From 1f2bea0ca724b8c382fbc423abe668d6ff257276 Mon Sep 17 00:00:00 2001
From: Aphral Griffin <a.griffin@f5.com>
Date: Wed, 6 Sep 2023 14:24:24 +0100
Subject: [PATCH 1/2] fix selinux policy

---
 scripts/selinux/README.md      |   2 +-
 scripts/selinux/nginx_agent.pp | Bin 143279 -> 95090 bytes
 scripts/selinux/nginx_agent.te | 208 ++++++++++++++-------------------
 3 files changed, 89 insertions(+), 121 deletions(-)

diff --git a/scripts/selinux/README.md b/scripts/selinux/README.md
index 5bf83b164..340a7c29a 100644
--- a/scripts/selinux/README.md
+++ b/scripts/selinux/README.md
@@ -56,7 +56,7 @@ sudo ausearch -m AVC,USER_AVC,SELINUX_ERR,USER_SELINUX_ERR --raw -se nginx_agent
 ```
 Generate new rule based on the errors by using `audit2allow`:
 ```
-sudo ausearch -m AVC,USER_AVC,SELINUX_ERR,USER_SELINUX_ERR --raw -se nms -ts recent | audit2allow
+sudo ausearch -m AVC,USER_AVC,SELINUX_ERR,USER_SELINUX_ERR --raw -se nginx_agent -ts recent | audit2allow
 ```
 
 Update the `scripts/selinux/nginx_agent.te` file with the output from the `audit2allow` command.
diff --git a/scripts/selinux/nginx_agent.pp b/scripts/selinux/nginx_agent.pp
index 6834be7e8f2d0374fea104c8f0f2162c83e1fd86..055c8e21b7ccc9b1980c37a6533a2b047137def4 100644
GIT binary patch
delta 1568
zcmZ8heN3BW5Pz@jOG|0_D$<uiKbXii#171uW)cRQ!WgB(;zxqnx<YX!V#}a&lXl3y
z94vEV-XG6mqV5lqWjKcmF(fm<=77XZff-3GgB8f)k{O9$L^N#md7jegY;x({@A=(5
z_uSokJt5WN&!X;3IPez;f*_-kLgm{UxT4dj#B{2s_hzZ`Kr1qp$^oaZ&W%pdh`C9+
z-ea+E?b8-em`NNJ1zz!|quyVLNBkM+^(WvZf3_G;Pc|a7rR!Q+T3n8IoXw8LhFXU&
zmg4ca&|yYxy9yurV=+H)4xNW`A)m2v{7@cPsAd*pC^MH~aUQR$-r-}miE}<^Q^S*7
z>ut00o3gnz)~UpX_eS7pZdJ6$i5lvY!z^`+yS}l}QGc+$4%^zd!Fo=aZr6%xN?F6L
zt%qy5RlqEjr{3qN^LpOIl_ML)BuaXQ!3n-*r>CW<*?aI^N0YbNhi8u!W9ISaMOG{`
zW2kEzJdtFrJnH;$HEiIT*B^r=@2}-l9jE%<ZgTjTr;!uNPUL_V^N(88tYl65Ya1Kt
z@Z%GE`7_o&im|6d4eO$oywSTC`#bhSCP(a@8c|CFKFh7KPOZoao`uziEg~;JjvqDm
zww`nq%RPdCFj0bEx2E9fA2q#OZ~mgi^4T;j`k`X=zZ_(^uQe4P{#LoF&Cf-(-OEw!
