author | Chris PeBenito <Christopher.PeBenito@microsoft.com> | 2022-05-02 18:14:55 +0000 |
---|---|---|
committer | Jason Zaman <perfinion@gentoo.org> | 2022-09-03 11:41:55 -0700 |
commit | c333d1b1ae191345652781ccd9d79f6e6f4a16a2 (patch) | |
tree | a246fd13a50b549f2f722d08e4f5ad0ce483da8e | |
parent | devices: Add file context for /dev/vhost-vsock. (diff) | |
iptables: Ioctl cgroup dirs.
avc: denied { ioctl } for pid=7230 comm="ip6tables" path="/sys/fs/cgroup" dev="cgroup2" ino=1
scontext=system_u:system_r:iptables_t:s0
tcontext=system_u:object_r:cgroup_t:s0 tclass=dir
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
Signed-off-by: Jason Zaman <perfinion@gentoo.org>
-rw-r--r-- | policy/modules/kernel/filesystem.if | 19 | ||||
-rw-r--r-- | policy/modules/system/iptables.te | 1 |
2 files changed, 20 insertions, 0 deletions
diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
index cf075a229..fcdb49b61 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -772,6 +772,25 @@ interface(`fs_list_cgroup_dirs', `
 ########################################
 ## <summary>
+## Ioctl cgroup directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_ioctl_cgroup_dirs', `
+ gen_require(`
+ type cgroup_t;
+ ')
+
+ allow $1 cgroup_t:dir ioctl;
+ dev_search_sysfs($1)
+')
+
+########################################
+## <summary>
 ## Delete cgroup directories.
 ## </summary>
 ## <param name="domain">
diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te
index 9e80a9ecc..2004bb813 100644
--- a/policy/modules/system/iptables.te
+++ b/policy/modules/system/iptables.te
@@ -75,6 +75,7 @@ dev_dontaudit_write_mtrr(iptables_t)
 fs_getattr_xattr_fs(iptables_t)
 fs_search_auto_mountpoints(iptables_t)
 fs_list_inotifyfs(iptables_t)
+fs_ioctl_cgroup_dirs(iptables_t)
 mls_file_read_all_levels(iptables_t)
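Review bot: The new `fs_ioctl_cgroup_dirs` interface grants every ioctl request on cgroup_t directories with `allow $1 cgroup_t:dir ioctl;`, while the denial quoted in the commit message does not record which request ip6tables actually issued, so the rule is broader than the one call that triggered it. The `ioctl` permission is a single bit covering all request numbers; if the request is identified (recent kernels print it as `ioctlcmd=` in the AVC record, which this one lacks), the rule could be narrowed with an extended-permission rule such as `allowxperm $1 cgroup_t:dir ioctl { 0x... };` rather than left open. Until that is done the summary should say what is being granted, e.g. `## Ioctl cgroup directories (all ioctl requests; callers still need a rule that lets them open the directory, e.g. fs_list_cgroup_dirs).` That last point matters because this interface grants only `ioctl`, not `open`/`read`/`search` on cgroup_t, and the iptables.te hunk does not show whether iptables_t already has those from elsewhere in the file.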