[zabbix] Complete what the previous commit promised

Volker Fröhlich volter at fedoraproject.org
Thu Oct 3 18:51:03 UTC 2013


commit cacc717d0a6f12f657af47169aa048bba841d596
Author: Volker Fröhlich <volker27 at gmx.at>
Date:   Thu Oct 3 20:48:07 2013 +0200

    Complete what the previous commit promised

 sources                      |    2 +-
 zabbix-2.0.6-ZBX-5924.patch  |   13 -------------
 zabbix-2.0.6-ZBX-6526.patch  |   41 -----------------------------------------
 zabbix-agent.service         |    1 -
 zabbix-fedora.README         |   29 ++++++++++++++++++++++++++++-
 zabbix-proxy-mysql.service   |    1 -
 zabbix-proxy-pgsql.service   |    1 -
 zabbix-proxy-sqlite3.service |    1 -
 zabbix-server-mysql.service  |    1 -
 zabbix-server-pgsql.service  |    1 -
 zabbix.spec                  |    4 ++++
 11 files changed, 33 insertions(+), 62 deletions(-)
---
diff --git a/sources b/sources
index bf98dab..ab672de 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-d480122e6cfb0983d9946148d82a0b8b  zabbix-2.0.6-free.tar.gz
+213cfb023a9c3afb807746003027a9c2  zabbix-2.0.8-free.tar.gz
diff --git a/zabbix-agent.service b/zabbix-agent.service
index cca7cc9..27bfad7 100644
--- a/zabbix-agent.service
+++ b/zabbix-agent.service
@@ -7,7 +7,6 @@ Type=oneshot
 ExecStart=/usr/sbin/zabbix_agentd
 RemainAfterExit=yes
 User=zabbix
-PrivateTmp=yes
 
 [Install]
 WantedBy=multi-user.target
diff --git a/zabbix-fedora.README b/zabbix-fedora.README
index 3f9e0d5..4bbf487 100644
--- a/zabbix-fedora.README
+++ b/zabbix-fedora.README
@@ -21,6 +21,7 @@ Log files are located in /var/log/zabbix.
 ==Where's my Flash watch?==
 
 It's not included in Fedora! Fedora's policy does not allow to include blobs.
+https://support.zabbix.com/browse/ZBX-4794
 
 
 ==No htaccess files==
@@ -101,6 +102,32 @@ to vote on it.
 
 Sadly it doesn't work with how Fedora's/EPEL's PHP is compiled.
 
+--------------------------------------------------------------------------------
+
+=SELinux=
+
+The settings necessary for you vary, depending on how you set up your system/s.
+Most of the time, the only adjustments necessary should be on the machine that
+holds the frontend:
+
+#Allow to connect the frontend to a database by other means than sockets
+setsebool -P httpd_can_network_connect_db 1
+
+#Allow the frontend to create a connection to the server listening port
+#That's the check the frontend uses to see whether the server is running.
+#This option effectively supersedes the previous
+setsebool -P httpd_can_network_connect 1
+
+Using sebools is a somewhat coarse method of allowing things.
+A more fine-grained approach for the latter would be to grab an actual
+avc denial from the audit log, pipe it through audit2allow, put it in a
+module package and load that:
+
+echo "avc:  denied  { name_connect } for  pid=20619 comm="httpd" dest=10051 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:zabbix_port_t:s0 tclass=tcp_socket" | audit2allow -M zabbix_conn_httpd; sudo semodule -i zabbix_conn_httpd.pp
+
+If you're using ping from the frontend:
+
+echo "avc:  denied  { setpgid } for  pid=31880 comm="zabbix_server_p" scontext=system_u:system_r:zabbix_t:s0 tcontext=system_u:system_r:zabbix_t:s0 tclass=process" | audit2allow -M zabbix_ping_frontend; sudo semodule -i zabbix_ping_frontend.pp
 
 --------------------------------------------------------------------------------
 
@@ -122,4 +149,4 @@ http://www.zabbix.com/documentation/2.0/manual/installation/upgrade
 - Review all rpmnew and rpmsave files; merge where necessary
 - Review permissions, ownerships and group memberships for zabbixsrv
 
-Volker Fröhlich volker27 at gmx.at Nov 8 2012
+Volker Fröhlich volker27 at gmx.at Aug 14 2013
diff --git a/zabbix-proxy-mysql.service b/zabbix-proxy-mysql.service
index 515bb8e..6464a5a 100644
--- a/zabbix-proxy-mysql.service
+++ b/zabbix-proxy-mysql.service
@@ -7,7 +7,6 @@ Type=oneshot
 ExecStart=/usr/sbin/zabbix_proxy
 RemainAfterExit=yes
 User=zabbixsrv
-PrivateTmp=yes
 
 [Install]
 WantedBy=multi-user.target
diff --git a/zabbix-proxy-pgsql.service b/zabbix-proxy-pgsql.service
index d1fc5fc..5d52fd9 100644
--- a/zabbix-proxy-pgsql.service
+++ b/zabbix-proxy-pgsql.service
@@ -7,7 +7,6 @@ Type=oneshot
 ExecStart=/usr/sbin/zabbix_proxy
 RemainAfterExit=yes
 User=zabbixsrv
-PrivateTmp=yes
 
 [Install]
 WantedBy=multi-user.target
diff --git a/zabbix-proxy-sqlite3.service b/zabbix-proxy-sqlite3.service
index 2058613..a102fc0 100644
--- a/zabbix-proxy-sqlite3.service
+++ b/zabbix-proxy-sqlite3.service
@@ -7,7 +7,6 @@ Type=oneshot
 ExecStart=/usr/sbin/zabbix_proxy
 RemainAfterExit=yes
 User=zabbixsrv
-PrivateTmp=yes
 
 [Install]
 WantedBy=multi-user.target
diff --git a/zabbix-server-mysql.service b/zabbix-server-mysql.service
index 7c1962c..9c0217b 100644
--- a/zabbix-server-mysql.service
+++ b/zabbix-server-mysql.service
@@ -7,7 +7,6 @@ Type=oneshot
 ExecStart=/usr/sbin/zabbix_server
 RemainAfterExit=yes
 User=zabbixsrv
-PrivateTmp=yes
 
 [Install]
 WantedBy=multi-user.target
diff --git a/zabbix-server-pgsql.service b/zabbix-server-pgsql.service
index 8d6a83f..a196b4c 100644
--- a/zabbix-server-pgsql.service
+++ b/zabbix-server-pgsql.service
@@ -7,7 +7,6 @@ Type=oneshot
 ExecStart=/usr/sbin/zabbix_server
 RemainAfterExit=yes
 User=zabbixsrv
-PrivateTmp=yes
 
 [Install]
 WantedBy=multi-user.target
diff --git a/zabbix.spec b/zabbix.spec
index 6e12bf6..1e9e3bb 100644
--- a/zabbix.spec
+++ b/zabbix.spec
@@ -361,6 +361,7 @@ sed -i \
     -e 's|/usr/local||g' \
     conf/zabbix_server.conf
 
+#TODO: It'd be better to leave the defaults in a commment and just override them, as they are still hard-coded!
 sed -i \
     -e 's|# PidFile=.*|PidFile=%{_localstatedir}/run/%{srcname}/zabbix_proxy.pid|g' \
     -e 's|^LogFile=.*|LogFile=%{_localstatedir}/log/%{srcname}/zabbix_proxy.log|g' \
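Review bot: The added TODO misspells "commment" and does not say what should be done, which makes it hard to act on later. The sed expression directly below it rewrites the commented `# PidFile=` line in place, so the documented default disappears from the shipped config. A clearer wording would be `#TODO: Keep the default as a comment and add the override on its own line; the defaults are still hard-coded`. The sed command continues past the end of the hunk.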
@@ -498,6 +499,9 @@ ln -sf %{_sharedstatedir}/zabbixsrv/alertscripts $RPM_BUILD_ROOT%{_sysconfdir}/%
 # Directory for fping spooling files 
 mkdir $RPM_BUILD_ROOT%{_sharedstatedir}/zabbixsrv/tmp
 
+# Directory for fping spooling files 
+mkdir $RPM_BUILD_ROOT%{_sharedstatedir}/zabbixsrv/tmp
+
 # Install sql files
 for db in postgresql mysql; do
     datadir=$RPM_BUILD_ROOT%{_datadir}/%{srcname}-$db
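Review bot: The two added lines repeat the `mkdir $RPM_BUILD_ROOT%{_sharedstatedir}/zabbixsrv/tmp` that already appears as context directly above them, so the second call runs against an existing directory. Plain `mkdir` returns non-zero in that case, and since rpmbuild normally runs %install under `sh -e`, this likely aborts the build; drop the duplicated pair, or use `mkdir -p` if the repetition is intended. Because this commit also removes `PrivateTmp=yes` from the unit files, it is worth confirming in %files (not visible here) that this spool directory is owned by zabbixsrv and is not world-writable. The `for db in postgresql mysql` loop at the end of the hunk continues outside it.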

