authorNathan Kinder <nkinder@redhat.com>2009-09-17 08:13:59 -0700
committerNathan Kinder <nkinder@redhat.com>2009-09-17 08:13:59 -0700
commit8af8dffe2416290b8777dcda3450d1e76ca8657c (patch)
tree8499e2182f20619cdc3d4396728f8fe86e73c00b /ldap/servers/snmp
parent0dedc61d90e84e15dad2d9ade77bc5503f6e4b62 (diff)
Add SELinux policy for ldap-agent.
This adds SELinux policy to confine the SNMP subagent (ldap-agent). There were some changes required around the subagent to make it work in a more standard fashion. I moved the ldap-agent binary and wrapper to sbindir. It was previously in bindir, yet it is not a user command. The location really should be sbindir per FHS. I added init scripts for the subagent, so it can now be managed using "service dirsrv-snmp [start|stop|restart|condrestart|status]". While doing this, I found that the parent process was exiting with 1 on success instead of 0, so I fixed that. I added a default config file for the subagent as well. When using the init script, the config file is hardcoded into this standard location. Having this config template should also hopefully cut down on configuration errors since it's self documenting. The pid file location was also changed to go into /var/run per FHS. Previously, it was written to the same directory as the log file. There are a few notes in the policy .te file about some bugs that we are working around for now. These bugs are mainly minor issues in the snmp policy that is a part of the selinux-policy package. Once those bugs are fixed, we can clean our policy .te file up.
Diffstat (limited to 'ldap/servers/snmp')
-rw-r--r--ldap/servers/snmp/ldap-agent.conf.in30
-rw-r--r--ldap/servers/snmp/ldap-agent.h2
-rw-r--r--ldap/servers/snmp/main.c37
3 files changed, 49 insertions, 20 deletions
diff --git a/ldap/servers/snmp/ldap-agent.conf.in b/ldap/servers/snmp/ldap-agent.conf.in
new file mode 100644
index 00000000..6593685b
--- /dev/null
+++ b/ldap/servers/snmp/ldap-agent.conf.in
@@ -0,0 +1,30 @@
+# The agentx-master setting defines how to communicate
+# with the SNMP master agent using the AgentX protocol.
+# The default is to use a UNIX domain socket. If your
+# master agent is listening on a tcp port for AgentX
+# subagents, use a line like the following:
+#
+# agentx-master localhost:705
+agentx-master /var/agentx/master
+
+# The agent-logdir settings defines where the subagent
+# will write it's logfile.
+agent-logdir @localstatedir@/log/@package_name@
+
+# The server setting specifies a Directory Server
+# instance that you want to monitor. You must use one
+# server setting for each Directory Server instance. The
+# subagent requires at least one server setting to be
+# specified. The server setting
+# should be set to the name of the Directory Server
+# instance you would like to monitor. For example:
+#
+# server slapd-phonebook
+#
+# To monitor multiple Directory Server instances, add
+# an additional server parameter for each instance:
+#
+# server slapd-phonebook
+# server slapd-example
+# server slapd-directory
+
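Review bot: The commented TCP example for `agentx-master` does not say that AgentX has no authentication or encryption of its own, so an administrator who switches from the UNIX socket to a TCP master loses the file-permission protection without being told. I would add a line above the example such as `# AgentX has no authentication of its own; keep a TCP master on the loopback interface.` Two wording fixes in the same template: `The agent-logdir settings defines` should read `The agent-logdir setting defines`, and `it's logfile` should be `its logfile`.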
diff --git a/ldap/servers/snmp/ldap-agent.h b/ldap/servers/snmp/ldap-agent.h
index 30253d1c..664d7e22 100644
--- a/ldap/servers/snmp/ldap-agent.h
+++ b/ldap/servers/snmp/ldap-agent.h
@@ -90,7 +90,7 @@ extern "C" {
#define CACHE_REFRESH_INTERVAL 15
#define UPDATE_THRESHOLD 20
#define SNMP_NUM_SEM_WAITS 10
-#define LDAP_AGENT_PIDFILE ".ldap-agent.pid"
+#define LDAP_AGENT_PIDFILE "ldap-agent.pid"
#define LDAP_AGENT_LOGFILE "ldap-agent.log"
/*************************************************************
diff --git a/ldap/servers/snmp/main.c b/ldap/servers/snmp/main.c
index 5b2ad68a..04c4ee3f 100644
--- a/ldap/servers/snmp/main.c
+++ b/ldap/servers/snmp/main.c
@@ -191,7 +191,7 @@ main (int argc, char *argv[]) {
fscanf(pid_fp, "%d", &child_pid);
fclose(pid_fp);
printf("ldap-agent: Started as pid %d\n", child_pid);
- exit(1);
+ exit(0);
}
/* initialize the agent */
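Review bot: The result of `fscanf(pid_fp, "%d", &child_pid)` is not checked, so with the new `exit(0)` the parent tells the init script that startup succeeded even when the pid file was empty or unparseable. In that case the printed pid is whatever `child_pid` held before the call (its initialisation is outside this hunk). A guard such as `if (fscanf(pid_fp, "%d", &child_pid) != 1) { fclose(pid_fp); exit(1); }` keeps the success exit code tied to a pid that was actually read. The body of main starts and ends outside the hunk.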
@@ -205,7 +205,7 @@ main (int argc, char *argv[]) {
signal(SIGTERM, stop_server);
signal(SIGINT, stop_server);
- /* create pidfile in config file dir */
+ /* create pidfile */
child_pid = getpid();
if ((pid_fp = fopen(pidfile, "w")) == NULL) {
snmp_log(LOG_ERR, "Error creating pid file: %s\n", pidfile);
@@ -272,25 +272,24 @@ load_config(char *conf_path)
}
/* set pidfile path */
+ if ((pidfile = malloc(strlen(LOCALSTATEDIR) + strlen("/run/") +
+ strlen(LDAP_AGENT_PIDFILE) + 1)) != NULL) {
+ strncpy(pidfile, LOCALSTATEDIR, strlen(LOCALSTATEDIR));
+ /* The above will likely not be NULL terminated, but we need to
+ * be sure that we're properly NULL terminated for the below
+ * strcat() to work properly. */
+ pidfile[strlen(LOCALSTATEDIR)] = (char)0;
+ strcat(pidfile, "/run/");
+ strcat(pidfile, LDAP_AGENT_PIDFILE);
+ } else {
+ printf("ldap-agent: malloc error processing config file\n");
+ error = 1;
+ goto close_and_exit;
+ }
+
+ /* set default logdir to location of config file */
for (p = (conf_path + strlen(conf_path) - 1); p >= conf_path; p--) {
if (*p == '/') {
- /* set pidfile path */
- if ((pidfile = malloc((p - conf_path) +
- strlen(LDAP_AGENT_PIDFILE) + 2)) != NULL) {
- strncpy(pidfile, conf_path, (p - conf_path + 1));
- /* The above will likely not be NULL terminated, but we need to
- * be sure that we're properly NULL terminated for the below
- * strcat() to work properly. */
- pidfile[(p - conf_path + 2)] = (char)0;
- strcat(pidfile, LDAP_AGENT_PIDFILE);
- pidfile[((p - conf_path) + strlen(LDAP_AGENT_PIDFILE) + 1)] = (char)0;
- } else {
- printf("ldap-agent: malloc error processing config file\n");
- error = 1;
- goto close_and_exit;
- }
-
- /* set default logdir to location of config file */
if ((agent_logdir = malloc((p - conf_path) + 1)) != NULL) {
strncpy(agent_logdir, conf_path, (p - conf_path));
agent_logdir[(p - conf_path)] = (char)0;
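Review bot: The new pidfile path is built with `strncpy`, a manual terminator and two `strcat` calls, which is correct as written but only while three separate length expressions stay in agreement. A single bounded format is harder to get wrong: keep the size in a variable, `size_t len = strlen(LOCALSTATEDIR) + strlen("/run/") + strlen(LDAP_AGENT_PIDFILE) + 1;`, and after the malloc check write `snprintf(pidfile, len, "%s/run/%s", LOCALSTATEDIR, LDAP_AGENT_PIDFILE);`. The pid file name is also now fixed per host instead of per config directory, so two subagents started with different config files would share one file and the `fopen(pidfile, "w")` in main would overwrite the first one's pid. A comment stating that one subagent per host is assumed would help. load_config starts before this hunk and continues past it.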