Add a SELinux policy module
parent
282a4abffb
commit
a3ecef0f9e
|
@ -0,0 +1,27 @@
|
||||||
|
module zabbix-agent-addons 1.0;
|
||||||
|
|
||||||
|
require {
|
||||||
|
type kernel_t;
|
||||||
|
type devlog_t;
|
||||||
|
type zabbix_var_lib_t;
|
||||||
|
type sudo_exec_t;
|
||||||
|
type proc_mdstat_t;
|
||||||
|
type zabbix_agent_t;
|
||||||
|
class process setrlimit;
|
||||||
|
class capability { audit_write dac_override sys_resource };
|
||||||
|
class file { execute execute_no_trans getattr ioctl open read };
|
||||||
|
class netlink_audit_socket { create nlmsg_relay };
|
||||||
|
class sock_file write;
|
||||||
|
class unix_dgram_socket { connect create sendto };
|
||||||
|
}
|
||||||
|
|
||||||
|
#============= zabbix_agent_t ==============
|
||||||
|
allow zabbix_agent_t devlog_t:sock_file write;
|
||||||
|
allow zabbix_agent_t kernel_t:unix_dgram_socket sendto;
|
||||||
|
allow zabbix_agent_t proc_mdstat_t:file { getattr ioctl open read };
|
||||||
|
allow zabbix_agent_t self:capability { audit_write dac_override sys_resource };
|
||||||
|
allow zabbix_agent_t self:netlink_audit_socket { create nlmsg_relay };
|
||||||
|
allow zabbix_agent_t self:process setrlimit;
|
||||||
|
allow zabbix_agent_t self:unix_dgram_socket { connect create };
|
||||||
|
allow zabbix_agent_t sudo_exec_t:file { execute execute_no_trans };
|
||||||
|
allow zabbix_agent_t zabbix_var_lib_t:file { execute execute_no_trans ioctl open read };
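Review bot: The rule `allow zabbix_agent_t sudo_exec_t:file { execute execute_no_trans };` runs sudo without a domain transition, so the `dac_override`, `sys_resource` and `audit_write` capabilities granted on `self` apply to the whole agent domain, not only to the sudo invocation. The last rule has the same shape for `zabbix_var_lib_t`: if that type is also writable by the agent (not visible on this page), the agent could execute files it created itself, and a dedicated executable type for the shipped scripts would avoid that. The `#=============` header suggests the rules were generated from logged denials, so each rule should get a comment naming the check that needs it, for example `# sudo runs in zabbix_agent_t (no transition); used by checks allowed in sudoers.d/zabbix_agent` above the sudo rule. That lets a later audit drop rules that are no longer required.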
|
|
@ -1,7 +1,11 @@
|
||||||
|
%if 0%{?rhel} && 0%{?rhel} < 5
|
||||||
|
%global _without_selinux 1
|
||||||
|
%endif
|
||||||
|
|
||||||
Summary: Scripts for Zabbix monitoring
|
Summary: Scripts for Zabbix monitoring
|
||||||
Name: zabbix-agent-addons
|
Name: zabbix-agent-addons
|
||||||
Version: 0.2.16
|
Version: 0.2.17
|
||||||
Release: 1
|
Release: 0.beta1
|
||||||
Source0: %{name}-%{version}.tar.gz
|
Source0: %{name}-%{version}.tar.gz
|
||||||
BuildArch: noarch
|
BuildArch: noarch
|
||||||
|
|
||||||
|
@ -18,6 +22,11 @@ Requires: perl(POSIX)
|
||||||
Requires: perl(MIME::Base64)
|
Requires: perl(MIME::Base64)
|
||||||
Requires: perl(File::Which)
|
Requires: perl(File::Which)
|
||||||
Requires: perl(Config::Simple)
|
Requires: perl(Config::Simple)
|
||||||
|
%if ! 0%{?_without_selinux}
|
||||||
|
Requires: policycoreutils
|
||||||
|
BuildRequires: selinux-policy-devel
|
||||||
|
BuildRequires: checkpolicy
|
||||||
|
%endif
|
||||||
|
|
||||||
AutoReqProv: no
|
AutoReqProv: no
|
||||||
|
|
||||||
|
@ -31,6 +40,11 @@ LVM, RAID status, S.M.A.R.T. drives, BackupPC etc...
|
||||||
%setup -q
|
%setup -q
|
||||||
|
|
||||||
%build
|
%build
|
||||||
|
%if ! 0%{?_without_selinux}
|
||||||
|
pushd selinux
|
||||||
|
make -f %{_datadir}/selinux/devel/Makefile
|
||||||
|
popd
|
||||||
|
%endif
|
||||||
|
|
||||||
%install
|
%install
|
||||||
|
|
||||||
|
@ -50,6 +64,11 @@ cp -r lib/* $RPM_BUILD_ROOT%{perl_vendorlib}/
|
||||||
# Install sudo conf
|
# Install sudo conf
|
||||||
%{__install} -d 750 $RPM_BUILD_ROOT%{_sysconfdir}/sudoers.d
|
%{__install} -d 750 $RPM_BUILD_ROOT%{_sysconfdir}/sudoers.d
|
||||||
%{__install} -m 600 conf/sudo.conf $RPM_BUILD_ROOT%{_sysconfdir}/sudoers.d/zabbix_agent
|
%{__install} -m 600 conf/sudo.conf $RPM_BUILD_ROOT%{_sysconfdir}/sudoers.d/zabbix_agent
|
||||||
|
# Install SELinux policy
|
||||||
|
%if ! 0%{?_without_selinux}
|
||||||
|
%{__install} -d 750 $RPM_BUILD_ROOT%{_datadir}/selinux/packages/%{name}
|
||||||
|
%{__install} -m644 selinux/%{name}.pp $RPM_BUILD_ROOT%{_datadir}/selinux/packages/%{name}/%{name}.pp
|
||||||
|
%endif
|
||||||
|
|
||||||
%clean
|
%clean
|
||||||
%{__rm} -rf $RPM_BUILD_ROOT
|
%{__rm} -rf $RPM_BUILD_ROOT
|
||||||
|
@ -75,8 +94,12 @@ fi
|
||||||
%config(noreplace) %attr(0640,root,zabbix) %{_sysconfdir}/zabbix/sensors.ini
|
%config(noreplace) %attr(0640,root,zabbix) %{_sysconfdir}/zabbix/sensors.ini
|
||||||
%config(noreplace) %attr(0640,root,zabbix) %{_sysconfdir}/zabbix/zabbix_agentd.conf.d/*
|
%config(noreplace) %attr(0640,root,zabbix) %{_sysconfdir}/zabbix/zabbix_agentd.conf.d/*
|
||||||
%attr(0440,root,root) %{_sysconfdir}/sudoers.d/*
|
%attr(0440,root,root) %{_sysconfdir}/sudoers.d/*
|
||||||
|
%{_datadir}/selinux/packages/%{name}/%{name}.pp
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Wed Aug 23 2017 Daniel Berteaud <daniel@firewall-services.com> - 0.2.17-1
|
||||||
|
- Add a SELinux policy module
|
||||||
|
|
||||||
* Wed Jun 14 2017 Daniel Berteaud <daniel@firewall-services.com> - 0.2.16-1
|
* Wed Jun 14 2017 Daniel Berteaud <daniel@firewall-services.com> - 0.2.16-1
|
||||||
- Add kernel.openedfile UserParameter
|
- Add kernel.openedfile UserParameter
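Review bot: The new `%files` entry `%{_datadir}/selinux/packages/%{name}/%{name}.pp` is unconditional, while the `%build` and `%install` steps that produce it sit inside `%if ! 0%{?_without_selinux}`, so a build with `_without_selinux` set would fail on a missing file; wrap the entry in the same `%if ! 0%{?_without_selinux}` / `%endif`. None of the added lines loads the module either: unless a scriptlet outside these hunks already does, a `%post` calling `semodule -i %{_datadir}/selinux/packages/%{name}/%{name}.pp` (with a matching `semodule -r %{name}` on erase) is needed, otherwise the policy is packaged but never loaded. In the `%install` hunk, `%{__install} -d 750` lacks `-m`, so `750` is taken as a directory name and the policy directory gets the default mode; `%{__install} -d -m 750 ...` is probably what was meant.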
|
||||||
|
|
||||||
|
|