From 578375480d40a40823960d3d72ed00f38f742fbf Mon Sep 17 00:00:00 2001
From: Kenton Groombridge
Date: Wed, 15 May 2024 11:04:51 -0400
Subject: [PATCH] sysnetwork: allow ifconfig to read usr files
ip wants to read files in /usr/share/iproute2.
type=AVC msg=audit(1715785441.968:297208): avc: denied { read } for pid=3559095 comm="ip" name="group" dev="dm-1" ino=1075055 scontext=staff_u:sysadm_r:ifconfig_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=0
Signed-off-by: Kenton Groombridge
---
 policy/modules/system/sysnetwork.te | 1 +
 1 file changed, 1 insertion(+)
diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
index b5607a2da..8d265a7cc 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -343,6 +343,7 @@ domain_use_interactive_fds(ifconfig_t)
 files_read_etc_files(ifconfig_t)
 files_read_etc_runtime_files(ifconfig_t)
+files_read_usr_files(ifconfig_t)
 fs_getattr_xattr_fs(ifconfig_t)
 fs_read_nsfs_files(ifconfig_t)
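Review bot: The added `files_read_usr_files(ifconfig_t)` lets the domain read every file labeled usr_t, while the denial quoted in the commit message is for one file named `group` that `ip` reads under /usr/share/iproute2. Since that file carries the generic usr_t label, the broad interface is probably the only option short of a dedicated type, but the justification lives only in the commit message. A short comment above the line, e.g. `# ip reads its tables from /usr/share/iproute2`, would keep the reason next to the rule for later least-privilege reviews. The ifconfig_t rule block starts and ends outside this hunk, so whether a narrower grant already exists elsewhere in the module cannot be checked from here.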