix-proxy-pgsql.service + +%files proxy-sqlite3 +%{_sbindir}/zabbix_proxy_sqlite3 +%{_unitdir}/zabbix-proxy-sqlite3.service + +%files web +%dir %attr(0750,apache,apache) %{_sysconfdir}/%{srcname}/web +%ghost %attr(0644,apache,apache) %config(noreplace) %{_sysconfdir}/%{srcname}/web/zabbix.conf.php +%attr(0644,apache,apache) %config(noreplace) %{_sysconfdir}/%{srcname}/web/maintenance.inc.php +%config(noreplace) %{_sysconfdir}/httpd/conf.d/zabbix.conf +%config(noreplace) %{_sysconfdir}/php-fpm.d/zabbix.conf +%{_datadir}/%{srcname}/ + +%files web-mysql + +%files web-pgsql + +%changelog +* Wed Oct 23 2024 Funda Wang <fundawang@yeah.net> - 7.0.5-1 +- about to 7.x diff --git a/zabbix.te b/zabbix.te new file mode 100644 index 0000000..4ff1bb7 --- /dev/null +++ b/zabbix.te @@ -0,0 +1,374 @@ +policy_module(zabbix, 1.7.0) + +######################################## +# +# Declarations +# + +## <desc> +## <p> +## Determine whether zabbix can +## connect to all TCP ports +## </p> +## </desc> +gen_tunable(zabbix_can_network, false) + + +## <desc> +## <p> +## Allow Zabbix to run su/sudo. +## </p> +## </desc> +gen_tunable(zabbix_run_sudo, false) + +gen_require(` + class passwd rootok; + class passwd passwd; +') + +attribute zabbix_domain; + +type zabbix_t, zabbix_domain; +type zabbix_exec_t; +init_daemon_domain(zabbix_t, zabbix_exec_t) + +type zabbix_initrc_exec_t; +init_script_file(zabbix_initrc_exec_t) + +type zabbix_agent_t, zabbix_domain; +type zabbix_agent_exec_t; +init_daemon_domain(zabbix_agent_t, zabbix_agent_exec_t) + +type zabbix_agent_initrc_exec_t; +init_script_file(zabbix_agent_initrc_exec_t) + +type zabbixd_var_lib_t; +files_type(zabbixd_var_lib_t) + +type zabbix_log_t; +logging_log_file(zabbix_log_t) + +type zabbix_tmp_t; +files_tmp_file(zabbix_tmp_t) + +type zabbix_tmpfs_t; +files_tmpfs_file(zabbix_tmpfs_t) + +type zabbix_var_lib_t; +files_type(zabbix_var_lib_t) + +type zabbix_var_run_t; +files_pid_file(zabbix_var_run_t) + +type zabbix_script_t; +type zabbix_script_exec_t; +domain_type(zabbix_script_t) +domain_entry_file(zabbix_script_t, zabbix_script_exec_t) +application_executable_file(zabbix_script_exec_t) +role system_r types zabbix_script_t; + +######################################## +# +# zabbix domain local policy +# + +allow zabbix_domain self:capability { setgid setuid }; +allow zabbix_domain self:process { getsched setpgid setsched signal_perms }; +allow zabbix_domain self:fifo_file rw_fifo_file_perms; +allow zabbix_domain self:sem create_sem_perms; +allow zabbix_domain self:shm create_shm_perms; +allow zabbix_domain self:tcp_socket { accept listen }; +allow zabbix_domain self:unix_stream_socket create_stream_socket_perms; + +kernel_read_all_sysctls(zabbix_domain) +kernel_read_network_state(zabbix_domain) + +corenet_tcp_sendrecv_generic_if(zabbix_domain) +corenet_tcp_sendrecv_generic_node(zabbix_domain) +corenet_tcp_bind_generic_node(zabbix_domain) + +corecmd_exec_shell(zabbix_domain) +corecmd_exec_bin(zabbix_domain) + +dev_read_sysfs(zabbix_domain) +dev_read_urand(zabbix_domain) + +######################################## +# +# Local policy +# + +allow zabbix_t self:capability { dac_read_search }; +allow zabbix_t self:process { setrlimit }; +allow zabbix_t self:unix_stream_socket connectto; + +manage_dirs_pattern(zabbix_t, zabbix_var_lib_t, zabbix_var_lib_t) +manage_files_pattern(zabbix_t, zabbix_var_lib_t, zabbix_var_lib_t) +manage_lnk_files_pattern(zabbix_t, zabbix_var_lib_t, zabbix_var_lib_t) +manage_sock_files_pattern(zabbix_t, zabbix_var_lib_t, zabbix_var_lib_t) +files_var_lib_filetrans(zabbix_t, zabbix_var_lib_t, dir, "zabbixsrv") + +manage_dirs_pattern(zabbix_t, zabbix_log_t, zabbix_log_t) +manage_files_pattern(zabbix_t, zabbix_log_t, zabbix_log_t) +manage_lnk_files_pattern(zabbix_t, zabbix_log_t, zabbix_log_t) +logging_log_filetrans(zabbix_t, zabbix_log_t, { dir