Add a SELinux policy module

tags/0.2.17_0_el6 0.2.17_0_el6
Daniel Berteaud 7 years ago
parent 282a4abffb
commit 62cdaa98bc
  1. 27
      selinux/zabbix-agent-addons.te
  2. 26
      zabbix-agent-addons.spec

@ -0,0 +1,27 @@
module zabbix-agent-addons 1.0;
require {
type kernel_t;
type devlog_t;
type zabbix_var_lib_t;
type sudo_exec_t;
type proc_mdstat_t;
type zabbix_agent_t;
class process setrlimit;
class capability { audit_write dac_override sys_resource };
class file { execute execute_no_trans getattr ioctl open read };
class netlink_audit_socket { create nlmsg_relay };
class sock_file write;
class unix_dgram_socket { connect create sendto };
}
#============= zabbix_agent_t ==============
allow zabbix_agent_t devlog_t:sock_file write;
allow zabbix_agent_t kernel_t:unix_dgram_socket sendto;
allow zabbix_agent_t proc_mdstat_t:file { getattr ioctl open read };
allow zabbix_agent_t self:capability { audit_write dac_override sys_resource };
allow zabbix_agent_t self:netlink_audit_socket { create nlmsg_relay };
allow zabbix_agent_t self:process setrlimit;
allow zabbix_agent_t self:unix_dgram_socket { connect create };
allow zabbix_agent_t sudo_exec_t:file { execute execute_no_trans };
allow zabbix_agent_t zabbix_var_lib_t:file { execute execute_no_trans ioctl open read };
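Review bot: The rule `allow zabbix_agent_t sudo_exec_t:file { execute execute_no_trans };` runs sudo inside zabbix_agent_t with no domain transition, so the grants above it (`audit_write dac_override sys_resource`, `setrlimit`, the audit netlink socket) apply to the whole agent domain and, unless the base policy defines a transition, to every check script it starts. `dac_override` is the broad one, since it lets a root process in this domain ignore file mode bits. The module carries no comments, so I would add something like `# sudo runs in zabbix_agent_t (execute_no_trans): the grants below are sudo's own needs` above the capability rule and record which denial each rule answers. The last rule also lets the agent execute `zabbix_var_lib_t` files in its own domain; if the base policy lets the agent write that type (not visible here), a dedicated executable type for the scripts would keep written and executed content apart.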

@ -1,7 +1,11 @@
%if 0%{?rhel} && 0%{?rhel} < 5
%global _without_selinux 1
%endif
Summary: Scripts for Zabbix monitoring Summary: Scripts for Zabbix monitoring
Name: zabbix-agent-addons Name: zabbix-agent-addons
Version: 0.2.16 Version: 0.2.17
Release: 1 Release: 0.beta1
Source0: %{name}-%{version}.tar.gz Source0: %{name}-%{version}.tar.gz
BuildArch: noarch BuildArch: noarch
@ -18,6 +22,11 @@ Requires: perl(POSIX)
Requires: perl(MIME::Base64) Requires: perl(MIME::Base64)
Requires: perl(File::Which) Requires: perl(File::Which)
Requires: perl(Config::Simple) Requires: perl(Config::Simple)
%if ! 0%{?_without_selinux}
Requires: policycoreutils
BuildRequires: selinux-policy-devel
BuildRequires: checkpolicy
%endif
AutoReqProv: no AutoReqProv: no
@ -31,6 +40,11 @@ LVM, RAID status, S.M.A.R.T. drives, BackupPC etc...
%setup -q %setup -q
%build %build
%if ! 0%{?_without_selinux}
pushd selinux
make -f %{_datadir}/selinux/devel/Makefile
popd
%endif
%install %install
@ -50,6 +64,11 @@ cp -r lib/* $RPM_BUILD_ROOT%{perl_vendorlib}/
# Install sudo conf # Install sudo conf
%{__install} -d 750 $RPM_BUILD_ROOT%{_sysconfdir}/sudoers.d %{__install} -d 750 $RPM_BUILD_ROOT%{_sysconfdir}/sudoers.d
%{__install} -m 600 conf/sudo.conf $RPM_BUILD_ROOT%{_sysconfdir}/sudoers.d/zabbix_agent %{__install} -m 600 conf/sudo.conf $RPM_BUILD_ROOT%{_sysconfdir}/sudoers.d/zabbix_agent
# Install SELinux policy
%if ! 0%{?_without_selinux}
%{__install} -d 750 $RPM_BUILD_ROOT%{_datadir}/selinux/packages/%{realname}
%{__install} -m644 selinux/%{realname}.pp $RPM_BUILD_ROOT%{_datadir}/selinux/packages/%{realname}/%{realname}.pp
%endif
%clean %clean
%{__rm} -rf $RPM_BUILD_ROOT %{__rm} -rf $RPM_BUILD_ROOT
@ -77,6 +96,9 @@ fi
%attr(0440,root,root) %{_sysconfdir}/sudoers.d/* %attr(0440,root,root) %{_sysconfdir}/sudoers.d/*
%changelog %changelog
* Wed Aug 23 2017 Daniel Berteaud <daniel@firewall-services.com> - 0.2.17-1
- Add a SELinux policy module
* Wed Jun 14 2017 Daniel Berteaud <daniel@firewall-services.com> - 0.2.16-1 * Wed Jun 14 2017 Daniel Berteaud <daniel@firewall-services.com> - 0.2.16-1
- Add kernel.openedfile UserParameter - Add kernel.openedfile UserParameter
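Review bot: Nothing in this section loads the module: the `%install` hunk copies `%{realname}.pp` into `%{_datadir}/selinux/packages/` and `Requires: policycoreutils` is added, but no hunk adds a scriptlet or a `%files` entry, so the policy would apparently not be active after installation. A `%post` line such as `semodule -i %{_datadir}/selinux/packages/%{realname}/%{realname}.pp` (with `semodule -r %{realname}` on erase) and `%{_datadir}/selinux/packages/%{realname}` under `%files`, both inside the `_without_selinux` guard, would close that; the existing scriptlets and `%files` list are outside the hunks, so check whether a glob already covers the path. Separately, the new `%{__install} -d 750 …` line has no `-m`, so `750` is taken as a second directory name rather than a mode; `%{__install} -d -m 750 $RPM_BUILD_ROOT%{_datadir}/selinux/packages/%{realname}` is probably what was meant. `%{realname}` is not defined in the visible hunks, so confirm it expands to `zabbix-agent-addons`, the module name declared in the `.te` file.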
