Add selinux policy module that works for otelcol-sumo as installed using install script. #807

@jspaleta

Users with selinux enforcing systems will want to confine otelcol using selinux policy.

I've put together an example selinux policy that works on my Fedora 36 developer environment laptop.

https://github.com/jspaleta/opentelemetry-collector-selinux-policies/tree/main/otelcol-sumo

You can compile and install the selinux policy using the otelcol-sumo.sh script provided in that directory assuming you have the selinux policy development tools installed.

From there it's a matter of adding additional policy allow/deny statements to the otelcol_sumo.te file as additional otelcol workloads are added. For example, the reference policy needs to be extended to read mysql logs.

Important note: the otelcol_sumo.te provided in that repository makes reference to existing selinux policy functions that might be specific to Fedora 36. This policy may need to be refactored to better support selinux for specific releases of selinux targets. For example, RHEL 7 might not define all the policy functions in use in the reference policy I created.

Here's a SumoLogic slack conversation reference concerning a customer ask for reference selinux policy:
https://sumologic.slack.com/archives/C01KD5GHQ5C/p1661885266713369
