Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
2 changed files
with
30 additions
and
2 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,26 @@ | ||
module zabbix-docker 1.1; | ||
|
||
require { | ||
type docker_var_run_t; | ||
type unreserved_port_t; | ||
type zabbix_agent_t; | ||
type docker_t; | ||
type cgroup_t; | ||
type modules_object_t; | ||
class sock_file write; | ||
class unix_stream_socket connectto; | ||
class capability dac_override; | ||
class tcp_socket name_connect; | ||
class file { ioctl read getattr lock open execute }; | ||
class dir { ioctl read getattr lock add_name reparent search open }; | ||
} | ||
|
||
#============= zabbix_agent_t ============== | ||
|
||
allow zabbix_agent_t docker_t:unix_stream_socket connectto; | ||
allow zabbix_agent_t docker_var_run_t:sock_file write; | ||
allow zabbix_agent_t self:capability dac_override; | ||
allow zabbix_agent_t unreserved_port_t:tcp_socket name_connect; | ||
allow zabbix_agent_t cgroup_t:file { ioctl read getattr lock open }; | ||
allow zabbix_agent_t cgroup_t:dir { ioctl read getattr lock search open }; | ||
allow zabbix_agent_t modules_object_t:file { read open execute }; |