z5k@>lcp1N#O;fU73B?K;|3#ub0BNLK1RD-aO8C)?TTW+=ozP2M>>_rk!KG;%-k-h(
z0w#pY@bn#t4}gqYHItH3Nh31Hq|i%PGwGrtku?D*MAK+IR()sScPds1rWpx0-*(Ft
zf`&WXzb)a&Yz4~==YDd_lZEpfw+1Cthg=l1;nk2)R-DCQ`&5Qp5G<JaYbkE|TaVpA
z4Sq6RMZ*ak>si)wm&?o2f1bLHr@``6(2oKpA~q|9D&j}Blz?89Kmmpkj~`x@bwM-{
zh$Ux|p`2KhV2F|wjP#0Ja0_Ji4cMiO_!biYaN_0Qc2ZOVQWT8_daM%msYr^l$a6?o
z1A21x7*vv;B+zqe3_V(yu2$052{MI17UICU+6G$3Xf#rt3%gjWD)G}L9nR0G$(OCL
z2~EL7*4W2-fkiiCFfmk$)?fx3Zv|l2Ni&*$&&Kmh$)u<db~1&|m7R<S;58Z~mv|)D
z&Kz*ZXeo9D4QT(vMs10VN_2LtK@;Z9v4|3}Zw5QgET*z-Dr6QJj@_-}!?k-NGP$O^
zY}hjJ&VwD~lpa#~@X&@5Fwi2h4zcdeJ}AR;D+XFe745D~n@CY9ku62~!#%C(WYYyY
zU!Mmw%9ZeZI2<<joxK2`0VuH~kb>4R4aQGsNcTlB^aU=$JslJfS3lH{seVX}Webq6
zK5}b>egI4T@C12k0IJBX0WcDA5MCg!4^r~tAY6)Pd+Of}MY^wnjhL>(P7T{m(M?30
zH$X=m-+)oa_R;?~5j)Kz*Kfc&k~Rbzh+_!Wldp#8t$z+dP6AsBJe|l|A^F2Jfe(k_
TIdX3p9K=5Y#=h@IV9xyy^~(bz

delta 8973
zcmeHNdu&tJ8TU1Q=Vb^bu@lD$MPh}P$5uL4XfcB(fuxks(v@w*IJQY#634M`Iv_6x
z_RpBam_AK+Wn0juZQ38BjHMFNCZSFu4WWrC6)oe@q{%`^6D29rG-+A~`@VC1ukXEf
zy7&G{By;ci-sha}JLlZ<<Bt=@b0e1g?>ub(3#ZfR^!QtfKU0DJe15jY=)`wt?+VL0
zuGeS%L5p!8w)X+o=H+&PuWc2V3;WyLaHiV`$J*AyNZSUZ4JE2zac6OEkZ<KfjWI88
zMN$r|J?@6iJ_~r-8=2XyjB@gl#eFCk4F?;&u_G})*yN4zK0fG;27Q5Gl#FdcM@4z{
zu~;P9eE5i$x3Cb92Cm~~j)z~iKMrFZ#o2)df5h+Q&B%U*RNznT>$r{V&C_8p68&jv
zW!DFJ9_^Tru!jP*H3x!X^NURSM2C%A11-l(ptobSaWRT*fKzQn%j$eFjH}suFw}_h
zM<PKxvMNY$3C11pHa6FX!T~Rzi{$6gQW+RJ`?;O?=Fav;nxnjzr~bTz8pY;VL%<sj
z@=)BhjjLg9+q!a$g~(q`7M;wZI3j+&(HlG*#J-XG7AE|Qt~z5rwpLNA(BBYk4j&14
zTf-qf8D2Ir_Y!k)G=gL5kA@=XpCT?N|90}P5Vu3q@#WMFuOCgl+Fa-5DVFuASdzVa
z%@_4XTf-vz$rL-{i^aYX@XG8g)Lu^h?UCljkpIXbjErA`L_H4qN;nWV8H=#>1+w5`
zolRQs)d$0TvcHsxo5_eno_=M_$lcDm7-^322SbOwO+L(^D0UO(j=LX`sF9HWP;11?
