From b025e0ec4f04a8e5d9e5b65824a48cda90568a8f Mon Sep 17 00:00:00 2001
From: Nicolas PARLANT <nicolas.parlant@parhuet.fr>
Date: Sat, 1 Mar 2025 23:00:20 +0000
Subject: [PATCH] Add setcap to knotd / add knotc_initrc_domtrans

allow capabilities as it's the default behavior now

allow knotc cmd in init script: knotc conf-check (by default)

Signed-off-by: Nicolas PARLANT <nicolas.parlant@parhuet.fr>
---
 policy/modules/services/knot.if | 19 +++++++++++++++++++
 policy/modules/services/knot.te |  2 +-
 2 files changed, 20 insertions(+), 1 deletion(-)

diff --git a/policy/modules/services/knot.if b/policy/modules/services/knot.if
index 247bb6c94..af98c44ee 100644
--- a/policy/modules/services/knot.if
+++ b/policy/modules/services/knot.if
@@ -45,6 +45,25 @@ interface(`knot_run_client',`
 	roleattribute $2 knot_roles;
 ')
 
+########################################
+## <summary>
+##      Execute knotc in knot init
+##      scripts in the initrc domain.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed to transition.
+##      </summary>
+## </param>
+#
+interface(`knotc_initrc_domtrans',`
+        gen_require(`
+                type knot_initrc_exec_t;
+        ')
+
+        init_labeled_script_domtrans($1, knot_initrc_exec_t)
+')
+
 ########################################
 ## <summary>
 ##      Read knot config files.
diff --git a/policy/modules/services/knot.te b/policy/modules/services/knot.te
index d658d973c..9b5b83173 100644
--- a/policy/modules/services/knot.te
+++ b/policy/modules/services/knot.te
@@ -38,7 +38,7 @@ files_type(knot_var_lib_t)
 #
 
 allow knotd_t self:capability { dac_override dac_read_search setgid setpcap setuid };
-allow knotd_t self:process { getcap getsched setsched signal_perms };
+allow knotd_t self:process { getcap getsched setcap setsched signal_perms };
 allow knotd_t self:tcp_socket create_stream_socket_perms;
 allow knotd_t self:udp_socket create_socket_perms;
 allow knotd_t self:unix_stream_socket create_stream_socket_perms;