Merge pull request #108 from jpichon/os-ceilometer

Allow ceilometer_polling_t to run as a container and poll necessary data
redhat-openstack · Feb 19, 2024 · f618d90 · f618d90
2 parents 9856d9b + 99cb2d2
commit f618d90
Show file tree

Hide file tree

Showing 3 changed files with 27 additions and 1 deletion.
diff --git a/Makefile b/Makefile
@@ -13,7 +13,7 @@ EXTRA_TARGETS?=os-ovs-el9
 endif # version 9
 endif # RHEL clones
 
-TARGETS?=os-ovs os-swift os-nova os-neutron os-mysql os-glance os-rsync os-rabbitmq os-keepalived os-keystone os-haproxy os-ipxe os-redis os-cinder os-httpd os-gnocchi os-collectd os-virt os-dnsmasq os-octavia os-podman os-rsyslog os-barbican os-logrotate os-certmonger os-timemaster $(EXTRA_TARGETS)
+TARGETS?=os-ovs os-swift os-nova os-neutron os-mysql os-glance os-rsync os-rabbitmq os-keepalived os-keystone os-haproxy os-ipxe os-redis os-cinder os-httpd os-gnocchi os-collectd os-virt os-dnsmasq os-octavia os-podman os-rsyslog os-barbican os-logrotate os-certmonger os-timemaster os-ceilometer $(EXTRA_TARGETS)
 MODULES?=${TARGETS:=.pp.bz2}
 DATADIR?=/usr/share
 LOCALDIR?=/usr/share/openstack-selinux/master

diff --git a/os-ceilometer.te b/os-ceilometer.te
@@ -0,0 +1,23 @@
+policy_module(os-ceilometer, 1.0.0)
+
+gen_require(`
+  attribute container_net_domain;
+  type ceilometer_polling_t;
+  type container_file_t;
+  type proc_t;
+  type virt_var_run_t;
+  type virtd_t;
+')
+
+# Get ceilometer_polling_t to work as a container
+container_domain_template(ceilometer_polling, container)
+container_runtime_domtrans(ceilometer_polling_t)
+typeattribute ceilometer_polling_t container_net_domain;
+
+logging_send_audit_msgs(ceilometer_polling_t)
+logging_send_syslog_msg(ceilometer_polling_t)
+
+# OSPRH-3373
+allow ceilometer_polling_t proc_t:filesystem associate;
+allow ceilometer_polling_t virt_var_run_t:sock_file write;
+allow ceilometer_polling_t virtd_t:unix_stream_socket connectto;
diff --git a/tests/osprh3373 b/tests/osprh3373
@@ -0,0 +1,3 @@
+type=AVC msg=audit(1707395260.099:18787): avc:  denied  { associate } for  pid=74475 comm="ceilometer-poll" name="1" scontext=system_u:object_r:ceilometer_polling_t:s0:c24,c595 tcontext=system_u:object_r:proc_t:s0 tclass=filesystem permissive=1
+type=AVC msg=audit(1707395260.231:18790): avc:  denied  { write } for  pid=74485 comm="ceilometer-poll" name="virtqemud-sock-ro" dev="tmpfs" ino=1703 scontext=system_u:system_r:ceilometer_polling_t:s0:c24,c595 tcontext=system_u:object_r:virt_var_run_t:s0 tclass=sock_file permissive=1
+type=AVC msg=audit(1707478033.374:19852): avc:  denied  { connectto } for  pid=86771 comm="ceilometer-poll" path="/run/libvirt/virtqemud-sock-ro" scontext=system_u:system_r:ceilometer_polling_t:s0:c322,c751 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=1