From 0aa5bd25b5001d908e5ca1903945b59f87c8e371 Mon Sep 17 00:00:00 2001 From: Zdenek Pytela Date: Wed, 4 Dec 2024 16:15:37 +0100 Subject: [PATCH] Add policy for insights-core The insights_core_t domain is used by the insights client with explicit transition using setexecfilecon(). --- policy/modules/contrib/insights_client.if | 22 +++ policy/modules/contrib/insights_client.te | 203 ++++++++++++++++++++++ 2 files changed, 225 insertions(+) diff --git a/policy/modules/contrib/insights_client.if b/policy/modules/contrib/insights_client.if index 3028e79eff..215c99b0d4 100644 --- a/policy/modules/contrib/insights_client.if +++ b/policy/modules/contrib/insights_client.if @@ -320,3 +320,25 @@ interface(`insights_client_write_tmp',` files_search_tmp($1) write_files_pattern($1, insights_client_tmp_t, insights_client_tmp_t) ') + +######################################## +## +## Allow explicit transition to insights_core_t domain. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`insights_domtrans_core',` + gen_require(` + type insights_core_t; + ') + + allow $1 insights_core_t: process transition; + allow insights_core_t $1:fd use; + allow insights_core_t $1:fifo_file rw_file_perms; + allow insights_core_t $1:process sigchld; + allow insights_core_t $1:dir search_dir_perms; +') diff --git a/policy/modules/contrib/insights_client.te b/policy/modules/contrib/insights_client.te index 1c7f2040dd..a8347db98b 100644 --- a/policy/modules/contrib/insights_client.te +++ b/policy/modules/contrib/insights_client.te @@ -43,6 +43,13 @@ files_tmpfs_file(insights_client_tmpfs_t) type insights_client_unit_file_t; systemd_unit_file(insights_client_unit_file_t) +type insights_core_t; +role system_r types insights_core_t; +domain_type(insights_core_t) + +type insights_core_tmp_t; +files_tmp_file(insights_core_tmp_t) + ######################################## # # insights_client local policy @@ -417,3 +424,199 @@ optional_policy(` optional_policy(` virt_stream_connect(insights_client_t) ') + +######################################## +# +# insights_core local policy +# + +# an explicit transition using setexecfilecon() +insights_domtrans_core(insights_client_t) +allow init_t insights_core_t:fifo_file write; + +allow insights_core_t self:capability { dac_read_search setgid sys_admin }; +allow insights_core_t self:capability2 { checkpoint_restore syslog }; +allow insights_core_t self:process { getattr setpgid }; + +#allow insights_core_t self:socket_class_set create_socket_perms; +allow insights_core_t self:appletalk_socket create_socket_perms; +allow insights_core_t self:ax25_socket create_socket_perms; +allow insights_core_t self:ipx_socket create_socket_perms; +allow insights_core_t self:netlink_route_socket r_netlink_socket_perms; +allow insights_core_t self:netlink_tcpdiag_socket { create_socket_perms nlmsg_read }; +allow insights_core_t self:netrom_socket create_socket_perms; +allow insights_core_t self:rose_socket create_socket_perms; +allow insights_core_t self:socket create_socket_perms; +allow insights_core_t self:tcp_socket create_stream_socket_perms; +allow insights_core_t self:udp_socket create_socket_perms; +allow insights_core_t self:unix_dgram_socket create_socket_perms; +allow insights_core_t self:unix_stream_socket connectto; +allow insights_core_t self:x25_socket create_socket_perms; + +manage_dirs_pattern(insights_core_t, insights_core_tmp_t, insights_core_tmp_t) +manage_files_pattern(insights_core_t, insights_core_tmp_t, insights_core_tmp_t) +files_tmp_filetrans(insights_core_t, insights_core_tmp_t, { dir file }) + +manage_files_pattern(insights_core_t, insights_client_cache_t, insights_client_cache_t) + +read_files_pattern(insights_core_t, insights_client_etc_t, insights_client_etc_t) +create_files_pattern(insights_core_t, insights_client_etc_t, insights_client_etc_t) +#allow