From 47a2a110affa8f382a173f5d7a61035450f58558 Mon Sep 17 00:00:00 2001
From: nabdullindfinity <135595192+nabdullindfinity@users.noreply.github.com>
Date: Fri, 8 Nov 2024 17:50:41 +0100
Subject: [PATCH] fix(NODE-1522): fix permissions for nftables and systemd-journald (#2488)

- Allow `nftables` (`nft`) to read from `/dev/urandom`
- Allow `systemd-journald` to access procfs symlinks of the canister sandbox process (it is already allowed to access the actual process to log its errors, etc.)

---
 ic-os/components/selinux/ic-node/ic-node.te | 1 +
 ic-os/components/selinux/misc-fixes/misc-fixes.te | 6 ++++++
 2 files changed, 7 insertions(+)

diff --git a/ic-os/components/selinux/ic-node/ic-node.te b/ic-os/components/selinux/ic-node/ic-node.te
index 3feaab8fc3b..d44e8719987 100644
--- a/ic-os/components/selinux/ic-node/ic-node.te
+++ b/ic-os/components/selinux/ic-node/ic-node.te
@@ -370,6 +370,7 @@ allow unconfined_domain_type ic_canister_sandbox_t : process *;
 require { type syslogd_t; }
 allow syslogd_t ic_canister_sandbox_t : dir { getattr open read search };
 allow syslogd_t ic_canister_sandbox_t : file { open read getattr ioctl};
+allow syslogd_t ic_canister_sandbox_t : lnk_file { open read getattr ioctl};
 allow syslogd_t ic_canister_sandbox_t : process { getattr };
 
 # Allow interacting with our own executable.
diff --git a/ic-os/components/selinux/misc-fixes/misc-fixes.te b/ic-os/components/selinux/misc-fixes/misc-fixes.te
index 3ebfe2d2fbd..544c296414f 100644
--- a/ic-os/components/selinux/misc-fixes/misc-fixes.te
+++ b/ic-os/components/selinux/misc-fixes/misc-fixes.te
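Review bot: The new `lnk_file` rule grants `open` and `ioctl` on top of `read getattr`, but the procfs symlinks journald resolves for a process (`/proc/<pid>/exe`, `cwd`, `root`, `fd/*`) are consumed with readlink()/lstat(), which exercise only `read` and `getattr`; `open`/`ioctl` on a symlink inode look copied from the `file` rule one line above rather than taken from an observed denial, so unless the audit log actually shows them I would narrow it to `allow syslogd_t ic_canister_sandbox_t : lnk_file { read getattr };`. The line also joins a run of uncommented allows, and the reason given in the commit message is not in the policy; a comment such as `# journald resolves /proc/<pid>/{exe,cwd,root,fd} of the sandbox to annotate its log records; following the link is still checked against the target's own label` would record both why it is needed and why it does not widen access to the sandbox's files. The enclosing policy section continues outside the hunk.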
@@ -84,3 +84,9 @@ search_dirs_pattern(ssh_keygen_t, locale_t, locale_t)
 # go to a different policy module.
 search_dirs_pattern(ssh_keygen_t, tmp_t, tmp_t)
 manage_files_pattern(ssh_keygen_t, initrc_tmp_t, initrc_tmp_t)
+
+###############################################################################
+# nftables
+# allow reading from /dev/urandom
+require { type iptables_t; }
+dev_read_urand(iptables_t)
\ No newline at end of file
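Review bot: The new block is headed `# nftables` but the domain it grants is `iptables_t`, and nothing in the hunk explains the mismatch; presumably `nft` runs in `iptables_t` because its executable carries the `iptables_exec_t` label in the reference policy, and stating that in the comment, `# nft runs in iptables_t (its binary is labelled iptables_exec_t in refpolicy)`, would spare the next reader a lookup and the suspicion that the wrong type was required. It would also help to name the denial being fixed, since `dev_read_urand` is the read-only interface and therefore the minimum for a read of `/dev/urandom` — nothing here lets the domain write to the pool, which is worth saying so nobody later "completes" it with `dev_rw_urand`. Finally the file is left without a trailing newline (`\ No newline at end of file`), which will turn the next append to this module into a noisy two-line diff; end `dev_read_urand(iptables_t)` with a newline.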