

Allow named and ndc the io_uring sqpoll permission
The commit addresses the following example AVC denial:
type=PROCTITLE msg=audit(07/18/2023 11:57:52.157:925) : proctitle=/usr/sbin/named -u named -c /etc/named.conf
type=SYSCALL msg=audit(07/18/2023 11:57:52.157:925) : arch=x86_64 syscall=io_uring_setup success=no exit=EACCES(Permission denied) a0=0x40 a1=0x7fffbb6a9020 a2=0x0 a3=0x56537b7683f0 items=0 ppid=35360 pid=35361 auid=unset uid=named gid=named euid=named suid=named fsuid=named egid=named sgid=named fsgid=named tty=(none) ses=unset comm=named exe=/usr/sbin/named subj=system_u:system_r:named_t:s0 key=(null)
type=AVC msg=audit(07/18/2023 11:57:52.157:925) : avc:  denied  { sqpoll } for  pid=35361 comm=named scontext=system_u:system_r:named_t:s0 tcontext=system_u:system_r:named_t:s0 tclass=io_uring permissive=0
zpytela committed Sep 29, 2023
1 parent 0647928 commit 6609752
Showing 1 changed file with 2 additions and 0 deletions.
2 changes: 2 additions & 0 deletions policy/modules/contrib/bind.te
Expand Up @@ -77,6 +77,7 @@ role ndc_roles types ndc_t;
allow named_t self:capability { chown dac_read_search dac_override fowner kill net_admin net_raw setgid setuid sys_chroot sys_nice sys_resource };
dontaudit named_t self:capability sys_tty_config;
allow named_t self:capability2 block_suspend;
allow named_t self:io_uring sqpoll;
allow named_t self:process { setsched getcap setcap setrlimit signal_perms };
allow named_t self:fifo_file rw_fifo_file_perms;
allow named_t self:unix_stream_socket { accept connectto listen };
Expand Down Expand Up @@ -262,6 +263,7 @@ optional_policy(`

allow ndc_t self:capability { dac_read_search net_admin };
allow ndc_t self:capability2 block_suspend;
allow ndc_t self:io_uring sqpoll;
allow ndc_t self:process { fork signal_perms };
dontaudit ndc_t self:process setsched;
allow ndc_t self:fifo_file rw_fifo_file_perms;
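Review bot: The second rule, `allow ndc_t self:io_uring sqpoll;` in the second hunk, has no supporting evidence on the page — the AVC quoted in the commit message is for named_t only (comm=named, scontext and tcontext both named_t) — so the ndc_t grant appears to be by inference, presumably because both programs share the same event-loop library. Either quote an ndc denial in the commit message or put a short why-comment above each rule so the next maintainer knows what the permission is for, e.g. `# io_uring_setup() with submission polling; see AVC in the commit message`. That comment should also record whether the denial was actually breaking the daemon or merely noisy: if the program falls back to ordinary I/O when io_uring_setup() fails, a dontaudit rule would keep the policy tighter than allowing a network-facing daemon to spawn a kernel submission-polling thread. Both rules are scoped to self, so the grant is otherwise as narrow as the io_uring class allows.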

