2017-02-28 11:05:57

by Russell Coker

Subject: [refpolicy] [PATCH] systemd-nspawn

This patch includes all the basic rules for systemd-nspawn. It is NOT enough
to make systemd-nspawn fully functional; I'm not even certain it's enough to make
it minimally functional. But I am confident that these rules are needed.

I've got a bunch of other changes which aren't even ready for my own
development tree.

But I'd like to get this upstream now to give others something to work with
and to get the less controversial changes in so we can have a smaller patch
with more difficult stuff to debate about later. ;)

NB I have not tested this without the previous 2 patches I sent today. Chris
if you reject one of the previous 2 patches then you might want to skip this.
If so I will refresh it and resend it.

Description: systemd-nspawn
Author: Russell Coker <[email protected]>
Last-Update: 2017-02-28

Index: refpolicy-2.20170227/policy/modules/system/init.if
===================================================================
--- refpolicy-2.20170227.orig/policy/modules/system/init.if
+++ refpolicy-2.20170227/policy/modules/system/init.if
@@ -2,6 +2,24 @@

########################################
## <summary>
+## kill a initrc_t process
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_kill_initrc',`
+ gen_require(`
+ type initrc_t;
+ ')
+
+ allow $1 initrc_t:process sigkill;
+')
+
+########################################
+## <summary>
## Create a file type used for init scripts.
## </summary>
## <desc>
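Review bot: The summary `kill a initrc_t process` on the new interface does not say that only `sigkill` is granted (no `signal`, `sigstop` or `signull`), so a caller reading the documentation may expect the usual full kill permissions; I'd make it `## Send SIGKILL to init script (initrc_t) processes.` so the scope of the rule is visible from the docs. If the wording stays, it should at least read "an initrc_t process".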
@@ -828,6 +846,7 @@ interface(`init_dgram_send',`

dgram_send_pattern($1, init_var_run_t, init_var_run_t, init_t)
files_search_pids($1)
+ allow $1 init_t:unix_stream_socket getattr;
')

########################################
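Review bot: Adding `allow $1 init_t:unix_stream_socket getattr;` to `init_dgram_send` widens an existing interface that many domains already call, so every current caller silently gains getattr on init's stream sockets even though that permission is unrelated to sending datagrams. Unless every dgram sender is known to need it, I'd put it in its own interface (something like `init_getattr_stream_sockets`) and call that from `systemd_nspawn_t`, or at minimum add a comment above the line naming the denial that motivated it, e.g. `# getattr on init's stream socket is hit when the notify socket is stat'ed - TODO confirm`.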
@@ -1093,21 +1112,6 @@ interface(`init_list_var_lib_dirs',`
## Domain allowed access.
## </summary>
## </param>
-## <param name="file_type">
-## <summary>
-## The type of the object to be created
-## </summary>
-## </param>
-## <param name="object_class">
-## <summary>
-## The object class.
-## </summary>
-## </param>
-## <param name="name" optional="true">
-## <summary>
-## The name of the object being created.
-## </summary>
-## </param>
#
interface(`init_manage_var_lib_files',`
gen_require(`
@@ -1657,14 +1661,14 @@ interface(`init_startstop_service',`
#
interface(`init_run_daemon',`
gen_require(`
- attribute init_script_file_type;
+ attribute init_script_file_type;
role system_r;
')

allow $2 system_r;

- init_all_labeled_script_domtrans($1)
- role_transition $2 init_script_file_type system_r;
+ init_all_labeled_script_domtrans($1)
+ role_transition $2 init_script_file_type system_r;
')

########################################
@@ -2639,11 +2643,11 @@ interface(`init_delete_pid_files',`
## </param>
#
interface(`init_write_pid_socket',`
- gen_require(`
- type init_var_run_t;
- ')
+ gen_require(`
+ type init_var_run_t;
+ ')

- allow $1 init_var_run_t:sock_file write;
+ allow $1 init_var_run_t:sock_file write;
')

########################################
Index: refpolicy-2.20170227/policy/modules/kernel/devices.if
===================================================================
--- refpolicy-2.20170227.orig/policy/modules/kernel/devices.if
+++ refpolicy-2.20170227/policy/modules/kernel/devices.if
@@ -4046,6 +4046,24 @@ interface(`dev_getattr_sysfs_dirs',`

########################################
## <summary>
+## mounton sysfs directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_mounton_sysfs_dirs',`
+ gen_require(`
+ type sysfs_t;
+ ')
+
+ allow $1 sysfs_t:dir mounton;
+')
+
+########################################
+## <summary>
## Get the attributes of sysfs filesystem
## </summary>
## <param name="domain">
@@ -4063,6 +4081,24 @@ interface(`dev_getattr_sysfs',`
')

########################################
+## <summary>
+## mount a sysfs filesystem
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_mount_sysfs',`
+ gen_require(`
+ type sysfs_t;
+ ')
+
+ allow $1 sysfs_t:filesystem mount;
+')
+
+########################################
## <summary>
## Do not audit getting the attributes of sysfs filesystem
## </summary>
Index: refpolicy-2.20170227/policy/modules/kernel/kernel.if
===================================================================
--- refpolicy-2.20170227.orig/policy/modules/kernel/kernel.if
+++ refpolicy-2.20170227/policy/modules/kernel/kernel.if
@@ -846,6 +846,42 @@ interface(`kernel_unmount_proc',`

########################################
## <summary>
+## mount the proc filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kernel_mount_proc',`
+ gen_require(`
+ type proc_t;
+ ')
+
+ allow $1 proc_t:filesystem mount;
+')
+
+########################################
+## <summary>
+## remount the proc filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kernel_remount_proc',`
+ gen_require(`
+ type proc_t;
+ ')
+
+ allow $1 proc_t:filesystem remount;
+')
+
+########################################
+## <summary>
## Get the attributes of the proc filesystem.
## </summary>
## <param name="domain">
@@ -2024,6 +2060,66 @@ interface(`kernel_search_fs_sysctls',`

########################################
## <summary>
+## mounton sysctl_kernel_t and sysctl_t files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`kernel_mounton_kernel_sysctl_file',`
+ gen_require(`
+ type proc_t, sysctl_t, sysctl_kernel_t;
+ ')
+
+ allow $1 { proc_t sysctl_t sysctl_kernel_t }:dir list_dir_perms;
+ allow $1 { sysctl_t sysctl_kernel_t }:file { getattr mounton };
+')
+
+########################################
+## <summary>
+## mounton proc_kmsg_t files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`kernel_mounton_kmsg_file',`
+ gen_require(`
+ type proc_t, proc_kmsg_t;
+ ')
+
+ allow $1 proc_t:dir list_dir_perms;
+ allow $1 proc_kmsg_t:file { getattr mounton };
+')
+
+########################################
+## <summary>
+## mounton sysctl_t dirs
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`kernel_mounton_sysctl_dir',`
+ gen_require(`
+ type proc_t, sysctl_t;
+ ')
+
+ allow $1 proc_t:dir list_dir_perms;
+ allow $1 sysctl_t:dir { getattr mounton };
+')
+
+########################################
+## <summary>
## Read filesystem sysctls.
## </summary>
## <param name="domain">
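Review bot: The three new mounton interfaces are tagged `<rolecap/>`, which in refpolicy marks an interface as a capability meant to be handed to user roles; mounting over sysctl and kmsg files is a system-daemon privilege, not something a user role should be offered, so I'd drop the tag unless that is intended. `kernel_mounton_kernel_sysctl_file` also grants `mounton` on both `sysctl_t` and `sysctl_kernel_t` files while its name mentions only the kernel sysctls, and all three grant `list_dir_perms` on `proc_t`/`sysctl_t` dirs where `search_dir_perms` is presumably enough for the path walk to the mount point. A one-line summary such as `## Mount over kernel and generic sysctl files in /proc/sys (used to mask them in containers).` would make the intent clearer than the current `mounton sysctl_kernel_t and sysctl_t files`.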
@@ -2216,6 +2312,25 @@ interface(`kernel_rw_all_sysctls',`
')

########################################
+## <summary>
+## mounton proc_t dirs
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`kernel_mounton_proc',`
+ gen_require(`
+ type proc_t;
+ ')
+
+ allow $1 proc_t:dir mounton;
+')
+
+########################################
## <summary>
## Send a kill signal to unlabeled processes.
## </summary>
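Review bot: `kernel_mounton_proc` grants only `proc_t:dir mounton`, whereas the sibling mounton interfaces added earlier in this patch pair `mounton` with `getattr` on the target; if the mount path walk needs getattr on the mount point (it usually does for the userspace stat before mount), callers will hit a second denial, so I'd make this `allow $1 proc_t:dir { getattr mounton };` for consistency. The `<rolecap/>` tag here has the same concern as on the other new interfaces: it advertises a daemon-only mount privilege as a role capability.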
Index: refpolicy-2.20170227/policy/modules/system/systemd.if
===================================================================
--- refpolicy-2.20170227.orig/policy/modules/system/systemd.if
+++ refpolicy-2.20170227/policy/modules/system/systemd.if
@@ -7,7 +7,7 @@
## </summary>
## <param name="domain">
## <summary>
-## Type to be used as a log parse environment type.
+## Type to be used as a log parse environment type.
## </summary>
## </param>
#
@@ -25,7 +25,7 @@ interface(`systemd_log_parse_environment
## </summary>
## <param name="domain">
## <summary>
-## Domain allowed access.
+## Domain allowed access.
## </summary>
## </param>
#
@@ -45,7 +45,7 @@ interface(`systemd_read_logind_pids',`
## </summary>
## <param name="domain">
## <summary>
-## Domain allowed access.
+## Domain allowed access.
## </summary>
## </param>
#
@@ -65,7 +65,7 @@ interface(`systemd_manage_logind_pid_pip
## </summary>
## <param name="domain">
## <summary>
-## Domain allowed access.
+## Domain allowed access.
## </summary>
## </param>
#
@@ -79,12 +79,12 @@ interface(`systemd_use_logind_fds',`

######################################
## <summary>
-## Write inherited logind sessions pipes.
+## Write inherited logind sessions pipes.
## </summary>
## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
+## <summary>
+## Domain allowed access.
+## </summary>
## </param>
#
interface(`systemd_write_inherited_logind_sessions_pipes',`
@@ -104,7 +104,7 @@ interface(`systemd_write_inherited_login
## </summary>
## <param name="domain">
## <summary>
-## Domain allowed access.
+## Domain allowed access.
## </summary>
## </param>
#
@@ -124,7 +124,7 @@ interface(`systemd_dbus_chat_logind',`
## </summary>
## <param name="domain">
## <summary>
-## Domain allowed access.
+## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
@@ -166,7 +166,7 @@ interface(`systemd_tmpfilesd_managed',`
## </summary>
## <param name="domain">
## <summary>
-## Domain allowed access.
+## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
@@ -280,7 +280,7 @@ interface(`systemd_read_logind_state',`
## </summary>
## <param name="domain">
## <summary>
-## Domain allowed access.
+## Domain allowed access.
## </summary>
## </param>
#
@@ -299,7 +299,7 @@ interface(`systemd_status_logind',`
## </summary>
## <param name="domain">
## <summary>
-## Domain allowed access.
+## Domain allowed access.
## </summary>
## </param>
#
Index: refpolicy-2.20170227/policy/modules/system/systemd.te
===================================================================
--- refpolicy-2.20170227.orig/policy/modules/system/systemd.te
+++ refpolicy-2.20170227/policy/modules/system/systemd.te
@@ -501,10 +501,96 @@ miscfiles_read_localization(systemd_noti

########################################
#
-# Nspawn local policy
+# nspawn local policy
#

init_pid_filetrans(systemd_nspawn_t, systemd_nspawn_var_run_t, dir)
+allow systemd_nspawn_t self:process { getcap setcap setfscreate sigkill };
+allow systemd_nspawn_t self:capability { dac_override fsetid mknod net_admin setgid setuid setpcap sys_admin sys_chroot };
+allow systemd_nspawn_t self:capability2 wake_alarm;
+allow systemd_nspawn_t self:unix_dgram_socket connected_socket_perms;
+
+allow systemd_nspawn_t systemd_nspawn_var_run_t:dir manage_dir_perms;
+allow systemd_nspawn_t systemd_nspawn_var_run_t:file manage_file_perms;
+
+allow systemd_nspawn_t systemd_machined_t:dbus send_msg;
+allow systemd_machined_t systemd_nspawn_t:dbus send_msg;
+
+# for /run/systemd/nspawn/incoming in chroot
+allow systemd_nspawn_t systemd_nspawn_var_run_t:dir mounton;
+
+kernel_mount_proc(systemd_nspawn_t)
+kernel_mounton_kernel_sysctl_file(systemd_nspawn_t)
+kernel_mounton_kmsg_file(systemd_nspawn_t)
+kernel_mounton_proc(systemd_nspawn_t)
+kernel_mounton_sysctl_dir(systemd_nspawn_t)
+kernel_read_kernel_sysctls(systemd_nspawn_t)
+kernel_read_system_state(systemd_nspawn_t)
+kernel_remount_proc(systemd_nspawn_t)
+kernel_unconfined(systemd_nspawn_t)
+
+corecmd_exec_shell(systemd_nspawn_t)
+corecmd_search_bin(systemd_nspawn_t)
+corenet_rw_tun_tap_dev(systemd_nspawn_t)
+dev_getattr_fs(systemd_nspawn_t)
+dev_manage_sysfs_dirs(systemd_nspawn_t)
+dev_mounton_sysfs_dirs(systemd_nspawn_t)
+dev_mount_sysfs(systemd_nspawn_t)
+dev_read_rand(systemd_nspawn_t)
+dev_read_urand(systemd_nspawn_t)
+files_manage_etc_files(systemd_nspawn_t)
+files_manage_mnt_dirs(systemd_nspawn_t)
+files_mounton_mnt(systemd_nspawn_t)
+files_mounton_tmp(systemd_nspawn_t)
+fs_getattr_tmpfs(systemd_nspawn_t)
+fs_manage_tmpfs_chr_files(systemd_nspawn_t)
+fs_mount_tmpfs(systemd_nspawn_t)
+fs_remount_tmpfs(systemd_nspawn_t)
+init_domtrans_script(systemd_nspawn_t)
+init_kill_initrc(systemd_nspawn_t)
+init_read_state(systemd_nspawn_t)
+init_search_run(systemd_nspawn_t)
+init_write_pid_socket(systemd_nspawn_t)
+# for writing inside chroot
+sysnet_manage_config(systemd_nspawn_t)
+
+term_getattr_generic_ptys(systemd_nspawn_t)
+term_getattr_pty_fs(systemd_nspawn_t)
+term_search_ptys(systemd_nspawn_t)
+term_setattr_generic_ptys(systemd_nspawn_t)
+term_use_ptmx(systemd_nspawn_t)
+userdom_manage_user_home_dirs(systemd_nspawn_t)
+
+init_spec_domtrans_script(systemd_nspawn_t)
+
+tunable_policy(`systemd_nspawn_labeled_namespace',`
+ corecmd_exec_shell(systemd_nspawn_t)
+ dev_setattr_generic_dirs(systemd_nspawn_t)
+ files_search_home(systemd_nspawn_t)
+ fs_getattr_cgroup(systemd_nspawn_t)
+ fs_manage_cgroup_dirs(systemd_nspawn_t)
+ fs_manage_tmpfs_dirs(systemd_nspawn_t)
+ fs_manage_tmpfs_files(systemd_nspawn_t)
+ fs_manage_tmpfs_symlinks(systemd_nspawn_t)
+ fs_mount_cgroup(systemd_nspawn_t)
+ fs_mounton_cgroup(systemd_nspawn_t)
+ fs_mounton_tmpfs(systemd_nspawn_t)
+ fs_remount_cgroup(systemd_nspawn_t)
+ fs_search_tmpfs(systemd_nspawn_t)
+ fs_write_cgroup_files(systemd_nspawn_t)
+ logging_search_logs(systemd_nspawn_t)
+ selinux_getattr_fs(systemd_nspawn_t)
+ selinux_search_fs(systemd_nspawn_t)
+ seutil_search_default_contexts(systemd_nspawn_t)
+')
+
+optional_policy(`
+ dbus_system_bus_client(systemd_nspawn_t)
+')
+
+optional_policy(`
+ virt_manage_virt_content(systemd_nspawn_t)
+')

#######################################
#
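Review bot: `kernel_unconfined(systemd_nspawn_t)` (just after `kernel_remount_proc`) gives the domain refpolicy's kern_unconfined attribute, which covers far more than the proc/sysctl mount rules around it, including access to unlabeled objects and most kernel_t interactions, so it largely undoes the confinement the other sixty-odd lines of this hunk are carefully enumerating. I'd drop it and add the specific `kernel_*` interfaces the remaining denials call for, or at least leave a marker such as `# TODO: replace kernel_unconfined with specific rules; needed for: <denial>` so it is not forgotten. The same hunk calls `corecmd_exec_shell(systemd_nspawn_t)` both unconditionally and again inside the `systemd_nspawn_labeled_namespace` tunable block, so the tunable copy is redundant. `files_manage_etc_files`, `userdom_manage_user_home_dirs` and `sysnet_manage_config` are host-wide rules while the `# for writing inside chroot` comment suggests they target the container tree; if that is the case a container-specific content type would confine them much better than the host's etc_t and home types.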
Index: refpolicy-2.20170227/policy/modules/system/logging.fc
===================================================================
--- refpolicy-2.20170227.orig/policy/modules/system/logging.fc
+++ refpolicy-2.20170227/policy/modules/system/logging.fc
@@ -64,7 +64,6 @@ ifdef(`distro_redhat',`
/run/klogd\.pid -- gen_context(system_u:object_r:klogd_var_run_t,s0)
/run/log -s gen_context(system_u:object_r:devlog_t,s0)
/run/log -d gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh)
-/run/log/journal(/.*)? gen_context(system_u:object_r:var_log_t,mls_systemhigh)
/run/metalog\.pid -- gen_context(system_u:object_r:syslogd_var_run_t,s0)
/run/rsyslogd\.pid -- gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh)
/run/syslogd\.pid -- gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh)


2017-03-04 12:16:41

by Chris PeBenito

Subject: [refpolicy] [PATCH] systemd-nspawn

On 02/28/17 09:12, Russell Coker via refpolicy wrote:
> On Tue, 28 Feb 2017 10:05:57 PM Russell Coker via refpolicy wrote:
>> Index: refpolicy-2.20170227/policy/modules/system/logging.fc
>>
> ===================================================================
>> --- refpolicy-2.20170227.orig/policy/modules/system/logging.fc
>> +++ refpolicy-2.20170227/policy/modules/system/logging.fc
>> @@ -64,7 +64,6 @@ ifdef(`distro_redhat',`
>> /run/klogd\.pid -- gen_context(system_u:object_r:klogd_var_run
>> _t,s0)
>> /run/log -s gen_context(system_u:object_r:devlog_t,s0)
>> /run/log -d gen_context(system_u:object_r:var_log_t,s0-
>> mls_systemhigh)
>> -/run/log/journal(/.*)? gen_context(system_u:object_r:var_log_t,mls_system
>> high)
>> /run/metalog\.pid -- gen_context(system_u:object_r:syslogd_var_r
>> un_t,s0)
>> /run/rsyslogd\.pid -- gen_context(system_u:object_r:syslogd_var_r
>> un_t,mls_systemhigh)
>> /run/syslogd\.pid -- gen_context(system_u:object_r:syslogd_var_r
>> un_t,mls_systemhigh)
>
> This doesn't really belong in the nspawn patch. The reason it's in is nspawn
> was left after I split everything else into different patches.
>
> It's not a mistake, that labelling of /run/log/journal breaks systemd-journald
> and needs to be removed. When it's removed the entry for /var/run/log/journal
> takes over and gives the desired result. I don't know why /run/log/journal
> gets priority on my system.
>
> We need to fix this /run vs /var/run thing. We need one canonical name and we
> need to change everything to it. Chris, you want me to write a patch to
> change everything to /run?

Yes, I'd take that patch as a standalone. Should I still look at this one?

--
Chris PeBenito

2017-03-04 12:26:34

by Dac Override

Subject: [refpolicy] [PATCH] systemd-nspawn

On Sat, Mar 04, 2017 at 07:16:41AM -0500, Chris PeBenito via refpolicy wrote:
> On 02/28/17 09:12, Russell Coker via refpolicy wrote:
> > On Tue, 28 Feb 2017 10:05:57 PM Russell Coker via refpolicy wrote:
> >> Index: refpolicy-2.20170227/policy/modules/system/logging.fc
> >>
> > ===================================================================
> >> --- refpolicy-2.20170227.orig/policy/modules/system/logging.fc
> >> +++ refpolicy-2.20170227/policy/modules/system/logging.fc
> >> @@ -64,7 +64,6 @@ ifdef(`distro_redhat',`
> >> /run/klogd\.pid -- gen_context(system_u:object_r:klogd_var_run
> >> _t,s0)
> >> /run/log -s gen_context(system_u:object_r:devlog_t,s0)
> >> /run/log -d gen_context(system_u:object_r:var_log_t,s0-
> >> mls_systemhigh)
> >> -/run/log/journal(/.*)? gen_context(system_u:object_r:var_log_t,mls_system
> >> high)
> >> /run/metalog\.pid -- gen_context(system_u:object_r:syslogd_var_r
> >> un_t,s0)
> >> /run/rsyslogd\.pid -- gen_context(system_u:object_r:syslogd_var_r
> >> un_t,mls_systemhigh)
> >> /run/syslogd\.pid -- gen_context(system_u:object_r:syslogd_var_r
> >> un_t,mls_systemhigh)
> >
> > This doesn't really belong in the nspawn patch. The reason it's in is nspawn
> > was left after I split everything else into different patches.
> >
> > It's not a mistake, that labelling of /run/log/journal breaks systemd-journald
> > and needs to be removed. When it's removed the entry for /var/run/log/journal
> > takes over and gives the desired result. I don't know why /run/log/journal
> > gets priority on my system.
> >
> > We need to fix this /run vs /var/run thing. We need one canonical name and we
> > need to change everything to it. Chris, you want me to write a patch to
> > change everything to /run?

That might cause issues: SELinux-aware programs use matchpathcon-like functionality to look up the context of the files they are about to create.
If they still look up using the /var/run path, they will end up thinking the file needs to be labeled var_t.

This is an issue with many tmpfiles snippets but not only that, package managers might fail for the same reason:

/run/netreport:

avc: denied { associate } for pid=13859 comm="dnf" name="netreport" dev="tmpfs" ino=20423 scontext=sys.id:sys.role:files.generic_var.var_file:s0 tcontext=sys.id:sys.role:fs.tmpfs.fs:s0 tclass=filesystem permissive=0

/run/screen:

avc: denied { associate } for pid=13859 comm="dnf" name="screen" dev="tmpfs" ino=20864 scontext=sys.id:sys.role:files.generic_var.var_file:s0 tcontext=sys.id:sys.role:fs.tmpfs.fs:s0 tclass=filesystem permissive=0

Even if var_t would be allowed to associated with xattrfs fs, the files would still end up mislabeled: var_t

>
> Yes, I'd take that patch as a standalone. Should I still look at this one?
>
> --
> Chris PeBenito

--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift

2017-03-04 12:29:07

by Chris PeBenito

Subject: [refpolicy] [PATCH] systemd-nspawn

On 03/04/17 07:26, Dominick Grift via refpolicy wrote:
> On Sat, Mar 04, 2017 at 07:16:41AM -0500, Chris PeBenito via refpolicy wrote:
>> On 02/28/17 09:12, Russell Coker via refpolicy wrote:
>>> On Tue, 28 Feb 2017 10:05:57 PM Russell Coker via refpolicy wrote:
>>>> Index: refpolicy-2.20170227/policy/modules/system/logging.fc
>>>>
>>> ===================================================================
>>>> --- refpolicy-2.20170227.orig/policy/modules/system/logging.fc
>>>> +++ refpolicy-2.20170227/policy/modules/system/logging.fc
>>>> @@ -64,7 +64,6 @@ ifdef(`distro_redhat',`
>>>> /run/klogd\.pid -- gen_context(system_u:object_r:klogd_var_run
>>>> _t,s0)
>>>> /run/log -s gen_context(system_u:object_r:devlog_t,s0)
>>>> /run/log -d gen_context(system_u:object_r:var_log_t,s0-
>>>> mls_systemhigh)
>>>> -/run/log/journal(/.*)? gen_context(system_u:object_r:var_log_t,mls_system
>>>> high)
>>>> /run/metalog\.pid -- gen_context(system_u:object_r:syslogd_var_r
>>>> un_t,s0)
>>>> /run/rsyslogd\.pid -- gen_context(system_u:object_r:syslogd_var_r
>>>> un_t,mls_systemhigh)
>>>> /run/syslogd\.pid -- gen_context(system_u:object_r:syslogd_var_r
>>>> un_t,mls_systemhigh)
>>>
>>> This doesn't really belong in the nspawn patch. The reason it's in is nspawn
>>> was left after I split everything else into different patches.
>>>
>>> It's not a mistake, that labelling of /run/log/journal breaks systemd-journald
>>> and needs to be removed. When it's removed the entry for /var/run/log/journal
>>> takes over and gives the desired result. I don't know why /run/log/journal
>>> gets priority on my system.
>>>
>>> We need to fix this /run vs /var/run thing. We need one canonical name and we
>>> need to change everything to it. Chris, you want me to write a patch to
>>> change everything to /run?
>
> That might cause issues. SELinux aware programs will use matchpathcon similar functionality to look up the context of the to be created files
> They will end up thinking that file needs to be labeled var_t because they still look up using the /var/run path
>
> This is an issue with many tmpfiles snippets but not only that, package managers might fail for the same reason:
>
> /run/netreport:
>
> avc: denied { associate } for pid=13859 comm="dnf" name="netreport" dev="tmpfs" ino=20423 scontext=sys.id:sys.role:files.generic_var.var_file:s0 tcontext=sys.id:sys.role:fs.tmpfs.fs:s0 tclass=filesystem permissive=0
>
> /run/screen:
>
> avc: denied { associate } for pid=13859 comm="dnf" name="screen" dev="tmpfs" ino=20864 scontext=sys.id:sys.role:files.generic_var.var_file:s0 tcontext=sys.id:sys.role:fs.tmpfs.fs:s0 tclass=filesystem permissive=0
>
> Even if var_t would be allowed to associated with xattrfs fs, the files would still end up mislabeled: var_t

I don't follow what the issue would be. If everything points to /run
and there is a /var/run -> /run substitution, I would think it would
work fine.


--
Chris PeBenito

2017-03-04 13:12:10

by Dac Override

Subject: [refpolicy] [PATCH] systemd-nspawn

On Sat, Mar 04, 2017 at 07:29:07AM -0500, Chris PeBenito via refpolicy wrote:
> On 03/04/17 07:26, Dominick Grift via refpolicy wrote:
> > On Sat, Mar 04, 2017 at 07:16:41AM -0500, Chris PeBenito via refpolicy wrote:
> >> On 02/28/17 09:12, Russell Coker via refpolicy wrote:
> >>> On Tue, 28 Feb 2017 10:05:57 PM Russell Coker via refpolicy wrote:
> >>>> Index: refpolicy-2.20170227/policy/modules/system/logging.fc
> >>>>
> >>> ===================================================================
> >>>> --- refpolicy-2.20170227.orig/policy/modules/system/logging.fc
> >>>> +++ refpolicy-2.20170227/policy/modules/system/logging.fc
> >>>> @@ -64,7 +64,6 @@ ifdef(`distro_redhat',`
> >>>> /run/klogd\.pid -- gen_context(system_u:object_r:klogd_var_run
> >>>> _t,s0)
> >>>> /run/log -s gen_context(system_u:object_r:devlog_t,s0)
> >>>> /run/log -d gen_context(system_u:object_r:var_log_t,s0-
> >>>> mls_systemhigh)
> >>>> -/run/log/journal(/.*)? gen_context(system_u:object_r:var_log_t,mls_system
> >>>> high)
> >>>> /run/metalog\.pid -- gen_context(system_u:object_r:syslogd_var_r
> >>>> un_t,s0)
> >>>> /run/rsyslogd\.pid -- gen_context(system_u:object_r:syslogd_var_r
> >>>> un_t,mls_systemhigh)
> >>>> /run/syslogd\.pid -- gen_context(system_u:object_r:syslogd_var_r
> >>>> un_t,mls_systemhigh)
> >>>
> >>> This doesn't really belong in the nspawn patch. The reason it's in is nspawn
> >>> was left after I split everything else into different patches.
> >>>
> >>> It's not a mistake, that labelling of /run/log/journal breaks systemd-journald
> >>> and needs to be removed. When it's removed the entry for /var/run/log/journal
> >>> takes over and gives the desired result. I don't know why /run/log/journal
> >>> gets priority on my system.
> >>>
> >>> We need to fix this /run vs /var/run thing. We need one canonical name and we
> >>> need to change everything to it. Chris, you want me to write a patch to
> >>> change everything to /run?
> >
> > That might cause issues. SELinux aware programs will use matchpathcon similar functionality to look up the context of the to be created files
> > They will end up thinking that file needs to be labeled var_t because they still look up using the /var/run path
> >
> > This is an issue with many tmpfiles snippets but not only that, package managers might fail for the same reason:
> >
> > /run/netreport:
> >
> > avc: denied { associate } for pid=13859 comm="dnf" name="netreport" dev="tmpfs" ino=20423 scontext=sys.id:sys.role:files.generic_var.var_file:s0 tcontext=sys.id:sys.role:fs.tmpfs.fs:s0 tclass=filesystem permissive=0
> >
> > /run/screen:
> >
> > avc: denied { associate } for pid=13859 comm="dnf" name="screen" dev="tmpfs" ino=20864 scontext=sys.id:sys.role:files.generic_var.var_file:s0 tcontext=sys.id:sys.role:fs.tmpfs.fs:s0 tclass=filesystem permissive=0
> >
> > Even if var_t would be allowed to associated with xattrfs fs, the files would still end up mislabeled: var_t
>
> I don't follow what the issue would be. If everything points to /run
> and there is a /var/run -> /run substitution, I would think it would
> work fine.


Oops, yes, sorry: the issue only arises if you do not add the /var/run -> /run substitution.

>
>
> --
> Chris PeBenito

--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift

2017-03-05 03:35:29

by Russell Coker

Subject: [refpolicy] [PATCH] systemd-nspawn

On Sat, 4 Mar 2017 11:16:41 PM Chris PeBenito wrote:
> > We need to fix this /run vs /var/run thing. We need one canonical name
> > and we need to change everything to it. Chris, you want me to write a
> > patch to change everything to /run?
>
> Yes, I'd take that patch as a standalone. Should I still look at this one?

Please take the nspawn patch as-is, I've tested it and it builds without the
other patches.

I'll make a /run patch for you.

--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/

2017-03-05 04:41:06

by Russell Coker

Subject: [refpolicy] [PATCH] systemd-nspawn

On Sat, 4 Mar 2017 11:26:34 PM Dominick Grift via refpolicy wrote:
> > > We need to fix this /run vs /var/run thing. We need one canonical name
> > > and we need to change everything to it. Chris, you want me to write a
> > > patch to change everything to /run?
>
> That might cause issues. SELinux aware programs will use matchpathcon
> similar functionality to look up the context of the to be created files
> They will end up thinking that file needs to be labeled var_t because they
> still look up using the /var/run path

That seems unlikely, as most instances have already been changed.
I just sent the patch to the list and it was surprisingly small.

Applications should use the canonical name which has been /run for some years
now. We can have the subst entry in the upstream policy for a while to cater
for this, but in the long term it should be removed. If there are any apps
that do such lookups with /var/run then I think the correct thing to do is to
have duplicate file_contexts entries for those few files rather than having a
subst entry for the entire system. This means we know which things need to be
fixed.

I'm going to remove that subst entry in the Debian policy regardless of what
is done upstream. I'll make Debian work correctly with /run.

--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/

2017-03-05 05:06:29

by Russell Coker

Subject: [refpolicy] [PATCH] systemd-nspawn

On Sun, 5 Mar 2017 03:41:06 PM Russell Coker wrote:
> Applications should use the canonical name which has been /run for some
> years now. We can have the subst entry in the upstream policy for a
> while to cater for this, but in the long term it should be removed. If
> there are any apps that do such lookups with /var/run then I think the
> correct thing to do is to have duplicate file_contexts entries for those
> few files rather than having a subst entry for the entire system. This
> means we know which things need to be fixed.

I've just filed Debian bug reports against mon, iodine, screen, and openssh for
having tmpfiles.d entries that used /var/run. I'll file more for any other
daemons that do it.

I think we should all file bugs against packages that use /var/run.

https://lists.fedoraproject.org/pipermail/devel/2011-March/150031.html

Above is the explanation of /run that describes changes made in Fedora 6 years
ago! 6 years is more than enough time to complete the migration. If it's not
done yet it's a bug.

grep var/run /usr/lib/tmpfiles.d/*

The above command may show some bug reports you need to file. ;)

--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/

2017-03-05 07:01:04

by Dac Override

Subject: [refpolicy] [PATCH] systemd-nspawn

On Sun, Mar 05, 2017 at 04:06:29PM +1100, Russell Coker wrote:
> On Sun, 5 Mar 2017 03:41:06 PM Russell Coker wrote:
> > Applications should use the canonical name which has been /run for some
> > years now. We can have the subst entry in the upstream policy for a
> > while to cater for this, but in the long term it should be removed. If
> > there are any apps that do such lookups with /var/run then I think the
> > correct thing to do is to have duplicate file_contexts entries for those
> > few files rather than having a subst entry for the entire system. This
> > means we know which things need to be fixed.
>
> I've just filed Debian bug reports against mon, iodine, screen, and openssh for
> having tmpfiles.d entries that used /var/run. I'll file more for any other
> daemons that do it.
>
> I think we should all file bugs against packages that use /var/run.
>
> https://lists.fedoraproject.org/pipermail/devel/2011-March/150031.html
>
> Above is the explanation of /run that describes changes made in Fedora 6 years
> ago! 6 years is more than enough time to complete the migration. If it's not
> done yet it's a bug.
>
> grep var/run /usr/lib/tmpfiles.d/*
>
> The above command may show some bug reports you need to file. ;)

also do: grep var/run/ /usr/lib/systemd/system/*.socket

Socket-activated sockets whose path is specified as /var/run/... will also be created with the wrong context.

>
> --
> My Main Blog http://etbe.coker.com.au/
> My Documents Blog http://doc.coker.com.au/

--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift

2017-03-05 13:43:39

by Chris PeBenito

Subject: [refpolicy] [PATCH] systemd-nspawn

On 02/28/17 06:05, Russell Coker via refpolicy wrote:
> This patch includes all the basic stuff for systemd-nspawn. It is NOT enough
> to make systemd-nspawn fully functional, I'm not certain it's enough to make
> it minimally functional. But I am confident that this is needed.
>
> I've got a bunch of other changes which aren't even ready for my own
> development tree.
>
> But I'd like to get this upstream now to give others something to work with
> and to get the less controversial changes in so we can have a smaller patch
> with more difficult stuff to debate about later. ;)
>
> NB I have not tested this without the previous 2 patches I sent today. Chris
> if you reject one of the previous 2 patches then you might want to skip this.
> If so I will refresh it and resend it.

A few trivial changes requested below.


> Description: systemd-nspawn
> Author: Russell Coker <[email protected]>
> Last-Update: 2017-02-28
>
> Index: refpolicy-2.20170227/policy/modules/system/init.if
> ===================================================================
> --- refpolicy-2.20170227.orig/policy/modules/system/init.if
> +++ refpolicy-2.20170227/policy/modules/system/init.if
> @@ -2,6 +2,24 @@
>
> ########################################
> ## <summary>
> +## kill a initrc_t process
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`init_kill_initrc',`

Rename this to init_kill_script().

> + gen_require(`
> + type initrc_t;
> + ')
> +
> + allow $1 initrc_t:process sigkill;
> +')
> +
> +########################################
> +## <summary>
> ## Create a file type used for init scripts.
> ## </summary>
> ## <desc>
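Review bot: The summary `kill a initrc_t process` names the type rather than describing the access, unlike the neighbouring summaries in this file (`Create a file type used for init scripts.`, `Send a kill signal to unlabeled processes.`); a capitalised sentence such as `## Send a kill signal to init scripts.` would match the file's convention. The same lower-case, type-name wording recurs in the summaries of the new dev_mounton_sysfs_dirs, dev_mount_sysfs, kernel_mount_proc, kernel_remount_proc, kernel_mounton_kernel_sysctl_file, kernel_mounton_kmsg_file, kernel_mounton_sysctl_dir and kernel_mounton_proc interfaces in the later hunks. It would also help callers if the summary says the access is SIGKILL only, since `process sigkill` does not include the `signal` or `sigstop` permissions.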
> @@ -828,6 +846,7 @@ interface(`init_dgram_send',`
>
> dgram_send_pattern($1, init_var_run_t, init_var_run_t, init_t)
> files_search_pids($1)
> + allow $1 init_t:unix_stream_socket getattr;
> ')
>
> ########################################
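Review bot: The added `allow $1 init_t:unix_stream_socket getattr;` gives every existing caller of init_dgram_send getattr on init's stream socket, which is unrelated to what a dgram-send interface advertises and silently widens callers that never needed it. If the access is genuinely required by systemd_nspawn_t, it belongs in its own interface (for example a constructed name like init_getattr_stream_sockets) that systemd.te calls explicitly; if it only shows up as a harmless denial, a dontaudit interface would be the narrower choice. The opening lines of init_dgram_send are outside the hunk.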
> @@ -1093,21 +1112,6 @@ interface(`init_list_var_lib_dirs',`
> ## Domain allowed access.
> ## </summary>
> ## </param>
> -## <param name="file_type">
> -## <summary>
> -## The type of the object to be created
> -## </summary>
> -## </param>
> -## <param name="object_class">
> -## <summary>
> -## The object class.
> -## </summary>
> -## </param>
> -## <param name="name" optional="true">
> -## <summary>
> -## The name of the object being created.
> -## </summary>
> -## </param>
> #
> interface(`init_manage_var_lib_files',`
> gen_require(`
> @@ -1657,14 +1661,14 @@ interface(`init_startstop_service',`
> #
> interface(`init_run_daemon',`
> gen_require(`
> - attribute init_script_file_type;
> + attribute init_script_file_type;
> role system_r;
> ')
>
> allow $2 system_r;
>
> - init_all_labeled_script_domtrans($1)
> - role_transition $2 init_script_file_type system_r;
> + init_all_labeled_script_domtrans($1)
> + role_transition $2 init_script_file_type system_r;
> ')
>
> ########################################
> @@ -2639,11 +2643,11 @@ interface(`init_delete_pid_files',`
> ## </param>
> #
> interface(`init_write_pid_socket',`
> - gen_require(`
> - type init_var_run_t;
> - ')
> + gen_require(`
> + type init_var_run_t;
> + ')
>
> - allow $1 init_var_run_t:sock_file write;
> + allow $1 init_var_run_t:sock_file write;
> ')
>
> ########################################
> Index: refpolicy-2.20170227/policy/modules/kernel/devices.if
> ===================================================================
> --- refpolicy-2.20170227.orig/policy/modules/kernel/devices.if
> +++ refpolicy-2.20170227/policy/modules/kernel/devices.if
> @@ -4046,6 +4046,24 @@ interface(`dev_getattr_sysfs_dirs',`
>
> ########################################
> ## <summary>
> +## mounton sysfs directories.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`dev_mounton_sysfs_dirs',`
> + gen_require(`
> + type sysfs_t;
> + ')
> +
> + allow $1 sysfs_t:dir mounton;
> +')
> +
> +########################################
> +## <summary>
> ## Get the attributes of sysfs filesystem
> ## </summary>
> ## <param name="domain">
> @@ -4063,6 +4081,24 @@ interface(`dev_getattr_sysfs',`
> ')
>
> ########################################
> +## <summary>
> +## mount a sysfs filesystem
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`dev_mount_sysfs',`
> + gen_require(`
> + type sysfs_t;
> + ')
> +
> + allow $1 sysfs_t:filesystem mount;
> +')
> +
> +########################################
> ## <summary>
> ## Do not audit getting the attributes of sysfs filesystem
> ## </summary>
> Index: refpolicy-2.20170227/policy/modules/kernel/kernel.if
> ===================================================================
> --- refpolicy-2.20170227.orig/policy/modules/kernel/kernel.if
> +++ refpolicy-2.20170227/policy/modules/kernel/kernel.if
> @@ -846,6 +846,42 @@ interface(`kernel_unmount_proc',`
>
> ########################################
> ## <summary>
> +## mount the proc filesystem.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`kernel_mount_proc',`
> + gen_require(`
> + type proc_t;
> + ')
> +
> + allow $1 proc_t:filesystem mount;
> +')
> +
> +########################################
> +## <summary>
> +## remount the proc filesystem.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`kernel_remount_proc',`
> + gen_require(`
> + type proc_t;
> + ')
> +
> + allow $1 proc_t:filesystem remount;
> +')
> +
> +########################################
> +## <summary>
> ## Get the attributes of the proc filesystem.
> ## </summary>
> ## <param name="domain">
> @@ -2024,6 +2060,66 @@ interface(`kernel_search_fs_sysctls',`
>
> ########################################
> ## <summary>
> +## mounton sysctl_kernel_t and sysctl_t files
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +## <rolecap/>
> +#
> +interface(`kernel_mounton_kernel_sysctl_file',`
> + gen_require(`
> + type proc_t, sysctl_t, sysctl_kernel_t;
> + ')
> +
> + allow $1 { proc_t sysctl_t sysctl_kernel_t }:dir list_dir_perms;
> + allow $1 { sysctl_t sysctl_kernel_t }:file { getattr mounton };

I'd prefer to at least split this into two mounton interfaces, one for
sysctl_t and one for sysctl_kernel_t.


> +')
> +
> +########################################
> +## <summary>
> +## mounton proc_kmsg_t files
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +## <rolecap/>
> +#
> +interface(`kernel_mounton_kmsg_file',`
> + gen_require(`
> + type proc_t, proc_kmsg_t;
> + ')
> +
> + allow $1 proc_t:dir list_dir_perms;
> + allow $1 proc_kmsg_t:file { getattr mounton };
> +')
> +
> +########################################
> +## <summary>
> +## mounton sysctl_t dirs
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +## <rolecap/>
> +#
> +interface(`kernel_mounton_sysctl_dir',`
> + gen_require(`
> + type proc_t, sysctl_t;
> + ')
> +
> + allow $1 proc_t:dir list_dir_perms;
> + allow $1 sysctl_t:dir { getattr mounton };
> +')
> +
> +########################################
> +## <summary>
> ## Read filesystem sysctls.
> ## </summary>
> ## <param name="domain">
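Review bot: The `<rolecap/>` tag on kernel_mounton_kernel_sysctl_file, kernel_mounton_kmsg_file and kernel_mounton_sysctl_dir (and on kernel_mounton_proc in the next hunk) advertises these as interfaces suitable for user roles, yet mounting over proc and sysctl files is container-setup work for a privileged domain and nothing in this patch calls them from a role; dropping the tag keeps them out of the role templates. The `list_dir_perms` rule on `proc_t`, `sysctl_t` and `sysctl_kernel_t` also grants more than the mounton needs to reach its target: `search_dir_perms` on the parent directories is the usual traversal access for an interface of this shape, unless directory listing is known to be required here.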
> @@ -2216,6 +2312,25 @@ interface(`kernel_rw_all_sysctls',`
> ')
>
> ########################################
> +## <summary>
> +## mounton proc_t dirs
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +## <rolecap/>
> +#
> +interface(`kernel_mounton_proc',`
> + gen_require(`
> + type proc_t;
> + ')
> +
> + allow $1 proc_t:dir mounton;
> +')
> +
> +########################################
> ## <summary>
> ## Send a kill signal to unlabeled processes.
> ## </summary>
> Index: refpolicy-2.20170227/policy/modules/system/systemd.if
> ===================================================================
> --- refpolicy-2.20170227.orig/policy/modules/system/systemd.if
> +++ refpolicy-2.20170227/policy/modules/system/systemd.if
> @@ -7,7 +7,7 @@
> ## </summary>
> ## <param name="domain">
> ## <summary>
> -## Type to be used as a log parse environment type.
> +## Type to be used as a log parse environment type.
> ## </summary>
> ## </param>
> #
> @@ -25,7 +25,7 @@ interface(`systemd_log_parse_environment
> ## </summary>
> ## <param name="domain">
> ## <summary>
> -## Domain allowed access.
> +## Domain allowed access.
> ## </summary>
> ## </param>
> #
> @@ -45,7 +45,7 @@ interface(`systemd_read_logind_pids',`
> ## </summary>
> ## <param name="domain">
> ## <summary>
> -## Domain allowed access.
> +## Domain allowed access.
> ## </summary>
> ## </param>
> #
> @@ -65,7 +65,7 @@ interface(`systemd_manage_logind_pid_pip
> ## </summary>
> ## <param name="domain">
> ## <summary>
> -## Domain allowed access.
> +## Domain allowed access.
> ## </summary>
> ## </param>
> #
> @@ -79,12 +79,12 @@ interface(`systemd_use_logind_fds',`
>
> ######################################
> ## <summary>
> -## Write inherited logind sessions pipes.
> +## Write inherited logind sessions pipes.
> ## </summary>
> ## <param name="domain">
> -## <summary>
> -## Domain allowed access.
> -## </summary>
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> ## </param>
> #
> interface(`systemd_write_inherited_logind_sessions_pipes',`
> @@ -104,7 +104,7 @@ interface(`systemd_write_inherited_login
> ## </summary>
> ## <param name="domain">
> ## <summary>
> -## Domain allowed access.
> +## Domain allowed access.
> ## </summary>
> ## </param>
> #
> @@ -124,7 +124,7 @@ interface(`systemd_dbus_chat_logind',`
> ## </summary>
> ## <param name="domain">
> ## <summary>
> -## Domain allowed access.
> +## Domain allowed access.
> ## </summary>
> ## </param>
> ## <rolecap/>
> @@ -166,7 +166,7 @@ interface(`systemd_tmpfilesd_managed',`
> ## </summary>
> ## <param name="domain">
> ## <summary>
> -## Domain allowed access.
> +## Domain allowed access.
> ## </summary>
> ## </param>
> ## <rolecap/>
> @@ -280,7 +280,7 @@ interface(`systemd_read_logind_state',`
> ## </summary>
> ## <param name="domain">
> ## <summary>
> -## Domain allowed access.
> +## Domain allowed access.
> ## </summary>
> ## </param>
> #
> @@ -299,7 +299,7 @@ interface(`systemd_status_logind',`
> ## </summary>
> ## <param name="domain">
> ## <summary>
> -## Domain allowed access.
> +## Domain allowed access.
> ## </summary>
> ## </param>
> #
> Index: refpolicy-2.20170227/policy/modules/system/systemd.te
> ===================================================================
> --- refpolicy-2.20170227.orig/policy/modules/system/systemd.te
> +++ refpolicy-2.20170227/policy/modules/system/systemd.te
> @@ -501,10 +501,96 @@ miscfiles_read_localization(systemd_noti
>
> ########################################
> #
> -# Nspawn local policy
> +# nspawn local policy
> #
>
> init_pid_filetrans(systemd_nspawn_t, systemd_nspawn_var_run_t, dir)
> +allow systemd_nspawn_t self:process { getcap setcap setfscreate sigkill };
> +allow systemd_nspawn_t self:capability { dac_override fsetid mknod net_admin setgid setuid setpcap sys_admin sys_chroot };
> +allow systemd_nspawn_t self:capability2 wake_alarm;
> +allow systemd_nspawn_t self:unix_dgram_socket connected_socket_perms;
> +
> +allow systemd_nspawn_t systemd_nspawn_var_run_t:dir manage_dir_perms;
> +allow systemd_nspawn_t systemd_nspawn_var_run_t:file manage_file_perms;
> +
> +allow systemd_nspawn_t systemd_machined_t:dbus send_msg;
> +allow systemd_machined_t systemd_nspawn_t:dbus send_msg;
> +
> +# for /run/systemd/nspawn/incoming in chroot
> +allow systemd_nspawn_t systemd_nspawn_var_run_t:dir mounton;
> +
> +kernel_mount_proc(systemd_nspawn_t)
> +kernel_mounton_kernel_sysctl_file(systemd_nspawn_t)
> +kernel_mounton_kmsg_file(systemd_nspawn_t)
> +kernel_mounton_proc(systemd_nspawn_t)
> +kernel_mounton_sysctl_dir(systemd_nspawn_t)
> +kernel_read_kernel_sysctls(systemd_nspawn_t)
> +kernel_read_system_state(systemd_nspawn_t)
> +kernel_remount_proc(systemd_nspawn_t)
> +kernel_unconfined(systemd_nspawn_t)
> +
> +corecmd_exec_shell(systemd_nspawn_t)
> +corecmd_search_bin(systemd_nspawn_t)
> +corenet_rw_tun_tap_dev(systemd_nspawn_t)
> +dev_getattr_fs(systemd_nspawn_t)
> +dev_manage_sysfs_dirs(systemd_nspawn_t)
> +dev_mounton_sysfs_dirs(systemd_nspawn_t)
> +dev_mount_sysfs(systemd_nspawn_t)
> +dev_read_rand(systemd_nspawn_t)
> +dev_read_urand(systemd_nspawn_t)
> +files_manage_etc_files(systemd_nspawn_t)
> +files_manage_mnt_dirs(systemd_nspawn_t)
> +files_mounton_mnt(systemd_nspawn_t)
> +files_mounton_tmp(systemd_nspawn_t)
> +fs_getattr_tmpfs(systemd_nspawn_t)
> +fs_manage_tmpfs_chr_files(systemd_nspawn_t)
> +fs_mount_tmpfs(systemd_nspawn_t)
> +fs_remount_tmpfs(systemd_nspawn_t)
> +init_domtrans_script(systemd_nspawn_t)
> +init_kill_initrc(systemd_nspawn_t)
> +init_read_state(systemd_nspawn_t)
> +init_search_run(systemd_nspawn_t)
> +init_write_pid_socket(systemd_nspawn_t)
> +# for writing inside chroot
> +sysnet_manage_config(systemd_nspawn_t)
> +
> +term_getattr_generic_ptys(systemd_nspawn_t)
> +term_getattr_pty_fs(systemd_nspawn_t)
> +term_search_ptys(systemd_nspawn_t)
> +term_setattr_generic_ptys(systemd_nspawn_t)
> +term_use_ptmx(systemd_nspawn_t)
> +userdom_manage_user_home_dirs(systemd_nspawn_t)

Some empty lines are needed above and in the tunable below.

> +init_spec_domtrans_script(systemd_nspawn_t)
> +
> +tunable_policy(`systemd_nspawn_labeled_namespace',`
> + corecmd_exec_shell(systemd_nspawn_t)
> + dev_setattr_generic_dirs(systemd_nspawn_t)
> + files_search_home(systemd_nspawn_t)
> + fs_getattr_cgroup(systemd_nspawn_t)
> + fs_manage_cgroup_dirs(systemd_nspawn_t)
> + fs_manage_tmpfs_dirs(systemd_nspawn_t)
> + fs_manage_tmpfs_files(systemd_nspawn_t)
> + fs_manage_tmpfs_symlinks(systemd_nspawn_t)
> + fs_mount_cgroup(systemd_nspawn_t)
> + fs_mounton_cgroup(systemd_nspawn_t)
> + fs_mounton_tmpfs(systemd_nspawn_t)
> + fs_remount_cgroup(systemd_nspawn_t)
> + fs_search_tmpfs(systemd_nspawn_t)
> + fs_write_cgroup_files(systemd_nspawn_t)
> + logging_search_logs(systemd_nspawn_t)
> + selinux_getattr_fs(systemd_nspawn_t)
> + selinux_search_fs(systemd_nspawn_t)
> + seutil_search_default_contexts(systemd_nspawn_t)
> +')
> +
> +optional_policy(`
> + dbus_system_bus_client(systemd_nspawn_t)
> +')
> +
> +optional_policy(`
> + virt_manage_virt_content(systemd_nspawn_t)
> +')
>
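Review bot: `kernel_unconfined(systemd_nspawn_t)` sits alongside the narrow kernel_mount_proc, kernel_mounton_* and kernel_read_* calls added just above it; if I remember the kern_unconfined attribute's rules correctly it already grants wildcard access to proc and sysctl types, which would make those targeted interfaces redundant and hand the container manager far more than the mounts it was hitting denials for, so either drop it or add a comment stating which denials it is there for. `corecmd_exec_shell(systemd_nspawn_t)` is listed twice, unconditionally and again inside the systemd_nspawn_labeled_namespace tunable, so the copy in the tunable can go. `files_manage_etc_files` and `userdom_manage_user_home_dirs` are granted unconditionally while the comparable `files_search_home` is inside the tunable; a why-comment in the style of the existing `# for writing inside chroot` on each would make the intended scope reviewable.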
> #######################################
> #
> Index: refpolicy-2.20170227/policy/modules/system/logging.fc
> ===================================================================
> --- refpolicy-2.20170227.orig/policy/modules/system/logging.fc
> +++ refpolicy-2.20170227/policy/modules/system/logging.fc
> @@ -64,7 +64,6 @@ ifdef(`distro_redhat',`
> /run/klogd\.pid -- gen_context(system_u:object_r:klogd_var_run_t,s0)
> /run/log -s gen_context(system_u:object_r:devlog_t,s0)
> /run/log -d gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh)
> -/run/log/journal(/.*)? gen_context(system_u:object_r:var_log_t,mls_systemhigh)
> /run/metalog\.pid -- gen_context(system_u:object_r:syslogd_var_run_t,s0)
> /run/rsyslogd\.pid -- gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh)
> /run/syslogd\.pid -- gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh)



--
Chris PeBenito

2017-02-28 14:12:08

by Russell Coker

Subject: [refpolicy] [PATCH] systemd-nspawn

On Tue, 28 Feb 2017 10:05:57 PM Russell Coker via refpolicy wrote:
> Index: refpolicy-2.20170227/policy/modules/system/logging.fc
>
===================================================================
> --- refpolicy-2.20170227.orig/policy/modules/system/logging.fc
> +++ refpolicy-2.20170227/policy/modules/system/logging.fc
> @@ -64,7 +64,6 @@ ifdef(`distro_redhat',`
> /run/klogd\.pid -- gen_context(system_u:object_r:klogd_var_run
> _t,s0)
> /run/log -s gen_context(system_u:object_r:devlog_t,s0)
> /run/log -d gen_context(system_u:object_r:var_log_t,s0-
> mls_systemhigh)
> -/run/log/journal(/.*)? gen_context(system_u:object_r:var_log_t,mls_system
> high)
> /run/metalog\.pid -- gen_context(system_u:object_r:syslogd_var_r
> un_t,s0)
> /run/rsyslogd\.pid -- gen_context(system_u:object_r:syslogd_var_r
> un_t,mls_systemhigh)
> /run/syslogd\.pid -- gen_context(system_u:object_r:syslogd_var_r
> un_t,mls_systemhigh)

This doesn't really belong in the nspawn patch. The reason it's in is that the nspawn patch was what was left over after I split everything else into separate patches.

It's not a mistake, that labelling of /run/log/journal breaks systemd-journald
and needs to be removed. When it's removed the entry for /var/run/log/journal
takes over and gives the desired result. I don't know why /run/log/journal
gets priority on my system.

We need to fix this /run vs /var/run thing. We need one canonical name and we
need to change everything to it. Chris, you want me to write a patch to
change everything to /run?

--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/