Add SELinux default policy
Resolves: RHEL-24050
parent
ec6742f755
commit
2126cc1b87
@ -12,17 +12,19 @@ Collector with the supported components for a Red Hat build of OpenTelemetry}
|
||||
%global godocs README.md
|
||||
|
||||
Name: opentelemetry-collector
|
||||
Release: 2%{?dist}
|
||||
Release: 3%{?dist}
|
||||
Summary: Red Hat build of OpenTelemetry
|
||||
|
||||
License: Apache-2.0
|
||||
|
||||
Source0: %{name}-%{version}.tar.gz
|
||||
Source1: otel_collector_journald.te
|
||||
|
||||
BuildRequires: systemd
|
||||
BuildRequires: %{?go_compiler:compiler(go-compiler)}%{!?go_compiler:golang}
|
||||
BuildRequires: binutils
|
||||
BuildRequires: git
|
||||
BuildRequires: policycoreutils, checkpolicy, selinux-policy-devel
|
||||
|
||||
Requires(pre): /usr/sbin/useradd, /usr/bin/getent
|
||||
Requires(postun): /usr/sbin/userdel
|
||||
@ -38,17 +40,23 @@ mkdir -p _build/bin
|
||||
|
||||
%build
|
||||
|
||||
# Compile the SELinux policy module
|
||||
checkmodule -M -m -o otel_collector_journald.mod %{SOURCE1}
|
||||
semodule_package -o otel_collector_journald.pp -m otel_collector_journald.mod
|
||||
|
||||
go build -ldflags "-s -w" -v -buildmode pie -mod vendor -o %{gobuilddir}/bin/opentelemetry-collector
|
||||
|
||||
%define debug_package %{nil}
|
||||
|
||||
%install
|
||||
# create expected directory layout
|
||||
mkdir -p %{buildroot}%{_datadir}/selinux/packages
|
||||
mkdir -p %{buildroot}%{_sysconfdir}/opentelemetry-collector
|
||||
mkdir -p %{buildroot}%{_sysconfdir}/opentelemetry-collector/configs
|
||||
mkdir -p %{buildroot}%{_unitdir}
|
||||
|
||||
# install files
|
||||
install -m 0644 ./otel_collector_journald.pp %{buildroot}%{_datadir}/selinux/packages/otel_collector_journald.pp
|
||||
install -p -m 0644 ./00-default-receivers.yaml %{buildroot}%{_sysconfdir}/opentelemetry-collector/configs/00-default-receivers.yaml
|
||||
install -p -m 0644 ./opentelemetry-collector.service %{buildroot}%{_unitdir}/%{name}.service
|
||||
|
||||
@ -64,12 +72,15 @@ install -m 0755 -p ./opentelemetry-collector-with-options %{buildroot}%{_bindir}
|
||||
/usr/sbin/userdel observability
|
||||
|
||||
%post
|
||||
semodule -i %{_datadir}/selinux/packages/otel_collector_journald.pp
|
||||
restorecon -v %{_bindir}/opentelemetry-collector
|
||||
/bin/systemctl --system daemon-reload 2>&1
|
||||
|
||||
%preun
|
||||
if [ $1 -eq 0 ]; then
|
||||
/bin/systemctl --quiet stop %{name}.service
|
||||
/bin/systemctl --quiet disable %{name}.service
|
||||
semodule -r otel_collector_journald
|
||||
fi
|
||||
|
||||
%posttrans
|
||||
@ -84,12 +95,16 @@ fi
|
||||
%files
|
||||
%{_unitdir}/%{name}.service
|
||||
%{_sysconfdir}/opentelemetry-collector/configs/00-default-receivers.yaml
|
||||
%{_datadir}/selinux/packages/otel_collector_journald.pp
|
||||
|
||||
%license %{golicenses}
|
||||
%doc %{godocs}
|
||||
%{_bindir}/*
|
||||
|
||||
%changelog
|
||||
* Wed Aug 01 2024 Benedikt Bongartz <bongartz@redhat.com> - 0.102.1-3
|
||||
- Add default selinux policy for journald receiver
|
||||
- Bump revision
|
||||
* Wed Jul 24 2024 Benedikt Bongartz <bongartz@redhat.com> - 0.102.1-2
|
||||
- spec: strip go binary
|
||||
* Tue Jul 16 2024 Benedikt Bongartz <bongartz@redhat.com> - 0.102.1-1
|
||||
|
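Review bot: `restorecon -v %{_bindir}/opentelemetry-collector` in %post cannot apply otel_collector_exec_t, because nothing in this commit binds that path to the type — Source1 is only the .te, no file-context (.fc) entries are packaged, and %post never calls `semanage fcontext`; restorecon will therefore reset the binary to the base policy's default label for /usr/bin and the module's type_transition never triggers. The scriptlets also call semodule and restorecon with no runtime dependency: policycoreutils appears only in BuildRequires, so add `Requires(post): policycoreutils` and `Requires(preun): policycoreutils` (or switch to the `%selinux_modules_install` / `%selinux_modules_uninstall` / `%selinux_relabel_post` macros provided for exactly this on Fedora/RHEL). As written, an install on a host without SELinux support fails the %post scriptlet outright; at minimum wrap the two lines in `if [ -x /usr/sbin/selinuxenabled ] && /usr/sbin/selinuxenabled; then … fi` or append `|| :` so a policy failure does not abort the package transaction. A one-line comment above %post saying which label the binary is expected to end up with (`# expects %{_bindir}/opentelemetry-collector to be labelled otel_collector_exec_t via the module's file contexts`) would make the missing piece obvious to the next maintainer.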
42
otel_collector_journald.te
Normal file
42
otel_collector_journald.te
Normal file
@ -0,0 +1,42 @@
|
||||
module otel_collector_journald 1.0;
|
||||
|
||||
require {
|
||||
type journalctl_t;
|
||||
type syslogd_t;
|
||||
type usr_t;
|
||||
class file { read open execute };
|
||||
class dir { search open };
|
||||
class service status;
|
||||
class process transition;
|
||||
class tcp_socket { read write connect create getattr setattr };
|
||||
class udp_socket { read write connect create getattr setattr };
|
||||
}
|
||||
|
||||
# Define the new type for the OpenTelemetry Collector process
|
||||
type otel_collector_t;
|
||||
type otel_collector_exec_t;
|
||||
|
||||
# Allow the execution of the collector binary with the correct label
|
||||
allow usr_t otel_collector_exec_t:file { read execute open };
|
||||
allow otel_collector_t otel_collector_exec_t:file { read execute open };
|
||||
|
||||
# Allow the transition from usr_t to otel_collector_t
|
||||
type_transition usr_t otel_collector_exec_t:process otel_collector_t;
|
||||
|
||||
# Allow otel_collector_t to read journald logs
|
||||
allow otel_collector_t journalctl_t:file { read open };
|
||||
|
||||
# Allow otel_collector_t to search and open directories of journald logs
|
||||
allow otel_collector_t journalctl_t:dir { search open };
|
||||
|
||||
# Allow otel_collector_t to get the status of journald
|
||||
allow otel_collector_t journalctl_t:service status;
|
||||
|
||||
# Allow otel_collector_t to get the status of syslogd
|
||||
allow otel_collector_t syslogd_t:service status;
|
||||
|
||||
# Allow otel_collector_t to create and use TCP sockets
|
||||
allow otel_collector_t self:tcp_socket { read write connect create getattr setattr };
|
||||
|
||||
# Allow otel_collector_t to create and use UDP sockets
|
||||
allow otel_collector_t self:udp_socket { read write connect create getattr setattr };
|
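Review bot: The transition rule on the new side, `type_transition usr_t otel_collector_exec_t:process otel_collector_t;`, uses `usr_t` — a file type — as the source domain, and the module contains no `allow <domain> otel_collector_t:process transition;` at all even though `class process transition` is listed in the require block, so the collector will not enter otel_collector_t when systemd starts the unit this package installs (the starting domain there is init_t, not usr_t). Both new types are also declared bare — `type otel_collector_t;` with no `domain` attribute and `type otel_collector_exec_t;` with no `file_type`/`exec_type` attribute — which, with the reference-policy-derived base policy on RHEL, should mean the binary cannot even be labelled otel_collector_exec_t (filesystem association is granted to file_type) and the domain lacks every baseline process rule; the conventional fix is `policy_module(otel_collector_journald, 1.0)` plus `init_daemon_domain(otel_collector_t, otel_collector_exec_t)`, built with `make -f /usr/share/selinux/devel/Makefile` from the selinux-policy-devel package that is already a BuildRequires instead of the raw checkmodule call. The comment "Allow otel_collector_t to read journald logs" over `allow otel_collector_t journalctl_t:file { read open };` looks mistaken: in the distribution policy `journalctl_t` is, as far as I know, the process domain of /usr/bin/journalctl rather than the label of the journal files, so if the receiver shells out to journalctl the rules actually needed are execute on journalctl_exec_t and pipe read/write — worth confirming with `audit2allow` from a permissive-mode run before settling the rule set. Finally, `allow usr_t otel_collector_exec_t:file { read execute open };` grants permissions to a file type acting as a subject and is inert; it can be dropped.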