From: russell@coker.com.au (Russell Coker)
Date: Tue, 28 Feb 2017 22:05:57 +1100
Subject: [refpolicy] [PATCH] systemd-nspawn
Message-ID: <20170228110557.ck7x4ligazrhdnrx@athena.coker.com.au>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

This patch includes all the basic stuff for systemd-nspawn. It is NOT enough to make systemd-nspawn fully functional, I'm not certain it's enough to make it minimally functional. But I am confident that this is needed.

I've got a bunch of other changes which aren't even ready for my own development tree. But I'd like to get this upstream now to give others something to work with and to get the less controversial changes in so we can have a smaller patch with more difficult stuff to debate about later. ;)

NB I have not tested this without the previous 2 patches I sent today. Chris if you reject one of the previous 2 patches then you might want to skip this. If so I will refresh it and resend it.

Description: systemd-nspawn
Author: Russell Coker
Last-Update: 2017-02-28

Index: refpolicy-2.20170227/policy/modules/system/init.if
===================================================================
--- refpolicy-2.20170227.orig/policy/modules/system/init.if
+++ refpolicy-2.20170227/policy/modules/system/init.if
@@ -2,6 +2,24 @@
 ########################################
 ##
+## kill a initrc_t process
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`init_kill_initrc',`
+ gen_require(`
+ type initrc_t;
+ ')
+
+ allow $1 initrc_t:process sigkill;
+')
+
+########################################
+##
 ## Create a file type used for init scripts.
 ##
 ##
@@ -828,6 +846,7 @@ interface(`init_dgram_send',`
 dgram_send_pattern($1, init_var_run_t, init_var_run_t, init_t)
 files_search_pids($1)
+ allow $1 init_t:unix_stream_socket getattr;
 ')
 ########################################
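Review bot: The summary of the new `init_kill_initrc` interface reads `kill a initrc_t process`, which does not follow the sentence form the neighbouring summaries use (compare `Create a file type used for init scripts.` in the same hunk and `Send a kill signal to unlabeled processes.` later in this patch); `## Send a kill signal to initrc_t processes.` would match. The rule itself, `allow $1 initrc_t:process sigkill;`, is as narrow as the name suggests, so only the wording needs attention.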
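Review bot: The line added to `init_dgram_send`, `allow $1 init_t:unix_stream_socket getattr;`, grants stream-socket access from an interface whose name and existing rules are about datagram sends, so every existing caller of init_dgram_send silently gains it. If systemd-nspawn needs it, a separate interface (or at least a comment in init_dgram_send stating why getattr on init_t's stream socket belongs with dgram sends) keeps the grant visible to callers. The body of init_dgram_send starts before the hunk.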
@@ -1093,21 +1112,6 @@ interface(`init_list_var_lib_dirs',`
 ## Domain allowed access.
 ##
 ##
-##
-##
-## The type of the object to be created
-##
-##
-##
-##
-## The object class.
-##
-##
-##
-##
-## The name of the object being created.
-##
-##
 #
 interface(`init_manage_var_lib_files',`
 gen_require(`
@@ -1657,14 +1661,14 @@ interface(`init_startstop_service',`
 #
 interface(`init_run_daemon',`
 gen_require(`
- attribute init_script_file_type;
+ attribute init_script_file_type;
 role system_r;
 ')
 allow $2 system_r;
- init_all_labeled_script_domtrans($1)
- role_transition $2 init_script_file_type system_r;
+ init_all_labeled_script_domtrans($1)
+ role_transition $2 init_script_file_type system_r;
 ')
 ########################################
@@ -2639,11 +2643,11 @@ interface(`init_delete_pid_files',`
 ##
 #
 interface(`init_write_pid_socket',`
- gen_require(`
- type init_var_run_t;
- ')
+ gen_require(`
+ type init_var_run_t;
+ ')
- allow $1 init_var_run_t:sock_file write;
+ allow $1 init_var_run_t:sock_file write;
 ')
 ########################################
Index: refpolicy-2.20170227/policy/modules/kernel/devices.if
===================================================================
--- refpolicy-2.20170227.orig/policy/modules/kernel/devices.if
+++ refpolicy-2.20170227/policy/modules/kernel/devices.if
@@ -4046,6 +4046,24 @@ interface(`dev_getattr_sysfs_dirs',`
 ########################################
 ##
+## mounton sysfs directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dev_mounton_sysfs_dirs',`
+ gen_require(`
+ type sysfs_t;
+ ')
+
+ allow $1 sysfs_t:dir mounton;
+')
+
+########################################
+##
 ## Get the attributes of sysfs filesystem
 ##
 ##
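Review bot: The summary of `dev_mounton_sysfs_dirs` reads `mounton sysfs directories.`, using the permission name as a lower-case verb, while the neighbouring summaries are sentences (`Get the attributes of sysfs filesystem` in the same hunk); `## Mount on sysfs directories.` reads as the rest of the file does. The same wording point applies to `dev_mount_sysfs`, `kernel_mount_proc`, `kernel_remount_proc` and the four `kernel_mounton_*` interfaces added later in this patch, so one pass over the new summaries would settle it.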
@@ -4063,6 +4081,24 @@ interface(`dev_getattr_sysfs',`
 ')
 ########################################
+##
+## mount a sysfs filesystem
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dev_mount_sysfs',`
+ gen_require(`
+ type sysfs_t;
+ ')
+
+ allow $1 sysfs_t:filesystem mount;
+')
+
+########################################
 ##
 ## Do not audit getting the attributes of sysfs filesystem
 ##
Index: refpolicy-2.20170227/policy/modules/kernel/kernel.if
===================================================================
--- refpolicy-2.20170227.orig/policy/modules/kernel/kernel.if
+++ refpolicy-2.20170227/policy/modules/kernel/kernel.if
@@ -846,6 +846,42 @@ interface(`kernel_unmount_proc',`
 ########################################
 ##
+## mount the proc filesystem.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`kernel_mount_proc',`
+ gen_require(`
+ type proc_t;
+ ')
+
+ allow $1 proc_t:filesystem mount;
+')
+
+########################################
+##
+## remount the proc filesystem.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`kernel_remount_proc',`
+ gen_require(`
+ type proc_t;
+ ')
+
+ allow $1 proc_t:filesystem remount;
+')
+
+########################################
+##
 ## Get the attributes of the proc filesystem.
 ##
 ##
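Review bot: `dev_mount_sysfs` is inserted between `dev_getattr_sysfs` and the `Do not audit getting the attributes of sysfs filesystem` interface, which the hunk context shows were adjacent before this change; splitting a getattr interface from its dontaudit counterpart makes the pair harder to find. Placing the new interface after the dontaudit one, or next to `dev_mounton_sysfs_dirs`, keeps the existing grouping. The kernel.if hunk in the same span (`kernel_mount_proc`, `kernel_remount_proc`) slots in after `kernel_unmount_proc` and has no such placement issue.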
@@ -2024,6 +2060,66 @@ interface(`kernel_search_fs_sysctls',`
 ########################################
 ##
+## mounton sysctl_kernel_t and sysctl_t files
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`kernel_mounton_kernel_sysctl_file',`
+ gen_require(`
+ type proc_t, sysctl_t, sysctl_kernel_t;
+ ')
+
+ allow $1 { proc_t sysctl_t sysctl_kernel_t }:dir list_dir_perms;
+ allow $1 { sysctl_t sysctl_kernel_t }:file { getattr mounton };
+')
+
+########################################
+##
+## mounton proc_kmsg_t files
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`kernel_mounton_kmsg_file',`
+ gen_require(`
+ type proc_t, proc_kmsg_t;
+ ')
+
+ allow $1 proc_t:dir list_dir_perms;
+ allow $1 proc_kmsg_t:file { getattr mounton };
+')
+
+########################################
+##
+## mounton sysctl_t dirs
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`kernel_mounton_sysctl_dir',`
+ gen_require(`
+ type proc_t, sysctl_t;
+ ')
+
+ allow $1 proc_t:dir list_dir_perms;
+ allow $1 sysctl_t:dir { getattr mounton };
+')
+
+########################################
+##
 ## Read filesystem sysctls.
 ##
 ##
@@ -2216,6 +2312,25 @@ interface(`kernel_rw_all_sysctls',`
 ')
 ########################################
+##
+## mounton proc_t dirs
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`kernel_mounton_proc',`
+ gen_require(`
+ type proc_t;
+ ')
+
+ allow $1 proc_t:dir mounton;
+')
+
+########################################
 ##
 ## Send a kill signal to unlabeled processes.
 ##
Index: refpolicy-2.20170227/policy/modules/system/systemd.if
===================================================================
--- refpolicy-2.20170227.orig/policy/modules/system/systemd.if
+++ refpolicy-2.20170227/policy/modules/system/systemd.if
@@ -7,7 +7,7 @@
 ##
 ##
 ##
-## Type to be used as a log parse environment type.
+## Type to be used as a log parse environment type.
 ##
 ##
 #
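Review bot: `kernel_mounton_proc` drops the object noun that its own summary gives (`mounton proc_t dirs`), while its siblings in this span are `kernel_mounton_sysctl_dir` and `kernel_mounton_kmsg_file` and devices.if adds `dev_mounton_sysfs_dirs`; `kernel_mounton_proc_dirs` would make the set consistent, and singular versus plural (`_sysctl_dir` against `_sysfs_dirs`) is worth settling while the names are new. Separately, `kernel_mounton_kernel_sysctl_file` grants `list_dir_perms` on proc_t, sysctl_t and sysctl_kernel_t directories in addition to the file mounton its summary describes, and the other two mounton interfaces likewise add `list_dir_perms` on proc_t; the summaries should say so, e.g. `## Mount on sysctl_kernel_t and sysctl_t files, including listing the directories leading to them.`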
@@ -25,7 +25,7 @@ interface(`systemd_log_parse_environment
 ##
 ##
 ##
-## Domain allowed access.
+## Domain allowed access.
 ##
 ##
 #
@@ -45,7 +45,7 @@ interface(`systemd_read_logind_pids',`
 ##
 ##
 ##
-## Domain allowed access.
+## Domain allowed access.
 ##
 ##
 #
@@ -65,7 +65,7 @@ interface(`systemd_manage_logind_pid_pip
 ##
 ##
 ##
-## Domain allowed access.
+## Domain allowed access.
 ##
 ##
 #
@@ -79,12 +79,12 @@ interface(`systemd_use_logind_fds',`
 ######################################
 ##
-## Write inherited logind sessions pipes.
+## Write inherited logind sessions pipes.
 ##
 ##
-##
-## Domain allowed access.
-##
+##
+## Domain allowed access.
+##
 ##
 #
 interface(`systemd_write_inherited_logind_sessions_pipes',`
@@ -104,7 +104,7 @@ interface(`systemd_write_inherited_login
 ##
 ##
 ##
-## Domain allowed access.
+## Domain allowed access.
 ##
 ##
 #
@@ -124,7 +124,7 @@ interface(`systemd_dbus_chat_logind',`
 ##
 ##
 ##
-## Domain allowed access.
+## Domain allowed access.
 ##
 ##
 ##
@@ -166,7 +166,7 @@ interface(`systemd_tmpfilesd_managed',`
 ##
 ##
 ##
-## Domain allowed access.
+## Domain allowed access.
 ##
 ##
 ##
@@ -280,7 +280,7 @@ interface(`systemd_read_logind_state',`
 ##
 ##
 ##
-## Domain allowed access.
+## Domain allowed access.
 ##
 ##
 #
@@ -299,7 +299,7 @@ interface(`systemd_status_logind',`
 ##
 ##
 ##
-## Domain allowed access.
+## Domain allowed access.
 ##
 ##
 #
Index: refpolicy-2.20170227/policy/modules/system/systemd.te
===================================================================
--- refpolicy-2.20170227.orig/policy/modules/system/systemd.te
+++ refpolicy-2.20170227/policy/modules/system/systemd.te
@@ -501,10 +501,96 @@ miscfiles_read_localization(systemd_noti
 ########################################
 #
-# Nspawn local policy
+# nspawn local policy
 #
 init_pid_filetrans(systemd_nspawn_t, systemd_nspawn_var_run_t, dir)
+allow systemd_nspawn_t self:process { getcap setcap setfscreate sigkill };
+allow systemd_nspawn_t self:capability { dac_override fsetid mknod net_admin setgid setuid setpcap sys_admin sys_chroot };
+allow systemd_nspawn_t self:capability2 wake_alarm;
+allow systemd_nspawn_t self:unix_dgram_socket connected_socket_perms;
+
+allow systemd_nspawn_t systemd_nspawn_var_run_t:dir manage_dir_perms;
+allow systemd_nspawn_t systemd_nspawn_var_run_t:file manage_file_perms;
+
+allow systemd_nspawn_t systemd_machined_t:dbus send_msg;
+allow systemd_machined_t systemd_nspawn_t:dbus send_msg;
+
+# for /run/systemd/nspawn/incoming in chroot
+allow systemd_nspawn_t systemd_nspawn_var_run_t:dir mounton;
+
+kernel_mount_proc(systemd_nspawn_t)
+kernel_mounton_kernel_sysctl_file(systemd_nspawn_t)
+kernel_mounton_kmsg_file(systemd_nspawn_t)
+kernel_mounton_proc(systemd_nspawn_t)
+kernel_mounton_sysctl_dir(systemd_nspawn_t)
+kernel_read_kernel_sysctls(systemd_nspawn_t)
+kernel_read_system_state(systemd_nspawn_t)
+kernel_remount_proc(systemd_nspawn_t)
+kernel_unconfined(systemd_nspawn_t)
+
+corecmd_exec_shell(systemd_nspawn_t)
+corecmd_search_bin(systemd_nspawn_t)
+corenet_rw_tun_tap_dev(systemd_nspawn_t)
+dev_getattr_fs(systemd_nspawn_t)
+dev_manage_sysfs_dirs(systemd_nspawn_t)
+dev_mounton_sysfs_dirs(systemd_nspawn_t)
+dev_mount_sysfs(systemd_nspawn_t)
+dev_read_rand(systemd_nspawn_t)
+dev_read_urand(systemd_nspawn_t)
+files_manage_etc_files(systemd_nspawn_t)
+files_manage_mnt_dirs(systemd_nspawn_t)
+files_mounton_mnt(systemd_nspawn_t)
+files_mounton_tmp(systemd_nspawn_t)
+fs_getattr_tmpfs(systemd_nspawn_t)
+fs_manage_tmpfs_chr_files(systemd_nspawn_t)
+fs_mount_tmpfs(systemd_nspawn_t)
+fs_remount_tmpfs(systemd_nspawn_t)
+init_domtrans_script(systemd_nspawn_t)
+init_kill_initrc(systemd_nspawn_t)
+init_read_state(systemd_nspawn_t)
+init_search_run(systemd_nspawn_t)
+init_write_pid_socket(systemd_nspawn_t)
+# for writing inside chroot
+sysnet_manage_config(systemd_nspawn_t)
+
+term_getattr_generic_ptys(systemd_nspawn_t)
+term_getattr_pty_fs(systemd_nspawn_t)
+term_search_ptys(systemd_nspawn_t)
+term_setattr_generic_ptys(systemd_nspawn_t)
+term_use_ptmx(systemd_nspawn_t)
+userdom_manage_user_home_dirs(systemd_nspawn_t)
+
+init_spec_domtrans_script(systemd_nspawn_t)
+
+tunable_policy(`systemd_nspawn_labeled_namespace',`
+ corecmd_exec_shell(systemd_nspawn_t)
+ dev_setattr_generic_dirs(systemd_nspawn_t)
+ files_search_home(systemd_nspawn_t)
+ fs_getattr_cgroup(systemd_nspawn_t)
+ fs_manage_cgroup_dirs(systemd_nspawn_t)
+ fs_manage_tmpfs_dirs(systemd_nspawn_t)
+ fs_manage_tmpfs_files(systemd_nspawn_t)
+ fs_manage_tmpfs_symlinks(systemd_nspawn_t)
+ fs_mount_cgroup(systemd_nspawn_t)
+ fs_mounton_cgroup(systemd_nspawn_t)
+ fs_mounton_tmpfs(systemd_nspawn_t)
+ fs_remount_cgroup(systemd_nspawn_t)
+ fs_search_tmpfs(systemd_nspawn_t)
+ fs_write_cgroup_files(systemd_nspawn_t)
+ logging_search_logs(systemd_nspawn_t)
+ selinux_getattr_fs(systemd_nspawn_t)
+ selinux_search_fs(systemd_nspawn_t)
+ seutil_search_default_contexts(systemd_nspawn_t)
+')
+
+optional_policy(`
+ dbus_system_bus_client(systemd_nspawn_t)
+')
+
+optional_policy(`
+ virt_manage_virt_content(systemd_nspawn_t)
+')
 #######################################
 #
Index: refpolicy-2.20170227/policy/modules/system/logging.fc
===================================================================
--- refpolicy-2.20170227.orig/policy/modules/system/logging.fc
+++ refpolicy-2.20170227/policy/modules/system/logging.fc
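Review bot: `corecmd_exec_shell(systemd_nspawn_t)` inside the `systemd_nspawn_labeled_namespace` tunable block is already granted unconditionally earlier in this hunk, so the conditional copy is redundant and can be dropped. `kernel_unconfined(systemd_nspawn_t)` is a very broad grant for a domain that otherwise receives narrowly scoped mount/mounton interfaces; if it still attaches the kern_unconfined attribute with wildcard access to proc and sysctl types, most of the `kernel_mount*` and `kernel_mounton_*` calls next to it become redundant, and it deserves a comment stating which denial it addresses, e.g. `# TODO(review): justify kernel_unconfined or replace it with the specific kernel_* interfaces it subsumes`. The `systemd_nspawn_labeled_namespace` tunable is not declared anywhere in this patch, presumably by one of the two earlier patches the description mentions, so it is worth confirming the declaration exists before this hunk is applied on its own.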
@@ -64,7 +64,6 @@ ifdef(`distro_redhat',`
 /run/klogd\.pid -- gen_context(system_u:object_r:klogd_var_run_t,s0)
 /run/log -s gen_context(system_u:object_r:devlog_t,s0)
 /run/log -d gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh)
-/run/log/journal(/.*)? gen_context(system_u:object_r:var_log_t,mls_systemhigh)
 /run/metalog\.pid -- gen_context(system_u:object_r:syslogd_var_run_t,s0)
 /run/rsyslogd\.pid -- gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh)
 /run/syslogd\.pid -- gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh)