Allow ip an explicit domain transition to other domains

The ip-vrf command can be used to manage virtual routing of other network services. This commit backs the use case with allowing an explicit domain transition from ip to httpd, sshd, and named using setexeccon(3) and additionally a few related permissions. Resolves: RHEL-9981
zpytela · Nov 7, 2023 · 7789075 · 7789075
1 parent d901854
commit 7789075
Showing 1 changed file with 17 additions and 0 deletions.
diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
@@ -309,7 +309,9 @@ optional_policy(`
 # Ifconfig local policy
 #
 
+allow ifconfig_t self:bpf { prog_load prog_run };
 allow ifconfig_t self:capability { net_raw net_admin sys_admin sys_tty_config };
+allow ifconfig_t self:capability2 { bpf perfmon };
 allow ifconfig_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack };
 allow ifconfig_t self:fd use;
 allow ifconfig_t self:fifo_file rw_fifo_file_perms;
@@ -385,6 +387,8 @@ files_read_etc_files(ifconfig_t)
 files_read_etc_runtime_files(ifconfig_t)
 files_read_usr_files(ifconfig_t)
 
+fs_manage_cgroup_dirs(ifconfig_t)
+fs_rw_cgroup_files(ifconfig_t)
 fs_getattr_xattr_fs(ifconfig_t)
 fs_unmount_xattr_fs(ifconfig_t)
 fs_search_auto_mountpoints(ifconfig_t)
@@ -393,6 +397,7 @@ fs_mount_nsfs(ifconfig_t)
 fs_unmount_nsfs(ifconfig_t)
 
 selinux_dontaudit_getattr_fs(ifconfig_t)
+selinux_compute_create_context(ifconfig_t)
 
 term_dontaudit_use_console(ifconfig_t)
 term_dontaudit_use_all_ttys(ifconfig_t)
@@ -429,6 +434,14 @@ ifdef(`distro_ubuntu',`
 	')
 ')
 
+optional_policy(`
+	apache_domtrans(ifconfig_t)
+')
+
+optional_policy(`
+	bind_domtrans(ifconfig_t)
+')
+
 optional_policy(`
 	brctl_domtrans(ifconfig_t)
 ')
@@ -488,6 +501,10 @@ optional_policy(`
 	ppp_use_fds(ifconfig_t)
 ')
 
+optional_policy(`
+	ssh_domtrans(ifconfig_t)
+')
+
 optional_policy(`
 	unconfined_dontaudit_rw_pipes(ifconfig_t)
 ')