z(@gG0`7*o02!*tbj1>4<10h~DD5UTu;w=+XMx$nD3H;l*(?}`#WfIIu8evKL1f%%t
zqs`=<hSNfML}?43#uqa!50gn20MmK~M`XE)H=_9C#Dpiht=x<BmgNsp4pAaMMeS^w
zD$F+`ynuu<=<Hs}^897SZt{f#IFFR)&!N#`8_hX0oKJik--Kb2@(L!-w}ykrC-F)m
zWVHr@uZi+5YQt3bDkJ6g=a{%Ox-CuhQP^^<-na}|pQq_8OrK7k(y<!#%3$!AjoU?U
zHq0ooSXPpjm69(|*BT4JUyrqN&mwK5k<?1a-Qw1;zd3v`#6qO?<T0Y=N{P?sAn7a2
z{zY6Avf;ZO?wnAxrOwyr3;VHJtx(qC&W%R=b*x0m!dkLmql9e?;V@Ytx7*#D`^|u7
z(FVN^M*FwoYE|6(-le%5Xu9KqiHS-G-zkLJ531n#n__#{O|jiHL+t~M_p{p$NDP=@
za-tl5ep}@K?L$%i!G~gd^nFR@IiUC253=FnY&DGCc#HX&`h79X-Z>!KIgR>PZ&twY
ztwNbLe9I3xH&S+TZUmqMZC$)w1w*3_STkJ>iP1uMFsN=5{f&<b%{0$1ZeIaq80WXg
z3Yh$fu|f#HvlA-ccCvQQ-C}t5<4Ta8#3y}vu1ZwFx5h+2)P69SS+8fX9NruVK>N58
zW8cY@!teTBaAIZ${9(KRy;UNm<!C;fI%<H#JJrh8B@3)cY*$cb6H0z=zhx2CRLj7A
z)=TO=MZvtiFZN(;T#Oi>W=f`|dIL?Z!lq~?o=(-<br2b-o!9j6v}l^1G-z)QIR7bG
z8n|mS4%GzEP|(0WHCqg?PF3Qw5UxzA+ARF8rwwp_#wW>`DeZ~&<Gvzzcg6s3O)h~?
za3Fi;9Pn<3nFiG=ZR@3Qrq4B>R1Qhe5`_bbLwfb27t97~;25Ze%SLiI>d1l8i3)I!
z6yY3IfNR8Id<Lmoz>Rg{AEueD0^hKUaec!yGt_pN>4c%vaV+nyj*8vRl&7SRd8`<w
z3i#oybCH;{6`Tjo4;`Qw<rmDO89&Z!*&w5r!uoqy4p%Eks1&-#9T>Oh_srcQme;c^
zZ>!)(cU^LxQ)Z_4#Vme_pGp4KWI3F==Y(f3@5E;bByjpVG3ziT3~`F?S3^GN7<aIO
zp%m@;xEce&gquFFP^i$pP^kZ5p_;@(#d56FV}4(}gv(N*q6Cv($9d>q#UE9#RHi%h
zcoy3=<fW4az9sdNt<LE>mrn0Nj`B}hN~AjatomKpXH*L(EbKG18~uCx3?{ZkN>G;A
z7LPJ5@m-VH205_}k{(NJ1F*z4WKx$lCiS%aqa(@5={>j=;aaZRiafLx={@V9cCt>7
zn~$QnQbY_z@3BiF$x8HiM1n`9BNI_a-1%5{JaRYVqE=j~g?o(JMeU>y7D{$u$N4WF
z4L9V(lhsEhWk{Xm+1Y(#W^R^TtvWhhs%_|H8?{3om41qo$Y4FiolVT6$NWlVUN)gQ
zL)NIA;b%qiqeL4<ijygf6jvLD%+Z8VzEG13r@;Tw=Nd~j{Mtx<$f+wW_1)cbSzR$Q
z=QAtSK5vPnIGIW$#nqOG%u$tyc7?#rRlYA!$F1OGSRqneann|OKdNg#E<4cHeu|T+
zV=1n-V=_n8v1?O)ye6t;*GA$sP!(<K|MC%Fw>6Gxw5WRE+;z7#58v?Jf*-r>1#t3G
zac&&jj86;>c3&@n2jdo)=wFwoVi|Poc4lH?qgutlR62)WS)?bCw`<JgqwxD2jJ~%Y
z*4)~x7Pp|dTaTAZ>l3f59pHTeUH=^I-<W~EHv^5ys;%2uFo~&5CS1@nm`<-5aM48o
zoE^&S;?`uk4uy%f(p|rtG0OSf()HJ|^sq|Bkw|l$q^G$q#a?S%r$p5uAzkdTCVCIV
z`%2*S_>P4gXJN<rKkYc``iWB#Yf14wr<q+!=-6pcoy#7%Ow?+g^m0Ja`O_XZL0qi*
zHz<}$_hmO;%57Hr!<&%qJ_nZvd6PTjduzP1V|RL2rZy||M@Ak6EME-;3s*_$V?LA=
z)Jm6mFsO~AR9cBO@s&c&br&RVYE~?~kEIn0S8k2GeI9wsJo1)#<ULG2ZJEO@hy1F?