file }) + +manage_dirs_pattern(zabbix_t, zabbix_tmp_t, zabbix_tmp_t) +manage_files_pattern(zabbix_t, zabbix_tmp_t, zabbix_tmp_t) +manage_sock_files_pattern(zabbix_t, zabbix_tmp_t, zabbix_tmp_t) +files_tmp_filetrans(zabbix_t, zabbix_tmp_t, { dir file sock_file }) + +rw_files_pattern(zabbix_t, zabbix_tmpfs_t, zabbix_tmpfs_t) +fs_tmpfs_filetrans(zabbix_t, zabbix_tmpfs_t, file) + +manage_dirs_pattern(zabbix_t, zabbix_var_run_t, zabbix_var_run_t) +manage_files_pattern(zabbix_t, zabbix_var_run_t, zabbix_var_run_t) +manage_sock_files_pattern(zabbix_t, zabbix_var_run_t, zabbix_var_run_t) +files_pid_filetrans(zabbix_t, zabbix_var_run_t, { dir file sock_file }) + +kernel_read_system_state(zabbix_t) + +corenet_all_recvfrom_unlabeled(zabbix_t) +corenet_all_recvfrom_netlabel(zabbix_t) + +corenet_sendrecv_ftp_client_packets(zabbix_t) +corenet_tcp_connect_ftp_port(zabbix_t) +corenet_tcp_sendrecv_ftp_port(zabbix_t) + +corenet_sendrecv_http_client_packets(zabbix_t) +corenet_tcp_connect_http_port(zabbix_t) +corenet_tcp_sendrecv_http_port(zabbix_t) +corenet_tcp_connect_smtp_port(zabbix_t) + +corenet_sendrecv_zabbix_server_packets(zabbix_t) +corenet_tcp_bind_zabbix_port(zabbix_t) +corenet_tcp_sendrecv_zabbix_port(zabbix_t) + +auth_use_nsswitch(zabbix_t) + +zabbix_agent_tcp_connect(zabbix_t) + +logging_send_syslog_msg(zabbix_t) + +tunable_policy(`zabbix_can_network',` + corenet_sendrecv_all_client_packets(zabbix_t) + corenet_tcp_connect_all_ports(zabbix_t) + corenet_tcp_sendrecv_all_ports(zabbix_t) +') + +tunable_policy(`zabbix_run_sudo',` + allow zabbix_t self:capability { setgid setuid sys_resource }; + allow zabbix_t self:process { setrlimit setsched }; + allow zabbix_t self:key write; + allow zabbix_t self:passwd { passwd rootok }; + + auth_rw_lastlog(zabbix_t) + auth_rw_faillog(zabbix_t) + auth_exec_chkpwd(zabbix_t) + + selinux_compute_access_vector(zabbix_t) + + systemd_write_inherited_logind_sessions_pipes(zabbix_t) + systemd_dbus_chat_logind(zabbix_t) + + xserver_exec_xauth(zabbix_t) +') + +optional_policy(` + tunable_policy(`zabbix_run_sudo',` + sudo_exec(zabbix_t) + su_exec(zabbix_t) + ') +') + +optional_policy(` + mysql_stream_connect(zabbix_t) +') + +optional_policy(` + netutils_domtrans_ping(zabbix_t) +') + +optional_policy(` + postgresql_stream_connect(zabbix_t) + postgresql_tcp_connect(zabbix_t) +') + +optional_policy(` + snmp_read_snmp_var_lib_files(zabbix_t) + snmp_read_snmp_var_lib_dirs(zabbix_t) +') + +######################################## +# +# Agent local policy +# + +allow zabbix_agent_t self:process { setrlimit }; + +manage_files_pattern(zabbix_agent_t, zabbix_log_t, zabbix_log_t) + +rw_files_pattern(zabbix_agent_t, zabbix_tmpfs_t, zabbix_tmpfs_t) +fs_tmpfs_filetrans(zabbix_agent_t, zabbix_tmpfs_t, file) + +manage_files_pattern(zabbix_agent_t, zabbix_var_run_t, zabbix_var_run_t) +files_pid_filetrans(zabbix_agent_t, zabbix_var_run_t, file) + +kernel_read_system_state(zabbix_agent_t) +kernel_read_network_state(zabbix_agent_t) + +corenet_all_recvfrom_unlabeled(zabbix_agent_t) +corenet_all_recvfrom_netlabel(zabbix_agent_t) + +corecmd_read_all_executables(zabbix_agent_t) + +corenet_sendrecv_zabbix_agent_server_packets(zabbix_agent_t) +corenet_tcp_bind_zabbix_agent_port(zabbix_agent_t) +corenet_tcp_sendrecv_zabbix_agent_port(zabbix_agent_t) + +corenet_sendrecv_ssh_client_packets(zabbix_agent_t) +corenet_tcp_connect_ssh_port(zabbix_agent_t) +corenet_tcp_sendrecv_ssh_port(zabbix_agent_t) + +corenet_sendrecv_ftp_client_packets(zabbix_agent_t) +corenet_tcp_connect_ftp_port(zabbix_agent_t) +corenet_tcp_sendrecv_ftp_port(zabbix_agent_t) + +corenet_sendrecv_http_client_packets(zabbix_agent_t) +corenet_tcp_connect_http_port(zabbix_agent_t) +