Diffstat (limited to 'zabbix.te')
-rw-r--r--zabbix.te32
1 files changed, 3 insertions, 29 deletions
diff --git a/zabbix.te b/zabbix.te
index 4ff1bb7..a456bd5 100644
--- a/zabbix.te
+++ b/zabbix.te
@@ -1,4 +1,4 @@
-policy_module(zabbix, 1.7.0)
+policy_module(zabbix, 1.6.0)
########################################
#
@@ -284,48 +284,22 @@ zabbix_tcp_connect(zabbix_agent_t)
zabbix_script_domtrans(zabbix_agent_t)
-# These are triggered by vfs.dev.discovery enumerating everyting in /dev
-gen_require(`
- type devlog_t;
-')
-dontaudit zabbix_agent_t devlog_t:sock_file getattr;
-init_dontaudit_getattr_initctl(zabbix_agent_t)
-kernel_dontaudit_getattr_core_if(zabbix_agent_t)
-
-gen_require(`
- type kernel_t, sudo_log_t;
-')
tunable_policy(`zabbix_run_sudo',`
- allow zabbix_agent_t self:capability { chown dac_read_search setgid setuid sys_resource };
+ allow zabbix_agent_t self:capability { setgid setuid sys_resource };
allow zabbix_agent_t self:process { setrlimit setsched };
allow zabbix_agent_t self:key write;
allow zabbix_agent_t self:passwd { passwd rootok };
- allow zabbix_agent_t sudo_log_t:dir { add_name create setattr write };
- allow zabbix_agent_t sudo_log_t:file { create open read setattr write };
-
- allow zabbix_agent_t devlog_t:sock_file write;
- allow zabbix_agent_t kernel_t:unix_dgram_socket sendto;
- allow zabbix_agent_t self:unix_dgram_socket { connect create };
-
- auth_domtrans_chkpwd(zabbix_agent_t)
auth_rw_lastlog(zabbix_agent_t)
auth_rw_faillog(zabbix_agent_t)
-
- logging_send_audit_msgs(zabbix_agent_t)
+ auth_exec_chkpwd(zabbix_agent_t)
selinux_compute_access_vector(zabbix_agent_t)
- sssd_read_config(zabbix_agent_t)
-
systemd_write_inherited_logind_sessions_pipes(zabbix_agent_t)
systemd_dbus_chat_logind(zabbix_agent_t)
xserver_exec_xauth(zabbix_agent_t)
-
- # Conceivably this could be under a separate boolean, but the reason to allow sudo
- # is to allow check like this
- lvm_domtrans(zabbix_agent_t)
')
optional_policy(`
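Review bot: In the `zabbix_run_sudo` block the new side calls `auth_exec_chkpwd(zabbix_agent_t)` where the old side had `auth_domtrans_chkpwd(zabbix_agent_t)`; going by the interface names, the password helper would then run inside zabbix_agent_t instead of transitioning to its own domain, which is the less confined choice for a domain that also holds `setuid`/`setgid` and `self:passwd { passwd rootok }`. The block also no longer carries `logging_send_audit_msgs(zabbix_agent_t)` or the `devlog_t`/`sudo_log_t` rules, so sudo started by the agent presumably has no permitted path to audit or syslog while the boolean is on; that is worth confirming on a test host by checking for AVC denials. I would keep `auth_domtrans_chkpwd(zabbix_agent_t)` and `logging_send_audit_msgs(zabbix_agent_t)` in the block and add a short comment above the `allow zabbix_agent_t self:capability` line saying why each capability is needed. The `optional_policy` block opened on the last line continues outside the hunk.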