z;oJa1y%W3CceFK%L72Yc#tTyAU=jr<LnDL3qNbR{<2%^rYTdMRiA|mE(}%MU>Cb~S
ze9&Ik+dcPF4$l7h5!?Z@;f=m*IDOyQ+j#$8KDSSJ$;f@xN?=xqAXDM2jdKXUHgZdZ
zF(c>5wIKt+*(7`|%o(|_?<ORCexRBhN<Y$;@k(Bz(vxsPau`J{SJ-0W9y1VTE$lUM
zyQ~DnF_=;Ko{4M7BJ42<I15{C+_EJE-HLdygft6tChj-c<Smv&lZ6Xru6ik5<4ckf
zf-Iajb4!Iq7H&@$!NwA9ra&~6aS~FZgpHLv7Ka8sPUDM6z6>QR`TLdOX+dSBpi)kY
zE-U4-FjyI57JL?NT^AwC(g<XLm6h5AG0T%R&u~zeCAd?9n3Xn^d;*&f65gv6pvi3D
z`G^W#RtgXbosK^%CCG#Zg{Hpd3l}V$YXv2i1U)OYh%N!p!etBhB$JfjX00R+8U0@a
zUiieqZ89=+S#VgnO>WA~B$}+$AqbIDPbjx?k20YohO8ALBw6^HmD^~il9Ps#kYnK|
zXx~ZDamM-Lg=<!B8`Bc`B0?;fY+Tby%2FjPtn_L{UNXsrpp9FdL&7p3EOgtrd~*^F
Q7V<1y!G+gt+|7o+13vgp&Hw-a

diff --git a/scripts/selinux/nginx_agent.te b/scripts/selinux/nginx_agent.te
index 541111474..24fbf6202 100644
--- a/scripts/selinux/nginx_agent.te
+++ b/scripts/selinux/nginx_agent.te
@@ -35,141 +35,109 @@ files_read_etc_files(nginx_agent_t)
 
 miscfiles_read_localization(nginx_agent_t)
 
+domain_read_all_domains_state(nginx_agent_t)
+
 require {
-	type unconfined_t;
+	type bin_t;
+	type fs_t;
+	type sysctl_net_t;
+	type proc_net_t;
+	type sysfs_t;
+	type var_lib_t;
 	type var_run_t;
-	type rpcbind_t;
-	type system_cronjob_t;
-	type policykit_t;
-	type irqbalance_t;
-	type tuned_t;
-	type postfix_pickup_t;
-	type dhcpc_t;
-	type system_dbusd_t;
-	type postfix_qmgr_t;
-	type nginx_agent_t;
-	class sock_file { create setattr unlink };
-	class netlink_route_socket { bind create getattr nlmsg_read };
-	class capability sys_ptrace;
-	class dir { getattr search };
-	class file { getattr open read };
+	type httpd_config_t;
+	type httpd_exec_t;
+	type httpd_log_t;
+	type passwd_file_t;
+	type shell_exec_t;
+	type http_port_t;
+	type node_t;
+	type transproxy_port_t;
+	type cert_t;
+	type httpd_t;
+	type httpd_var_run_t;
+	type dosfs_t;
+	type httpd_cache_t;
+	class dir watch;
+	type sssd_public_t;
+	type sssd_var_lib_t;
+	type net_conf_t;
 }
 
-#============= nginx_agent_t ==============
-allow nginx_agent_t dhcpc_t:dir { getattr search };
-allow nginx_agent_t dhcpc_t:file { getattr open read };
-allow nginx_agent_t irqbalance_t:dir { getattr search };
-allow nginx_agent_t irqbalance_t:file { getattr open read };
-allow nginx_agent_t policykit_t:dir { getattr search };
-allow nginx_agent_t policykit_t:file { getattr open read };
-allow nginx_agent_t postfix_pickup_t:dir { getattr search };
-allow nginx_agent_t postfix_pickup_t:file { getattr open read };
-allow nginx_agent_t postfix_qmgr_t:dir { getattr search };
-allow nginx_agent_t postfix_qmgr_t:file { getattr open read };
-allow nginx_agent_t rpcbind_t:dir { getattr search };
