merge from main

scripts/selinux/README.md

@@ -2,6 +2,17 @@
 
 https://www.redhat.com/en/topics/linux/what-is-selinux
 
+# Table of Contents
+- [Prerequisites](#prerequisites)
+- [Enable SELinux](#enable-selinux)
+- [Install NGINX Agent Policy](#install-nginx-agent-policy)
+- [Updating existing policy](#updating-existing-policy)
+- [Troubleshooting](#troubleshooting)
+    - [Policy version does not match](#policy-version-does-not-match)
+    - [Unknown Type](#unknown-type)
+- [Debugging](#debugging)
+- [References](#references)
+
 ## Prerequisites
 ```
 sudo yum install policycoreutils-devel rpm-build
@@ -26,6 +37,9 @@ Policy MLS status:              enabled
 Policy deny_unknown status:     allowed
 Max kernel policy version:      31
 ```
+
+
+## Install NGINX Agent Policy
 To install the nginx-agent policy run the following commands:
 ```
 sudo semodule -n -i /usr/share/selinux/packages/nginx_agent.pp
@@ -36,10 +50,62 @@ sudo restorecon -R /etc/nginx-agent
 ```
 
 ## Updating existing policy
-Copy the folder `scripts/selinux` over to your rhel server.
-Then run the following command to update the policy:
+Check for errors by using the `ausearch` command:
+```
+sudo ausearch -m AVC,USER_AVC,SELINUX_ERR,USER_SELINUX_ERR --raw -se nginx_agent -ts recent
+```
+Generate new rule based on the errors by using `audit2allow`:
+```
+sudo ausearch -m AVC,USER_AVC,SELINUX_ERR,USER_SELINUX_ERR --raw -se nms -ts recent | audit2allow
+```
+
+Update the `scripts/selinux/nginx_agent.te` file with the output from the `audit2allow` command.
+
+Copy the `scripts/selinux/nginx_agent.te` file to a Centos 7 machine and build a new `nginx_agent.pp` file by running the following command:
+```
+make -f /usr/share/selinux/devel/Makefile nginx_agent.pp
+```
+**[NOTE: The policy has to be built on a Centos 7 machine. If it is built on a different OS like RHEL 8/9 then we will encounter this issue [Policy version does not match](#policy-version-does-not-match) when installing it on an older OS like Centos 7. Even if the `audit2allow` command was run on a RHEL 8/9 machine the updates to the policy need to be made on a Centos 7 machine.]**
+
+Install the policy by following the steps here [Install NGINX Agent Policy](#install-nginx-agent-policy)
+
+Then create a PR with the changes made to the `nginx_agent.te` and `nginx_agent.pp` files.
+
+## Troubleshooting
+### Policy version does not match
+If running the command
+```
+sudo semodule -n -i /usr/share/selinux/packages/nginx_agent.pp
+```
+results in the following error
+```
+libsemanage.semanage_pipe_data: Child process /usr/libexec/selinux/hll/pp failed with code: 255. (No such file or directory).
+nginx_agent: libsepol.policydb_read: policydb module version 21 does not match my version range 4-19
+nginx_agent: libsepol.sepol_module_package_read: invalid module in module package (at section 0)
+nginx_agent: Failed to read policy package
+libsemanage.semanage_direct_commit: Failed to compile hll files into cil files.
+ (No such file or directory).
+semodule:  Failed!
+```
+this usually means that the policy file was built on a newer environment than isn't complicate with the environment the policy is being installed on.
+
+To resolve this issue the policy file needs to be rebuilt on a Centos 7 environment. See [Updating existing policy](#updating-existing-policy) for instruction on how to rebuild a policy file.
+
+### Unknown Type
+If running the command
+```
+sudo semodule -n -i /usr/share/selinux/packages/nginx_agent.pp
+```
+results in the following error
+```
+/usr/bin/checkmodule:  loading policy configuration from tmp/nginx_agent.tmp
+nginx_agent.te:52:ERROR 'unknown type bin_t' at token ';' on line 4301:
+```
+that means that the type is unknown and needs to be added to the require block in the `nginx_agent.te` file like this:
 ```
-sudo ./nginx_agent.sh --update
+require {
+    bin_t
+}
 ```
 
 ## Debugging
@@ -48,4 +114,4 @@ sudo ./nginx_agent.sh --update
 * For debugging nginx selinux issues refer to this nginx blog: https://www.nginx.com/blog/using-nginx-plus-with-selinux
 
 ## References
-* https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/using_selinux/writing-a-custom-selinux-policy_using-selinux
+* https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/using_selinux/writing-a-custom-selinux-policy_using-selinux

src/plugins/common.go

@@ -31,7 +31,7 @@ func LoadPlugins(commander client.Commander, binary core.NginxBinary, env core.E
 		}
 	}
 
-	if loadedConfig.IsFeatureEnabled(agent_config.FeatureMetrics) || loadedConfig.IsFeatureEnabled(agent_config.FeatureMetricsSender) && reporter != nil {
+	if (loadedConfig.IsFeatureEnabled(agent_config.FeatureMetrics) || loadedConfig.IsFeatureEnabled(agent_config.FeatureMetricsSender)) && reporter != nil {
 		corePlugins = append(corePlugins,
 			NewMetricsSender(reporter),
 		)