diff --git a/selinux/zabbix-agent-addons.te b/selinux/zabbix-agent-addons.te
new file mode 100644
index 0000000..be43a59
--- /dev/null
+++ b/selinux/zabbix-agent-addons.te
@@ -0,0 +1,27 @@
+module zabbix-agent-addons 1.0;
+
+require {
+ type kernel_t;
+ type devlog_t;
+ type zabbix_var_lib_t;
+ type sudo_exec_t;
+ type proc_mdstat_t;
+ type zabbix_agent_t;
+ class process setrlimit;
+ class capability { audit_write dac_override sys_resource };
+ class file { execute execute_no_trans getattr ioctl open read };
+ class netlink_audit_socket { create nlmsg_relay };
+ class sock_file write;
+ class unix_dgram_socket { connect create sendto };
+}
+
+#============= zabbix_agent_t ==============
+allow zabbix_agent_t devlog_t:sock_file write;
+allow zabbix_agent_t kernel_t:unix_dgram_socket sendto;
+allow zabbix_agent_t proc_mdstat_t:file { getattr ioctl open read };
+allow zabbix_agent_t self:capability { audit_write dac_override sys_resource };
+allow zabbix_agent_t self:netlink_audit_socket { create nlmsg_relay };
+allow zabbix_agent_t self:process setrlimit;
+allow zabbix_agent_t self:unix_dgram_socket { connect create };
+allow zabbix_agent_t sudo_exec_t:file { execute execute_no_trans };
+allow zabbix_agent_t zabbix_var_lib_t:file { execute execute_no_trans ioctl open read };
diff --git a/zabbix-agent-addons.spec b/zabbix-agent-addons.spec
index 0decd61..bd33658 100644
--- a/zabbix-agent-addons.spec
+++ b/zabbix-agent-addons.spec
@@ -1,7 +1,11 @@
+%if 0%{?rhel} && 0%{?rhel} < 5
+%global _without_selinux 1
+%endif
+
 Summary: Scripts for Zabbix monitoring
 Name: zabbix-agent-addons
-Version: 0.2.16
-Release: 1
+Version: 0.2.17
+Release: 0.beta1
 Source0: %{name}-%{version}.tar.gz
 BuildArch: noarch
@@ -18,6 +22,11 @@ Requires: perl(POSIX)
 Requires: perl(MIME::Base64)
 Requires: perl(File::Which)
 Requires: perl(Config::Simple)
+%if ! 0%{?_without_selinux}
+Requires: policycoreutils
+BuildRequires: selinux-policy-devel
+BuildRequires: checkpolicy
+%endif
 AutoReqProv: no
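Review bot: `allow zabbix_agent_t self:capability { audit_write dac_override sys_resource }` grants `dac_override` to the entire agent domain, and because `sudo_exec_t` is only allowed with `execute_no_trans`, sudo never leaves zabbix_agent_t, so what look like sudo's own needs (the audit netlink socket, `setrlimit`, `dac_override`) become available to every UserParameter script the agent spawns. With `dac_override` a compromised check script bypasses file permission bits on any type the agent domain can otherwise touch, which is a far wider grant than the RAID and syslog access visible here requires. Since the spec builds this through the selinux-policy-devel Makefile, I'd rewrite it as a `policy_module` using refpolicy interfaces — `logging_send_syslog_msg` for the devlog_t/kernel_t/unix_dgram_socket rules and `kernel_read_software_raid_state` for proc_mdstat_t — and handle sudo through a real domain transition, or the distribution's `zabbix_run_sudo` boolean where it exists, instead of shipping raw audit2allow output (interface names are from refpolicy; check them against the installed policy). At minimum each `allow` should carry a comment naming the check that needs it, so `dac_override` is a deliberate decision rather than something copied forward.
```selinux
policy_module(zabbix-agent-addons, 1.0)

require {
	type zabbix_agent_t;
	type zabbix_var_lib_t;
}

# syslog(3) from the check scripts: replaces the devlog_t sock_file,
# kernel_t unix_dgram_socket and self:unix_dgram_socket rules
logging_send_syslog_msg(zabbix_agent_t)

# /proc/mdstat for the software RAID check
kernel_read_software_raid_state(zabbix_agent_t)

# scripts shipped under /var/lib/zabbix run in the agent domain (unchanged)
allow zabbix_agent_t zabbix_var_lib_t:file { execute execute_no_trans ioctl open read };

# TODO: sudo -- use a domain transition (or the zabbix_run_sudo boolean where the
# distribution policy provides it) instead of execute_no_trans plus dac_override,
# audit_write, sys_resource, netlink_audit_socket and setrlimit on zabbix_agent_t
```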
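Review bot: `Requires: policycoreutils` is a plain runtime dependency, but the only thing in a package like this that needs it is the scriptlet that runs `semodule -i` / `semodule -r`; without `Requires(post): policycoreutils` and `Requires(postun): policycoreutils` rpm may order policycoreutils after this package in the same transaction and the module load silently fails. I'd change the block to `Requires(post): policycoreutils` and `Requires(postun): policycoreutils` (keeping the plain Requires only if something else uses it). The scriptlets are not in this diff, so this assumes the .pp is loaded from %post; if it is not loaded anywhere, that is the larger gap, since installing the file under %{_datadir}/selinux/packages alone does nothing.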
@@ -31,6 +40,11 @@ LVM, RAID status, S.M.A.R.T. drives, BackupPC etc...
 %setup -q
 %build
+%if ! 0%{?_without_selinux}
+pushd selinux
+make -f %{_datadir}/selinux/devel/Makefile
+popd
+%endif
 %install
@@ -50,6 +64,11 @@ cp -r lib/* $RPM_BUILD_ROOT%{perl_vendorlib}/
 # Install sudo conf
 %{__install} -d 750 $RPM_BUILD_ROOT%{_sysconfdir}/sudoers.d
 %{__install} -m 600 conf/sudo.conf $RPM_BUILD_ROOT%{_sysconfdir}/sudoers.d/zabbix_agent
+# Install SELinux policy
+%if ! 0%{?_without_selinux}
+ %{__install} -d 750 $RPM_BUILD_ROOT%{_datadir}/selinux/packages/%{realname}
+ %{__install} -m644 selinux/%{realname}.pp $RPM_BUILD_ROOT%{_datadir}/selinux/packages/%{realname}/%{realname}.pp
+%endif
 %clean
 %{__rm} -rf $RPM_BUILD_ROOT
@@ -77,6 +96,9 @@ fi
 %attr(0440,root,root) %{_sysconfdir}/sudoers.d/*
 %changelog
+* Wed Aug 23 2017 Daniel Berteaud - 0.2.17-1
+- Add a SELinux policy module
+
 * Wed Jun 14 2017 Daniel Berteaud - 0.2.16-1
 - Add kernel.openedfile UserParameter
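Review bot: `%{__install} -d 750 $RPM_BUILD_ROOT%{_datadir}/selinux/packages/%{realname}` is missing `-m`: `install -d` treats `750` as another directory to create, so the build leaves a stray `750/` in the working directory and the packages directory gets the default mode; the line should read `%{__install} -d -m 755 $RPM_BUILD_ROOT%{_datadir}/selinux/packages/%{realname}` (the sudoers.d line just above carries the same mistake, and 0755 is the usual mode here since semodule runs as root anyway). Nothing in this diff adds the .pp to %files — the %files hunk below shows only the unchanged sudoers.d entry — so unless an existing glob already covers `%{_datadir}/selinux`, rpmbuild will stop with an installed-but-unpackaged-file error. I also do not see `%{realname}` defined anywhere in the diff; if it is not set earlier in the spec it stays unexpanded in these paths.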