From ac5d0724651476178ea1278589ef6ec54fc3c409 Mon Sep 17 00:00:00 2001
From: Dominick Grift
Date: Thu, 26 Sep 2013 23:46:32 +0200
Subject: [PATCH] sysnetwork: Debian stores network interface configuration in /run/network (ifstate), That directory is created by the /etc/init.d/networking script.
Signed-off-by: Dominick Grift
---
 policy/modules/system/sysnetwork.fc | 5 +++++
 policy/modules/system/sysnetwork.if | 13 ++++++++++++-
 policy/modules/system/sysnetwork.te | 4 ++++
 3 files changed, 21 insertions(+), 1 deletion(-)
diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc
index 346a7cc8b..40edc18ab 100644
--- a/policy/modules/system/sysnetwork.fc
+++ b/policy/modules/system/sysnetwork.fc
@@ -72,3 +72,8 @@ ifdef(`distro_redhat',`
 ifdef(`distro_gentoo',`
 /var/lib/dhcpc(/.*)? gen_context(system_u:object_r:dhcpc_state_t,s0)
 ')
+
+ifdef(`distro_debian',`
+/var/run/network(/.*)? gen_context(system_u:object_r:net_conf_t,s0)
+')
+
diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if
index 694452668..fb0b50e31 100644
--- a/policy/modules/system/sysnetwork.if
+++ b/policy/modules/system/sysnetwork.if
@@ -287,7 +287,7 @@ interface(`sysnet_setattr_config',`
 ')
 files_search_etc($1)
- allow $1 net_conf_t:file setattr;
+ allow $1 net_conf_t:file setattr_file_perms;
 ')
 #######################################
@@ -333,6 +333,12 @@ interface(`sysnet_read_config',`
 allow $1 net_conf_t:dir list_dir_perms;
 read_files_pattern($1, net_conf_t, net_conf_t)
 ')
+
+ ifdef(`distro_debian',`
+ files_search_pids($1)
+ allow $1 net_conf_t:dir list_dir_perms;
+ read_files_pattern($1, net_conf_t, net_conf_t)
+ ')
 ')
 #######################################
@@ -435,6 +441,11 @@ interface(`sysnet_manage_config',`
 ifdef(`distro_redhat',`
 manage_files_pattern($1, net_conf_t, net_conf_t)
 ')
+
+ ifdef(`distro_debian',`
+ files_search_pids($1)
+ manage_files_pattern($1, net_conf_t, net_conf_t)
+ ')
 ')
 #######################################
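Review bot: In the sysnetwork.fc hunk, `/var/run/network(/.*)?` puts ifupdown's runtime state (ifstate) under `net_conf_t`, the type this module also uses for network configuration files, so any domain already allowed to write `net_conf_t` can modify interface state on Debian as well. If the reuse is deliberate, record it above the entry with a comment such as `# Debian ifupdown state (ifstate); directory is created by /etc/init.d/networking`; otherwise a dedicated runtime type would keep the two grants apart. The commit message names /run/network while the spec uses /var/run/network, which presumably relies on the policy's /run and /var/run equivalence and is worth stating in the same comment.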
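Review bot: The Debian blocks added to `sysnet_read_config` and, in the following hunk, to `sysnet_manage_config` in sysnetwork.if extend what every caller of these interfaces receives, and nothing in the hunks updates the interface documentation to say so. Both interfaces begin outside the hunks, so their `## <summary>` headers are not visible here; each should state that on Debian the grant also covers the runtime state under /run/network and includes `files_search_pids`. Because these interfaces are likely called by a large number of domains, it is worth confirming on a built Debian policy that no caller of `sysnet_manage_config` gains write access to ifstate that it does not need.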
diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
index 18f87b77b..f2d165a30 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -39,6 +39,10 @@ role system_r types ifconfig_t;
 type net_conf_t alias resolv_conf_t;
 files_type(net_conf_t)
+ifdef(`distro_debian',`
+ init_daemon_run_dir(net_conf_t, "network")
+')
+
 ########################################
 #
 # DHCP client local policy
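Review bot: `init_daemon_run_dir(net_conf_t, "network")` is applied to the general configuration type, so whatever attributes that interface assigns to its argument will, on Debian, also apply to every other file labelled `net_conf_t`. If it marks the type as a pid-file or daemon run-directory type, as its name suggests, rules written against all pid files would then reach the resolver configuration too. Comparing `sesearch -A -t net_conf_t` on a built Debian policy before and after the change would show whether new subjects appear. The directory transition presumably covers only creation by the init script domain, so a comment such as `# /run/network is created by /etc/init.d/networking` above the call would document that assumption.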