Fix SELinux policy resource names (#101)

Use sources for SELinux resources in spec file Bump revision Signed-off-by: Felix Kolwa <fkolwa@redhat.com>
os-observability · Sep 12, 2024 · d5765f0 · d5765f0
1 parent 73af632
commit d5765f0
Show file tree

Hide file tree

Showing 2 changed files with 25 additions and 21 deletions.
diff --git a/opentelemetry-collector.spec.in b/opentelemetry-collector.spec.in
@@ -12,12 +12,13 @@ Collector with the supported components for a Red Hat build of OpenTelemetry}
 %global godocs        README.md
 
 Name:           %%PROJECT%%
-Release:        1%{?dist}
+Release:        2%{?dist}
 Summary:        Red Hat build of OpenTelemetry
 
 License:        Apache-2.0
 
 Source0:        %{name}-%{version}.tar.gz
+Source1:        otel_collector_journald.te
 
 BuildRequires: systemd
 BuildRequires: %{?go_compiler:compiler(go-compiler)}%{!?go_compiler:golang}
@@ -40,7 +41,7 @@ mkdir -p _build/bin
 %build
 
 # Compile the SELinux policy module
-checkmodule -M -m -o otel_collector_journald.mod otel_collector_journald.te
+checkmodule -M -m -o otel_collector_journald.mod %{SOURCE1}
 semodule_package -o otel_collector_journald.pp -m otel_collector_journald.mod
 
 go build -ldflags "-s -w" -v -buildmode pie -mod vendor -o %{gobuilddir}/bin/opentelemetry-collector
@@ -55,9 +56,7 @@ mkdir -p %{buildroot}%{_sysconfdir}/opentelemetry-collector/configs
 mkdir -p %{buildroot}%{_unitdir}
 
 # install files
-
 install -m 0644 ./otel_collector_journald.pp %{buildroot}%{_datadir}/selinux/packages/otel_collector_journald.pp
-
 install -p -m 0644  ./00-default-receivers.yaml %{buildroot}%{_sysconfdir}/opentelemetry-collector/configs/00-default-receivers.yaml
 install -p -m 0644  ./opentelemetry-collector.service %{buildroot}%{_unitdir}/%{name}.service
 
@@ -103,12 +102,20 @@ fi
 %{_bindir}/*
 
 %changelog
-* Mon Aug 19 2024 Pavol Loffay <ploffay@redhat.com> - 0.107.0
+* Thu Sep 12 2024 Felix Kolwa <fkolwa@redhat.com> - 0.107.0-2
+- Fix SELinux policy resource names
+- Use sources for SELinux resources in spec file
+- Bump revision
+* Mon Aug 19 2024 Pavol Loffay <ploffay@redhat.com> - 0.107.0-1
 - Added support for aarch64
-* Mon Aug 5 2024 Benedikt Bongartz <bongartz@redhat.com> - 0.102.1
-- add default SELinux polices
-- Grant access to journal logs
-- Grant access to UDP/TCP network sockets 
+* Thu Aug 01 2024 Benedikt Bongartz <bongartz@redhat.com> - 0.102.1-3
+- Add default selinux policy for journald receiver
+- Bump revision
+* Wed Jul 24 2024 Benedikt Bongartz <bongartz@redhat.com> - 0.102.1-2
+- spec: strip go binary
+* Tue Jul 16 2024 Benedikt Bongartz <bongartz@redhat.com> - 0.102.1-1
+- rpm: trim date (#89) (Ben B)
+- Add transform processor (#88) (Ruben Vargas)
 * Fri Jun 28 2024 Benedikt Bongartz <bongartz@redhat.com> - 0.102.1
 - move microshift specifics into another rpm
 - bump collector version to 0.102.0

diff --git a/otel_collector_journald.te b/otel_collector_journald.te
@@ -1,11 +1,9 @@
 module otel_collector_journald 1.0;
 
 require {
-    type journalctl_exec_t;
-    type journald_log_t;
-    type journald_t;
+    type journalctl_t;
     type syslogd_t;
-    type usr_bin_t;
+    type usr_t;
     class file { read open execute };
     class dir { search open };
     class service status;
@@ -19,20 +17,20 @@ type otel_collector_t;
 type otel_collector_exec_t;
 
 # Allow the execution of the collector binary with the correct label
-allow usr_bin_t otel_collector_exec_t:file { read execute open };
+allow usr_t otel_collector_exec_t:file { read execute open };
 allow otel_collector_t otel_collector_exec_t:file { read execute open };
 
-# Allow the transition from usr_bin_t to otel_collector_t
-type_transition usr_bin_t otel_collector_exec_t:process otel_collector_t;
+# Allow the transition from usr_t to otel_collector_t
+type_transition usr_t otel_collector_exec_t:process otel_collector_t;
 
 # Allow otel_collector_t to read journald logs
-allow otel_collector_t journald_log_t:file { read open };
+allow otel_collector_t journalctl_t:file { read open };
 
 # Allow otel_collector_t to search and open directories of journald logs
-allow otel_collector_t journald_log_t:dir { search open };
+allow otel_collector_t journalctl_t:dir { search open };
 
 # Allow otel_collector_t to get the status of journald
-allow otel_collector_t journald_t:service status;
+allow otel_collector_t journalctl_t:service status;
 
 # Allow otel_collector_t to get the status of syslogd
 allow otel_collector_t syslogd_t:service status;
@@ -41,5 +39,4 @@ allow otel_collector_t syslogd_t:service status;
 allow otel_collector_t self:tcp_socket { read write connect create getattr setattr };
 
 # Allow otel_collector_t to create and use UDP sockets
-allow otel_collector_t self:udp_socket { read write connect create getattr setattr };
-
+allow otel_collector_t self:udp_socket { read write connect create getattr setattr };