Update selinux policy

Author: dhurley

scripts/selinux/nginx_agent.pp

@@ -65,6 +65,9 @@ require {
 	type fixed_disk_device_t;
 	type nvme_device_t;
 	type udev_var_run_t;
+	type httpd_var_lib_t;
+	type unconfined_t;
+	type unreserved_port_t;
 }
 
 allow nginx_agent_t bin_t:file { execute execute_no_trans };
@@ -101,7 +104,7 @@ allow nginx_agent_t httpd_config_t:file { getattr open read };
 #!!!! This avc can be allowed using the boolean 'domain_can_mmap_files'
 allow nginx_agent_t httpd_exec_t:file map;
 allow nginx_agent_t httpd_exec_t:file { execute execute_no_trans getattr open read };
-allow nginx_agent_t httpd_log_t:dir { getattr open read search };
+allow nginx_agent_t httpd_log_t:dir { watch getattr open read search };
 allow nginx_agent_t passwd_file_t:file { getattr open read };
 allow nginx_agent_t self:capability dac_read_search;
 
@@ -124,7 +127,7 @@ allow nginx_agent_t httpd_log_t:file { open read };
 allow nginx_agent_t httpd_t:process signal;
 allow nginx_agent_t httpd_var_run_t:file { open read write };
 allow nginx_agent_t self:capability { dac_override net_bind_service };
-allow nginx_agent_t cert_t:dir { search open read };
+allow nginx_agent_t cert_t:dir { getattr search open read };
 allow nginx_agent_t cert_t:lnk_file read;
 
 
@@ -149,8 +152,15 @@ allow nginx_agent_t self:udp_socket { connect create getattr setopt };
 allow nginx_agent_t fixed_disk_device_t:blk_file getattr;
 allow nginx_agent_t nvme_device_t:blk_file getattr;
 allow nginx_agent_t udev_var_run_t:dir search;
-allow nginx_agent_t udev_var_run_t:file { getattr open read };
+allow nginx_agent_t udev_var_run_t:file { getattr open read write };
 
 allow nginx_agent_t etc_t:dir { add_name write };
 allow nginx_agent_t etc_t:file { create write };
 
+allow nginx_agent_t httpd_var_lib_t:dir { getattr search };
+allow nginx_agent_t unconfined_t:process signal;
+allow nginx_agent_t unreserved_port_t:tcp_socket name_bind;
+allow nginx_agent_t self:cap_userns sys_ptrace;
+allow nginx_agent_t usr_t:dir watch;
+allow nginx_agent_t var_log_t:file { open write };
+allow nginx_agent_t var_run_t:file { open read write };

scripts/selinux/nginx_agent.te

@@ -1,4 +1,4 @@
-.TH  "nginx_agent_selinux"  "8"  "25-03-13" "nginx_agent" "SELinux Policy nginx_agent"
+.TH  "nginx_agent_selinux"  "8"  "25-03-21" "nginx_agent" "SELinux Policy nginx_agent"
 .SH "NAME"
 nginx_agent_selinux \- Security Enhanced Linux Policy for the nginx_agent processes
 .SH "DESCRIPTION"
@@ -243,6 +243,22 @@ The SELinux process type nginx_agent_t can manage files labeled with the followi
 	/var/tmp/vi\.recover
 .br
 
+.br
+.B udev_var_run_t
+
+	/dev/\.udev(/.*)?
+.br
+	/var/run/udev(/.*)?
+.br
+	/var/run/libgpod(/.*)?
+.br
+	/var/run/PackageKit/udev(/.*)?
+.br
+	/dev/\.udevdb
+.br
+	/dev/udev\.tbl
+.br
+
 .br
 .B var_lib_t
 
@@ -251,6 +267,66 @@ The SELinux process type nginx_agent_t can manage files labeled with the followi
 	/var/lib(/.*)?
 .br
 
+.br
+.B var_log_t
+
+	/var/log/.*
+.br
+	/nsr/logs(/.*)?
+.br
+	/var/webmin(/.*)?
+.br
+	/var/log/secure[^/]*
+.br
+	/opt/zimbra/log(/.*)?
+.br
+	/var/log/maillog[^/]*
+.br
+	/var/log/spooler[^/]*
+.br
+	/var/log/messages[^/]*
+.br
+	/usr/centreon/log(/.*)?
+.br
+	/var/spool/rsyslog(/.*)?
+.br
+	/var/axfrdns/log/main(/.*)?
+.br
+	/var/spool/bacula/log(/.*)?
+.br
+	/var/tinydns/log/main(/.*)?
+.br
+	/var/dnscache/log/main(/.*)?
+.br
+	/var/stockmaniac/templates_cache(/.*)?
+.br
+	/opt/Symantec/scspagent/IDS/system(/.*)?
+.br
+	/var/log
+.br
+	/var/log/dmesg
+.br
+	/var/log/syslog
+.br
+	/var/named/chroot/var/log
+.br
+
+.br
+.B var_run_t
+
+	/run/.*
+.br
+	/var/run/.*
+.br
+	/run
+.br
+	/var/run
+.br
+	/var/run
+.br
+	/var/spool/postfix/pid
+.br
+
 .SH FILE CONTEXTS
 SELinux requires files to have an extended attribute to define the file type.
 .PP