From 3a8d27d65a696020e25797bff38463cd3fde81fb Mon Sep 17 00:00:00 2001
From: Zdenek Pytela
Date: Fri, 20 Dec 2024 17:44:47 +0100
Subject: [PATCH] Allow systemd-networkd use its private tmpfs files
Additionally, allow init (pid 1) rw access to such files.
The commit addresses the following AVC denial:
type=AVC msg=audit(12/20/2024 11:24:50.627:296) : avc: denied { read write } for pid=1 comm=systemd path=/memfd:data-fd (deleted) dev="tmpfs" ino=133 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:systemd_networkd_tmpfs_t:s0 tclass=file permissive=0
---
 policy/modules/system/init.te | 1 +
 policy/modules/system/systemd.if | 18 ++++++++++++++++++
 2 files changed, 19 insertions(+)
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index d2c0219b62..c832bffe8f 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -572,6 +572,7 @@ optional_policy(`
 systemd_allow_create_mount_dir(init_t)
 systemd_hostnamed_delete_config(init_t)
 systemd_manage_conf_files(init_t)
+ systemd_rw_networkd_tmpfs_files(init_t)
 ')
 optional_policy(`
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index 20363fa30d..df57f42283 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -2734,6 +2734,24 @@ interface(`systemd_networkd_watch_pid_dirs',`
 allow $1 systemd_networkd_var_run_t:dir watch_dir_perms;
 ')
+######################################## ## ## Read and write to systemd-networkd tmpfs files. ## ## ## ## Domain allowed access. ## ## # interface(`systemd_rw_networkd_tmpfs_files',` gen_require(` type systemd_networkd_tmpfs_t; ') allow $1 systemd_networkd_tmpfs_t:file rw_file_perms; ') ######################################## ## ## Mmap systemd_resolved_exec_t files.
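Review bot: The new `systemd_rw_networkd_tmpfs_files(init_t)` call gives no hint of why pid 1 needs systemd-networkd's tmpfs files, and nothing in the name conveys that the trigger in the description is a deleted memfd (`path=/memfd:data-fd`) reaching init_t over a descriptor rather than a file init opens by path. A one-line comment above the call, `# memfd passed from systemd-networkd (path=/memfd:data-fd in the cited AVC)`, would keep a later change from widening this into general tmpfs access. The subject line says systemd-networkd itself is allowed to use these files, but the two hunks only add the interface and this init_t call, so either networkd's own access already exists elsewhere or the subject overstates the patch. The enclosing optional_policy block starts before the hunk, so the condition this call sits under is not visible here.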
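Review bot: `rw_file_perms` in the new interface grants `open` in addition to read/write, while the denial the commit cites is `{ read write }` on a deleted memfd (`/memfd:data-fd`), which points to a descriptor inherited from systemd-networkd rather than a file the caller opens; unless an `open` denial was also observed, `allow $1 systemd_networkd_tmpfs_t:file rw_inherited_file_perms;` would cover the reported case without letting the caller open networkd's tmpfs files on its own. The interface name also departs from its neighbour `systemd_networkd_watch_pid_dirs`, where the networkd prefix precedes the verb; `systemd_networkd_rw_tmpfs_files` would match, with the same rename applied to the call added in init.te. The summary would be more useful if it named the expected use, e.g. `Read and write systemd-networkd tmpfs files, such as memfds inherited from systemd-networkd.`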