Fix avc denials but pcp plugin still not working

Author: sfeifer

grafana.fc

@@ -15,6 +15,8 @@
 
 #/var/lib/grafana/plugins(/.*)?					gen_context(system_u:object_r:grafana_plugin_t,s0)
 
+/var/lib/grafana/plugins/performancecopilot-pcp-app				--	gen_context(system_u:object_r:grafana_pcp_plugin_exec_t,s0)
+
 /usr/share/grafana/bin/grafana				--	gen_context(system_u:object_r:grafana_exec_t,s0)
 /usr/share/grafana/bin/grafana-cli			--	gen_context(system_u:object_r:grafana_exec_t,s0)
 /usr/share/grafana/bin/grafana-server			--	gen_context(system_u:object_r:grafana_exec_t,s0)

grafana.if

@@ -139,3 +139,55 @@ interface(`grafana_admin',`
 		systemd_read_fifo_file_passwd_run($1)
 	')
 ')
+
+########################################
+## <summary>
+## Execute the grafana unconfined plugins with
+## a domain transition.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`grafana_domtrans_unconfined_plugins',`
+   gen_require(`
+        type grafana_unconfined_plugin_t;
+        type grafana_unconfined_plugin_exec_t;
+   ')
+
+    domtrans_pattern($1, grafana_unconfined_plugin_exec_t, grafana_unconfined_plugin_t)
+')
+
+########################################
+## <summary>
+##	Create a set of derived types for various
+##	grafana plugins,
+## </summary>
+## <param name="plugins_group_name">
+##	<summary>
+##	The name to be used for deriving type names.
+##	</summary>
+## </param>
+#
+template(`grafana_plugin_template',`
+	gen_require(`
+		attribute grafana_plugin_domain;
+		type grafana_t;
+	')
+
+	type grafana_$1_plugin_t, grafana_plugin_domain;
+	type grafana_$1_plugin_exec_t;
+	application_domain(grafana_$1_plugin_t, grafana_$1_plugin_exec_t)
+	role system_r types grafana_$1_plugin_t;
+
+	domtrans_pattern(grafana_t, grafana_$1_plugin_exec_t, grafana_$1_plugin_t)
+	allow grafana_t grafana_$1_plugin_exec_t:file ioctl; 
+
+	# needed by command.cfg
+	domtrans_pattern(grafana_t, grafana_$1_plugin_exec_t, grafana_$1_plugin_t)
+
+	kernel_read_system_state(grafana_$1_plugin_t)
+
+')

grafana.te

@@ -34,6 +34,7 @@ gen_tunable(grafana_can_tcp_connect_mysql_port, false)
 ## </desc>
 gen_tunable(grafana_can_tcp_connect_prometheus_port, false)
 
+attribute grafana_plugin_domain;
 
 type grafana_t;
 type grafana_exec_t;
@@ -67,6 +68,27 @@ files_type(grafana_var_lib_t)
 type grafana_port_t;
 corenet_port(grafana_port_t)
 
+grafana_plugin_template(pcp)
+
+######################################
+#
+# Common plugin domain local policy
+#
+
+allow grafana_plugin_domain self:fifo_file rw_fifo_file_perms;
+   
+allow grafana_t grafana_plugin_domain:process signal_perms;
+allow grafana_plugin_domain grafana_t:process signal_perms;
+
+corecmd_exec_bin(grafana_plugin_domain)
+
+dev_read_urand(grafana_plugin_domain)
+dev_read_rand(grafana_plugin_domain)
+dev_read_sysfs(grafana_plugin_domain)
+
+userdom_use_inherited_user_ptys(grafana_plugin_domain)
+userdom_use_inherited_user_ttys(grafana_plugin_domain)
+
 ########################################
 #
 # grafana local policy
@@ -77,6 +99,14 @@ allow grafana_t self:unix_dgram_socket create_socket_perms;
 
 allow grafana_t grafana_port_t:tcp_socket { name_bind name_connect };
 
+#allow grafana_t grafana_exec_t:file execute_no_trans;
+allow grafana_t self:unix_stream_socket connectto;
+
+allow grafana_t grafana_var_lib_t:file { execute execute_no_trans };
+allow grafana_t grafana_var_lib_t:file map;
+
+allow init_t grafana_tmp_t:sock_file unlink;
+
 manage_dirs_pattern(grafana_t, grafana_conf_t, grafana_conf_t)
 manage_files_pattern(grafana_t, grafana_conf_t, grafana_conf_t)