Draft: Add insights_core policy files

policy/modules/contrib/insights_core.fc

@@ -0,0 +1,6 @@
+/var/cache/insights(/.*)?					gen_context(system_u:object_r:insights_core_cache_t,s0)
+/var/cache/insights-client(/.*)?				gen_context(system_u:object_r:insights_core_cache_t,s0)
+
+/tmp/insights-client\.ppid	--				gen_context(system_u:object_r:insights_core_tmp_t,s0)
+/var/tmp/insights-client\.ppid	--				gen_context(system_u:object_r:insights_core_tmp_t,s0)
+/var/tmp/insights-client(/.*)?					gen_context(system_u:object_r:insights_core_tmp_t,s0)

policy/modules/contrib/insights_core.if

@@ -0,0 +1,61 @@
+## <summary>policy for insights_core</summary>
+
+########################################
+## <summary>
+##	Allow explicit transition to insights_core_t domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`insights_core_domtrans',`
+	gen_require(`
+		type insights_core_t;
+	')
+
+	allow $1 insights_core_t: process transition;
+	allow insights_core_t $1:fd use;
+	allow insights_core_t $1:fifo_file rw_file_perms;
+	allow insights_core_t $1:process sigchld;
+	allow insights_core_t $1:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+##	Write to an insights_core unnamed pipe.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`insights_core_write_pipes',`
+	gen_require(`
+		type insights_core_t;
+	')
+
+	allow $1 insights_core_t:fifo_file write_fifo_file_perms;
+')
+
+########################################
+## <summary>
+##	Read insights_client lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`insights_core_read_lib_files',`
+	gen_require(`
+		type insights_core_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	read_files_pattern($1, insights_core_var_lib_t, insights_core_var_lib_t)
+	allow $1 insights_core_var_lib_t:file map;
+')