Add a SELinux policy module

7 years ago · a3ecef0f9e
parent 282a4abffb
commit a3ecef0f9e
2 changed files with 52 additions and 2 deletions
--- a/selinux/zabbix-agent-addons.te
+++ b/selinux/zabbix-agent-addons.te
@ -0,0 +1,27 @@
+module zabbix-agent-addons 1.0;
+
+require {
+        type kernel_t;
+        type devlog_t;
+        type zabbix_var_lib_t;
+        type sudo_exec_t;
+        type proc_mdstat_t;
+        type zabbix_agent_t;
+        class process setrlimit;
+        class capability { audit_write dac_override sys_resource };
+        class file { execute execute_no_trans getattr ioctl open read };
+        class netlink_audit_socket { create nlmsg_relay };
+        class sock_file write;
+        class unix_dgram_socket { connect create sendto };
+}
+
+#============= zabbix_agent_t ==============
+allow zabbix_agent_t devlog_t:sock_file write;
+allow zabbix_agent_t kernel_t:unix_dgram_socket sendto;
+allow zabbix_agent_t proc_mdstat_t:file { getattr ioctl open read };
+allow zabbix_agent_t self:capability { audit_write dac_override sys_resource };
+allow zabbix_agent_t self:netlink_audit_socket { create nlmsg_relay };
+allow zabbix_agent_t self:process setrlimit;
+allow zabbix_agent_t self:unix_dgram_socket { connect create };
+allow zabbix_agent_t sudo_exec_t:file { execute execute_no_trans };
+allow zabbix_agent_t zabbix_var_lib_t:file { execute execute_no_trans ioctl open read };
--- a/zabbix-agent-addons.spec
+++ b/zabbix-agent-addons.spec
@ -1,7 +1,11 @@
+%if 0%{?rhel} && 0%{?rhel} < 5
+%global _without_selinux 1
+%endif
+
 Summary: Scripts for Zabbix monitoring
 Name: zabbix-agent-addons
-Version: 0.2.16
-Release: 1
+Version: 0.2.17
+Release: 0.beta1
 Source0: %{name}-%{version}.tar.gz
 BuildArch: noarch

@ -18,6 +22,11 @@ Requires: perl(POSIX)
 Requires: perl(MIME::Base64)
 Requires: perl(File::Which)
 Requires: perl(Config::Simple)
+%if ! 0%{?_without_selinux}
+Requires: policycoreutils
+BuildRequires: selinux-policy-devel
+BuildRequires: checkpolicy
+%endif

 AutoReqProv: no

@ -31,6 +40,11 @@ LVM, RAID status, S.M.A.R.T. drives, BackupPC etc...
 %setup -q

 %build
+%if ! 0%{?_without_selinux}
+pushd selinux
+make -f %{_datadir}/selinux/devel/Makefile
+popd
+%endif

 %install

@ -50,6 +64,11 @@ cp -r lib/* $RPM_BUILD_ROOT%{perl_vendorlib}/
 # Install sudo conf
 %{__install} -d 750 $RPM_BUILD_ROOT%{_sysconfdir}/sudoers.d
 %{__install} -m 600 conf/sudo.conf $RPM_BUILD_ROOT%{_sysconfdir}/sudoers.d/zabbix_agent
+# Install SELinux policy
+%if ! 0%{?_without_selinux}
+  %{__install} -d 750 $RPM_BUILD_ROOT%{_datadir}/selinux/packages/%{name}
+  %{__install} -m644 selinux/%{name}.pp $RPM_BUILD_ROOT%{_datadir}/selinux/packages/%{name}/%{name}.pp
+%endif

 %clean
 %{__rm} -rf $RPM_BUILD_ROOT
@ -75,8 +94,12 @@ fi
 %config(noreplace) %attr(0640,root,zabbix) %{_sysconfdir}/zabbix/sensors.ini
 %config(noreplace) %attr(0640,root,zabbix) %{_sysconfdir}/zabbix/zabbix_agentd.conf.d/*
 %attr(0440,root,root) %{_sysconfdir}/sudoers.d/*
+%{_datadir}/selinux/packages/%{name}/%{name}.pp

 %changelog
+* Wed Aug 23 2017 Daniel Berteaud <daniel@firewall-services.com> - 0.2.17-1
+- Add a SELinux policy module
+
 * Wed Jun 14 2017 Daniel Berteaud <daniel@firewall-services.com> - 0.2.16-1
 - Add kernel.openedfile UserParameter