Add a SELinux policy module

7 years ago · a3ecef0f9e
parent 282a4abffb
commit a3ecef0f9e
2 changed files with 52 additions and 2 deletions
--- a/selinux/zabbix-agent-addons.te
+++ b/selinux/zabbix-agent-addons.te
@ -0,0 +1,27 @@
 module zabbix-agent-addons 1.0;
 require {
        type kernel_t;
        type devlog_t;
        type zabbix_var_lib_t;
        type sudo_exec_t;
        type proc_mdstat_t;
        type zabbix_agent_t;
        class process setrlimit;
        class capability { audit_write dac_override sys_resource };
        class file { execute execute_no_trans getattr ioctl open read };
        class netlink_audit_socket { create nlmsg_relay };
        class sock_file write;
        class unix_dgram_socket { connect create sendto };
 }
 #============= zabbix_agent_t ==============
 allow zabbix_agent_t devlog_t:sock_file write;
 allow zabbix_agent_t kernel_t:unix_dgram_socket sendto;
 allow zabbix_agent_t proc_mdstat_t:file { getattr ioctl open read };
 allow zabbix_agent_t self:capability { audit_write dac_override sys_resource };
 allow zabbix_agent_t self:netlink_audit_socket { create nlmsg_relay };
 allow zabbix_agent_t self:process setrlimit;
 allow zabbix_agent_t self:unix_dgram_socket { connect create };
 allow zabbix_agent_t sudo_exec_t:file { execute execute_no_trans };
 allow zabbix_agent_t zabbix_var_lib_t:file { execute execute_no_trans ioctl open read };
--- a/zabbix-agent-addons.spec
+++ b/zabbix-agent-addons.spec
@ -1,7 +1,11 @@
 %if 0%{?rhel} && 0%{?rhel} < 5
 %global _without_selinux 1
 %endif
 Summary: Scripts for Zabbix monitoring
 Name: zabbix-agent-addons
-Version: 0.2.16
+Version: 0.2.17
-Release: 1
+Release: 0.beta1
 Source0: %{name}-%{version}.tar.gz
 BuildArch: noarch
@ -18,6 +22,11 @@ Requires: perl(POSIX)
 Requires: perl(MIME::Base64)
 Requires: perl(File::Which)
 Requires: perl(Config::Simple)
 %if ! 0%{?_without_selinux}
 Requires: policycoreutils
 BuildRequires: selinux-policy-devel
 BuildRequires: checkpolicy
 %endif
 AutoReqProv: no
@ -31,6 +40,11 @@ LVM, RAID status, S.M.A.R.T. drives, BackupPC etc...
 %setup -q
 %build
 %if ! 0%{?_without_selinux}
 pushd selinux
 make -f %{_datadir}/selinux/devel/Makefile
 popd
 %endif
 %install
@ -50,6 +64,11 @@ cp -r lib/* $RPM_BUILD_ROOT%{perl_vendorlib}/
 # Install sudo conf
 %{__install} -d 750 $RPM_BUILD_ROOT%{_sysconfdir}/sudoers.d
 %{__install} -m 600 conf/sudo.conf $RPM_BUILD_ROOT%{_sysconfdir}/sudoers.d/zabbix_agent
 # Install SELinux policy
 %if ! 0%{?_without_selinux}
  %{__install} -d 750 $RPM_BUILD_ROOT%{_datadir}/selinux/packages/%{name}
  %{__install} -m644 selinux/%{name}.pp $RPM_BUILD_ROOT%{_datadir}/selinux/packages/%{name}/%{name}.pp
 %endif
 %clean
 %{__rm} -rf $RPM_BUILD_ROOT
@ -75,8 +94,12 @@ fi
 %config(noreplace) %attr(0640,root,zabbix) %{_sysconfdir}/zabbix/sensors.ini
 %config(noreplace) %attr(0640,root,zabbix) %{_sysconfdir}/zabbix/zabbix_agentd.conf.d/*
 %attr(0440,root,root) %{_sysconfdir}/sudoers.d/*
 %{_datadir}/selinux/packages/%{name}/%{name}.pp
 %changelog
 * Wed Aug 23 2017 Daniel Berteaud <daniel@firewall-services.com> - 0.2.17-1
 - Add a SELinux policy module
 * Wed Jun 14 2017 Daniel Berteaud <daniel@firewall-services.com> - 0.2.16-1
 - Add kernel.openedfile UserParameter