Add policy for insights-core

zpytela · zpytela · commit 77f4ae99d0f3 · 2025-01-17T11:21:27.000+01:00
The insights_core_t domain is used by the insights client with
explicit transition using setexeccon().
diff --git a/policy/modules/contrib/insights_client.if b/policy/modules/contrib/insights_client.if
@@ -320,3 +320,25 @@ interface(`insights_client_write_tmp',`
 	files_search_tmp($1)
 	write_files_pattern($1, insights_client_tmp_t, insights_client_tmp_t)
 ')
+
+########################################
+## <summary>
+##	Allow explicit transition to insights_core_t domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`insights_domtrans_core',`
+	gen_require(`
+		type insights_core_t;
+	')
+
+	allow $1 insights_core_t: process transition;
+	allow insights_core_t $1:fd use;
+	allow insights_core_t $1:fifo_file rw_file_perms;
+	allow insights_core_t $1:process sigchld;
+	allow insights_core_t $1:dir search_dir_perms;
+')
diff --git a/policy/modules/contrib/insights_client.te b/policy/modules/contrib/insights_client.te
@@ -43,6 +43,13 @@ files_tmpfs_file(insights_client_tmpfs_t)
 type insights_client_unit_file_t;
 systemd_unit_file(insights_client_unit_file_t)
 
+type insights_core_t;
+role system_r types insights_core_t;
+domain_type(insights_core_t)
+
+type insights_core_tmp_t;
+files_tmp_file(insights_core_tmp_t)
+
 ########################################
 #
 # insights_client local policy
@@ -417,3 +424,266 @@ optional_policy(`
 optional_policy(`
 	virt_stream_connect(insights_client_t)
 ')
+
+########################################
+#
+# insights_core local policy
+#
+
+# an explicit transition using setexecfilecon()
+insights_domtrans_core(insights_client_t)
+allow init_t insights_core_t:fifo_file write;
+insights_client_filetrans_named_content(insights_core_t)
+
+allow insights_core_t self:capability { dac_read_search setgid sys_admin };
+allow insights_core_t self:capability2 { checkpoint_restore syslog };
+allow insights_core_t self:cap_userns sys_ptrace;
+allow insights_core_t self:process { getattr setpgid };
+
+#allow insights_core_t self:socket_class_set create_socket_perms;
+allow insights_core_t self:appletalk_socket create_socket_perms;
+allow insights_core_t self:ax25_socket create_socket_perms;
+allow insights_core_t self:ipx_socket create_socket_perms;
+allow insights_core_t self:netlink_route_socket r_netlink_socket_perms;
+allow insights_core_t self:netlink_tcpdiag_socket { create_socket_perms nlmsg_read };
+allow insights_core_t self:netrom_socket create_socket_perms;
+allow insights_core_t self:rose_socket create_socket_perms;
+allow insights_core_t self:socket create_socket_perms;
+allow insights_core_t self:tcp_socket create_stream_socket_perms;
+allow insights_core_t self:udp_socket create_socket_perms;
+allow insights_core_t self:unix_dgram_socket create_socket_perms;
+allow insights_core_t self:unix_stream_socket connectto;
+allow insights_core_t self:x25_socket create_socket_perms;
+
+manage_dirs_pattern(insights_core_t, insights_core_tmp_t, insights_core_tmp_t)
+manage_files_pattern(insights_core_t, insights_core_tmp_t, insights_core_tmp_t)
+files_tmp_filetrans(insights_core_t, insights_core_tmp_t, { dir file })
+
+manage_files_pattern(insights_core_t, insights_client_cache_t, insights_client_cache_t)
+
+read_files_pattern(insights_core_t, insights_client_etc_t, insights_client_etc_t)
+create_files_pattern(insights_core_t, insights_client_etc_t, insights_client_etc_t)
+#allow insights_core_t insights_client_etc_t:file { write };
+allow insights_core_t insights_client_etc_rw_t:file { create getattr ioctl open read setattr write };
+
+manage_files_pattern(insights_core_t, insights_client_var_lib_t, insights_client_var_lib_t)
+manage_dirs_pattern(insights_core_t, insights_client_var_lib_t, insights_client_var_lib_t)
+
+append_files_pattern(insights_core_t, insights_client_var_log_t, insights_client_var_log_t)
+create_files_pattern(insights_core_t, insights_client_var_log_t, insights_client_var_log_t)
+
+allow insights_core_t insights_client_var_run_t:file { getattr read };
+
+allow insights_core_t insights_client_tmp_t:file { open };
+
+kernel_dgram_send(insights_core_t)
+kernel_read_all_sysctls(insights_core_t)
+kernel_list_all_proc(insights_core_t)
+kernel_read_proc_files(insights_core_t)
+kernel_list_proc(insights_core_t)
+kernel_read_fs_sysctls(insights_core_t)
+kernel_read_network_state(insights_core_t)
+kernel_read_ring_buffer(insights_core_t)
+kernel_read_security_state(insights_core_t)
+kernel_read_software_raid_state(insights_core_t)
+kernel_read_sysctl(insights_core_t)
