# SELinux policy module for running the OpenTelemetry Collector as its own
# confined domain (otel_collector_t) so that it can read journald logs and
# talk to a backend over TCP/UDP.
#
# The `require` block below imports types and object classes that the base
# policy must already define; this module only adds rules on top of them.
module otel_collector_journald 1.0;
require {
type journalctl_t;
type syslogd_t;
type usr_t;
class file { read open execute };
class dir { search open };
class service status;
# NOTE(review): `process transition` is required here but no allow rule in
# this module grants it (see the type_transition below) — confirm whether a
# matching allow rule was left out.
class process transition;
class tcp_socket { read write connect create getattr setattr };
class udp_socket { read write connect create getattr setattr };
}
# Define the new type for the OpenTelemetry Collector process
# NOTE(review): otel_collector_t is declared as a bare type; unless the base
# policy is configured otherwise it may also need to be associated with the
# domain attribute before the kernel treats it as a process domain — confirm.
type otel_collector_t;
type otel_collector_exec_t;
# Allow the execution of the collector binary with the correct label
# NOTE(review): usr_t is normally a file type (the label of /usr), not a
# process domain, so granting usr_t `execute` on a file has no effect on any
# process. The source here should presumably be the domain that launches the
# collector (e.g. the init daemon's domain) — verify against how the service
# is started.
allow usr_t otel_collector_exec_t:file { read execute open };
allow otel_collector_t otel_collector_exec_t:file { read execute open };
# Allow the transition from usr_t to otel_collector_t
# NOTE(review): a domain transition needs three things that are not all
# present: a domain (not a file type) as source, an `allow SRC
# otel_collector_t:process transition;` rule, and an `entrypoint` permission
# for otel_collector_t on otel_collector_exec_t. As written, the transition
# is declared but the required access is not granted, so the collector is
# likely to keep running in the caller's domain rather than in
# otel_collector_t — confirm with an audit of the service start-up.
type_transition usr_t otel_collector_exec_t:process otel_collector_t;
# Allow otel_collector_t to read journald logs
# NOTE(review): journalctl_t is conventionally the domain of the journalctl
# process, not the label on the journal files themselves; the on-disk journal
# under /run/log/journal and /var/log/journal is usually labeled with a
# log/run file type instead. Verify which type the journal files actually
# carry on the target system and grant read/open on that type.
allow otel_collector_t journalctl_t:file { read open };
# Allow otel_collector_t to search and open directories of journald logs
allow otel_collector_t journalctl_t:dir { search open };
# Allow otel_collector_t to get the status of journald
allow otel_collector_t journalctl_t:service status;
# Allow otel_collector_t to get the status of syslogd
allow otel_collector_t syslogd_t:service status;
# Allow otel_collector_t to create and use TCP sockets
# Outbound-only: `bind`, `listen` and `accept` are not granted, so the
# collector can connect out to an exporter endpoint but cannot accept
# inbound connections in this domain. Extend deliberately if a receiver
# that listens on a port is needed.
allow otel_collector_t self:tcp_socket { read write connect create getattr setattr };
# Allow otel_collector_t to create and use UDP sockets
# Same outbound-only shape as the TCP rule above (no `bind`).
allow otel_collector_t self:udp_socket { read write connect create getattr setattr };