From da00af282f14e60bd39544182d12b1d16dc7989e Mon Sep 17 00:00:00 2001 From: Zdenek Pytela Date: Thu, 19 Oct 2023 22:46:01 +0200 Subject: [PATCH] Allow virtnetworkd domain transition on tc command execution The tc command is from the iproute-tc (Linux Traffic Control utility) package and has the ifconfig_exec_t type, as well as the ip command. The commit addresses the following issues reported in journal: hostname audit[1112]: AVC avc: denied { execute } for pid=1112 comm="rpc-virtnetwork" name="tc" dev="vda5" ino=71062 scontext=system_u:system_r:virtnetworkd_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file permissive=0 hostname virtnetworkd[1112]: Cannot find 'tc' in path: No such file or directory --- policy/modules/contrib/virt.te | 1 + 1 file changed, 1 insertion(+) diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te index af18689495..e2fef557a8 100644 --- a/policy/modules/contrib/virt.te +++ b/policy/modules/contrib/virt.te @@ -1885,6 +1885,7 @@ corenet_rw_tun_tap_dev(virtnetworkd_t) dev_rw_sysfs(virtnetworkd_t) +sysnet_domtrans_ifconfig(virtnetworkd_t) sysnet_read_config(virtnetworkd_t) optional_policy(`
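Review bot: The added `sysnet_domtrans_ifconfig(virtnetworkd_t)` line in the `virtnetworkd_t` block of `virt.te` is wider than the subject line suggests, and the commit message should say so. As the message itself notes, `tc` shares `ifconfig_exec_t` with `ip`, so the transition applies to every binary carrying that label that virtnetworkd executes, not only `tc`. Please state in the commit message that this is intended. Please also say why a domain transition was chosen over executing in the caller's domain (`sysnet_exec_ifconfig`), since the quoted AVC shows only the `execute` denial. That AVC was recorded with `permissive=0`, so it shows only the first denial. It would help to confirm that no further denials appear once `tc` runs in the ifconfig domain with descriptors inherited from `virtnetworkd_t`.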