add incusd_stream_connect interface to incus

and add rule to other modules taht need to talk
to incusd

Signed-off-by: Marc Schiffbauer <[email protected]>

policy/modules/apps/qemu.te

@@ -51,6 +51,8 @@ tunable_policy(`qemu_full_network',`
 optional_policy(`
 	# make this a tunable?
 
+	incusd_stream_connect(qemu_t)
+
 	files_create_generic_tmp_sockets(qemu_t)
 
 	kernel_read_kernel_sysctls(qemu_t)

policy/modules/roles/sysadm.te

@@ -505,6 +505,10 @@ optional_policy(`
 	ifplugd_admin(sysadm_t, sysadm_r)
 ')
 
+optional_policy(`
+	incusd_stream_connect(sysadm_t)
+')
+
 optional_policy(`
 	inn_admin(sysadm_t, sysadm_r)
 ')

policy/modules/services/dnsmasq.te

@@ -103,6 +103,7 @@ optional_policy(`
 ')
 
 optional_policy(`
+	incusd_stream_connect(dnsmasq_t)
 	container_manage_var_lib_files(dnsmasq_t)
 	container_manage_log_files(dnsmasq_t)
 	container_search_var_lib(dnsmasq_t)

policy/modules/services/incus.if

@@ -235,3 +235,21 @@ interface(`incus_admin',`
 		rootlesskit_run($1, $2)
 	')
 ')
+
+########################################
+## <summary>
+##	Connect to the incus daemon
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+interface(`incusd_stream_connect',`
+        gen_require(`
+                type incusd_t;
+        ')
+
+	allow $1 incusd_t:unix_stream_socket { rw_socket_perms connectto };
+')

policy/modules/services/zfs.te

@@ -147,6 +147,11 @@ optional_policy(`
 	fstools_runtime_filetrans(zfs_t, dir, "blkid")
 ')
 
+optional_policy(`
+	# required when incusd is using zfs as storage backend
+	incusd_stream_connect(zfs_t)
+')
+
 optional_policy(`
 	kernel_rw_rpc_sysctls(zfs_t)
 

policy/modules/system/iptables.te

@@ -128,6 +128,10 @@ optional_policy(`
 	firstboot_rw_pipes(iptables_t)
 ')
 
+optional_policy(`
+	incusd_stream_connect(iptables_t)
+')
+
 optional_policy(`
 	# apply firewall rules from multus
 	kubernetes_rw_container_engine_fifo_files(iptables_t)