cloud-init: Allow use of sudo in runcmd.

Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>

policy/modules/admin/cloudinit.te

@@ -114,6 +114,20 @@ optional_policy(`
 	rpm_domtrans(cloud_init_t)
 ')
 
+optional_policy(`
+	# If sudo is used in runcmd:
+	allow cloud_init_t self:capability sys_resource;
+	allow cloud_init_t self:process { setrlimit setsched };
+
+	sudo_exec(cloud_init_t)
+
+	userdom_search_user_runtime(cloud_init_t)
+
+	optional_policy(`
+		systemd_write_inherited_logind_sessions_pipes(cloud_init_t)
+	')
+')
+
 optional_policy(`
 	systemd_dbus_chat_hostnamed(cloud_init_t)
 ')

policy/modules/admin/sudo.if

@@ -230,3 +230,22 @@ interface(`sudo_sigchld',`
 
 	allow $1 sudodomain:process sigchld;
 ')
+
+########################################
+## <summary>
+##	Execute sudo in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`sudo_exec',`
+	gen_require(`
+		type sudo_exec_t;
+	')
+
+	can_exec($1, sudo_exec_t)
+	corecmd_search_bin($1)
+')