insights_core_t insights_client_etc_t:file { write }; +allow insights_core_t insights_client_etc_rw_t:file { getattr ioctl open read setattr write }; + +manage_files_pattern(insights_core_t, insights_client_var_lib_t, insights_client_var_lib_t) +manage_dirs_pattern(insights_core_t, insights_client_var_lib_t, insights_client_var_lib_t) + +append_files_pattern(insights_core_t, insights_client_var_log_t, insights_client_var_log_t) +create_files_pattern(insights_core_t, insights_client_var_log_t, insights_client_var_log_t) + +allow insights_core_t insights_client_var_run_t:file { getattr read }; + +allow insights_core_t insights_client_tmp_t:file { open }; + +kernel_read_proc_files(insights_core_t) +kernel_list_proc(insights_core_t) +kernel_read_fs_sysctls(insights_core_t) +kernel_read_network_state_symlinks(insights_core_t) +kernel_read_software_raid_state(insights_core_t) +kernel_read_sysctl(insights_core_t) +kernel_view_key(insights_core_t) + +corecmd_bin_entry_type(insights_core_t) +corecmd_exec_bin(insights_core_t) + +corenet_tcp_bind_generic_node(insights_core_t) +corenet_tcp_connect_http_port(insights_core_t) + +dev_getattr_all_chr_files(insights_core_t) +dev_read_kmsg(insights_core_t) +dev_read_sysfs(insights_core_t) + +domain_getattr_all_sockets(insights_core_t) +domain_connect_all_stream_sockets(insights_client_t) +domain_getattr_all_domains(insights_client_t) +domain_getattr_all_pipes(insights_client_t) +domain_read_all_domains_state(insights_client_t) + +files_getattr_all_files(insights_core_t) +files_getattr_all_blk_files(insights_core_t) +files_getattr_all_chr_files(insights_core_t) +files_getattr_all_file_type_fs(insights_core_t) +files_getattr_all_pipes(insights_core_t) +files_getattr_all_sockets(insights_core_t) +files_read_all_symlinks(insights_core_t) +files_read_non_security_files(insights_core_t) + +fs_getattr_nsfs_files(insights_core_t) + +seutil_domtrans_semanage(insights_core_t) + +optional_policy(` + auth_read_passwd_file(insights_core_t) +') + +optional_policy(` + bootloader_exec(insights_core_t) +') + +optional_policy(` + chronyd_domtrans_chronyc(insights_core_t) +') + +optional_policy(` + dmesg_exec(insights_core_t) +') + +optional_policy(` + dmidecode_exec(insights_core_t) +') + +optional_policy(` + fstools_domtrans(insights_core_t) +') + +optional_policy(` + gnome_search_gconf(insights_core_t) +') + +optional_policy(` + gpg_entry_type(insights_core_t) + gpg_domtrans(insights_core_t) +') + +optional_policy(` + hostname_exec(insights_core_t) +') + + +optional_policy(` + init_rw_stream_sockets(insights_core_t) + init_view_key(insights_core_t) +') + +optional_policy(` + iptables_domtrans(insights_core_t) +') + + +optional_policy(` + journalctl_domtrans(insights_core_t) +') + + +optional_policy(` + libs_exec_ldconfig(insights_core_t) +') + +optional_policy(` + logging_domtrans_auditctl(insights_core_t) +') + +optional_policy(` + lvm_domtrans(insights_core_t) +') + +optional_policy(` + miscfiles_read_generic_certs(insights_core_t) +') + +optional_policy(` + modutils_domtrans_kmod(insights_core_t) +') + +optional_policy(` + mount_domtrans(insights_core_t) +') + + +optional_policy(` + networkmanager_dbus_chat(insights_core_t) +') + +optional_policy(` + rhsmcertd_read_config_files(insights_core_t) +') + +optional_policy(` + rpm_domtrans(insights_core_t) +') + +optional_policy(` + ssh_exec(insights_core_t) +') + +optional_policy(` + #?sysnet_read_config(insights_core_t) + sysnet_exec_ifconfig(insights_core_t) +') + +optional_policy(` + systemd_dbus_chat_timedated(insights_core_t) + systemd_dbus_chat_localed(insights_core_t) + systemd_exec_notify(insights_core_t) + systemd_status_all_unit_files(insights_core_t) +') + +optional_policy(` + userdom_search_user_tmp_dirs(insights_core_t) +')