Commit Graph

2 Commits

Nicolas Iooss
73f9c0c4ef Vagrant: allow VirtualBox provisioning to use dhclient and ip
When provisioning a Debian test virtual machine with VirtualBox (using
the main Vagrantfile), vagrant runs commands dhclient and ip from an ssh
session because of this directive:

    debian.vm.network "private_network", type: "dhcp"

This triggers:

    type=AVC msg=audit(1578749426.820:68): avc:  denied  { write } for
    pid=541 comm="dhclient" path="pipe:[14006]" dev="pipefs" ino=14006
    scontext=unconfined_u:unconfined_r:dhcpc_t
    tcontext=system_u:system_r:sshd_t tclass=fifo_file permissive=1

    type=PROCTITLE msg=audit(1578749426.820:68):
    proctitle=2F7362696E2F6468636C69656E74002D34002D76002D69002D72002D
    7066002F72756E2F6468636C69656E742E657468312E706964002D6C66002F7661
    722F6C69622F646863702F6468636C69656E742E657468312E6C6561736573002D
    49002D6466002F7661722F6C69622F646863702F6468636C69656E74362E657468
    31

    type=AVC msg=audit(1578749427.868:69): avc:  denied  { read } for
    pid=544 comm="ip" path="pipe:[14005]" dev="pipefs" ino=14005
    scontext=unconfined_u:unconfined_r:ifconfig_t
    tcontext=system_u:system_r:sshd_t tclass=fifo_file permissive=1

    type=AVC msg=audit(1578749427.868:69): avc:  denied  { write } for
    pid=544 comm="ip" path="pipe:[14006]" dev="pipefs" ino=14006
    scontext=unconfined_u:unconfined_r:ifconfig_t
    tcontext=system_u:system_r:sshd_t tclass=fifo_file permissive=1

    type=PROCTITLE msg=audit(1578749427.868:69):
    proctitle=6970002D34006164647200666C757368006465760065746831006C61
    62656C0065746831

Handle this by adding attribute vagrant_provisioning_cmd_type to the
relevant domains, in the policy module specific to the Vagrant test
environments.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2020-01-12 22:45:18 +01:00
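Decoding the hex-encoded PROCTITLE fields and grouping the AVC denials quoted in the commit message above, as an added example that is not part of the commit or of the refpolicy repository. The records are copied from the message and re-joined onto single lines; nothing else is assumed.

```python
import re

# Audit records quoted in the commit message above, re-joined onto single lines.
AUDIT_LINES = [
    'type=AVC msg=audit(1578749426.820:68): avc:  denied  { write } for pid=541 comm="dhclient" path="pipe:[14006]" dev="pipefs" ino=14006 scontext=unconfined_u:unconfined_r:dhcpc_t tcontext=system_u:system_r:sshd_t tclass=fifo_file permissive=1',
    'type=AVC msg=audit(1578749427.868:69): avc:  denied  { read } for pid=544 comm="ip" path="pipe:[14005]" dev="pipefs" ino=14005 scontext=unconfined_u:unconfined_r:ifconfig_t tcontext=system_u:system_r:sshd_t tclass=fifo_file permissive=1',
    'type=AVC msg=audit(1578749427.868:69): avc:  denied  { write } for pid=544 comm="ip" path="pipe:[14006]" dev="pipefs" ino=14006 scontext=unconfined_u:unconfined_r:ifconfig_t tcontext=system_u:system_r:sshd_t tclass=fifo_file permissive=1',
]
DHCLIENT_PROCTITLE = (  # the five wrapped hex lines of event 68, concatenated
    "2F7362696E2F6468636C69656E74002D34002D76002D69002D72002D"
    "7066002F72756E2F6468636C69656E742E657468312E706964002D6C66002F7661"
    "722F6C69622F646863702F6468636C69656E742E657468312E6C6561736573002D"
    "49002D6466002F7661722F6C69622F646863702F6468636C69656E74362E657468"
    "31"
)
IP_PROCTITLE = "6970002D34006164647200666C757368006465760065746831006C6162656C0065746831"
PROCTITLE_MAX = 128  # the kernel records at most 128 bytes of the command line

def decode_proctitle(hexstr):
    """Decode a proctitle= hex field into argv (NUL-separated arguments).
    Returns (argv, truncated): truncated means the 128-byte cap was reached,
    so the last argument may be cut short, as in the dhclient event."""
    raw = bytes.fromhex(hexstr)
    argv = [a.decode("utf-8", "replace") for a in raw.rstrip(b"\x00").split(b"\x00")]
    return argv, len(raw) >= PROCTITLE_MAX

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\w+)"
)

def parse_avc(line):
    """Return (source type, target type, class, permissions) for a denial, else None.
    The type is the third field of a context (user:role:type[:level])."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return (m["scon"].split(":")[2], m["tcon"].split(":")[2],
            m["tclass"], frozenset(m["perms"].split()))

def summarize_denials(lines):
    """Merge denials per (source, target, class) into sorted permission lists,
    the view needed to decide which domains get vagrant_provisioning_cmd_type."""
    merged = {}
    for line in lines:
        rec = parse_avc(line)
        if rec is not None:
            merged.setdefault(rec[:3], set()).update(rec[3])
    return {key: sorted(perms) for key, perms in merged.items()}
```

The dhclient event decodes to twelve arguments and reports truncation, so its last path is not to be trusted as complete; the ip event decodes to `ip -4 addr flush dev eth1 label eth1`.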
Nicolas Iooss
7317bd64c0 Vagrantfile: add a specific SELinux policy module
When using Vagrant to run virtual machines with SELinux enabled, several
specific accesses need to be allowed. It does not make much sense to add
the needed rules to the refpolicy, as they are very specific to the use
of Vagrant to provision a virtual machine to test a policy. Therefore,
create a dedicated module to allow the required accesses.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2019-12-22 18:17:36 +01:00