selinux-refpolicy/support
Nicolas Iooss 73f9c0c4ef Vagrant: allow VirtualBox provisioning to use dhclient and ip
When provisioning a Debian test virtual machine with VirtualBox (using
the main Vagrantfile), vagrant runs the commands dhclient and ip from an
ssh session because of this directive:

    debian.vm.network "private_network", type: "dhcp"

This triggers:

    type=AVC msg=audit(1578749426.820:68): avc:  denied  { write } for
    pid=541 comm="dhclient" path="pipe:[14006]" dev="pipefs" ino=14006
    scontext=unconfined_u:unconfined_r:dhcpc_t
    tcontext=system_u:system_r:sshd_t tclass=fifo_file permissive=1

    type=PROCTITLE msg=audit(1578749426.820:68):
    proctitle=2F7362696E2F6468636C69656E74002D34002D76002D69002D72002D
    7066002F72756E2F6468636C69656E742E657468312E706964002D6C66002F7661
    722F6C69622F646863702F6468636C69656E742E657468312E6C6561736573002D
    49002D6466002F7661722F6C69622F646863702F6468636C69656E74362E657468
    31

    type=AVC msg=audit(1578749427.868:69): avc:  denied  { read } for
    pid=544 comm="ip" path="pipe:[14005]" dev="pipefs" ino=14005
    scontext=unconfined_u:unconfined_r:ifconfig_t
    tcontext=system_u:system_r:sshd_t tclass=fifo_file permissive=1

    type=AVC msg=audit(1578749427.868:69): avc:  denied  { write } for
    pid=544 comm="ip" path="pipe:[14006]" dev="pipefs" ino=14006
    scontext=unconfined_u:unconfined_r:ifconfig_t
    tcontext=system_u:system_r:sshd_t tclass=fifo_file permissive=1

    type=PROCTITLE msg=audit(1578749427.868:69):
    proctitle=6970002D34006164647200666C757368006465760065746831006C61
    62656C0065746831

Handle this by adding attribute vagrant_provisioning_cmd_type to the
relevant domains, in the policy module specific to the Vagrant test
environments.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2020-01-12 22:45:18 +01:00
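
Added example, not part of the commit or of refpolicy: Python that rejoins the hard-wrapped records of audit event 1578749427.868:69 quoted in the commit message above, merges the denied permissions per event, and decodes the hex PROCTITLE value into the command line that triggered them. The function names `unwrap` and `summarize` are assumptions of this example.

```python
import re
from collections import defaultdict

# Event 1578749427.868:69 copied from the commit message above, wrapping kept.
SAMPLE = """\
type=AVC msg=audit(1578749427.868:69): avc:  denied  { read } for
pid=544 comm="ip" path="pipe:[14005]" dev="pipefs" ino=14005
scontext=unconfined_u:unconfined_r:ifconfig_t
tcontext=system_u:system_r:sshd_t tclass=fifo_file permissive=1
type=AVC msg=audit(1578749427.868:69): avc:  denied  { write } for
pid=544 comm="ip" path="pipe:[14006]" dev="pipefs" ino=14006
scontext=unconfined_u:unconfined_r:ifconfig_t
tcontext=system_u:system_r:sshd_t tclass=fifo_file permissive=1
type=PROCTITLE msg=audit(1578749427.868:69):
proctitle=6970002D34006164647200666C757368006465760065746831006C61
62656C0065746831
"""

def unwrap(text):
    """Rejoin audit records that were hard-wrapped for the commit message."""
    records = []
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("type="):
            records.append(line)
        elif line and records:
            # Only a wrapped proctitle hex run is glued without a space.
            hex_tail = (records[-1].startswith("type=PROCTITLE")
                        and re.fullmatch(r"[0-9A-Fa-f]+", line))
            records[-1] += ("" if hex_tail else " ") + line
    return records

def summarize(text):
    """Group denied permissions and the decoded argv by audit event id."""
    events = defaultdict(lambda: {"perms": set(), "argv": None})
    for rec in unwrap(text):
        ev = events[re.search(r"msg=audit\(([^)]+)\)", rec).group(1)]
        if rec.startswith("type=AVC"):
            ev["perms"].update(re.search(r"\{([^}]*)\}", rec).group(1).split())
            ev["source"] = re.search(r"scontext=(\S+)", rec).group(1).split(":")[2]
            ev["target"] = re.search(r"tcontext=(\S+)", rec).group(1).split(":")[2]
            ev["tclass"] = re.search(r"tclass=(\S+)", rec).group(1)
        elif rec.startswith("type=PROCTITLE"):
            hexval = re.search(r"proctitle=([0-9A-Fa-f]+)$", rec)
            if hexval:  # hex-encoded because argv entries are NUL-separated
                raw = bytes.fromhex(hexval.group(1))
                ev["argv"] = raw.decode("utf-8", "replace").split("\x00")
    return dict(events)

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

For this event the result shows ifconfig_t denied read and write on an sshd_t fifo_file, with the command line `ip -4 addr flush dev eth1 label eth1`.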
..
comment_move_decl.sed refpolicy: Infiniband pkeys and endports 2017-05-24 19:23:18 -04:00
divert.m4 Fix infrastructure to expand macros in initrc_context when installing. 2009-08-10 14:00:34 -04:00
fatal_error.m4 m4 errprint: add __program__ info 2017-03-08 17:16:27 +01:00
fc_sort.py fc_sort.py: Use "==" for comparing integers. 2019-10-08 15:45:27 -04:00
genclassperms.py convert build scripts to python3 2017-03-15 02:09:20 +01:00
genhomedircon.py Remove incorrect usages of "is" operator from Python scripts. 2019-11-23 10:12:53 -05:00
gennetfilter.py convert build scripts to python3 2017-03-15 02:09:20 +01:00
gentemplates.sh Add gentemplates.sh to extract template content 2018-06-10 13:23:01 -04:00
get_type_attr_decl.sed Move role declarations to the top of base.conf 2012-02-29 12:08:22 -05:00
iferror.m4 trunk: Add iferror.m4 rather generate it out of the Makefiles. 2008-03-06 20:17:46 +00:00
Makefile.devel Fix find commands in Makefiles 2019-05-22 09:00:23 +02:00
policyvers.py fix travis and genhomedircon 2017-03-18 18:38:20 +01:00
pyplate.py Use raw strings in regular expressions 2017-04-08 12:29:07 +02:00
sedoctool.py Remove incorrect usages of "is" operator from Python scripts. 2019-11-23 10:12:53 -05:00
segenxml.py segenxml.py: fix format usage in warning message 2019-10-01 20:38:58 +02:00
selinux-policy-refpolicy.spec Switch all remaining Python references to the Python 3 interpreter. 2018-05-31 17:41:59 -04:00
selinux-refpolicy-sources.spec.skel Switch all remaining Python references to the Python 3 interpreter. 2018-05-31 17:41:59 -04:00
set_bools_tuns.awk remove trailing whitespaces 2016-12-06 13:45:13 +01:00
undivert.m4 Fix infrastructure to expand macros in initrc_context when installing. 2009-08-10 14:00:34 -04:00
vagrant-vm.cil Vagrant: allow VirtualBox provisioning to use dhclient and ip 2020-01-12 22:45:18 +01:00