commit: 3bb0856ee33087c776c358be3fef004f9174d274
Author: Dave Sugar <dsugar100 <AT> gmail <DOT> com>
AuthorDate: Thu Feb 6 18:57:21 2025 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Mar 8 23:01:08 2025 +0000
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=3bb0856e
Allow fapolicyd to watch /run/netns directory
/run/netns is a tmpfs mountpoint
node=localhost type=AVC msg=audit(1738868630.348:1695): avc: denied {
watch_sb watch_with_perm } for pid=967 comm="fapolicyd" path="/run/netns"
dev="tmpfs" ino=1954
Signed-off-by: Dave Sugar <dsugar100 <AT> gmail.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>
policy/modules/admin/fapolicyd.te | 3 +++
policy/modules/system/sysnetwork.if | 36 ++++++++++++++++++++++++++++++++++++
2 files changed, 39 insertions(+)
diff --git a/policy/modules/admin/fapolicyd.te
b/policy/modules/admin/fapolicyd.te
index ba69a4d55..6274a56a9 100644
--- a/policy/modules/admin/fapolicyd.te
+++ b/policy/modules/admin/fapolicyd.te
@@ -84,6 +84,9 @@ fs_watch_all_fs(fapolicyd_t)
logging_log_filetrans(fapolicyd_t, fapolicyd_log_t, file)
logging_send_syslog_msg(fapolicyd_t)
+sysnet_watch_sb_netns_dirs(fapolicyd_t)
+sysnet_watch_with_perm_netns_dirs(fapolicyd_t)
+
fapolicyd_mmap_read_config_files(fapolicyd_t)
optional_policy(`
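Review bot: The two new sysnet_watch_*_netns_dirs calls carry no comment explaining why they are needed next to the existing fs_watch_all_fs(fapolicyd_t) shown in the hunk header, so a later reader may treat them as redundant and drop them. If fs_watch_all_fs() grants watch on filesystem types rather than on file types, as its name suggests, the /run/netns directory (type ifconfig_runtime_t, per the filetrans in sysnetwork.if) would indeed fall outside it, which is what the AVC in the commit message shows. A one-line comment above the calls would record that, e.g. `# /run/netns is a tmpfs mountpoint labeled ifconfig_runtime_t; not covered by fs_watch_all_fs()`. Note also that watch_with_perm lets fapolicyd_t receive fanotify permission events for that directory, i.e. it can veto access there, which is fapolicyd's purpose but is worth stating next to the grant.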
diff --git a/policy/modules/system/sysnetwork.if
b/policy/modules/system/sysnetwork.if
index c7d4720f1..58103e8c4 100644
--- a/policy/modules/system/sysnetwork.if
+++ b/policy/modules/system/sysnetwork.if
@@ -793,6 +793,42 @@ interface(`sysnet_create_netns_dirs',`
files_runtime_filetrans($1, ifconfig_runtime_t, dir, "netns")
')
+########################################
+## <summary>
+## Watch the /run/netns directory for superblock changes
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sysnet_watch_sb_netns_dirs',`
+ gen_require(`
+ type ifconfig_runtime_t;
+ ')
+
+ allow $1 ifconfig_runtime_t:dir watch_sb;
+')
+
+########################################
+## <summary>
+## Watch the /run/netns directory with fanofiy masks
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sysnet_watch_with_perm_netns_dirs',`
+ gen_require(`
+ type ifconfig_runtime_t;
+ ')
+
+ allow $1 ifconfig_runtime_t:dir watch_with_perm;
+')
+
########################################
## <summary>
## Create an object in the /run/netns
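Review bot: The interface summaries describe "the /run/netns directory", but the rules at `allow $1 ifconfig_runtime_t:dir watch_sb;` and `allow $1 ifconfig_runtime_t:dir watch_with_perm;` apply to every directory of type ifconfig_runtime_t, so if that type labels other ifconfig runtime directories the grant is wider than documented. Consider wording both summaries as `Watch ifconfig runtime directories, e.g. /run/netns, for superblock changes` and `... with fanotify permission-event masks`, which also fixes the typo "fanofiy" in the second summary. The two interfaces are otherwise consistent with the sibling sysnet_create_netns_dirs interface whose tail is visible at the top of the hunk; the surrounding interface after the insertion point continues outside the hunk.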