Add policy for insights-core

The insights_core_t domain is used by the insights client with
explicit transition using setexecfilecon().

policy/modules/contrib/insights_client.if

@@ -320,3 +320,24 @@ interface(`insights_client_write_tmp',`
 	files_search_tmp($1)
 	write_files_pattern($1, insights_client_tmp_t, insights_client_tmp_t)
 ')
+
+########################################
+## <summary>
+##	Allow explicit transition to insights_core_t domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`insights_domtrans_core',`
+	gen_require(`
+		type insights_core_t;
+	')
+
+	allow $1 insights_core_t: process transition;
+	allow insights_core_t $1:fd use;
+	allow insights_core_t $1:fifo_file rw_file_perms;
+	allow insights_core_t $1:process sigchld;
+')

policy/modules/contrib/insights_client.te

@@ -43,6 +43,13 @@ files_tmpfs_file(insights_client_tmpfs_t)
 type insights_client_unit_file_t;
 systemd_unit_file(insights_client_unit_file_t)
 
+type insights_core_t;
+role system_r types insights_core_t;
+domain_type(insights_core_t)
+
+type insights_core_tmp_t;
+files_tmp_file(insights_core_tmp_t)
+
 ########################################
 #
 # insights_client local policy
@@ -417,3 +424,120 @@ optional_policy(`
 optional_policy(`
 	virt_stream_connect(insights_client_t)
 ')
+
+########################################
+#
+# insights_core local policy
+#
+
+# an explicit transition using setexecfilecon()
+insights_domtrans_core(insights_client_t)
+
+#allow insights_core_t self:socket_class_set create_socket_perms;
+allow insights_core_t self:appletalk_socket create_socket_perms;
+allow insights_core_t self:ax25_socket create_socket_perms;
+allow insights_core_t self:ipx_socket create_socket_perms;
+allow insights_core_t self:netlink_route_socket r_netlink_socket_perms;
+allow insights_core_t self:netlink_tcpdiag_socket create_socket_perms;
+allow insights_core_t self:netrom_socket create_socket_perms;
+allow insights_core_t self:rose_socket create_socket_perms;
+allow insights_core_t self:socket create_socket_perms;
+allow insights_core_t self:tcp_socket create_stream_socket_perms;
+allow insights_core_t self:udp_socket create_socket_perms;
+allow insights_core_t self:unix_dgram_socket create_socket_perms;
+allow insights_core_t self:x25_socket create_socket_perms;
+
+manage_dirs_pattern(insights_core_t, insights_core_tmp_t, insights_core_tmp_t)
+manage_files_pattern(insights_core_t, insights_core_tmp_t, insights_core_tmp_t)
+files_tmp_filetrans(insights_core_t, insights_core_tmp_t, { dir file })
+
+read_files_pattern(insights_core_t, insights_client_cache_t, insights_client_cache_t)
+create_files_pattern(insights_core_t, insights_client_cache_t, insights_client_cache_t)
+allow insights_core_t insights_client_cache_t:file { write };
+
+read_files_pattern(insights_core_t, insights_client_etc_t, insights_client_etc_t)
+create_files_pattern(insights_core_t, insights_client_etc_t, insights_client_etc_t)
+#allow insights_core_t insights_client_etc_t:file { write };
+allow insights_core_t insights_client_etc_rw_t:file { getattr ioctl open read write };
+
+rw_files_pattern(insights_core_t, insights_client_var_lib_t, insights_client_var_lib_t)
+create_files_pattern(insights_core_t, insights_client_var_lib_t, insights_client_var_lib_t)
+
+append_files_pattern(insights_core_t, insights_client_var_log_t, insights_client_var_log_t)
+create_files_pattern(insights_core_t, insights_client_var_log_t, insights_client_var_log_t)
+allow insights_core_t insights_client_tmp_t:file { open };
+
+kernel_read_proc_files(insights_core_t)
+kernel_list_proc(insights_core_t)
+kernel_read_fs_sysctls(insights_core_t)
+kernel_read_network_state_symlinks(insights_core_t)
+kernel_read_software_raid_state(insights_core_t)
+kernel_read_sysctl(insights_core_t)
+kernel_view_key(insights_core_t)
+
+corecmd_bin_entry_type(insights_core_t)
+corecmd_exec_bin(insights_core_t)
+
+corenet_tcp_bind_generic_node(insights_core_t)
+corenet_tcp_connect_http_port(insights_core_t)
+
+dev_getattr_apm_bios_dev(insights_core_t)
+dev_getattr_autofs_dev(insights_core_t)
+dev_getattr_cpu_dev(insights_core_t)
+dev_getattr_dri_dev(insights_core_t)
+dev_getattr_generic_usb_dev(insights_core_t)
+dev_getattr_input_dev(insights_core_t)
+dev_getattr_loop_control(insights_core_t)
+dev_getattr_lvm_control(insights_core_t)
+dev_getattr_mouse_dev(insights_core_t)
+dev_getattr_netcontrol_dev(insights_core_t)
+dev_getattr_sound_dev(insights_core_t)
+dev_getattr_vfio_dev(insights_core_t)
+dev_getattr_xserver_misc_dev(insights_core_t)
+dev_read_sysfs(insights_core_t)
+
+files_getattr_all_files(insights_client_t)
+files_getattr_all_blk_files(insights_client_t)
+files_getattr_all_chr_files(insights_client_t)
+files_getattr_all_file_type_fs(insights_client_t)
+files_getattr_all_pipes(insights_client_t)
+files_getattr_all_sockets(insights_client_t)
+files_read_all_symlinks(insights_client_t)
+
+optional_policy(`
+	auth_read_passwd_file(insights_core_t)
+')
+
+optional_policy(`
+	gnome_search_gconf(insights_core_t)
+')
+
+optional_policy(`
+	gpg_entry_type(insights_core_t)
+	gpg_exec(insights_core_t)
+')
+
+optional_policy(`
+	init_rw_stream_sockets(insights_core_t)
+	init_view_key(insights_core_t)
+')
+
+optional_policy(`
+	libs_exec_ldconfig(insights_core_t)
+')
+
+optional_policy(`
+	miscfiles_read_generic_certs(insights_core_t)
+')
+
+optional_policy(`
+	rhsmcertd_read_config_files(insights_core_t)
+')
+
+optional_policy(`
+	sysnet_read_config(insights_core_t)
+')
+
+optional_policy(`
+	userdom_search_user_tmp_dirs(insights_core_t)
+')