From 77890750330d424a9b44994275774393a9c769f6 Mon Sep 17 00:00:00 2001
From: Zdenek Pytela
Date: Mon, 6 Nov 2023 15:55:56 +0100
Subject: [PATCH] Allow ip an explicit domain transition to other domains

The ip-vrf command can be used to manage virtual routing of other network services. This commit backs the use case with allowing an explicit domain transition from ip to httpd, sshd, and named using setexeccon(3) and additionally a few related permissions.

Resolves: RHEL-9981
---
 policy/modules/system/sysnetwork.te | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
index 41b851f411..e0f1103d39 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -309,7 +309,9 @@ optional_policy(`
 # Ifconfig local policy
 #
+allow ifconfig_t self:bpf { prog_load prog_run };
 allow ifconfig_t self:capability { net_raw net_admin sys_admin sys_tty_config };
+allow ifconfig_t self:capability2 { bpf perfmon };
 allow ifconfig_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack };
 allow ifconfig_t self:fd use;
 allow ifconfig_t self:fifo_file rw_fifo_file_perms;
@@ -385,6 +387,8 @@ files_read_etc_files(ifconfig_t)
 files_read_etc_runtime_files(ifconfig_t)
 files_read_usr_files(ifconfig_t)
+fs_manage_cgroup_dirs(ifconfig_t)
+fs_rw_cgroup_files(ifconfig_t)
 fs_getattr_xattr_fs(ifconfig_t)
 fs_unmount_xattr_fs(ifconfig_t)
 fs_search_auto_mountpoints(ifconfig_t)
@@ -393,6 +397,7 @@ fs_mount_nsfs(ifconfig_t)
 fs_unmount_nsfs(ifconfig_t)
 selinux_dontaudit_getattr_fs(ifconfig_t)
+selinux_compute_create_context(ifconfig_t)
 term_dontaudit_use_console(ifconfig_t)
 term_dontaudit_use_all_ttys(ifconfig_t)
@@ -429,6 +434,14 @@ ifdef(`distro_ubuntu',`
 ')
 ')
+optional_policy(`
+ apache_domtrans(ifconfig_t)
+')
+
+optional_policy(`
+ bind_domtrans(ifconfig_t)
+')
+
 optional_policy(`
 brctl_domtrans(ifconfig_t)
 ')
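Review bot: `setexec` is still excluded from the `self:process` allow on the context line directly below the new `capability2` rule, so the setexeccon(3) path the message describes will be denied unless an `allow ifconfig_t self:process setexec;` exists elsewhere in the file; nothing in this patch adds it, so that should be confirmed before merging. The new `self:bpf { prog_load prog_run }` and `capability2 { bpf perfmon }` rules carry no explanation in the policy; if they back `ip vrf exec` attaching a cgroup socket program, a comment such as `# ip vrf exec loads and attaches a cgroup BPF program` above them would record why ip may load BPF programs at all. `perfmon` in particular is worth checking as a hard requirement: the kernel probes CAP_PERFMON during BPF program load and the probe may be audited even when the load succeeds without it, in which case `dontaudit ifconfig_t self:capability2 perfmon;` is the narrower rule.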
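Review bot: `fs_manage_cgroup_dirs(ifconfig_t)` in the second hunk grants create, delete and rename on every cgroup directory, not only the per-VRF one `ip vrf` manages, and neither the policy nor the message says why the full manage set is required rather than search plus `fs_rw_cgroup_files`. If creating one subdirectory and writing its control files is the whole need, that should be stated; a one-line comment above the pair, e.g. `# ip vrf exec creates a cgroup and moves the command into it`, would tie the rules to the use case. This is inferred from the commit message, so verify against the denials that motivated it; the surrounding rule list continues outside the hunk.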
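Review bot: `selinux_compute_create_context(ifconfig_t)` in the third hunk is the permission needed by setexecfilecon(3), whose security_compute_create() call derives the target context, rather than by setexeccon(3) as the message cites; a short comment keeping that reason next to the rule, `# setexecfilecon(3) computes the target domain before setting the exec context`, would stop a later reader from treating it as stray. Confirm against the iproute2 code path that actually labels the exec, since the message alone does not show which call is used.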
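Review bot: `apache_domtrans(ifconfig_t)` and `bind_domtrans(ifconfig_t)` in the fourth hunk (and `ssh_domtrans(ifconfig_t)` in the last hunk) install an automatic `type_transition` on exec in addition to the `process transition` and `file entrypoint` permissions, so any exec of the httpd, named or sshd binaries from ifconfig_t changes domain, not only the explicit setexeccon(3) path the message describes. If the explicit transition is the only intended behaviour, the `*_domtrans` interfaces are broader than needed and the choice should at least be recorded inside each block, e.g. `# ip vrf exec: explicit transition via setexeccon(3)`, so the next reader does not remove what looks like an unrelated auto-transition. The optional_policy list continues past the end of the hunk.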
@@ -488,6 +501,10 @@ optional_policy(`
 ppp_use_fds(ifconfig_t)
 ')
+optional_policy(`
+ ssh_domtrans(ifconfig_t)
+')
+
 optional_policy(`
 unconfined_dontaudit_rw_pipes(ifconfig_t)
 ')