From: pebenito@ieee.org (Chris PeBenito) Date: Sun, 5 Mar 2017 08:43:39 -0500 Subject: [refpolicy] [PATCH] systemd-nspawn In-Reply-To: <20170228110557.ck7x4ligazrhdnrx@athena.coker.com.au> References: <20170228110557.ck7x4ligazrhdnrx@athena.coker.com.au> Message-ID: To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 02/28/17 06:05, Russell Coker via refpolicy wrote: > This patch includes all the basic stuff for systemd-nspawn. It is NOT enough > to make systemd-nspawn fully functional, I'm not certain it's enough to make > it minimally functional. But I am confident that this is needed. > > I've got a bunch of other changes which aren't even ready for my own > development tree. > > But I'd like to get this upstream now to give others something to work with > and to get the less controversial changes in so we can have a smaller patch > with more difficult stuff to debate about later. ;) > > NB I have not tested this without the previous 2 patches I sent today. Chris > if you reject one of the previous 2 patches then you might want to skip this. > If so I will refresh it and resend it. A few trivial changes requested below. > Description: systemd-nspawn > Author: Russell Coker > Last-Update: 2017-02-28 > > Index: refpolicy-2.20170227/policy/modules/system/init.if > =================================================================== > --- refpolicy-2.20170227.orig/policy/modules/system/init.if > +++ refpolicy-2.20170227/policy/modules/system/init.if > @@ -2,6 +2,24 @@ > > ######################################## > ## > +## kill a initrc_t process > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`init_kill_initrc',` init_kill_script() > + gen_require(` > + type initrc_t; > + ') > + > + allow $1 initrc_t:process sigkill; > +') > + > +######################################## > +## > ## Create a file type used for init scripts. > ## > ## 
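Review bot: The summary of the new init_kill_initrc interface, `## kill a initrc_t process`, understates what the rule grants: `allow $1 initrc_t:process sigkill;` permits SIGKILL against every process running in initrc_t, not only the ones the caller spawned, because a process signal permission cannot be scoped to children. I would write the summary as `## Send a SIGKILL signal to init script (initrc_t) processes.`, keeping the sentence-case, full-sentence form the rest of init.if uses. A caller that only needs to stop the script it started should be aware that it gets this wider scope.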
> @@ -828,6 +846,7 @@ interface(`init_dgram_send',` > > dgram_send_pattern($1, init_var_run_t, init_var_run_t, init_t) > files_search_pids($1) > + allow $1 init_t:unix_stream_socket getattr; > ') > > ######################################## > @@ -1093,21 +1112,6 @@ interface(`init_list_var_lib_dirs',` > ## Domain allowed access. > ## > ## > -## > -## > -## The type of the object to be created > -## > -## > -## > -## > -## The object class. > -## > -## > -## > -## > -## The name of the object being created. > -## > -## > # > interface(`init_manage_var_lib_files',` > gen_require(` > @@ -1657,14 +1661,14 @@ interface(`init_startstop_service',` > # > interface(`init_run_daemon',` > gen_require(` > - attribute init_script_file_type; > + attribute init_script_file_type; > role system_r; > ') > > allow $2 system_r; > > - init_all_labeled_script_domtrans($1) > - role_transition $2 init_script_file_type system_r; > + init_all_labeled_script_domtrans($1) > + role_transition $2 init_script_file_type system_r; > ') > > ######################################## > @@ -2639,11 +2643,11 @@ interface(`init_delete_pid_files',` > ## > # > interface(`init_write_pid_socket',` > - gen_require(` > - type init_var_run_t; > - ') > + gen_require(` > + type init_var_run_t; > + ') > > - allow $1 init_var_run_t:sock_file write; > + allow $1 init_var_run_t:sock_file write; > ') > > ######################################## > Index: refpolicy-2.20170227/policy/modules/kernel/devices.if > =================================================================== > --- refpolicy-2.20170227.orig/policy/modules/kernel/devices.if > +++ refpolicy-2.20170227/policy/modules/kernel/devices.if 
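Review bot: The `allow $1 init_t:unix_stream_socket getattr;` line added to init_dgram_send changes an interface that many unrelated domains already call, so each of them silently gains getattr on init_t's stream sockets at the next policy build. If only systemd_nspawn_t needs it (presumably an fstat() on the notify socket, though the hunk does not show the triggering denial), a dedicated interface such as `init_getattr_stream_socket` would keep the widening visible rather than folding it into a dgram-send rule. At minimum a comment above the line naming the operation that needs it, e.g. `# fstat() of the notify socket fd`, would tell the next reader why a dgram interface carries a stream-socket permission.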
> @@ -4046,6 +4046,24 @@ interface(`dev_getattr_sysfs_dirs',` > > ######################################## > ## > +## mounton sysfs directories. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`dev_mounton_sysfs_dirs',` > + gen_require(` > + type sysfs_t; > + ') > + > + allow $1 sysfs_t:dir mounton; > +') > + > +######################################## > +## > ## Get the attributes of sysfs filesystem > ## > ## > @@ -4063,6 +4081,24 @@ interface(`dev_getattr_sysfs',` > ') > > ######################################## > +## > +## mount a sysfs filesystem > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`dev_mount_sysfs',` > + gen_require(` > + type sysfs_t; > + ') > + > + allow $1 sysfs_t:filesystem mount; > +') > + > +######################################## > ## > ## Do not audit getting the attributes of sysfs filesystem > ## > Index: refpolicy-2.20170227/policy/modules/kernel/kernel.if > =================================================================== > --- refpolicy-2.20170227.orig/policy/modules/kernel/kernel.if > +++ refpolicy-2.20170227/policy/modules/kernel/kernel.if > @@ -846,6 +846,42 @@ interface(`kernel_unmount_proc',` > > ######################################## > ## > +## mount the proc filesystem. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`kernel_mount_proc',` > + gen_require(` > + type proc_t; > + ') > + > + allow $1 proc_t:filesystem mount; > +') > + > +######################################## > +## > +## remount the proc filesystem. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`kernel_remount_proc',` > + gen_require(` > + type proc_t; > + ') > + > + allow $1 proc_t:filesystem remount; > +') > + > +######################################## > +## > ## Get the attributes of the proc filesystem. > ## > ## 
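Review bot: The four new interfaces in devices.if and kernel.if use lowercase fragments for their summaries (`mounton sysfs directories.`, `mount a sysfs filesystem`, `mount the proc filesystem.`, `remount the proc filesystem.`) while the neighbouring interfaces in both files are full sentences with a capital (`Get the attributes of sysfs filesystem`). I would use `Mount on sysfs directories.`, `Mount a sysfs filesystem.`, `Mount the proc filesystem.` and `Remount the proc filesystem.`. It is also worth stating in the dev_mount_sysfs and kernel_mount_proc summaries that only `mount` is granted, not `unmount`, so a caller that tears mounts down must pair them with the existing unmount interfaces (kernel_unmount_proc is visible directly above the new kernel_mount_proc).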
> @@ -2024,6 +2060,66 @@ interface(`kernel_search_fs_sysctls',` > > ######################################## > ## > +## mounton sysctl_kernel_t and sysctl_t files > +## > +## > +## > +## Domain allowed access. > +## > +## > +## > +# > +interface(`kernel_mounton_kernel_sysctl_file',` > + gen_require(` > + type proc_t, sysctl_t, sysctl_kernel_t; > + ') > + > + allow $1 { proc_t sysctl_t sysctl_kernel_t }:dir list_dir_perms; > + allow $1 { sysctl_t sysctl_kernel_t }:file { getattr mounton }; I'd prefer to at least split this into two mounton interfaces, one for sysctl_t and one for sysctl_kernel_t. > +') > + > +######################################## > +## > +## mounton proc_kmsg_t files > +## > +## > +## > +## Domain allowed access. > +## > +## > +## > +# > +interface(`kernel_mounton_kmsg_file',` > + gen_require(` > + type proc_t, proc_kmsg_t; > + ') > + > + allow $1 proc_t:dir list_dir_perms; > + allow $1 proc_kmsg_t:file { getattr mounton }; > +') > + > +######################################## > +## > +## mounton sysctl_t dirs > +## > +## > +## > +## Domain allowed access. > +## > +## > +## > +# > +interface(`kernel_mounton_sysctl_dir',` > + gen_require(` > + type proc_t, sysctl_t; > + ') > + > + allow $1 proc_t:dir list_dir_perms; > + allow $1 sysctl_t:dir { getattr mounton }; > +') > + > +######################################## > +## > ## Read filesystem sysctls. > ## > ## 
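Review bot: kernel_mounton_kmsg_file and kernel_mounton_sysctl_dir each grant `allow $1 proc_t:dir list_dir_perms;` in addition to the mounton access their names advertise, so any caller picks up the ability to list /proc, and with it the process list, as a side effect of a mount-on rule. I would keep each interface to the `{ getattr mounton }` rule on the named type and have callers request the listing separately through kernel.if's existing proc-listing interface (I believe kernel_list_proc exists, but cannot see it from the hunk), or failing that state the extra access in the summary. The same applies to the `{ proc_t sysctl_t sysctl_kernel_t }:dir list_dir_perms` rule in kernel_mounton_kernel_sysctl_file.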
> @@ -2216,6 +2312,25 @@ interface(`kernel_rw_all_sysctls',` > ') > > ######################################## > +## > +## mounton proc_t dirs > +## > +## > +## > +## Domain allowed access. > +## > +## > +## > +# > +interface(`kernel_mounton_proc',` > + gen_require(` > + type proc_t; > + ') > + > + allow $1 proc_t:dir mounton; > +') > + > +######################################## > ## > ## Send a kill signal to unlabeled processes. > ## > Index: refpolicy-2.20170227/policy/modules/system/systemd.if > =================================================================== > --- refpolicy-2.20170227.orig/policy/modules/system/systemd.if > +++ refpolicy-2.20170227/policy/modules/system/systemd.if > @@ -7,7 +7,7 @@ > ## > ## > ## > -## Type to be used as a log parse environment type. > +## Type to be used as a log parse environment type. > ## > ## > # > @@ -25,7 +25,7 @@ interface(`systemd_log_parse_environment > ## > ## > ## > -## Domain allowed access. > +## Domain allowed access. > ## > ## > # > @@ -45,7 +45,7 @@ interface(`systemd_read_logind_pids',` > ## > ## > ## > -## Domain allowed access. > +## Domain allowed access. > ## > ## > # > @@ -65,7 +65,7 @@ interface(`systemd_manage_logind_pid_pip > ## > ## > ## > -## Domain allowed access. > +## Domain allowed access. > ## > ## > # > @@ -79,12 +79,12 @@ interface(`systemd_use_logind_fds',` > > ###################################### > ## > -## Write inherited logind sessions pipes. > +## Write inherited logind sessions pipes. > ## > ## > -## > -## Domain allowed access. > -## > +## > +## Domain allowed access. > +## > ## > # > interface(`systemd_write_inherited_logind_sessions_pipes',` > @@ -104,7 +104,7 @@ interface(`systemd_write_inherited_login > ## > ## > ## > -## Domain allowed access. > +## Domain allowed access. > ## > ## > # > @@ -124,7 +124,7 @@ interface(`systemd_dbus_chat_logind',` > ## > ## > ## > -## Domain allowed access. > +## Domain allowed access. > ## > ## > ## 
> @@ -166,7 +166,7 @@ interface(`systemd_tmpfilesd_managed',` > ## > ## > ## > -## Domain allowed access. > +## Domain allowed access. > ## > ## > ## > @@ -280,7 +280,7 @@ interface(`systemd_read_logind_state',` > ## > ## > ## > -## Domain allowed access. > +## Domain allowed access. > ## > ## > # > @@ -299,7 +299,7 @@ interface(`systemd_status_logind',` > ## > ## > ## > -## Domain allowed access. > +## Domain allowed access. > ## > ## > # > Index: refpolicy-2.20170227/policy/modules/system/systemd.te > =================================================================== > --- refpolicy-2.20170227.orig/policy/modules/system/systemd.te > +++ refpolicy-2.20170227/policy/modules/system/systemd.te 
> @@ -501,10 +501,96 @@ miscfiles_read_localization(systemd_noti > > ######################################## > # > -# Nspawn local policy > +# nspawn local policy > # > > init_pid_filetrans(systemd_nspawn_t, systemd_nspawn_var_run_t, dir) > +allow systemd_nspawn_t self:process { getcap setcap setfscreate sigkill }; > +allow systemd_nspawn_t self:capability { dac_override fsetid mknod net_admin setgid setuid setpcap sys_admin sys_chroot }; > +allow systemd_nspawn_t self:capability2 wake_alarm; > +allow systemd_nspawn_t self:unix_dgram_socket connected_socket_perms; > + > +allow systemd_nspawn_t systemd_nspawn_var_run_t:dir manage_dir_perms; > +allow systemd_nspawn_t systemd_nspawn_var_run_t:file manage_file_perms; > + > +allow systemd_nspawn_t systemd_machined_t:dbus send_msg; > +allow systemd_machined_t systemd_nspawn_t:dbus send_msg; > + > +# for /run/systemd/nspawn/incoming in chroot > +allow systemd_nspawn_t systemd_nspawn_var_run_t:dir mounton; > + > +kernel_mount_proc(systemd_nspawn_t) > +kernel_mounton_kernel_sysctl_file(systemd_nspawn_t) > +kernel_mounton_kmsg_file(systemd_nspawn_t) > +kernel_mounton_proc(systemd_nspawn_t) > +kernel_mounton_sysctl_dir(systemd_nspawn_t) > +kernel_read_kernel_sysctls(systemd_nspawn_t) > +kernel_read_system_state(systemd_nspawn_t) > +kernel_remount_proc(systemd_nspawn_t) > +kernel_unconfined(systemd_nspawn_t) > + > +corecmd_exec_shell(systemd_nspawn_t) > +corecmd_search_bin(systemd_nspawn_t) > +corenet_rw_tun_tap_dev(systemd_nspawn_t) > +dev_getattr_fs(systemd_nspawn_t) > +dev_manage_sysfs_dirs(systemd_nspawn_t) > +dev_mounton_sysfs_dirs(systemd_nspawn_t) > +dev_mount_sysfs(systemd_nspawn_t) > +dev_read_rand(systemd_nspawn_t) > +dev_read_urand(systemd_nspawn_t) > +files_manage_etc_files(systemd_nspawn_t) > +files_manage_mnt_dirs(systemd_nspawn_t) > +files_mounton_mnt(systemd_nspawn_t) > +files_mounton_tmp(systemd_nspawn_t) > +fs_getattr_tmpfs(systemd_nspawn_t) > +fs_manage_tmpfs_chr_files(systemd_nspawn_t) > 
+fs_mount_tmpfs(systemd_nspawn_t) > +fs_remount_tmpfs(systemd_nspawn_t) > +init_domtrans_script(systemd_nspawn_t) > +init_kill_initrc(systemd_nspawn_t) > +init_read_state(systemd_nspawn_t) > +init_search_run(systemd_nspawn_t) > +init_write_pid_socket(systemd_nspawn_t) > +# for writing inside chroot > +sysnet_manage_config(systemd_nspawn_t) > + > +term_getattr_generic_ptys(systemd_nspawn_t) > +term_getattr_pty_fs(systemd_nspawn_t) > +term_search_ptys(systemd_nspawn_t) > +term_setattr_generic_ptys(systemd_nspawn_t) > +term_use_ptmx(systemd_nspawn_t) > +userdom_manage_user_home_dirs(systemd_nspawn_t) Some empty lines needed above and in the tunable below. > +init_spec_domtrans_script(systemd_nspawn_t) > + > +tunable_policy(`systemd_nspawn_labeled_namespace',` > + corecmd_exec_shell(systemd_nspawn_t) > + dev_setattr_generic_dirs(systemd_nspawn_t) > + files_search_home(systemd_nspawn_t) > + fs_getattr_cgroup(systemd_nspawn_t) > + fs_manage_cgroup_dirs(systemd_nspawn_t) > + fs_manage_tmpfs_dirs(systemd_nspawn_t) > + fs_manage_tmpfs_files(systemd_nspawn_t) > + fs_manage_tmpfs_symlinks(systemd_nspawn_t) > + fs_mount_cgroup(systemd_nspawn_t) > + fs_mounton_cgroup(systemd_nspawn_t) > + fs_mounton_tmpfs(systemd_nspawn_t) > + fs_remount_cgroup(systemd_nspawn_t) > + fs_search_tmpfs(systemd_nspawn_t) > + fs_write_cgroup_files(systemd_nspawn_t) > + logging_search_logs(systemd_nspawn_t) > + selinux_getattr_fs(systemd_nspawn_t) > + selinux_search_fs(systemd_nspawn_t) > + seutil_search_default_contexts(systemd_nspawn_t) > +') > + > +optional_policy(` > + dbus_system_bus_client(systemd_nspawn_t) > +') > + > +optional_policy(` > + virt_manage_virt_content(systemd_nspawn_t) > +') > > ####################################### > # > Index: refpolicy-2.20170227/policy/modules/system/logging.fc > =================================================================== > --- refpolicy-2.20170227.orig/policy/modules/system/logging.fc > +++ refpolicy-2.20170227/policy/modules/system/logging.fc 
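Review bot: `kernel_unconfined(systemd_nspawn_t)` in the nspawn local policy is a far broader grant than the cover text suggests and makes most of the fine-grained kernel_mount_proc / kernel_mounton_* / kernel_remount_proc / kernel_read_* calls added beside it redundant: as I recall, the kern_unconfined attribute carries wildcard access to proc, sysctl and unlabeled objects, which covers whatever unlabeled filesystem a container image happens to live on. I would drop that line and keep the explicit interfaces, adding any still-missing access with a comment naming the operation rather than falling back to the unconfined attribute. The unconditional `corecmd_exec_shell(systemd_nspawn_t)` is repeated inside the `systemd_nspawn_labeled_namespace` tunable, so the copy in the tunable can go. `files_manage_etc_files`, `sysnet_manage_config` and `userdom_manage_user_home_dirs` grant writes to host files of those types as well as to the container's copies, since the policy cannot tell a container's etc_t from the host's; a comment stating that this is accepted, or use of a container-image type such as virt_content, would help the next reader. The gen_tunable declaration for `systemd_nspawn_labeled_namespace` is not in this patch, so it presumably comes from one of the earlier patches mentioned above; that should be confirmed before merging.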
> @@ -64,7 +64,6 @@ ifdef(`distro_redhat',` > /run/klogd\.pid -- gen_context(system_u:object_r:klogd_var_run_t,s0) > /run/log -s gen_context(system_u:object_r:devlog_t,s0) > /run/log -d gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh) > -/run/log/journal(/.*)? gen_context(system_u:object_r:var_log_t,mls_systemhigh) > /run/metalog\.pid -- gen_context(system_u:object_r:syslogd_var_run_t,s0) > /run/rsyslogd\.pid -- gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh) > /run/syslogd\.pid -- gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh) -- Chris PeBenito