Merge pull request #859 from dsugar100/fapolicyd_watch_network_namespace

Allow fapolicyd to watch /run/netns

Author: pebenito

policy/modules/admin/fapolicyd.te

@@ -84,6 +84,9 @@ fs_watch_all_fs(fapolicyd_t)
 logging_log_filetrans(fapolicyd_t, fapolicyd_log_t, file)
 logging_send_syslog_msg(fapolicyd_t)
 
+sysnet_watch_sb_netns_dirs(fapolicyd_t)
+sysnet_watch_with_perm_netns_dirs(fapolicyd_t)
+
 fapolicyd_mmap_read_config_files(fapolicyd_t)
 
 optional_policy(`

policy/modules/system/sysnetwork.if

@@ -793,6 +793,42 @@ interface(`sysnet_create_netns_dirs',`
 	files_runtime_filetrans($1, ifconfig_runtime_t, dir, "netns")
 ')
 
+########################################
+## <summary>
+##	Watch the /run/netns directory for superblock changes
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`sysnet_watch_sb_netns_dirs',`
+	gen_require(`
+		type ifconfig_runtime_t;
+	')
+
+	allow $1 ifconfig_runtime_t:dir watch_sb;
+')
+
+########################################
+## <summary>
+##	Watch the /run/netns directory with fanofiy masks
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`sysnet_watch_with_perm_netns_dirs',`
+	gen_require(`
+		type ifconfig_runtime_t;
+	')
+
+	allow $1 ifconfig_runtime_t:dir watch_with_perm;
+')
+
 ########################################
 ## <summary>
 ##	Create an object in the /run/netns