selinux: Add rules for sysctl and /proc/net accesses

That's what we actually need to check networking-related sysctls,
to scan for bound ports, and to manipulate bits of network
configuration inside pasta's target namespaces.

Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Acked-by: Richard W.M. Jones <rjones@redhat.com>
This commit is contained in:
Stefano Brivio 2023-08-15 19:50:48 +02:00
parent 56b8633a6b
commit 977652155d
2 changed files with 4 additions and 0 deletions


@ -103,6 +103,7 @@ allow passt_t net_conf_t:file { open read };
allow passt_t net_conf_t:lnk_file read; allow passt_t net_conf_t:lnk_file read;
allow passt_t tmp_t:sock_file { create unlink write }; allow passt_t tmp_t:sock_file { create unlink write };
allow passt_t self:netlink_route_socket { bind create nlmsg_read read write setopt }; allow passt_t self:netlink_route_socket { bind create nlmsg_read read write setopt };
kernel_search_network_sysctl(passt_t)
corenet_tcp_bind_all_nodes(passt_t) corenet_tcp_bind_all_nodes(passt_t)
corenet_udp_bind_all_nodes(passt_t) corenet_udp_bind_all_nodes(passt_t)
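Review bot: `kernel_search_network_sysctl(passt_t)` on the added line only grants directory search under the sysctl tree, so it lets passt reach the network sysctl paths but not read their values; the commit message says the rules are needed "to check networking-related sysctls", which normally also needs `sysctl_net_t:file { open read }`, and no such rule is visible in this hunk or its context. If that file access already exists elsewhere in the file this is fine; if not, `kernel_read_net_sysctls(passt_t)` (which, in refpolicy as far as I recall, bundles the directory search with the file read) would express the intent in one line instead of a search rule plus a later raw allow. Keeping the interface call rather than a raw `allow passt_t sysctl_net_t:dir search;` is consistent with the `corenet_*` calls that follow it. The surrounding policy continues outside the hunk.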


@ -133,6 +133,7 @@ allow syslogd_t self:cap_userns sys_ptrace;
allow pasta_t proc_net_t:file { open read }; allow pasta_t proc_net_t:file { open read };
allow pasta_t net_conf_t:file { open read }; allow pasta_t net_conf_t:file { open read };
allow pasta_t self:netlink_route_socket { bind create nlmsg_read nlmsg_write setopt read write }; allow pasta_t self:netlink_route_socket { bind create nlmsg_read nlmsg_write setopt read write };
kernel_search_network_sysctl(pasta_t)
allow pasta_t tmp_t:sock_file { create unlink write }; allow pasta_t tmp_t:sock_file { create unlink write };
@ -186,4 +187,6 @@ allow pasta_t sysctl_net_t:dir search;
allow pasta_t sysctl_net_t:file { open write }; allow pasta_t sysctl_net_t:file { open write };
allow pasta_t kernel_t:system module_request; allow pasta_t kernel_t:system module_request;
allow pasta_t net_conf_t:lnk_file read;
allow pasta_t proc_net_t:lnk_file read;
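Review bot: `kernel_search_network_sysctl(pasta_t)` added in the first hunk appears to overlap with the raw `allow pasta_t sysctl_net_t:dir search;` that the second hunk's header shows at file line 186; if the interface is being added because it also grants search on the parent sysctl directory (sysctl_t), which a raw `sysctl_net_t:dir search` alone does not, then the raw rule becomes redundant once the interface is in place and could be dropped. The same section keeps `allow pasta_t sysctl_net_t:file { open write }` as a raw rule next to the new interface call, so the sysctl access is now split across a macro and two hand-written allows; a single `kernel_rw_net_sysctls(pasta_t)` would cover search, read and write of the network sysctls and make the grant easier to audit, provided write access is genuinely intended for every network sysctl rather than specific ones. The two `lnk_file read` rules added at the end of the second hunk match the existing `proc_net_t:file` and `net_conf_t:file` rules above and raise no concern. Both hunks sit inside a policy file whose beginning and end are outside this view.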