Allow systemd-networkd use its private tmpfs files

Additionally, allow init (pid 1) rw access to such files. The commit addresses the following AVC denial: type=AVC msg=audit(12/20/2024 11:24:50.627:296) : avc: denied { read write } for pid=1 comm=systemd path=/memfd:data-fd (deleted) dev="tmpfs" ino=133 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:systemd_networkd_tmpfs_t:s0 tclass=file permissive=0
zpytela · Dec 20, 2024 · 3a8d27d · 3a8d27d
1 parent 0d528ae
commit 3a8d27d
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 0 deletions.
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
@@ -572,6 +572,7 @@ optional_policy(`
     systemd_allow_create_mount_dir(init_t)
     systemd_hostnamed_delete_config(init_t)
 	systemd_manage_conf_files(init_t)
+	systemd_rw_networkd_tmpfs_files(init_t)
 ')
 
 optional_policy(`

diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
@@ -2734,6 +2734,24 @@ interface(`systemd_networkd_watch_pid_dirs',`
 	allow $1 systemd_networkd_var_run_t:dir watch_dir_perms;
 ')
 
+########################################
+## <summary>
+##	Read and write to systemd-networkd tmpfs files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`systemd_rw_networkd_tmpfs_files',`
+	gen_require(`
+		type systemd_networkd_tmpfs_t;
+	')
+
+	allow $1 systemd_networkd_tmpfs_t:file rw_file_perms;
+')
+
 ########################################
 ## <summary>
 ##	Mmap systemd_resolved_exec_t files.