From: lvrabec@redhat.com (Lukas Vrabec)
Date: Tue, 19 Jan 2016 12:30:48 +0100
Subject: [refpolicy] [PATCH] Allow systemd services to use PrivateNetwork feature
In-Reply-To: <5693F4F9.5040703@redhat.com>
References: <1452536095-8579-1-git-send-email-nicolas.iooss@m4x.org> <5693F40B.9070102@tresys.com> <5693F4F9.5040703@redhat.com>
Message-ID: <569E1E68.40201@redhat.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 01/11/2016 07:31 PM, Miroslav Grepl wrote:
> On 01/11/2016 07:27 PM, Christopher J. PeBenito wrote:
>> On 1/11/2016 1:14 PM, Nicolas Iooss wrote:
>>> systemd creates a new network namespace for services which are using
>>> PrivateNetwork=yes.
>>>
>>> In the implementation, systemd uses a socketpair as a storage buffer for
>>> the namespace reference file descriptor (cf.
>>> https://github.com/systemd/systemd/blob/v228/src/core/namespace.c#L660).
>>> One end of this socketpair is locked (hence the need for "lock" access to
>>> self:unix_dgram_socket for init_t) while systemd opens
>>> /proc/self/ns/net, which lives in nsfs.
>>>
>>> While at it, add the filesystem_type attribute to nsfs_t.
>>
>> Merged.
>
> Lukas,
> could you play around and make this change also for the Fedora bugs to see if it
> works as expected?
>
Fixes available for Fedora 23 and Fedora Rawhide here:
http://koji.fedoraproject.org/koji/buildinfo?buildID=712094
http://koji.fedoraproject.org/koji/buildinfo?buildID=712091

> Nicolas,
> thank you for the patches.
>
>>
>>> ---
>>> policy/modules/kernel/filesystem.if | 17 +++++++++++++++++
>>> policy/modules/kernel/filesystem.te | 1 +
>>> policy/modules/system/init.te | 3 +++
>>> 3 files changed, 21 insertions(+)
>>>
>>> diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
>>> index 99ad71f926b4..3455c2270942 100644
>>> --- a/policy/modules/kernel/filesystem.if
>>> +++ b/policy/modules/kernel/filesystem.if
>>> @@ -3360,6 +3360,23 @@ interface(`fs_rw_nfsd_fs',` >>> >>> ######################################## >>> ## >>> +## Read nsfs inodes (e.g. /proc/pid/ns/uts) >>> +## >>> +## >>> +## >>> +## Domain allowed access. >>> +## >>> +## >>> +# >>> +interface(`fs_read_nsfs_files',` >>> + gen_require(` >>> + type nsfs_t; >>> + ') >>> + >>> + allow $1 nsfs_t:file read_file_perms; >>> +') >>> +######################################## >>> +## >>> ## Getattr on pstore dirs. >>> ## >>> ## >>> diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te >>> index 920527ca9995..ae44d92f4f10 100644 >>> --- a/policy/modules/kernel/filesystem.te >>> +++ b/policy/modules/kernel/filesystem.te >>> @@ -126,6 +126,7 @@ fs_type(nfsd_fs_t) >>> genfscon nfsd / gen_context(system_u:object_r:nfsd_fs_t,s0) >>> >>> type nsfs_t; >>> +fs_type(nsfs_t) >>> genfscon nsfs / gen_context(system_u:object_r:nsfs_t,s0) >>> >>> type oprofilefs_t; >>> diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te >>> index ea5530f55689..78031010d38c 100644 >>> --- a/policy/modules/system/init.te >>> +++ b/policy/modules/system/init.te >>> @@ -199,6 +199,7 @@ ifdef(`init_systemd',` >>> allow init_t self:netlink_kobject_uevent_socket create_socket_perms; >>> allow init_t self:netlink_route_socket create_netlink_socket_perms; >>> allow init_t self:netlink_selinux_socket create_socket_perms; >>> + allow init_t self:unix_dgram_socket lock; >>> >>> manage_files_pattern(init_t, init_var_run_t, init_var_run_t) >>> manage_lnk_files_pattern(init_t, init_var_run_t, init_var_run_t) >>> @@ -260,6 +261,8 @@ ifdef(`init_systemd',` >>> # mount-setup >>> fs_unmount_autofs(init_t) >>> fs_getattr_pstore_dirs(init_t) >>> + # for network namespaces >>> + fs_read_nsfs_files(init_t) >>> >>> # systemd_socket_activated policy >>> mls_socket_write_all_levels(init_t) >>> >> >> > > -- Lukas Vrabec SELinux Solutions Red Hat, Inc.
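Review bot: in the filesystem.if hunk the new interface's closing `+')` runs straight into the `+########` banner of the following (pstore) interface with no blank line between them, while every other interface in this file is separated by one; add the blank line after `')`. The summary also uses `/proc/pid/ns/uts` as its example even though the rule is motivated by `/proc/self/ns/net`; naming net (or both) would match the `# for network namespaces` comment in init.te. The body itself is fine: `read_file_perms` on `nsfs_t:file` covers the open() the commit message describes.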
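Review bot: in the filesystem.te hunk, `fs_type(nsfs_t)` puts nsfs_t under the `filesystem_type` attribute, so every interface keyed on that attribute (the fs_getattr_all_fs()-style ones) now reaches nsfs as well; the commit message only says "while at it", so one sentence stating that this widening is intended, and that it is what makes the genfscon-labelled nsfs inodes behave like the other pseudo filesystems declared in this block, would help anyone reading the log later.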
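Review bot: in the first init.te hunk the new `allow init_t self:unix_dgram_socket lock;` line carries no comment, unlike the `# for network namespaces` comment given to its companion rule in the second hunk; `lock` on a datagram socket is unusual enough that a future reader will wonder why it is there, so put the reason from the commit message next to it, e.g. `# PrivateNetwork=: lockf() on the netns storage socketpair`. If the init_systemd block already has a `self:unix_dgram_socket` rule, fold `lock` into that permission set rather than adding a second rule for the same class.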
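Review bot: in the second init.te hunk, `fs_read_nsfs_files(init_t)` lands inside the `# mount-setup` group, directly after `fs_getattr_pstore_dirs(init_t)` and before the `# systemd_socket_activated policy` comment, so despite its own `# for network namespaces` comment it reads as part of mount-setup; separate it with a blank line or move it next to the `unix_dgram_socket lock` rule from the first hunk so the two PrivateNetwork= rules sit together. Note also that the interface only covers the nsfs file itself; reaching it through the `/proc/self/ns/net` magic link relies on the proc access init_t already has, which is worth one line in the commit message.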