From 41028c517e12b04f5346b68ac080c736794bcd53 Mon Sep 17 00:00:00 2001 From: dhurley Date: Thu, 29 Sep 2022 14:55:40 +0100 Subject: [PATCH] Updated selinux policy to remove container_runtime_t module and add new permissions --- scripts/selinux/nginx_agent.pp | Bin 149697 -> 164471 bytes scripts/selinux/nginx_agent.te | 31 ++++++++++++++++++++++++++++--- 2 files changed, 28 insertions(+), 3 deletions(-) 
diff --git a/scripts/selinux/nginx_agent.pp b/scripts/selinux/nginx_agent.pp index 2be1430cabff54b12bf15b317582a833b767417c..b946eadb05e70094a6d22c1bec10377d2bced937 100644 GIT binary patch delta 4849 zcmeHLdr(y875Bihh%9kI9*eu|E{#!=QnQ)(K!W9Be4r4si7{d{*+mxPs(}?3J2s$; z;tP4G$Kj;Wv}?zisx5UD>sG}K{L?Uf1x!q0v`QXGG?H0uR7kA$eBTDe#-W`~|L7m= z%$@z+^PPL%-#OpCE!!h*Rt}4)yHnN+Lxv0q;VYJ}KR6G?{HZL;#ZX+4e5o+2R*zxj z8F+P#0o$t753R~Cv6Yk-+1wBDavrWIp92p3WSs$h)hg^PKLhC)y*?Q`)beZsGfAK}JpGL|85zv{%l8iTDKD{!XP9?AWr^ zfErJP+O1>eIn44fj@}RplLX6-bt+u2p$UqGqPUWxR~@#}BB$H7*txvW<`#x5mNG@q z(l%zoe7<{(zB&UDVM5wMDeb+Du`q?DC510{7OY<8bYpwv4{+?JELb4d%W9&~yQvs0 z)uSR_%U|g(EMd`@?=fL+_0TAnvtU`N%jOmyJ}+{j>1RPS{&lknn>NQ`%q9bNZyt_W z=w!VNXD-3M<40u&OwtuF}!vXyvV7o0YwNKRZyj^8#JYF|3i;gA09O^g$(KzYU z7%Xd_PjC64fOh-9EJVm(cVqskv%}HyxdA;_viW~04*TpV2ClWDqRfu;EI<&oIY znS%!}#i4RB8y9|)hugkPk^H;A%%g1@NNs$-D+ch7e~(A=XS4ag5a-=`4z)KN^>vVn z&7aP~S(iqVcQ~Z6*jDu3jKZipW6*cei>}KCbX|9#{n9ho+ns>cQ>sQ^_qGt+ciSMP z9S9WS4==_E272@a%t8Cr6uy~_Z+?Ch&D|q#S8qPP(W{fR^lS0_|11u_x(Kg-ogf9= z__~#yh?fR0>|BNkJ#j({dT-?5rW=VnE;-QBGZbAnC$mv{VGMN~0u841?2?MD*Bnd~ zGUL$K`x_35fpz58tHDSI;$b>@bih7z+0k`gh5Noe$QlwGUANLg(At$3boR2IAJH_9 zyJH1*ERPg`6k!B4X&~Eg1$ZGu$n`geLMhOEBk0-OnF5$NeA%okpBl7aB99t^!7Mw@ z!Q?>F&%!`Y)-Z7SkAy>_ifY37Ve>~B{)Ll=@kfCg;1sYm5o zhcLl!i3SLzzeKXCK>IZ6ejFU)PETzXm>IlncoY`<$HYU9ie8BWqu&|}9|FC*2Np?n zq&yA{LF9|&XV_9b^&t~Adts_yA=m-*_IUQ;H8V`3*=86icxFlDwwRDmpr2(#ow`B#94%@ zpY4_<&|1H#&y#yT3AzYI4&AASI5MY$BBYei&-b$ro&&t_i~W#9SE^u!K#6y0iR9ZF zTOk;+$cb>2ry)mK*`=q z_Tyk6Zze~bk&Zae++aJ+T+36r(VE2)gH8i^406RlfjZ8BG9PqkJ)1+t>DQ z^@q5@jJ^CcH7HEsIgvrGRj}e-?H~QgVCl<#IB@j;m!)ssF80sLzV;-M;^zF_M=Prr zUF-onN7)Jc|8*3|J|}pC9Zw>j89Y=ELkcN-A$xG3^$os(6aC+9Gcq6H!StY!)3@(( z$)|97e8(P~)c?FDGN^e^-v+)n^9L>f^Y2;fz$Qw=q={`!%q&rdnk&ez;z8SS9A@IN zTfy@=C7px>Qcl1#0+~qL#K#^+dU7>!?~zCx_kxG{W497S-^r!GiN5lbs4W3<{mn+G z9UQ#>cJKy^67#OhJ}>^|2*93h9f{7tAUKvKMN9y^-Yo|}PKd`t?R-`y>#zCMzw1I0 z{`qtoc@@w;s9dqTjZeZ{quBfvzoFb#lTi(7;*)y4|7{~|8_d=JMXvZ%yaWRux6+jn 
z{8kk>yOVad@&})e_qF`Ksv`SIn5()oWQc;>PwOeQg%4lm(^0?bJqhvr+V#zQ@Omhn zI0M7zmmk8LBg9vWC2qH?-&Yy3o`-n<)Q?~RsKoaLdigBq{JYM;%+OH2_qU&emqLa| QefOXv_@qDS0_=7E6BS(%Y5)KL delta 4005 zcmeHKdr*|u73VB04`E@EH~X!NI>w|Cv(2c8f{G6y0;0hOJ~zNZ+?Yj>#fgoJU@!(` zS<(|dO{S>RNoL3-7#wQ8Xxy00n9Q^tw8W;>X6&>LR3%vvlL?v$+H>!RI?{H={MCQl znQ!-Z&;8wV&*PqRza4HI_sOeaR$FOvMKWP6R=bPvH~S`Hzxx8ry+gvk*F|HNTS3FFg}3Dr#)55Z0eAXKvJ6@lCIy zmr|^1u!KHa?sDz0x%Al3VnJ_17(9nZ+Y~(3uoANx6`Znr4Q!IO|7v%%K86*|5Q<{U zwpO}I9F^tL1DC^DZgUyY;mf{oZ+LoL;#9i1a6lI_w*5@5%JGMAnHka7Cl(*gh8%Ajcvc&3w@lSglI8>+L;g(Q?v!uqwez=TG zULrRY(ke&Umf9+tE1IQ6ce8Qol_)&T*%){w4$36g)D#8FB+71j8W!RwO&0v1$qK8a zEU0-gWJqLh{yD4=D7>tE8=EF_k|SsS(p(IM66Ng+hiu{KxSGv&n=6Ifz6T^iD=U#}yRbMNZdNl(_{uRNv7@hs& zaqz2nmKEUDuZpDH_s=u9=DH?ZeZ7dxUU*az&J3H-d?gQCZp7iu{#<-)pja+2e`81U zHwrqh7tk3an7Tce#sh{7Ybt_ASM~MBVNYK!etJtYq4R44es*grZoIq@cl9S@=fGkN zyL87qJMuhL7&%`4K{3!wi2Tvsz0CiPjy48@pcYUiKmzW#R*09sEydQM1ZipOP&p3X zu=5koRu$q0eQ{F$eqWJv`Osw{xAU_M-}_Fp^T>CF>z7U1| zB20DtCTc$lON4PIDT(}1N8O-&<(Wdrb_F($YU?N57VUa*4 z&Q65t41uH|S{4fydMlhMj1p9cfVqK`avqZCcogJO$}cq3Nk`1Qj`OZ^-jzUVO$G~k zdb3q;GQ0}(S~2s?MhJO79v%;(FK0rsIJHYPl)2~*x;W_$x+n9!26oDv22TkSOvJ-Z zf$VfOh>bpLW}_LI)YJ*^SD>>gtlDp7HHX@vPIbNx+d;q+WS9ait)9E5^RUBzXW->p?6ZgrI z$gxkGy~j(U)OTSrZD`{C3oaP>MhYeOyO4IDL>;MyWFYSgoZnU}=a*43xxe5(dG`=H zzs#fO)7SzIZ9X~EAW_6GUuCpLN7v@?%*Avqbmg#sR-{51|3p{HpV84!1C*)t8Spso z)d8z1bw2kHR*b(MNm5x`3~0y6d<-(^;yN%=&jQZN;C{#!C{fG&Ess`VG-o^KOPm9> zGwWfx<*|66bQ7n$L&Wz{>MZ7D`qy!2IoqOlE20zyNFk4v-(7@+>rI<_+skZ2Ewc@6 zTB=v8{sVCEVWr7Be85UmfC_#IJ4M9v$z8+Ily~+>C(C4O+jN9mn~Zh4hi?bInYCiz zks>ac*|I9{o&ICnAD;gI%jqwtm0jG4{re%8R&{ZU<}XDK@rz3e`F_iFBf)$o++R23 zUjfx)?|{G6a08awB$@A&4Dxq!nU4G(a@C$R$Or0qk(=JbJMDq)v&Y$7Qrx^ zoF|}`B2UUU$qe%NU>X_pe9OP#EKCFK!+dgw2<$6*cfC92v~rX z=S*t)FieRDr)o3kUJQ&Ce?Q0m@uVkWbV<}_)V-k|iq@5ZIw?lCBv5t7>vDAJKN58Z G9RCJWe9w*m diff --git a/scripts/selinux/nginx_agent.te b/scripts/selinux/nginx_agent.te index f5d90abd9..f0b1af5b8 100644 --- a/scripts/selinux/nginx_agent.te +++ b/scripts/selinux/nginx_agent.te 
@@ -63,7 +63,6 @@ require {
 type auditd_t;
 type sysfs_t;
 type unconfined_service_t;
- type container_runtime_t;
 type system_dbusd_t;
 type tuned_t;
 type irqbalance_t;
@@ -108,8 +107,6 @@ allow nginx_agent_t auditd_t:dir { getattr search };
 allow nginx_agent_t auditd_t:file { getattr open read };
 allow nginx_agent_t chronyd_t:dir { getattr search };
 allow nginx_agent_t chronyd_t:file { getattr open read };
-allow nginx_agent_t container_runtime_t:dir { getattr search };
-allow nginx_agent_t container_runtime_t:file { getattr open read };
 allow nginx_agent_t crond_t:dir { getattr search };
 allow nginx_agent_t dhcpc_t:file { getattr open read };
 allow nginx_agent_t fs_t:filesystem getattr;
@@ -383,3 +380,31 @@ require {
 #============= nginx_agent_t ==============
 allow nginx_agent_t rpm_t:file read;
+
+require {
+ type nginx_agent_t;
+}
+
+#============= nginx_agent_t ==============
+apache_list_cache(nginx_agent_t)
+rng_systemctl_rngd(nginx_agent_t)
+userdom_manage_user_home_content_dirs(nginx_agent_t)
+
+require {
+ type rpm_t;
+ type nginx_agent_t;
+ class file open;
+}
+
+#============= nginx_agent_t ==============
+allow nginx_agent_t rpm_t:file open;
+corenet_tcp_bind_http_cache_port(nginx_agent_t)
+rng_systemctl_rngd(nginx_agent_t)
+userdom_manage_user_home_content_dirs(nginx_agent_t)
+
+require {
+ type nginx_agent_t;
+}
+
+#============= nginx_agent_t ==============
+files_rw_etc_files(nginx_agent_t)
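Review bot: The last hunk grants `userdom_manage_user_home_content_dirs(nginx_agent_t)` and `files_rw_etc_files(nginx_agent_t)`, which (per their reference-policy definitions) give the agent create/delete rights over directories in every user's home and write access to generic files under /etc — a much wider grant than the single path a denial usually points at, and the commit message does not record which denial motivated either one. Before this lands, the broad interfaces should be replaced with rules scoped to the specific file contexts the agent actually touches, or at least each interface should carry a why-comment such as `# needed for: <AVC denial placeholder>` so the grant can be reviewed later. The same hunk also repeats `rng_systemctl_rngd(nginx_agent_t)` and `userdom_manage_user_home_content_dirs(nginx_agent_t)` twice and re-declares `type nginx_agent_t;` in three separate `require` blocks, which looks like raw audit2allow output appended rather than merged; folding them into one block makes the granted set visible at a glance. The two earlier hunks are pure removals of the container_runtime_t rules and need no change.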