From 56d16a79ae1e596228092f622f1e0cd4590e90c0 Mon Sep 17 00:00:00 2001
From: bauen1
Date: Sat, 28 Sep 2019 14:50:50 +0200
Subject: [PATCH] bird: fixes for bird 2.0
Signed-off-by: bauen1
bird: allow admin to connect to the bird daemon socket
Signed-off-by: bauen1
bird: read /proc/sys/crypto/fips_enabled
Signed-off-by: bauen1
---
policy/modules/services/bird.fc | 2 ++
policy/modules/services/bird.if | 2 ++
policy/modules/services/bird.te | 10 ++++++++--
3 files changed, 12 insertions(+), 2 deletions(-)
diff --git a/policy/modules/services/bird.fc b/policy/modules/services/bird.fc
index 00739632c..ae343ff97 100644
--- a/policy/modules/services/bird.fc
+++ b/policy/modules/services/bird.fc
@@ -11,3 +11,5 @@
 /var/log/bird\.log.* -- gen_context(system_u:object_r:bird_log_t,s0)
 /run/bird\.ctl -s gen_context(system_u:object_r:bird_runtime_t,s0)
+
+/run/bird(/.*)? gen_context(system_u:object_r:bird_runtime_t,s0)
diff --git a/policy/modules/services/bird.if b/policy/modules/services/bird.if
index 166115276..c0035fc3e 100644
--- a/policy/modules/services/bird.if
+++ b/policy/modules/services/bird.if
@@ -36,4 +36,6 @@ interface(`bird_admin',`
  files_list_pids($1)
  admin_pattern($1, bird_runtime_t)
+
+ stream_connect_pattern($1, bird_runtime_t, bird_runtime_t, bird_t)
 ')
diff --git a/policy/modules/services/bird.te b/policy/modules/services/bird.te
index 5592ac361..0cbc084ed 100644
--- a/policy/modules/services/bird.te
+++ b/policy/modules/services/bird.te
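Review bot: The control-socket access in the bird.if hunk is inlined into `bird_admin` as `stream_connect_pattern($1, bird_runtime_t, bird_runtime_t, bird_t)`, so a domain that only needs to talk to the daemon over `/run/bird.ctl` (a monitoring or orchestration domain, say) cannot be granted that without also receiving full admin rights; refpolicy convention is a dedicated `bird_stream_connect($1)` interface that `bird_admin` then calls. The `interface(`bird_admin',`` block starts before the hunk, and its `<summary>` doc block there should state that admin now includes connecting to the daemon's control socket, since the commit message says that is what this grant is for. The new interface would look like the following, with `bird_admin` calling it in place of the inlined pattern.
```m4
########################################
## <summary>
##	Connect to bird over its control socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`bird_stream_connect',`
	gen_require(`
		type bird_t, bird_runtime_t;
	')

	files_search_pids($1)
	stream_connect_pattern($1, bird_runtime_t, bird_runtime_t, bird_t)
')

# … unchanged: bird_admin doc block, gen_require and its existing admin rules …
	admin_pattern($1, bird_runtime_t)

	bird_stream_connect($1)
')
```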
@@ -26,17 +26,23 @@ files_pid_file(bird_runtime_t)
 # Local policy
 #
-allow bird_t self:capability net_admin;
+allow bird_t self:capability { net_admin net_raw };
 allow bird_t self:netlink_route_socket create_netlink_socket_perms;
 allow bird_t self:tcp_socket create_stream_socket_perms;
+allow bird_t self:unix_stream_socket create_stream_socket_perms;
+allow bird_t self:rawip_socket { create read write setopt };
 allow bird_t bird_etc_t:file read_file_perms;
+allow bird_t bird_etc_t:dir list_dir_perms;
 allow bird_t bird_log_t:file { create_file_perms append_file_perms setattr_file_perms };
 logging_log_filetrans(bird_t, bird_log_t, file)
 allow bird_t bird_runtime_t:sock_file manage_sock_file_perms;
-files_pid_filetrans(bird_t, bird_runtime_t, sock_file)
+allow bird_t bird_runtime_t:dir manage_dir_perms;
+files_pid_filetrans(bird_t, bird_runtime_t, { sock_file dir })
+
+kernel_read_crypto_sysctls(bird_t)
 corenet_all_recvfrom_unlabeled(bird_t)
 corenet_all_recvfrom_netlabel(bird_t)
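Review bot: `files_pid_filetrans(bird_t, bird_runtime_t, { sock_file dir })` leaves the directory transition unnamed, so any directory bird_t creates directly under /run is labelled bird_runtime_t, while the .fc entry added by this same patch only declares `/run/bird(/.*)?`; keeping the original `files_pid_filetrans(bird_t, bird_runtime_t, sock_file)` and adding a named `files_pid_filetrans(bird_t, bird_runtime_t, dir, "bird")` ties the runtime label to the path the file context actually declares. The new `net_raw` capability and the `rawip_socket { create read write setopt }` grant are not explained in the hunk or in the commit message; a one-line comment above them naming which routing protocol needs raw IP sockets (presumably one carried directly over IP rather than over UDP/TCP — confirm against the denials that motivated the change) lets a later reviewer distinguish a required grant from a leftover one. The explicit permission list, rather than the broader `create_socket_perms` macro, is the right least-privilege choice and is worth stating in that same comment so nobody "normalises" it later.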