Allow cloud_init create dhclient var files and init_t manage net_conf_t

Add macro to allow domain read, write, create and delete network config pipes. Allow init_t rw net_conf_t fifo files. Cloud init listens on the FIFO file /run/cloud-init/hook-hotplug-cmd, which is created during a udev network Addresses the following denials: type=AVC msg=audit(07/28/2023 09:10:59.598:306) : avc: denied { add_name } for pid=1 comm=systemd name=hook-hotplug-cmd scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=dir permissive=1 ---- type=AVC msg=audit(07/28/2023 09:10:59.598:307) : avc: denied { create } for pid=1 comm=systemd name=hook-hotplug-cmd scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=fifo_file permissive=1 ---- type=AVC msg=audit(07/28/2023 09:10:59.598:308) : avc: denied { read write } for pid=1 comm=systemd name=hook-hotplug-cmd dev="tmpfs" ino=1069 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=fifo_file permissive=1 ---- type=AVC msg=audit(07/28/2023 09:10:59.598:309) : avc: denied { open } for pid=1 comm=systemd path=/run/cloud-init/hook-hotplug-cmd dev="tmpfs" ino=1069 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=fifo_file permissive=1 Resolves: rhbz#2225418
fedora-selinux · Aug 11, 2023 · cbd3b21 · cbd3b21
1 parent f4e9f9d
commit cbd3b21
Show file tree

Hide file tree

Showing 3 changed files with 21 additions and 0 deletions.
diff --git a/policy/modules/contrib/cloudform.te b/policy/modules/contrib/cloudform.te
@@ -164,6 +164,7 @@ optional_policy(`
 ')
 
 optional_policy(`
+    sysnet_domtrans_dhcpc(cloud_init_t)
     sysnet_domtrans_ifconfig(cloud_init_t)
     sysnet_read_dhcpc_state(cloud_init_t)
     sysnet_dns_name_resolve(cloud_init_t)

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
@@ -870,6 +870,7 @@ optional_policy(`
 
 optional_policy(`
     sysnet_filetrans_cloud_net_conf(init_t)
+    sysnet_manage_config_pipes(init_t)
 ')
 
 optional_policy(`

diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if
@@ -634,6 +634,25 @@ interface(`sysnet_manage_config_dirs',`
 	manage_dirs_pattern($1, net_conf_t, net_conf_t)
 ')
 
+########################################
+## <summary>
+##	Create, read, write and delete 
+##      network config pipes.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sysnet_manage_config_pipes',`
+	gen_require(`
+		type net_conf_t;
+	')
+
+	manage_fifo_files_pattern($1, net_conf_t, net_conf_t)
+')
+
 #######################################
 ## <summary>
 ##	Read the dhcp client pid file.