Diffstat (limited to 'zabbix.te')
-rw-r--r-- | zabbix.te | 32 |
1 files changed, 29 insertions, 3 deletions
@@ -1,4 +1,4 @@
-policy_module(zabbix, 1.6.0)
+policy_module(zabbix, 1.7.0)
 ########################################
 #
@@ -284,22 +284,48 @@ zabbix_tcp_connect(zabbix_agent_t)
 zabbix_script_domtrans(zabbix_agent_t)
+# These are triggered by vfs.dev.discovery enumerating everyting in /dev
+gen_require(`
+ type devlog_t;
+')
+dontaudit zabbix_agent_t devlog_t:sock_file getattr;
+init_dontaudit_getattr_initctl(zabbix_agent_t)
+kernel_dontaudit_getattr_core_if(zabbix_agent_t)
+
+gen_require(`
+ type kernel_t, sudo_log_t;
+')
 tunable_policy(`zabbix_run_sudo',`
- allow zabbix_agent_t self:capability { setgid setuid sys_resource };
+ allow zabbix_agent_t self:capability { chown dac_read_search setgid setuid sys_resource };
 allow zabbix_agent_t self:process { setrlimit setsched };
 allow zabbix_agent_t self:key write;
 allow zabbix_agent_t self:passwd { passwd rootok };
+ allow zabbix_agent_t sudo_log_t:dir { add_name create setattr write };
+ allow zabbix_agent_t sudo_log_t:file { create open read setattr write };
+
+ allow zabbix_agent_t devlog_t:sock_file write;
+ allow zabbix_agent_t kernel_t:unix_dgram_socket sendto;
+ allow zabbix_agent_t self:unix_dgram_socket { connect create };
+
+ auth_domtrans_chkpwd(zabbix_agent_t)
 auth_rw_lastlog(zabbix_agent_t)
 auth_rw_faillog(zabbix_agent_t)
- auth_exec_chkpwd(zabbix_agent_t)
+
+ logging_send_audit_msgs(zabbix_agent_t)
 selinux_compute_access_vector(zabbix_agent_t)
+ sssd_read_config(zabbix_agent_t)
+ systemd_write_inherited_logind_sessions_pipes(zabbix_agent_t)
 systemd_dbus_chat_logind(zabbix_agent_t)
 xserver_exec_xauth(zabbix_agent_t)
+
+ # Conceivably this could be under a separate boolean, but the reason to allow sudo
+ # is to allow check like this
+ lvm_domtrans(zabbix_agent_t)
 ')
 optional_policy(` |
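Review bot: The raw `allow` rules on `devlog_t`, `kernel_t` and `sudo_log_t` added inside the `zabbix_run_sudo` block reach into other modules' types via `gen_require` instead of through interfaces, which every other new line in this hunk (`auth_domtrans_chkpwd`, `logging_send_audit_msgs`, `sssd_read_config`, `lvm_domtrans`) does. The three syslog rules — `devlog_t:sock_file write`, `kernel_t:unix_dgram_socket sendto`, `self:unix_dgram_socket { connect create }` — look to be exactly what `logging_send_syslog_msg(zabbix_agent_t)` provides, so that single call could replace them, and the `sudo_log_t` dir/file rules would likewise be better expressed through a sudo interface if one exists, or at least carry a comment naming the sudo log they serve. The added `chown dac_read_search` capabilities widen the agent well beyond the original `setgid setuid sys_resource` set — `dac_read_search` lets the domain bypass DAC read and search checks on any file — so a one-line comment on that line stating which sudo or PAM step was denied without them would let a later reader judge whether the boolean still means what its name says. The new comment also has a typo: `everyting` should be `everything`.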