authorNicolas Iooss <nicolas.iooss@m4x.org>2019-12-22 18:17:36 +0100
committerJason Zaman <perfinion@gentoo.org>2020-02-15 15:22:28 +0800
commit256bc04e6ffac4bafeb6e91cb85c18739ead2e89 (patch)
tree7f74402f4a34526c0406e88533da16da01937375 /support
parentVagrantfile: remove sudo (diff)
downloadhardened-refpolicy-256bc04e6ffac4bafeb6e91cb85c18739ead2e89.tar.gz
hardened-refpolicy-256bc04e6ffac4bafeb6e91cb85c18739ead2e89.tar.bz2
hardened-refpolicy-256bc04e6ffac4bafeb6e91cb85c18739ead2e89.zip
Vagrantfile: add a specific SELinux policy module
When using Vagrant to run virtual machines with SELinux enabled, several specific accesses need to be allowed. It does not make much sense to add the needed rules to the refpolicy, as they are very specific to the use of Vagrant to provision a virtual machine to test a policy. Therefore, create a dedicated module to allow the required accesses. Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org> Signed-off-by: Jason Zaman <perfinion@gentoo.org>
Diffstat (limited to 'support')
-rw-r--r--support/vagrant-vm.cil21
1 files changed, 21 insertions, 0 deletions
diff --git a/support/vagrant-vm.cil b/support/vagrant-vm.cil
new file mode 100644
index 000000000..b969ffda1
--- /dev/null
+++ b/support/vagrant-vm.cil
@@ -0,0 +1,21 @@
+; SELinux policy module for running virtual machines with Vagrant
+
+; Vagrant performs "ssh sudo ..." without allocating a pseudo-terminal.
+; This leads sudo to directly using sshd pipes, as well as other processes
+; spawned from the provision scripts. Define an attribute for those processes.
+(typeattribute vagrant_provisioning_cmd_type)
+(typeattributeset vagrant_provisioning_cmd_type (
+ load_policy_t
+ semanage_t
+ setfiles_t
+ sudodomain
+))
+(allow vagrant_provisioning_cmd_type sshd_t (fifo_file (append getattr ioctl read write)))
+
+; "vagrant rsync" makes Vagrant invoke "sudo rsync" without a shell which would
+; make sudo transition out of sysadm_sudo_t.
+; Therefore add a transition from sysadm_sudo_t to sysadm_t through rsync_exec_t
+(optional sysadm_sudo_rsync_transition
+ (allow sysadm_t rsync_exec_t (file (entrypoint)))
+ (typetransition sysadm_sudo_t rsync_exec_t process sysadm_t)
+)
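Review bot: The rule `(allow vagrant_provisioning_cmd_type sshd_t (fifo_file (append getattr ioctl read write)))` grants every domain under `sudodomain`, plus load_policy_t, semanage_t and setfiles_t, read and write access to sshd_t pipes, which is wider than the single "ssh sudo ..." case the comment above describes; if only the sudo domain of the provisioning user needs it, naming that domain instead of the whole `sudodomain` attribute would narrow the grant. The header comment should also say what the commit message says and the file does not, that this module is for Vagrant test VMs only, e.g. `; Intended only for the Vagrant provisioning VM; not part of the reference policy.`. Note that the typeattributeset block is not wrapped in `optional` while the rsync transition is, so if any of the four referenced types is absent from the loaded policy the whole module presumably fails to load rather than degrading; wrapping it the same way, or documenting why it must be unconditional, would make the two halves consistent. The rsync transition appears to rely on existing rules letting sysadm_sudo_t execute rsync_exec_t and transition to sysadm_t; a comment naming those assumed rules would help anyone loading the module on a differently built policy.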