-allow nginx_agent_t rpcbind_t:file { getattr open read };
+allow nginx_agent_t bin_t:file { execute execute_no_trans };
+allow nginx_agent_t fs_t:filesystem getattr;
+allow nginx_agent_t proc_net_t:file { getattr open read };
+allow nginx_agent_t proc_t:dir read;
+allow nginx_agent_t proc_t:file { getattr open read };
+allow nginx_agent_t proc_t:filesystem getattr;
 allow nginx_agent_t self:capability sys_ptrace;
 allow nginx_agent_t self:netlink_route_socket { bind create getattr nlmsg_read };
-allow nginx_agent_t system_cronjob_t:dir { getattr search };
-allow nginx_agent_t system_cronjob_t:file { getattr open read };
-allow nginx_agent_t system_dbusd_t:dir { getattr search };
-allow nginx_agent_t system_dbusd_t:file { getattr open read };
-allow nginx_agent_t tuned_t:dir { getattr search };
-allow nginx_agent_t tuned_t:file { getattr open read };
-allow nginx_agent_t unconfined_t:dir { getattr search };
-allow nginx_agent_t unconfined_t:file { getattr open read };
-allow nginx_agent_t var_run_t:sock_file { create setattr unlink };
-chronyd_systemctl(nginx_agent_t)
-corecmd_exec_ls(nginx_agent_t)
-cron_read_state_crond(nginx_agent_t)
-dev_list_sysfs(nginx_agent_t)
-dev_read_sysfs(nginx_agent_t)
-files_manage_generic_tmp_files(nginx_agent_t)
-files_read_var_lib_files(nginx_agent_t)
-files_rw_pid_dirs(nginx_agent_t)
-fs_getattr_xattr_fs(nginx_agent_t)
-getty_systemctl(nginx_agent_t)
-gssproxy_systemctl(nginx_agent_t)
-init_read_state(nginx_agent_t)
-kernel_getattr_proc(nginx_agent_t)
-kernel_list_proc(nginx_agent_t)
-kernel_read_net_sysctls(nginx_agent_t)
-kernel_read_network_state(nginx_agent_t)
-kernel_read_state(nginx_agent_t)
-kernel_read_system_state(nginx_agent_t)
-kernel_search_network_sysctl(nginx_agent_t)
-logging_systemctl_audit(nginx_agent_t)
-postfix_read_master_state(nginx_agent_t)
-ssh_systemctl(nginx_agent_t)
-systemd_logind_read_state(nginx_agent_t)
-udev_read_state(nginx_agent_t)
+allow nginx_agent_t sysctl_net_t:dir search;
+allow nginx_agent_t sysctl_net_t:file { open read };
+allow nginx_agent_t sysfs_t:dir read;
+allow nginx_agent_t sysfs_t:file { getattr open read };
+allow nginx_agent_t sysfs_t:lnk_file read;
 
-require {
-	type policykit_t;
-	type dhcpc_t;
-	type rpcbind_t;
-	type nginx_agent_t;
-	class dir { getattr search };
-	class file { getattr open read };
-}
-
-#============= nginx_agent_t ==============
+#!!!! WARNING: 'tmp_t' is a base type.
+allow nginx_agent_t tmp_t:file write;
 
-#!!!! This avc is allowed in the current policy
-allow nginx_agent_t dhcpc_t:dir { getattr search };
+#!!!! WARNING: 'var_lib_t' is a base type.