corenet_tcp_sendrecv_http_port(zabbix_agent_t) + +corenet_sendrecv_innd_client_packets(zabbix_agent_t) +corenet_tcp_connect_innd_port(zabbix_agent_t) +corenet_tcp_sendrecv_innd_port(zabbix_agent_t) + +corenet_sendrecv_pop_client_packets(zabbix_agent_t) +corenet_tcp_connect_pop_port(zabbix_agent_t) +corenet_tcp_sendrecv_pop_port(zabbix_agent_t) + +corenet_sendrecv_postgresql_client_packets(zabbix_agent_t) +corenet_tcp_connect_postgresql_port(zabbix_agent_t) +corenet_tcp_sendrecv_postgresql_port(zabbix_agent_t) + +corenet_sendrecv_smtp_client_packets(zabbix_agent_t) +corenet_tcp_connect_smtp_port(zabbix_agent_t) +corenet_tcp_sendrecv_smtp_port(zabbix_agent_t) + +corenet_sendrecv_zabbix_client_packets(zabbix_agent_t) +corenet_tcp_connect_zabbix_port(zabbix_agent_t) +corenet_tcp_sendrecv_zabbix_port(zabbix_agent_t) + +corenet_tcp_connect_redis_port(zabbix_agent_t) +corenet_tcp_sendrecv_redis_port(zabbix_agent_t) + +dev_getattr_all_blk_files(zabbix_agent_t) +dev_getattr_all_chr_files(zabbix_agent_t) + +domain_read_all_domains_state(zabbix_agent_t) + +files_getattr_all_dirs(zabbix_agent_t) +files_getattr_all_files(zabbix_agent_t) +files_read_all_symlinks(zabbix_agent_t) + +fs_getattr_all_fs(zabbix_agent_t) + +auth_use_nsswitch(zabbix_agent_t) + +init_read_utmp(zabbix_agent_t) + +logging_search_logs(zabbix_agent_t) + +sysnet_dns_name_resolve(zabbix_agent_t) + +zabbix_tcp_connect(zabbix_agent_t) + +zabbix_script_domtrans(zabbix_agent_t) + +# These are triggered by vfs.dev.discovery enumerating everyting in /dev +gen_require(` + type devlog_t; +') +dontaudit zabbix_agent_t devlog_t:sock_file getattr; +init_dontaudit_getattr_initctl(zabbix_agent_t) +kernel_dontaudit_getattr_core_if(zabbix_agent_t) + +gen_require(` + type kernel_t, sudo_log_t; +') +tunable_policy(`zabbix_run_sudo',` + allow zabbix_agent_t self:capability { chown dac_read_search setgid setuid sys_resource }; + allow zabbix_agent_t self:process { setrlimit setsched }; + allow zabbix_agent_t self:key write; + allow zabbix_agent_t self:passwd { passwd rootok }; + + allow zabbix_agent_t sudo_log_t:dir { add_name create setattr write }; + allow zabbix_agent_t sudo_log_t:file { create open read setattr write }; + + allow zabbix_agent_t devlog_t:sock_file write; + allow zabbix_agent_t kernel_t:unix_dgram_socket sendto; + allow zabbix_agent_t self:unix_dgram_socket { connect create }; + + auth_domtrans_chkpwd(zabbix_agent_t) + auth_rw_lastlog(zabbix_agent_t) + auth_rw_faillog(zabbix_agent_t) + + logging_send_audit_msgs(zabbix_agent_t) + + selinux_compute_access_vector(zabbix_agent_t) + + sssd_read_config(zabbix_agent_t) + + systemd_write_inherited_logind_sessions_pipes(zabbix_agent_t) + systemd_dbus_chat_logind(zabbix_agent_t) + + xserver_exec_xauth(zabbix_agent_t) + + # Conceivably this could be under a separate boolean, but the reason to allow sudo + # is to allow check like this + lvm_domtrans(zabbix_agent_t) +') + +optional_policy(` + rpm_exec(zabbix_agent_t) + rpm_read_db(zabbix_agent_t) +') + +optional_policy(` + tunable_policy(`zabbix_run_sudo',` + sudo_exec(zabbix_agent_t) + su_exec(zabbix_agent_t) + ') +') + +optional_policy(` + dmidecode_domtrans(zabbix_agent_t) +') + +optional_policy(` + hostname_exec(zabbix_agent_t) +') + +######################################## +# +# zabbix_script_t local policy +# + +domtrans_pattern(zabbix_t, zabbix_script_exec_t, zabbix_script_t) + +allow zabbix_t zabbix_script_exec_t:dir list_dir_perms; +allow zabbix_t zabbix_script_exec_t:file ioctl; +allow zabbix_t zabbix_script_t:process signal; + +init_domtrans_script(zabbix_script_t) + +optional_policy(` + chronyd_domtrans_chronyc(zabbix_script_t) +') + +optional_policy(` + mta_send_mail(zabbix_script_t) +') + +optional_policy(` + unconfined_domain(zabbix_script_t) +') |