From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Mon, 11 Jan 2016 13:27:23 -0500
Subject: [refpolicy] [PATCH] Allow systemd services to use PrivateNetwork feature
In-Reply-To: <1452536095-8579-1-git-send-email-nicolas.iooss@m4x.org>
References: <1452536095-8579-1-git-send-email-nicolas.iooss@m4x.org>
Message-ID: <5693F40B.9070102@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 1/11/2016 1:14 PM, Nicolas Iooss wrote:
> systemd creates a new network namespace for services which are using
> PrivateNetwork=yes.
>
> In the implementation, systemd uses a socketpair as a storage buffer for
> the namespace reference file descriptor (cf.
> https://github.com/systemd/systemd/blob/v228/src/core/namespace.c#L660).
> One end of this socketpair is locked (hence the need of "lock" access to
> self:unix_dgram_socket for init_t) while systemd opens
> /proc/self/ns/net, which lives in nsfs.
>
> While at it, add filesystem_type attribute to nsfs_t.

Merged.

> --- > policy/modules/kernel/filesystem.if | 17 +++++++++++++++++ > policy/modules/kernel/filesystem.te | 1 + > policy/modules/system/init.te | 3 +++ > 3 files changed, 21 insertions(+) > > diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if > index 99ad71f926b4..3455c2270942 100644 > --- a/policy/modules/kernel/filesystem.if > +++ b/policy/modules/kernel/filesystem.if > @@ -3360,6 +3360,23 @@ interface(`fs_rw_nfsd_fs',` > > ######################################## > ## > +## Read nsfs inodes (e.g. /proc/pid/ns/uts) > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`fs_read_nsfs_files',` > + gen_require(` > + type nsfs_t; > + ') > + > + allow $1 nsfs_t:file read_file_perms; > +') > +######################################## > +## > ## Getattr on pstore dirs. > ## > ## > diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te > index 920527ca9995..ae44d92f4f10 100644 
> --- a/policy/modules/kernel/filesystem.te > +++ b/policy/modules/kernel/filesystem.te > @@ -126,6 +126,7 @@ fs_type(nfsd_fs_t) > genfscon nfsd / gen_context(system_u:object_r:nfsd_fs_t,s0) > > type nsfs_t; > +fs_type(nsfs_t) > genfscon nsfs / gen_context(system_u:object_r:nsfs_t,s0) > > type oprofilefs_t; > diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te > index ea5530f55689..78031010d38c 100644 > --- a/policy/modules/system/init.te > +++ b/policy/modules/system/init.te > @@ -199,6 +199,7 @@ ifdef(`init_systemd',` > allow init_t self:netlink_kobject_uevent_socket create_socket_perms; > allow init_t self:netlink_route_socket create_netlink_socket_perms; > allow init_t self:netlink_selinux_socket create_socket_perms; > + allow init_t self:unix_dgram_socket lock; > > manage_files_pattern(init_t, init_var_run_t, init_var_run_t) > manage_lnk_files_pattern(init_t, init_var_run_t, init_var_run_t) > @@ -260,6 +261,8 @@ ifdef(`init_systemd',` > # mount-setup > fs_unmount_autofs(init_t) > fs_getattr_pstore_dirs(init_t) > + # for network namespaces > + fs_read_nsfs_files(init_t) > > # systemd_socket_activated policy > mls_socket_write_all_levels(init_t) >

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
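Review bot: In the filesystem.if hunk, the new `fs_read_nsfs_files` interface runs straight from its closing `+')` into the `+########################################` separator that precedes `## Getattr on pstore dirs.`, whereas the context at the top of the same hunk shows a blank line between one interface block and the next; add a blank line after `+')` to match the file's spacing. The summary line `+## Read nsfs inodes (e.g. /proc/pid/ns/uts)` also picks the uts namespace as its example while the commit message's actual use case is `/proc/self/ns/net`; either illustration is fine, but naming the net namespace file (or both) would make it easier to trace why the interface was added.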
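Review bot: In the first init.te hunk, `+ allow init_t self:unix_dgram_socket lock;` is dropped among the netlink socket rules with no comment, while its companion in the second hunk gets `+ # for network namespaces` above `+ fs_read_nsfs_files(init_t)`; since the commit message explains that the lock is taken on one end of systemd's namespace storage socketpair, a one-line comment tying this rule to PrivateNetwork= would keep the two halves of the change discoverable together when someone later greps the policy for the namespace handling.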
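The commit message above names two accesses the patch has to grant to init_t: `lock` on its own unix_dgram_socket and reading a file on nsfs. As an added example (not part of the thread or of refpolicy), the following Python script shows what those two denials look like in auditd output and how they collapse into the TE rules the patch adds. The AVC lines are constructed for the example, modelled on the auditd format; the expansion of `read_file_perms` to `{ getattr open read lock ioctl }` is taken from refpolicy's obj_perm_sets.spt and should be checked against the tree you build from.

```python
import re
from collections import OrderedDict

# Constructed sample AVC denials (not taken from the thread), shaped like
# auditd output for the two accesses the patch grants: locking one end of
# systemd's storage socketpair, and opening/reading /proc/self/ns/net on nsfs.
SAMPLE_AVCS = """\
type=AVC msg=audit(1452535000.123:456): avc:  denied  { lock } for  pid=1 comm="systemd" path="socket:[12345]" dev="sockfs" ino=12345 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_dgram_socket permissive=0
type=AVC msg=audit(1452535000.124:457): avc:  denied  { read open } for  pid=1 comm="systemd" path="net:[4026531969]" dev="nsfs" ino=4026531969 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:nsfs_t:s0 tclass=file permissive=0
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def _type_of(context):
    """user:role:type[:range] -> type"""
    return context.split(":")[2]


def parse_avc_denials(text):
    """Return a list of (source_type, target_type, tclass, set_of_perms)
    for every AVC denial line in text; non-AVC lines are skipped."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        denials.append((_type_of(m["scontext"]), _type_of(m["tcontext"]),
                        m["tclass"], set(m["perms"].split())))
    return denials


def allow_rules(denials):
    """Merge denials per (source, target, class) and render one TE allow
    rule each, writing the target as 'self' when source and target types
    match, which is how audit2allow prints such rules."""
    merged = OrderedDict()
    for src, tgt, cls, perms in denials:
        merged.setdefault((src, tgt, cls), set()).update(perms)
    rules = []
    for (src, tgt, cls), perms in merged.items():
        target = "self" if src == tgt else tgt
        rules.append("allow %s %s:%s { %s };" % (src, target, cls, " ".join(sorted(perms))))
    return rules


# Assumed expansion of refpolicy's read_file_perms macro (obj_perm_sets.spt);
# verify against your tree before relying on it.
READ_FILE_PERMS = {"getattr", "open", "read", "lock", "ioctl"}

# The access the patch grants to init_t, expanded to raw permissions:
# allow init_t self:unix_dgram_socket lock;  and  fs_read_nsfs_files(init_t)
PATCH_RULES = {
    ("init_t", "init_t", "unix_dgram_socket"): {"lock"},
    ("init_t", "nsfs_t", "file"): READ_FILE_PERMS,
}


def uncovered(denials, rules):
    """Return the denials (with only the still-missing permissions) that the
    given rules do not satisfy; an empty list means every denial is covered."""
    missing = []
    for src, tgt, cls, perms in denials:
        left = perms - rules.get((src, tgt, cls), set())
        if left:
            missing.append((src, tgt, cls, left))
    return missing


if __name__ == "__main__":
    found = parse_avc_denials(SAMPLE_AVCS)
    for rule in allow_rules(found):
        print(rule)
    print("uncovered by patch:", uncovered(found, PATCH_RULES))
```

Run as-is, the script prints the two raw rules (`allow init_t self:unix_dgram_socket { lock };` and `allow init_t nsfs_t:file { open read };`) and reports nothing uncovered by the patch; feeding it real denials from `ausearch -m AVC` instead of the constructed lines is a quick way to confirm that a denial you are seeing is one this change addresses rather than a different one.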