+allow nginx_agent_t var_lib_t:file { getattr open read };
 
-#!!!! This avc is allowed in the current policy
-allow nginx_agent_t policykit_t:file { getattr open read };
+#!!!! WARNING: 'var_run_t' is a base type.
+allow nginx_agent_t var_run_t:dir { add_name remove_name write };
 
-#!!!! This avc is allowed in the current policy
-allow nginx_agent_t rpcbind_t:file { getattr open read };
-kernel_read_network_state(nginx_agent_t)
-
-require {
-	type unconfined_t;
-	type httpd_var_run_t;
-	type http_port_t;
-	type nginx_agent_t;
-	type netutils_t;
-	class capability { dac_override net_bind_service };
-	class tcp_socket { bind connect create getattr getopt name_bind name_connect setopt };
-	class lnk_file read;
-	class dir { getattr search };
-	class file { getattr open read write };
-}
+#!!!! WARNING: 'var_run_t' is a base type.
+allow nginx_agent_t var_run_t:sock_file { create setattr unlink };
 
-#============= nginx_agent_t ==============
-allow nginx_agent_t http_port_t:tcp_socket { name_bind name_connect };
+#!!!! This avc can be allowed using the boolean 'domain_can_mmap_files'
+allow nginx_agent_t bin_t:file map;
+allow nginx_agent_t httpd_config_t:dir { getattr open read search };
+allow nginx_agent_t httpd_config_t:file { getattr open read };
+
+#!!!! This avc can be allowed using the boolean 'domain_can_mmap_files'
+allow nginx_agent_t httpd_exec_t:file map;
+allow nginx_agent_t httpd_exec_t:file { execute execute_no_trans getattr open read };
+allow nginx_agent_t httpd_log_t:dir search;
+allow nginx_agent_t passwd_file_t:file { getattr open read };
+allow nginx_agent_t self:capability dac_read_search;
+
+#!!!! This avc can be allowed using the boolean 'domain_can_mmap_files'
+allow nginx_agent_t shell_exec_t:file map;
+allow nginx_agent_t shell_exec_t:file { execute execute_no_trans };
+allow nginx_agent_t tmp_t:dir { add_name write };
+allow nginx_agent_t tmp_t:file create;
+allow nginx_agent_t http_port_t:tcp_socket name_connect;
+allow nginx_agent_t self:tcp_socket { connect create getattr getopt setopt };
+allow nginx_agent_t httpd_config_t:lnk_file getattr;
+allow nginx_agent_t node_t:tcp_socket node_bind;
+allow nginx_agent_t self:tcp_socket { accept bind listen };
+allow nginx_agent_t transproxy_port_t:tcp_socket name_bind;
+
+allow nginx_agent_t cert_t:file { getattr open read };
+allow nginx_agent_t http_port_t:tcp_socket name_bind;
+allow nginx_agent_t httpd_config_t:file write;
+allow nginx_agent_t httpd_log_t:file { open read };
+allow nginx_agent_t httpd_t:process signal;
 allow nginx_agent_t httpd_var_run_t:file { open read write };
-allow nginx_agent_t netutils_t:dir { getattr search };
-allow nginx_agent_t netutils_t:file { getattr open read };
 allow nginx_agent_t self:capability { dac_override net_bind_service };
-allow nginx_agent_t self:tcp_socket { bind connect create getattr getopt setopt };
-allow nginx_agent_t unconfined_t:lnk_file read;
-apache_exec(nginx_agent_t)
-apache_manage_config(nginx_agent_t)
-apache_read_config(nginx_agent_t)
-apache_read_log(nginx_agent_t)
-apache_signal(nginx_agent_t)
-apache_systemctl(nginx_agent_t)
-auth_read_passwd(nginx_agent_t)
-corenet_tcp_bind_generic_node(nginx_agent_t)
-files_manage_urandom_seed(nginx_agent_t)
-miscfiles_read_certs(nginx_agent_t)
+allow nginx_agent_t cert_t:dir search;
 
-require {
-	type sshd_net_t;
-	type rpm_script_t;
-	type mandb_t;
-}
+#!!!! WARNING: 'var_lib_t' is a base type.
