## policy for insights_client
########################################
##
## Execute insights_client_exec_t in the insights_client domain.
##
##
##
## Domain allowed to transition.
##
##
#
interface(`insights_client_domtrans',`
gen_require(`
type insights_client_t, insights_client_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, insights_client_exec_t, insights_client_t)
')
######################################
##
## Execute insights_client in the caller domain.
##
##
##
## Domain allowed access.
##
##
#
interface(`insights_client_exec',`
gen_require(`
type insights_client_exec_t;
')
corecmd_search_bin($1)
can_exec($1, insights_client_exec_t)
')
########################################
##
## Read and write a insights_client unnamed pipe.
##
##
##
## Domain allowed access.
##
##
#
interface(`insights_client_rw_pipes',`
gen_require(`
type insights_client_t;
')
allow $1 insights_client_t:fifo_file rw_inherited_fifo_file_perms;
')
########################################
##
## Allow the specified domain to search
## insights configuration dirs.
##
##
##
## Domain allowed access.
##
##
#
interface(`insights_search_config',`
gen_require(`
type insights_client_etc_t;
')
files_search_etc($1)
allow $1 insights_client_etc_t:dir search_dir_perms;
')
########################################
##
## Transition to insights_client named content
##
##
##
## Domain allowed access.
##
##
#
interface(`insights_client_filetrans_named_content',`
gen_require(`
type insights_client_etc_t, insights_client_etc_rw_t;
type insights_client_tmp_t;
type insights_client_var_run_t;
')
filetrans_pattern($1, insights_client_etc_t, insights_client_etc_rw_t, file, ".cache.json")
filetrans_pattern($1, insights_client_etc_t, insights_client_etc_rw_t, file, ".cache.json.asc")
filetrans_pattern($1, insights_client_etc_t, insights_client_etc_rw_t, file, ".insights-core.etag")
filetrans_pattern($1, insights_client_etc_t, insights_client_etc_rw_t, file, ".insights-core-gpg-sig.etag")
filetrans_pattern($1, insights_client_etc_t, insights_client_etc_rw_t, file, ".lastupload")
filetrans_pattern($1, insights_client_etc_t, insights_client_etc_rw_t, file, ".last-upload.results")
filetrans_pattern($1, insights_client_etc_t, insights_client_etc_rw_t, file, ".registered")
filetrans_pattern($1, insights_client_etc_t, insights_client_etc_rw_t, file, ".unregistered")
filetrans_pattern($1, insights_client_etc_t, insights_client_etc_rw_t, file, "insights-client-egg-release")
filetrans_pattern($1, insights_client_etc_t, insights_client_etc_rw_t, file, "machine-id")
files_pid_filetrans($1, insights_client_var_run_t, file, "insights-client.pid")
files_tmp_filetrans($1, insights_client_tmp_t, dir, "insights-client")
files_tmp_filetrans($1, insights_client_tmp_t, file, "insights-client.ppid")
')
########################################
##
## Transition to insights_client named content in /tmp
##
##
##
## Domain allowed access.
##
##
#
interface(`insights_client_filetrans_tmp',`
gen_require(`
type insights_client_tmp_t;
')
files_tmp_filetrans($1, insights_client_tmp_t, dir, "insights-client")
files_tmp_filetrans($1, insights_client_tmp_t, file, "insights-client.ppid")
')
########################################
##
## Transition to insights_client named content in /var/run
##
##
##
## Domain allowed access.
##
##
#
interface(`insights_client_filetrans_run',`
gen_require(`
type insights_client_var_run_t;
')
files_pid_filetrans($1, insights_client_var_run_t, file, "insights-client.pid")
')
########################################
##
## Read insights_client config files.
##
##
##
## Domain allowed access.
##
##
#
interface(`insights_client_read_config',`
gen_require(`
type insights_client_etc_t, insights_client_etc_rw_t;
')
files_search_etc($1)
read_files_pattern($1, insights_client_etc_t, insights_client_etc_t)
read_files_pattern($1, insights_client_etc_rw_t, insights_client_etc_rw_t)
')
########################################
##
## Read insights_client lib files.
##
##
##
## Domain allowed access.
##
##
#
interface(`insights_client_read_lib_files',`
gen_require(`
type insights_client_var_lib_t;
')
files_search_var_lib($1)
read_files_pattern($1, insights_client_var_lib_t, insights_client_var_lib_t)
allow $1 insights_client_var_lib_t:file map;
')
########################################
##
## Manage insights_client lib directories..
##
##
##
## Domain allowed access.
##
##
#
interface(`insights_client_manage_lib_dirs',`
gen_require(`
type insights_client_var_lib_t;
')
files_search_var_lib($1)
manage_dirs_pattern($1, insights_client_var_lib_t, insights_client_var_lib_t)
')
########################################
##
## Watch insights_client lib directories..
##
##
##
## Domain allowed access.
##
##
#
interface(`insights_client_watch_lib_dirs',`
gen_require(`
type insights_client_var_lib_t;
')
files_search_var_lib($1)
watch_dirs_pattern($1, insights_client_var_lib_t, insights_client_var_lib_t)
')
########################################
##
## Manage insights_client lib files.
##
##
##
## Domain allowed access.
##
##
#
interface(`insights_client_manage_lib_files',`
gen_require(`
type insights_client_var_lib_t;
')
files_search_var_lib($1)
manage_files_pattern($1, insights_client_var_lib_t, insights_client_var_lib_t)
allow $1 insights_client_var_lib_t:file map;
')
########################################
##
## Write to insights_client lib socket files.
##
##
##
## Domain allowed access.
##
##
#
interface(`insights_client_write_lib_sock_files',`
gen_require(`
type insights_client_var_lib_t;
')
files_search_var_lib($1)
write_sock_files_pattern($1, insights_client_var_lib_t, insights_client_var_lib_t)
')
########################################
##
## Manage insights_client lib socket files.
##
##
##
## Domain allowed access.
##
##
#
interface(`insights_client_manage_lib_sock_files',`
gen_require(`
type insights_client_var_lib_t;
')
files_search_var_lib($1)
manage_sock_files_pattern($1, insights_client_var_lib_t, insights_client_var_lib_t)
')
########################################
##
## Read insights_client temporary files.
##
##
##
## Domain allowed access.
##
##
#
interface(`insights_client_read_tmp',`
gen_require(`
type insights_client_tmp_t;
')
files_search_tmp($1)
read_files_pattern($1, insights_client_tmp_t, insights_client_tmp_t)
')
########################################
##
## Write/append insights_client temporary files.
##
##
##
## Domain allowed access.
##
##
#
interface(`insights_client_write_tmp',`
gen_require(`
type insights_client_tmp_t;
')
files_search_tmp($1)
write_files_pattern($1, insights_client_tmp_t, insights_client_tmp_t)
')