+
+corecmd_bin_entry_type(insights_core_t)
+corecmd_exec_bin(insights_core_t)
+
+corenet_tcp_bind_generic_node(insights_core_t)
+corenet_tcp_connect_http_port(insights_core_t)
+
+dev_getattr_all_blk_files(insights_core_t)
+dev_getattr_all_chr_files(insights_core_t)
+dev_read_kmsg(insights_core_t)
+dev_read_netcontrol(insights_core_t)
+dev_read_sysfs(insights_core_t)
+
+domain_getattr_all_sockets(insights_core_t)
+domain_connect_all_stream_sockets(insights_core_t)
+domain_getattr_all_domains(insights_core_t)
+domain_getattr_all_pipes(insights_core_t)
+domain_read_all_domains_state(insights_core_t)
+domain_read_view_all_domains_keyrings(insights_core_t)
+
+files_getattr_all_files(insights_core_t)
+files_getattr_all_blk_files(insights_core_t)
+files_getattr_all_chr_files(insights_core_t)
+files_getattr_all_file_type_fs(insights_core_t)
+files_getattr_all_pipes(insights_core_t)
+files_getattr_all_sockets(insights_core_t)
+files_read_all_symlinks(insights_core_t)
+files_read_non_security_files(insights_core_t)
+
+fs_get_all_fs_quotas(insights_core_t)
+fs_getattr_all_fs(insights_core_t)
+fs_getattr_nsfs_files(insights_core_t)
+fs_read_configfs_dirs(insights_core_t)
+
+optional_policy(`
+	anaconda_domtrans_install(insights_core_t)
+')
+
+optional_policy(`
+	auth_read_passwd_file(insights_core_t)
+')
+
+optional_policy(`
+	bind_domtrans_ndc(insights_core_t)
+#allow insights_core_t named_checkconf_exec_t:file { execute execute_no_trans };
+')
+
+optional_policy(`
+	bootloader_exec(insights_core_t)
+')
+
+optional_policy(`
+	brctl_domtrans(insights_core_t)
+')
+
+optional_policy(`
+	chronyd_domtrans_chronyc(insights_core_t)
+')
+
+optional_policy(`
+	container_runtime_domtrans(insights_core_t)
+')
+
+optional_policy(`
+	dbus_system_bus_client(insights_core_t)
+')
+
+optional_policy(`
+	dmesg_exec(insights_core_t)
+')
+
+optional_policy(`
+	dmidecode_exec(insights_core_t)
+')
+
+optional_policy(`
+	fstools_domtrans(insights_core_t)
+')
+
+optional_policy(`
+	gnome_search_gconf(insights_core_t)
+	gnome_map_generic_cache_files(insights_core_t)
+	gnome_write_generic_cache_files(insights_core_t)
+')
+
+optional_policy(`
+	gpg_entry_type(insights_core_t)
+	gpg_domtrans(insights_core_t)
+	gpg_domtrans_agent(insights_core_t)
+')
+
+optional_policy(`
+	hostname_exec(insights_core_t)
+')
+
+optional_policy(`
+	init_status(insights_core_t)
+	init_rw_stream_sockets(insights_core_t)
+')
+
+optional_policy(`
+	iptables_domtrans(insights_core_t)
+')
+
+optional_policy(`
+	iscsid_domtrans(insights_core_t)
+')
+
+optional_policy(`
+	journalctl_domtrans(insights_core_t)
+')
+
+
+optional_policy(`
+	libs_exec_ldconfig(insights_core_t)
+')
+
+optional_policy(`
+	lpd_domtrans_lpr(insights_core_t)
+')
+
+optional_policy(`
+	logging_domtrans_auditctl(insights_core_t)
+	logging_read_audit_config(insights_core_t)
+	logging_read_audit_log(insights_core_t)
+	logging_send_syslog_msg(insights_core_t)
+	logging_mmap_generic_logs(insights_core_t)
+')
+
+optional_policy(`
+	lvm_domtrans(insights_core_t)
+')
+
+optional_policy(`
+	miscfiles_read_generic_certs(insights_core_t)
+')
+
+optional_policy(`
+	modutils_domtrans_kmod(insights_core_t)
+	modutils_read_module_deps_files(insights_core_t)
+')
+
+optional_policy(`
+	mount_domtrans(insights_core_t)
+')
+
+optional_policy(`
+	networkmanager_dbus_chat(insights_core_t)
+')
+
+optional_policy(`
+	netutils_domtrans_traceroute(insights_core_t)
+')
+
+optional_policy(`
+	openvswitch_domtrans(insights_core_t)
+')
+
+optional_policy(`
+	rhsmcertd_domtrans(insights_core_t)
+	rhsmcertd_read_config_files(insights_core_t)
+	rhsmcertd_write_config_files(insights_core_t)
+	#rhsmcertd_create_lib_files(insights_core_t)
+	#rhsmcertd_write_lib_files(insights_core_t)
+	rhsmcertd_manage_lib_files(insights_core_t)
+	rhsmcertd_append_log(insights_core_t)
+	rhsmcertd_create_log(insights_core_t)
+')
+
+optional_policy(`
+	rpm_domtrans(insights_core_t)
+')
+
+optional_policy(`
+	seutil_domtrans_semanage(insights_core_t)
+')
+
+optional_policy(`
+	ssh_exec(insights_core_t)
+	ssh_exec_sshd(insights_core_t)
+')
+
+optional_policy(`
+	#?sysnet_read_config(insights_core_t)
+	#sysnet_exec_ifconfig(insights_core_t)
+	sysnet_domtrans_ifconfig(insights_core_t)
+')
+
+optional_policy(`
+	systemd_dbus_chat_timedated(insights_core_t)
+	systemd_dbus_chat_localed(insights_core_t)
+	systemd_exec_notify(insights_core_t)
+	systemd_status_all_unit_files(insights_core_t)
+	systemd_userdbd_stream_connect(insights_core_t)
+')
+
+optional_policy(`
+	userdom_search_user_tmp_dirs(insights_core_t)
+	userdom_view_all_users_keys(insights_core_t)
+')
