
Commit 2d4d691

committed
Add policy for insights-core
The insights_core_t domain is used by the insights client with an explicit transition using setexecfilecon().
1 parent 97be274 commit 2d4d691


2 files changed

+256
-0
lines changed


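--- a/policy/modules/contrib/insights_client.if
+++ b/policy/modules/contrib/insights_client.if
@@ -320,3 +320,25 @@ interface(`insights_client_write_tmp',`
 files_search_tmp($1)
 write_files_pattern($1, insights_client_tmp_t, insights_client_tmp_t)
 ')
+
+########################################
+## <summary>
+## Allow explicit transition to insights_core_t domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`insights_domtrans_core',`
+gen_require(`
+type insights_core_t;
+')
+
+allow $1 insights_core_t: process transition;
+allow insights_core_t $1:fd use;
+allow insights_core_t $1:fifo_file rw_file_perms;
+allow insights_core_t $1:process sigchld;
+allow insights_core_t $1:dir search_dir_perms;
+')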
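Review bot: The new interface grants `process transition` into insights_core_t but, unlike `domtrans_pattern`, it neither defines a `type_transition` nor ties the transition to a specific entrypoint type, so which executable may enter the domain is decided entirely by `corecmd_bin_entry_type(insights_core_t)` in the .te hunk (any bin_t program); the interface summary should say so, because a caller reading only the .if would assume the usual automatic transition. Suggested summary text: `## Allow the caller to explicitly transition to insights_core_t. No type_transition is defined: the caller must request the new context with setexecfilecon() before exec, and the entrypoint is any bin_t executable (see corecmd_bin_entry_type in the .te file).` The name also departs from the module's prefix convention visible on the same hunk (`insights_client_write_tmp`, and `insights_client_filetrans_named_content` in the .te), so `insights_client_domtrans_core` would be the consistent choice. Minor: `insights_core_t: process transition` has a stray space after the colon compared with the other rules in the block.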

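--- a/policy/modules/contrib/insights_client.te
+++ b/policy/modules/contrib/insights_client.te
@@ -43,6 +43,13 @@ files_tmpfs_file(insights_client_tmpfs_t)
 type insights_client_unit_file_t;
 systemd_unit_file(insights_client_unit_file_t)
 
+type insights_core_t;
+role system_r types insights_core_t;
+domain_type(insights_core_t)
+
+type insights_core_tmp_t;
+files_tmp_file(insights_core_tmp_t)
+
 ########################################
 #
 # insights_client local policy
@@ -417,3 +424,230 @@ optional_policy(`
 optional_policy(`
 virt_stream_connect(insights_client_t)
 ')
+
+########################################
+#
+# insights_core local policy
+#
+
+# an explicit transition using setexecfilecon()
+insights_domtrans_core(insights_client_t)
+allow init_t insights_core_t:fifo_file write;
+insights_client_filetrans_named_content(insights_core_t)
+
+allow insights_core_t self:capability { dac_read_search setgid sys_admin };
+allow insights_core_t self:capability2 { checkpoint_restore syslog };
+allow insights_core_t self:process { getattr setpgid };
+
+#allow insights_core_t self:socket_class_set create_socket_perms;
+allow insights_core_t self:appletalk_socket create_socket_perms;
+allow insights_core_t self:ax25_socket create_socket_perms;
+allow insights_core_t self:ipx_socket create_socket_perms;
+allow insights_core_t self:netlink_route_socket r_netlink_socket_perms;
+allow insights_core_t self:netlink_tcpdiag_socket { create_socket_perms nlmsg_read };
+allow insights_core_t self:netrom_socket create_socket_perms;
+allow insights_core_t self:rose_socket create_socket_perms;
+allow insights_core_t self:socket create_socket_perms;
+allow insights_core_t self:tcp_socket create_stream_socket_perms;
+allow insights_core_t self:udp_socket create_socket_perms;
+allow insights_core_t self:unix_dgram_socket create_socket_perms;
+allow insights_core_t self:unix_stream_socket connectto;
+allow insights_core_t self:x25_socket create_socket_perms;
+
+manage_dirs_pattern(insights_core_t, insights_core_tmp_t, insights_core_tmp_t)
+manage_files_pattern(insights_core_t, insights_core_tmp_t, insights_core_tmp_t)
+files_tmp_filetrans(insights_core_t, insights_core_tmp_t, { dir file })
+
+manage_files_pattern(insights_core_t, insights_client_cache_t, insights_client_cache_t)
+
+read_files_pattern(insights_core_t, insights_client_etc_t, insights_client_etc_t)
+create_files_pattern(insights_core_t, insights_client_etc_t, insights_client_etc_t)
+#allow insights_core_t insights_client_etc_t:file { write };
+allow insights_core_t insights_client_etc_rw_t:file { create getattr ioctl open read setattr write };
+
+manage_files_pattern(insights_core_t, insights_client_var_lib_t, insights_client_var_lib_t)
+manage_dirs_pattern(insights_core_t, insights_client_var_lib_t, insights_client_var_lib_t)
+
+append_files_pattern(insights_core_t, insights_client_var_log_t, insights_client_var_log_t)
+create_files_pattern(insights_core_t, insights_client_var_log_t, insights_client_var_log_t)
+
+allow insights_core_t insights_client_var_run_t:file { getattr read };
+
+allow insights_core_t insights_client_tmp_t:file { open };
+
+kernel_dgram_send(insights_core_t)
+kernel_read_all_sysctls(insights_core_t)
+kernel_list_all_proc(insights_core_t)
+kernel_read_proc_files(insights_core_t)
+kernel_list_proc(insights_core_t)
+kernel_read_fs_sysctls(insights_core_t)
+kernel_read_network_state(insights_core_t)
+kernel_read_ring_buffer(insights_core_t)
+kernel_read_security_state(insights_core_t)
+kernel_read_software_raid_state(insights_core_t)
+kernel_read_sysctl(insights_core_t)
+
+corecmd_bin_entry_type(insights_core_t)
+corecmd_exec_bin(insights_core_t)
+
+corenet_tcp_bind_generic_node(insights_core_t)
+corenet_tcp_connect_http_port(insights_core_t)
+
+dev_getattr_all_blk_files(insights_core_t)
+dev_getattr_all_chr_files(insights_core_t)
+dev_read_kmsg(insights_core_t)
+dev_read_netcontrol(insights_core_t)
+dev_read_sysfs(insights_core_t)
+
+domain_getattr_all_sockets(insights_core_t)
+domain_connect_all_stream_sockets(insights_core_t)
+domain_getattr_all_domains(insights_core_t)
+domain_getattr_all_pipes(insights_core_t)
+domain_read_all_domains_state(insights_core_t)
+domain_read_view_all_domains_keyrings(insights_core_t)
+
+files_getattr_all_files(insights_core_t)
+files_getattr_all_blk_files(insights_core_t)
+files_getattr_all_chr_files(insights_core_t)
+files_getattr_all_file_type_fs(insights_core_t)
+files_getattr_all_pipes(insights_core_t)
+files_getattr_all_sockets(insights_core_t)
+files_read_all_symlinks(insights_core_t)
+files_read_non_security_files(insights_core_t)
+
+fs_get_all_fs_quotas(insights_core_t)
+fs_getattr_all_fs(insights_core_t)
+fs_getattr_nsfs_files(insights_core_t)
+fs_read_configfs_dirs(insights_core_t)
+
+optional_policy(`
+auth_read_passwd_file(insights_core_t)
+')
+
+optional_policy(`
+bootloader_exec(insights_core_t)
+')
+
+optional_policy(`
+chronyd_domtrans_chronyc(insights_core_t)
+')
+
+optional_policy(`
+dbus_system_bus_client(insights_core_t)
+')
+
+optional_policy(`
+dmesg_exec(insights_core_t)
+')
+
+optional_policy(`
+dmidecode_exec(insights_core_t)
+')
+
+optional_policy(`
+fstools_domtrans(insights_core_t)
+')
+
+optional_policy(`
+gnome_search_gconf(insights_core_t)
+')
+
+optional_policy(`
+gpg_entry_type(insights_core_t)
+gpg_domtrans(insights_core_t)
+gpg_domtrans_agent(insights_core_t)
+')
+
+optional_policy(`
+hostname_exec(insights_core_t)
+')
+
+optional_policy(`
+init_status(insights_core_t)
+init_rw_stream_sockets(insights_core_t)
+')
+
+optional_policy(`
+iptables_domtrans(insights_core_t)
+')
+
+
+optional_policy(`
+journalctl_domtrans(insights_core_t)
+')
+
+
+optional_policy(`
+libs_exec_ldconfig(insights_core_t)
+')
+
+optional_policy(`
+logging_domtrans_auditctl(insights_core_t)
+logging_read_audit_config(insights_core_t)
+logging_read_audit_log(insights_core_t)
+logging_send_syslog_msg(insights_core_t)
+logging_mmap_generic_logs(insights_core_t)
+')
+
+optional_policy(`
+lvm_domtrans(insights_core_t)
+')
+
+optional_policy(`
+miscfiles_read_generic_certs(insights_core_t)
+')
+
+optional_policy(`
+modutils_domtrans_kmod(insights_core_t)
+modutils_read_module_deps_files(insights_core_t)
+')
+
+optional_policy(`
+mount_domtrans(insights_core_t)
+')
+
+optional_policy(`
+networkmanager_dbus_chat(insights_core_t)
+')
+
+optional_policy(`
+rhsmcertd_domtrans(insights_core_t)
+rhsmcertd_read_config_files(insights_core_t)
+rhsmcertd_write_config_files(insights_core_t)
+#rhsmcertd_create_lib_files(insights_core_t)
+#rhsmcertd_write_lib_files(insights_core_t)
+rhsmcertd_manage_lib_files(insights_core_t)
+rhsmcertd_append_log(insights_core_t)
+rhsmcertd_create_log(insights_core_t)
+')
+
+optional_policy(`
+rpm_domtrans(insights_core_t)
+')
+
+optional_policy(`
+seutil_domtrans_semanage(insights_core_t)
+')
+
+optional_policy(`
+ssh_exec(insights_core_t)
+ssh_exec_sshd(insights_core_t)
+')
+
+optional_policy(`
+#?sysnet_read_config(insights_core_t)
+sysnet_exec_ifconfig(insights_core_t)
+')
+
+optional_policy(`
+systemd_dbus_chat_timedated(insights_core_t)
+systemd_dbus_chat_localed(insights_core_t)
+systemd_exec_notify(insights_core_t)
+systemd_status_all_unit_files(insights_core_t)
+systemd_userdbd_stream_connect(insights_core_t)
+')
+
+optional_policy(`
+userdom_search_user_tmp_dirs(insights_core_t)
+userdom_view_all_users_keys(insights_core_t)
+')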
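Review bot: `allow init_t insights_core_t:fifo_file write;` (new line 435 of the second hunk) is the only rule in the new block that names a type owned by another module directly instead of going through an interface, and nothing here requires `init_t`; unless it is required elsewhere in this file (not visible in the hunk), that will not build as a loadable module, and the reason init needs to write a pipe labelled for this domain is undocumented, so it should become an init interface call with a comment naming the pipe in question. The domain is also given `sys_admin` and `checkpoint_restore`, an entrypoint on every bin_t executable via `corecmd_bin_entry_type`, and domain transitions into mount, lvm, kmod, semanage, rpm, iptables, fstools and auditctl; each of those broad grants should carry a one-line comment naming the collector or command that exercises it, otherwise the set cannot be audited or pruned later. The commented-out `#allow insights_core_t self:socket_class_set`, `#allow insights_core_t insights_client_etc_t:file { write };`, `#rhsmcertd_*` and `#?sysnet_read_config` lines read as unresolved audit2allow leftovers and should be either dropped or decided on before merge. Finally, `allow insights_core_t insights_client_tmp_t:file { open };` grants open without read or getattr, which looks incomplete, and the raw permission list on `insights_client_etc_rw_t` would be clearer as the matching `*_files_pattern` macro like the surrounding rules.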
