fix selinux policy

nginx · Nov 21, 2023 · 671beca · 671beca
1 parent 89fc334
commit 671beca
Show file tree

Hide file tree

Showing 4 changed files with 37 additions and 3 deletions.
diff --git a/scripts/selinux/nginx_agent.fc b/scripts/selinux/nginx_agent.fc
@@ -1,5 +1,5 @@
-/usr/bin/nginx-agent		--	gen_context(system_u:object_r:nginx_agent_exec_t,s0)
+/etc/systemd/system/nginx-agent.service		--	gen_context(system_u:object_r:nginx_agent_unit_file_t,s0)
 
-/etc/nginx-agent(/.*)?	    --	gen_context(system_u:object_r:nginx_agent_config_t,s0)
+/usr/bin/nginx-agent		--	gen_context(system_u:object_r:nginx_agent_exec_t,s0)
 
 /var/log/nginx-agent(/.*)?		gen_context(system_u:object_r:nginx_agent_log_t,s0)
diff --git a/scripts/selinux/nginx_agent.if b/scripts/selinux/nginx_agent.if
@@ -97,6 +97,30 @@ interface(`nginx_agent_manage_log',`
 	manage_files_pattern($1, nginx_agent_log_t, nginx_agent_log_t)
 	manage_lnk_files_pattern($1, nginx_agent_log_t, nginx_agent_log_t)
 ')
+########################################
+## <summary>
+##	Execute nginx_agent server in the nginx_agent domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`nginx_agent_systemctl',`
+	gen_require(`
+		type nginx_agent_t;
+		type nginx_agent_unit_file_t;
+	')
+
+	systemd_exec_systemctl($1)
+        systemd_read_fifo_file_passwd_run($1)
+	allow $1 nginx_agent_unit_file_t:file read_file_perms;
+	allow $1 nginx_agent_unit_file_t:service manage_service_perms;
+
+	ps_process_pattern($1, nginx_agent_t)
+')
+
 
 ########################################
 ## <summary>
@@ -119,6 +143,7 @@ interface(`nginx_agent_admin',`
 	gen_require(`
 		type nginx_agent_t;
 		type nginx_agent_log_t;
+	type nginx_agent_unit_file_t;
 	')
 
 	allow $1 nginx_agent_t:process { signal_perms };
@@ -130,6 +155,10 @@ interface(`nginx_agent_admin',`
 
 	logging_search_logs($1)
 	admin_pattern($1, nginx_agent_log_t)
+
+	nginx_agent_systemctl($1)
+	admin_pattern($1, nginx_agent_unit_file_t)
+	allow $1 nginx_agent_unit_file_t:service all_service_perms;
 	optional_policy(`
 		systemd_passwd_agent_exec($1)
 		systemd_read_fifo_file_passwd_run($1)

diff --git a/scripts/selinux/nginx_agent.pp b/scripts/selinux/nginx_agent.pp
diff --git a/scripts/selinux/nginx_agent.te b/scripts/selinux/nginx_agent.te
@@ -63,6 +63,8 @@ require {
 	type sssd_var_lib_t;
 	type net_conf_t;
 	type fixed_disk_device_t;
+	type nvme_device_t;
+	type udev_var_run_t;
 }
 
 allow nginx_agent_t bin_t:file { execute execute_no_trans };
@@ -142,4 +144,7 @@ allow nginx_agent_t sssd_public_t:dir search;
 allow nginx_agent_t sssd_var_lib_t:dir search;
 allow nginx_agent_t net_conf_t:file { getattr open read };
 allow nginx_agent_t self:udp_socket { connect create getattr setopt };
-allow nginx_agent_t fixed_disk_device_t:blk_file getattr;
+allow nginx_agent_t fixed_disk_device_t:blk_file getattr;
+allow nginx_agent_t nvme_device_t:blk_file getattr;
+allow nginx_agent_t udev_var_run_t:dir search;
+allow nginx_agent_t udev_var_run_t:file { getattr open read };