+allow nginx_agent_t var_lib_t:file write;
 
-allow nginx_agent_t mandb_t:dir { getattr search };
-allow nginx_agent_t mandb_t:file { getattr open read };
-allow nginx_agent_t rpm_script_t:dir { getattr search };
-allow nginx_agent_t rpm_script_t:file { getattr open read };
-allow nginx_agent_t sshd_net_t:dir { getattr search };
-allow nginx_agent_t sshd_net_t:file { getattr open read };
+allow nginx_agent_t dosfs_t:filesystem getattr;
+allow nginx_agent_t httpd_cache_t:dir { getattr search };
+allow nginx_agent_t proc_net_t:lnk_file read;
+allow nginx_agent_t tmp_t:file open;
+allow nginx_agent_t httpd_config_t:dir watch;
 
 apache_list_cache(nginx_agent_t)
+apache_manage_config(nginx_agent_t)
 fs_getattr_dos_fs(nginx_agent_t)
-init_read_script_state(nginx_agent_t)
+kernel_read_network_state_symlinks(nginx_agent_t)
+
+allow nginx_agent_t sssd_public_t:dir search;
+allow nginx_agent_t sssd_var_lib_t:dir search;
+allow nginx_agent_t net_conf_t:file { getattr open read };
+allow nginx_agent_t self:udp_socket { connect create getattr setopt };

From 3d1e909e9f80d92676c9097c15523a478dc65342 Mon Sep 17 00:00:00 2001
From: Aphral Griffin <a.griffin@f5.com>
Date: Wed, 6 Sep 2023 15:16:37 +0100
Subject: [PATCH 2/2] rocky 8 change

---
 scripts/selinux/nginx_agent.pp | Bin 95090 -> 95276 bytes
 scripts/selinux/nginx_agent.te |   2 ++
 2 files changed, 2 insertions(+)

diff --git a/scripts/selinux/nginx_agent.pp b/scripts/selinux/nginx_agent.pp
index 055c8e21b7ccc9b1980c37a6533a2b047137def4..6a2735074973ed8b2583d1fc6ef3fa4af8e92081 100644
GIT binary patch
delta 165
zcmezLjCIWmR-yj?H9r{{7#Ns<SOkchqc;k@s$w+*GR-zKR`am23WJ!F6RV|#(=sbk
zQ{q!Hi?icXQp+-vQ{ziE^EReBGv_lfOn!LWadO>Jna!7uIA~2)dgjKcFj?`aC@VKm
ux4>k@U&50=RPjvKdmqGTzq#@KB~eDR?IEm;E11PW#$z#f`v(rjrYrzV=r_0k

delta 103
zcmZ4Ug7wogR-yj?H9r{{7#Ns<SOkbqMr{;&RmExwWSVYftma|c?9iC%%$&!-FnPmq
z$H~4&6*hAowb7dVph{-)(f2`&@{=e0lAV0_2+!oa7LLuH9~O!-nr?s1%D94g`!-I-
GvMc~w2qtU*

diff --git a/scripts/selinux/nginx_agent.te b/scripts/selinux/nginx_agent.te
index 24fbf6202..16acfdfab 100644
--- a/scripts/selinux/nginx_agent.te
+++ b/scripts/selinux/nginx_agent.te
@@ -62,6 +62,7 @@ require {
 	type sssd_public_t;
 	type sssd_var_lib_t;
 	type net_conf_t;
+	type fixed_disk_device_t;
 }
 
 allow nginx_agent_t bin_t:file { execute execute_no_trans };
@@ -141,3 +142,4 @@ allow nginx_agent_t sssd_public_t:dir search;
 allow nginx_agent_t sssd_var_lib_t:dir search;
 allow nginx_agent_t net_conf_t:file { getattr open read };
 allow nginx_agent_t self:udp_socket { connect create getattr setopt };
+allow nginx_agent_t fixed_disk_device_t:blk_file getattr;
\ No newline at end of file