Policy working with pcp plugin

Author: sfeifer

README.md

@@ -36,6 +36,7 @@ restorecon -RvF /usr/sbin/grafana-* \
 		/etc/grafana \
 		/var/log/grafana \
 		/var/lib/grafana \
+		/usr/share/performancecopilot-pcp-app \
 		/usr/share/grafana/bin
 
 # Start grafana
@@ -68,6 +69,16 @@ ausearch -m avc,user_avc,selinux_err -ts recent | audit2allow -R
 If you get a could not open interface info [/var/lib/sepolgen/interface_info] error. 
 Ensure policycoreutils-devel is installed and/or run: `sepolgen-ifgen`
 
+## Removing the policy
+
+* To remove the policy, the added port must first be removed
+```sh
+sudo semanage port -d -p tcp 3000
+```
+* Now, to remove the policy run
+```sh
+sudo semodule -r grafana
+```
 ## Compatibility Notes
 Built on CentOS Stream 9 at the time with:
 ```

grafana.fc

@@ -15,8 +15,9 @@
 
 #/var/lib/grafana/plugins(/.*)?					gen_context(system_u:object_r:grafana_plugin_t,s0)
 
-/var/lib/grafana/plugins/performancecopilot-pcp-app				--	gen_context(system_u:object_r:grafana_pcp_plugin_exec_t,s0)
-
 /usr/share/grafana/bin/grafana				--	gen_context(system_u:object_r:grafana_exec_t,s0)
 /usr/share/grafana/bin/grafana-cli			--	gen_context(system_u:object_r:grafana_exec_t,s0)
 /usr/share/grafana/bin/grafana-server			--	gen_context(system_u:object_r:grafana_exec_t,s0)
+
+#define context for pcp plugin
+/usr/share/performancecopilot-pcp-app/datasources/redis/pcp_redis_datasource_(.*)           -- gen_context(system_u:object_r:grafana_pcp_exec_t,s0)

grafana.if

@@ -139,55 +139,3 @@ interface(`grafana_admin',`
 		systemd_read_fifo_file_passwd_run($1)
 	')
 ')
-
-########################################
-## <summary>
-## Execute the grafana unconfined plugins with
-## a domain transition.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`grafana_domtrans_unconfined_plugins',`
-   gen_require(`
-        type grafana_unconfined_plugin_t;
-        type grafana_unconfined_plugin_exec_t;
-   ')
-
-    domtrans_pattern($1, grafana_unconfined_plugin_exec_t, grafana_unconfined_plugin_t)
-')
-
-########################################
-## <summary>
-##	Create a set of derived types for various
-##	grafana plugins,
-## </summary>
-## <param name="plugins_group_name">
-##	<summary>
-##	The name to be used for deriving type names.
-##	</summary>
-## </param>
-#
-template(`grafana_plugin_template',`
-	gen_require(`
-		attribute grafana_plugin_domain;
-		type grafana_t;
-	')
-
-	type grafana_$1_plugin_t, grafana_plugin_domain;
-	type grafana_$1_plugin_exec_t;
-	application_domain(grafana_$1_plugin_t, grafana_$1_plugin_exec_t)
-	role system_r types grafana_$1_plugin_t;
-
-	domtrans_pattern(grafana_t, grafana_$1_plugin_exec_t, grafana_$1_plugin_t)
-	allow grafana_t grafana_$1_plugin_exec_t:file ioctl; 
-
-	# needed by command.cfg
-	domtrans_pattern(grafana_t, grafana_$1_plugin_exec_t, grafana_$1_plugin_t)
-
-	kernel_read_system_state(grafana_$1_plugin_t)
-
-')

grafana.te

@@ -34,7 +34,6 @@ gen_tunable(grafana_can_tcp_connect_mysql_port, false)
 ## </desc>
 gen_tunable(grafana_can_tcp_connect_prometheus_port, false)
 
-attribute grafana_plugin_domain;
 
 type grafana_t;
 type grafana_exec_t;
@@ -68,26 +67,13 @@ files_type(grafana_var_lib_t)
 type grafana_port_t;
 corenet_port(grafana_port_t)
 
-grafana_plugin_template(pcp)
+type grafana_pcp_exec_t;
+corecmd_executable_file(grafana_pcp_exec_t)
+can_exec(grafana_t, grafana_pcp_exec_t)
 
-######################################
-#
-# Common plugin domain local policy
-#
-
-allow grafana_plugin_domain self:fifo_file rw_fifo_file_perms;
-   
-allow grafana_t grafana_plugin_domain:process signal_perms;
-allow grafana_plugin_domain grafana_t:process signal_perms;
-
-corecmd_exec_bin(grafana_plugin_domain)
-
-dev_read_urand(grafana_plugin_domain)
-dev_read_rand(grafana_plugin_domain)
-dev_read_sysfs(grafana_plugin_domain)
-
-userdom_use_inherited_user_ptys(grafana_plugin_domain)
-userdom_use_inherited_user_ttys(grafana_plugin_domain)
+# Ports 32768-60999 (pcp port is 44322)
+corenet_tcp_connect_all_ephemeral_ports(grafana_t)
+grafana_exec(grafana_t)
 
 ########################################
 #
@@ -99,12 +85,8 @@ allow grafana_t self:unix_dgram_socket create_socket_perms;
 
 allow grafana_t grafana_port_t:tcp_socket { name_bind name_connect };
 
-#allow grafana_t grafana_exec_t:file execute_no_trans;
 allow grafana_t self:unix_stream_socket connectto;
 
-allow grafana_t grafana_var_lib_t:file { execute execute_no_trans };
-allow grafana_t grafana_var_lib_t:file map;
-
 allow init_t grafana_tmp_t:sock_file unlink;
 
 manage_dirs_pattern(grafana_t, grafana_conf_t, grafana_conf_t)