From b887f389f517de41fc246fd730867821af8b870d Mon Sep 17 00:00:00 2001
From: aphralG <108004222+aphralG@users.noreply.github.com>
Date: Tue, 21 Nov 2023 16:15:11 +0000
Subject: [PATCH] fix selinux policy (#520)
---
scripts/selinux/nginx_agent.fc | 4 ++--
scripts/selinux/nginx_agent.if | 29 +++++++++++++++++++++++++++++
scripts/selinux/nginx_agent.pp | Bin 95276 -> 95726 bytes
scripts/selinux/nginx_agent.te | 7 ++++++-
4 files changed, 37 insertions(+), 3 deletions(-)
diff --git a/scripts/selinux/nginx_agent.fc b/scripts/selinux/nginx_agent.fc
index b1b8b6b4bb..d66db2dd7c 100644
--- a/scripts/selinux/nginx_agent.fc
+++ b/scripts/selinux/nginx_agent.fc
@@ -1,5 +1,5 @@
-/usr/bin/nginx-agent -- gen_context(system_u:object_r:nginx_agent_exec_t,s0)
+/etc/systemd/system/nginx-agent.service -- gen_context(system_u:object_r:nginx_agent_unit_file_t,s0)
-/etc/nginx-agent(/.*)? -- gen_context(system_u:object_r:nginx_agent_config_t,s0)
+/usr/bin/nginx-agent -- gen_context(system_u:object_r:nginx_agent_exec_t,s0)
/var/log/nginx-agent(/.*)? gen_context(system_u:object_r:nginx_agent_log_t,s0)
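Review bot: The context for `/etc/nginx-agent(/.*)?` (`nginx_agent_config_t`) is dropped at L18 with no replacement, so after a relabel the agent's configuration inherits the parent default (presumably `etc_t`) and any rule in nginx_agent.te that still grants access to `nginx_agent_config_t` becomes unreachable; the .te hunks in this patch do not touch that type, so I cannot see whether it is declared elsewhere. If giving up the dedicated config label is deliberate, say so in the commit description or drop the type from the .te in the same change, otherwise restore the line as `/etc/nginx-agent(/.*)? gen_context(system_u:object_r:nginx_agent_config_t,s0)` (without `--`, so the directory itself is labeled too). The new unit-file entry at L17 matches only `/etc/systemd/system/nginx-agent.service`; if the package also installs the unit under a vendor path, that copy stays unlabeled and `nginx_agent_systemctl` will not apply to it — worth confirming against the installer.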
diff --git a/scripts/selinux/nginx_agent.if b/scripts/selinux/nginx_agent.if
index ebd3c5c614..29efb35553 100644
--- a/scripts/selinux/nginx_agent.if
+++ b/scripts/selinux/nginx_agent.if
@@ -97,6 +97,30 @@ interface(`nginx_agent_manage_log',`
manage_files_pattern($1, nginx_agent_log_t, nginx_agent_log_t)
manage_lnk_files_pattern($1, nginx_agent_log_t, nginx_agent_log_t)
')
+########################################
+##
+## Execute nginx_agent server in the nginx_agent domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`nginx_agent_systemctl',`
+ gen_require(`
+ type nginx_agent_t;
+ type nginx_agent_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ systemd_read_fifo_file_passwd_run($1)
+ allow $1 nginx_agent_unit_file_t:file read_file_perms;
+ allow $1 nginx_agent_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, nginx_agent_t)
+')
+
########################################
##
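Review bot: The header comment of the new `nginx_agent_systemctl` interface (L31, L35) is copied from a domtrans template — `## Execute nginx_agent server in the nginx_agent domain.` and `## Domain allowed to transition.` describe a domain transition, which this interface does not grant; it should read `## Execute systemctl on nginx_agent unit files in the caller domain.` with the parameter described as `## Domain allowed access.`. The body itself follows the usual `*_systemctl` shape (systemctl exec, passwd fifo read, unit file read, `manage_service_perms`, `ps_process_pattern`), so no rule change is needed. The interface requires `nginx_agent_unit_file_t`, but neither nginx_agent.te hunk in this patch declares it; if it is not already declared in the .te (e.g. via `systemd_unit_file()`), the module will not build — the rebuilt .pp suggests it exists, but that is worth confirming.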
@@ -119,6 +143,7 @@ interface(`nginx_agent_admin',`
gen_require(`
type nginx_agent_t;
type nginx_agent_log_t;
+ type nginx_agent_unit_file_t;
')
allow $1 nginx_agent_t:process { signal_perms };
@@ -130,6 +155,10 @@ interface(`nginx_agent_admin',`
logging_search_logs($1)
admin_pattern($1, nginx_agent_log_t)
+
+ nginx_agent_systemctl($1)
+ admin_pattern($1, nginx_agent_unit_file_t)
+ allow $1 nginx_agent_unit_file_t:service all_service_perms;
optional_policy(`
systemd_passwd_agent_exec($1)
systemd_read_fifo_file_passwd_run($1)
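Review bot: The three lines added at L66–L68 are inserted directly before `optional_policy(` with no separating blank line, unlike the rest of `nginx_agent_admin`; add an empty line after the `all_service_perms` rule. `nginx_agent_systemctl($1)` already grants `manage_service_perms` on the unit, so the `all_service_perms` allow on L68 supersedes it; that is the conventional admin-interface layout, but a one-line comment such as `# admin may start/stop/reload the unit and edit its file` would make the widened grant (including write access to the unit file via `admin_pattern`) explicit to callers of the admin interface. The gen_require addition at L59 in the previous hunk is the matching declaration and needs no change.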
diff --git a/scripts/selinux/nginx_agent.pp b/scripts/selinux/nginx_agent.pp
index 6a2735074973ed8b2583d1fc6ef3fa4af8e92081..30f652faffe1eac7352147a1b9320451731ad2bb 100644
GIT binary patch
delta 226
zcmZ4Ug7w{NR-yj?H9r{{7#Nsb%Ds$#VOGA$-ER^Mag1G5sVrFlwIQp@7Y
z5{u%CO7k|~tMwAjAqk|*ctn_%W*K?VBRjw!+1Lr0Dv_gOaK4?
diff --git a/scripts/selinux/nginx_agent.te b/scripts/selinux/nginx_agent.te
index 16acfdfabd..a7faac2e4a 100644
--- a/scripts/selinux/nginx_agent.te
+++ b/scripts/selinux/nginx_agent.te
@@ -63,6 +63,8 @@ require {
type sssd_var_lib_t;
type net_conf_t;
type fixed_disk_device_t;
+ type nvme_device_t;
+ type udev_var_run_t;
}
allow nginx_agent_t bin_t:file { execute execute_no_trans };
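Review bot: Adding `nvme_device_t` and `udev_var_run_t` to the unconditional `require` block (L86–L87) makes loading the whole module depend on the target base policy providing both types; on a policy whose storage module lacks `nvme_device_t`, `semodule` rejects the entire nginx_agent module rather than just the nvme rule. The rules that use them are in the next hunk (L97–L99). If older targets matter, move those two types and their allow rules into an `optional_policy(` block with its own `gen_require`, or use the distribution's udev/storage interfaces (e.g. `udev_read_db($1)` for the udev runtime files, if available), which carry their own requires. This matches the existing raw-require style of the file, so the suggestion is about robustness across policy versions, not consistency.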
@@ -142,4 +144,7 @@ allow nginx_agent_t sssd_public_t:dir search;
allow nginx_agent_t sssd_var_lib_t:dir search;
allow nginx_agent_t net_conf_t:file { getattr open read };
allow nginx_agent_t self:udp_socket { connect create getattr setopt };
-allow nginx_agent_t fixed_disk_device_t:blk_file getattr;
\ No newline at end of file
+allow nginx_agent_t fixed_disk_device_t:blk_file getattr;
+allow nginx_agent_t nvme_device_t:blk_file getattr;
+allow nginx_agent_t udev_var_run_t:dir search;
+allow nginx_agent_t udev_var_run_t:file { getattr open read };
\ No newline at end of file
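Review bot: The file still ends without a trailing newline (`\ No newline at end of file` on both sides, L95 and L100), which is why the unchanged `fixed_disk_device_t` rule shows as removed and re-added; ending the file with a newline avoids this churn on every future append. The new `udev_var_run_t:file { getattr open read }` rule at L99 spells the permission set out by hand where the policy macro `read_file_perms` is the conventional form; it is consistent with the existing `net_conf_t` rule above it, so this is style only. A short comment above L97 naming why the agent needs to stat NVMe block devices and read udev's runtime database (presumably for host/disk inventory — to be confirmed) would help the next reviewer judge whether the grant is still needed.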