selinux: Add rules for sysctl and /proc/net accesses

That's what we actually need to check networking-related sysctls,
to scan for bound ports, and to manipulate bits of network
configuration inside pasta's target namespaces.

Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Acked-by: Richard W.M. Jones <rjones@redhat.com>

contrib/selinux/passt.te

@@ -103,6 +103,7 @@ allow passt_t net_conf_t:file { open read };
 allow passt_t net_conf_t:lnk_file read;
 allow passt_t tmp_t:sock_file { create unlink write };
 allow passt_t self:netlink_route_socket { bind create nlmsg_read read write setopt };
+kernel_search_network_sysctl(passt_t)
 
 corenet_tcp_bind_all_nodes(passt_t)
 corenet_udp_bind_all_nodes(passt_t)

contrib/selinux/pasta.te

@@ -133,6 +133,7 @@ allow syslogd_t self:cap_userns sys_ptrace;
 allow pasta_t proc_net_t:file { open read };
 allow pasta_t net_conf_t:file { open read };
 allow pasta_t self:netlink_route_socket { bind create nlmsg_read nlmsg_write setopt read write };
+kernel_search_network_sysctl(pasta_t)
 
 allow pasta_t tmp_t:sock_file { create unlink write };
 
@@ -186,4 +187,6 @@ allow pasta_t sysctl_net_t:dir search;
 allow pasta_t sysctl_net_t:file { open write };
 allow pasta_t kernel_t:system module_request;
 
+allow pasta_t net_conf_t:lnk_file read;
+allow pasta_t proc_net_t:lnk_file read;