From: russell@coker.com.au (Russell Coker) Date: Wed, 29 Mar 2017 23:56:31 +1100 Subject: [refpolicy] [PATCH] systemd-nspawn again Message-ID: <20170329125631.gv6qlfs3xtwtcqbe@athena.coker.com.au> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com This patch doesn't do everything that is needed to have systemd-nspawn work. But it does everything that is needed and which I have written in a clear and uncontroversial way. I think it's best to get this upstream now and then either have a separate discussion about the more difficult issues, or wait until I devise a way of solving those problems that's not too hacky. Who knows, maybe someone else will devise a brilliant solution to the remaining issues after this is accepted upstream. ;) Also there's a tiny patch for systemd_machined_t that is required by systemd_nspawn_t. Description: systemd-nspawn Author: Russell Coker Last-Update: 2017-03-29 Index: refpolicy-2.20170326/policy/modules/system/init.if =================================================================== --- refpolicy-2.20170326.orig/policy/modules/system/init.if +++ refpolicy-2.20170326/policy/modules/system/init.if @@ -2,6 +2,24 @@ ######################################## ## +## kill a initrc_t process +## +## +## +## Domain allowed access. +## +## +# +interface(`init_kill_initrc',` + gen_require(` + type initrc_t; + ') + + allow $1 initrc_t:process sigkill; +') + +######################################## +## ## Create a file type used for init scripts. ## ## @@ -828,6 +846,7 @@ interface(`init_dgram_send',` dgram_send_pattern($1, init_var_run_t, init_var_run_t, init_t) files_search_pids($1) + allow $1 init_t:unix_stream_socket getattr; ') ######################################## 
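Review bot: The new `init_kill_initrc` rule `allow $1 initrc_t:process sigkill;` is host-wide: SELinux cannot tell which initrc_t process the caller launched, so a domain given this interface can SIGKILL every initrc_t process on the system, which for systemd_nspawn_t means init-script processes outside the container as well. The summary should say so instead of only `kill a initrc_t process` (also "an"), e.g. `## Send SIGKILL to any initrc_t process; not limited to children of the caller.`. If the intent is only to tear down the container's own init, a dedicated container init domain would scope this, but that is outside this hunk.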
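Review bot: Appending `allow $1 init_t:unix_stream_socket getattr;` to `init_dgram_send` widens what every existing caller of that interface is granted, and a stream-socket getattr is not what the name or the `dgram_send_pattern` line promise. A separate interface such as `init_getattr_stream_socket` called from systemd.te would keep the new access scoped to systemd_nspawn_t; if it stays here, the interface summary should mention it. The opening lines of `init_dgram_send` are outside the hunk.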
@@ -1093,21 +1112,6 @@ interface(`init_list_var_lib_dirs',` ## Domain allowed access. ## ## -## -## -## The type of the object to be created -## -## -## -## -## The object class. -## -## -## -## -## The name of the object being created. -## -## # interface(`init_manage_var_lib_files',` gen_require(` @@ -1657,14 +1661,14 @@ interface(`init_startstop_service',` # interface(`init_run_daemon',` gen_require(` - attribute init_script_file_type; + attribute init_script_file_type; role system_r; ') allow $2 system_r; - init_all_labeled_script_domtrans($1) - role_transition $2 init_script_file_type system_r; + init_all_labeled_script_domtrans($1) + role_transition $2 init_script_file_type system_r; ') ######################################## @@ -2639,11 +2643,11 @@ interface(`init_delete_pid_files',` ## # interface(`init_write_pid_socket',` - gen_require(` - type init_var_run_t; - ') + gen_require(` + type init_var_run_t; + ') - allow $1 init_var_run_t:sock_file write; + allow $1 init_var_run_t:sock_file write; ') ######################################## Index: refpolicy-2.20170326/policy/modules/kernel/devices.if =================================================================== --- refpolicy-2.20170326.orig/policy/modules/kernel/devices.if +++ refpolicy-2.20170326/policy/modules/kernel/devices.if @@ -4046,6 +4046,24 @@ interface(`dev_getattr_sysfs_dirs',` ######################################## ## +## mounton sysfs directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_mounton_sysfs_dirs',` + gen_require(` + type sysfs_t; + ') + + allow $1 sysfs_t:dir mounton; +') + +######################################## +## ## Get the attributes of sysfs filesystem ## ## 
@@ -4063,6 +4081,24 @@ interface(`dev_getattr_sysfs',` ') ######################################## +## +## mount a sysfs filesystem +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_mount_sysfs',` + gen_require(` + type sysfs_t; + ') + + allow $1 sysfs_t:filesystem mount; +') + +######################################## ## ## Do not audit getting the attributes of sysfs filesystem ## Index: refpolicy-2.20170326/policy/modules/kernel/kernel.if =================================================================== --- refpolicy-2.20170326.orig/policy/modules/kernel/kernel.if +++ refpolicy-2.20170326/policy/modules/kernel/kernel.if @@ -846,6 +846,42 @@ interface(`kernel_unmount_proc',` ######################################## ## +## mount the proc filesystem. +## +## +## +## Domain allowed access. +## +## +# +interface(`kernel_mount_proc',` + gen_require(` + type proc_t; + ') + + allow $1 proc_t:filesystem mount; +') + +######################################## +## +## remount the proc filesystem. +## +## +## +## Domain allowed access. +## +## +# +interface(`kernel_remount_proc',` + gen_require(` + type proc_t; + ') + + allow $1 proc_t:filesystem remount; +') + +######################################## +## ## Get the attributes of the proc filesystem. ## ## 
@@ -2024,6 +2060,66 @@ interface(`kernel_search_fs_sysctls',` ######################################## ## +## mounton sysctl_kernel_t and sysctl_t files +## +## +## +## Domain allowed access. +## +## +## +# +interface(`kernel_mounton_kernel_sysctl_file',` + gen_require(` + type proc_t, sysctl_t, sysctl_kernel_t; + ') + + allow $1 { proc_t sysctl_t sysctl_kernel_t }:dir list_dir_perms; + allow $1 { sysctl_t sysctl_kernel_t }:file { getattr mounton }; +') + +######################################## +## +## mounton proc_kmsg_t files +## +## +## +## Domain allowed access. +## +## +## +# +interface(`kernel_mounton_kmsg_file',` + gen_require(` + type proc_t, proc_kmsg_t; + ') + + allow $1 proc_t:dir list_dir_perms; + allow $1 proc_kmsg_t:file { getattr mounton }; +') + +######################################## +## +## mounton sysctl_t dirs +## +## +## +## Domain allowed access. +## +## +## +# +interface(`kernel_mounton_sysctl_dir',` + gen_require(` + type proc_t, sysctl_t; + ') + + allow $1 proc_t:dir list_dir_perms; + allow $1 sysctl_t:dir { getattr mounton }; +') + +######################################## +## ## Read filesystem sysctls. ## ## @@ -2216,6 +2312,25 @@ interface(`kernel_rw_all_sysctls',` ') ######################################## +## +## mounton proc_t dirs +## +## +## +## Domain allowed access. +## +## +## +# +interface(`kernel_mounton_proc',` + gen_require(` + type proc_t; + ') + + allow $1 proc_t:dir mounton; +') + +######################################## ## ## Send a kill signal to unlabeled processes. ## Index: refpolicy-2.20170326/policy/modules/system/systemd.te =================================================================== --- refpolicy-2.20170326.orig/policy/modules/system/systemd.te +++ refpolicy-2.20170326/policy/modules/system/systemd.te 
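Review bot: In kernel.if, `kernel_mounton_kernel_sysctl_file` grants `list_dir_perms` on `proc_t`, `sysctl_t` and `sysctl_kernel_t` directories in addition to the file mounton its name advertises, and the same `allow $1 proc_t:dir list_dir_perms;` is repeated in `kernel_mounton_kmsg_file` and `kernel_mounton_sysctl_dir`; a caller reading the summaries would not expect directory listing. Either state it in each summary, e.g. `## Mount on sysctl_t and sysctl_kernel_t files (also lists the proc_t/sysctl dirs leading to them).`, or take the directory access from the existing list/search interfaces (`kernel_list_proc`, if this tree has it) so the mounton interfaces grant only mounton. Note also that `kernel_mounton_proc` allows mounton on every proc_t directory rather than a single mount point; the summary `mounton proc_t dirs` does say that, but callers may not intend it.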
@@ -455,6 +459,8 @@ allow systemd_machined_t self:unix_dgram
 manage_files_pattern(systemd_machined_t, systemd_machined_var_run_t, systemd_machined_var_run_t)
 allow systemd_machined_t systemd_machined_var_run_t:lnk_file manage_lnk_file_perms;
+allow systemd_machined_t systemd_unit_t:service { start status stop };
+
 kernel_read_kernel_sysctls(systemd_machined_t)
 kernel_read_system_state(systemd_machined_t)
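Review bot: `allow systemd_machined_t systemd_unit_t:service { start status stop };` lets machined start and stop any unit labeled with the generic `systemd_unit_t`, which is wider than the machine/nspawn units it drives on behalf of systemd_nspawn_t; as far as I recall these `service` permissions are enforced by systemd's own userspace access check rather than the kernel, so the scope is exactly the set of units carrying that type. If this tree has a more specific unit type for nspawn/machine units, use it; otherwise add a comment above the rule recording the scope, e.g. `# start/stop systemd-nspawn@*.service for machinectl; systemd_unit_t is the generic unit type, so this covers all units`.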
@@ -510,10 +516,108 @@ miscfiles_read_localization(systemd_noti
 ########################################
 #
-# Nspawn local policy
+# nspawn local policy
 #
 init_pid_filetrans(systemd_nspawn_t, systemd_nspawn_var_run_t, dir)
+allow systemd_nspawn_t self:process { getcap setcap setfscreate sigkill };
+allow systemd_nspawn_t self:capability { dac_override fsetid mknod net_admin setgid setuid setpcap sys_admin sys_chroot };
+allow systemd_nspawn_t self:capability2 wake_alarm;
+allow systemd_nspawn_t self:unix_dgram_socket connected_socket_perms;
+
+allow systemd_nspawn_t systemd_nspawn_var_run_t:dir manage_dir_perms;
+allow systemd_nspawn_t systemd_nspawn_var_run_t:file manage_file_perms;
+
+allow systemd_nspawn_t systemd_journal_t:dir search;
+
+allow systemd_nspawn_t systemd_machined_t:dbus send_msg;
+allow systemd_machined_t systemd_nspawn_t:dbus send_msg;
+
+# for /run/systemd/nspawn/incoming in chroot
+allow systemd_nspawn_t systemd_nspawn_var_run_t:dir mounton;
+
+kernel_mount_proc(systemd_nspawn_t)
+kernel_mounton_kernel_sysctl_file(systemd_nspawn_t)
+kernel_mounton_kmsg_file(systemd_nspawn_t)
+kernel_mounton_proc(systemd_nspawn_t)
+kernel_mounton_sysctl_dir(systemd_nspawn_t)
+kernel_read_kernel_sysctls(systemd_nspawn_t)
+kernel_read_system_state(systemd_nspawn_t)
+kernel_remount_proc(systemd_nspawn_t)
+kernel_unconfined(systemd_nspawn_t)
+
+corecmd_exec_shell(systemd_nspawn_t)
+corecmd_search_bin(systemd_nspawn_t)
+corenet_rw_tun_tap_dev(systemd_nspawn_t)
+dev_getattr_fs(systemd_nspawn_t)
+dev_manage_sysfs_dirs(systemd_nspawn_t)
+dev_mounton_sysfs_dirs(systemd_nspawn_t)
+dev_mount_sysfs(systemd_nspawn_t)
+dev_read_rand(systemd_nspawn_t)
+dev_read_urand(systemd_nspawn_t)
+files_getattr_tmp_dirs(systemd_nspawn_t)
+files_manage_etc_files(systemd_nspawn_t)
+files_manage_mnt_dirs(systemd_nspawn_t)
+files_mounton_mnt(systemd_nspawn_t)
+files_mounton_root(systemd_nspawn_t)
+files_mounton_tmp(systemd_nspawn_t)
+files_setattr_pid_dirs(systemd_nspawn_t)
+fs_getattr_tmpfs(systemd_nspawn_t)
+fs_manage_tmpfs_chr_files(systemd_nspawn_t)
+fs_mount_tmpfs(systemd_nspawn_t)
+fs_remount_tmpfs(systemd_nspawn_t)
+fs_search_cgroup_dirs(systemd_nspawn_t)
+init_domtrans_script(systemd_nspawn_t)
+init_kill_initrc(systemd_nspawn_t)
+init_read_state(systemd_nspawn_t)
+init_search_run(systemd_nspawn_t)
+init_write_pid_socket(systemd_nspawn_t)
+miscfiles_manage_localization(systemd_nspawn_t)
+# for writing inside chroot
+sysnet_manage_config(systemd_nspawn_t)
+
+term_getattr_generic_ptys(systemd_nspawn_t)
+term_getattr_pty_fs(systemd_nspawn_t)
+term_mount_ptyfs(systemd_nspawn_t)
+term_search_ptys(systemd_nspawn_t)
+term_setattr_generic_ptys(systemd_nspawn_t)
+term_use_ptmx(systemd_nspawn_t)
+userdom_manage_user_home_dirs(systemd_nspawn_t)
+
+init_spec_domtrans_script(systemd_nspawn_t)
+
+tunable_policy(`systemd_nspawn_labeled_namespace',`
+ corecmd_exec_shell(systemd_nspawn_t)
+ dev_mounton(systemd_nspawn_t)
+ dev_setattr_generic_dirs(systemd_nspawn_t)
+ files_search_home(systemd_nspawn_t)
+ files_mounton_pid_dirs(systemd_nspawn_t)
+ fs_getattr_cgroup(systemd_nspawn_t)
+ fs_manage_cgroup_dirs(systemd_nspawn_t)
+ fs_manage_tmpfs_dirs(systemd_nspawn_t)
+ fs_manage_tmpfs_files(systemd_nspawn_t)
+ fs_manage_tmpfs_symlinks(systemd_nspawn_t)
+ fs_mount_cgroup(systemd_nspawn_t)
+ fs_mounton_cgroup(systemd_nspawn_t)
+ fs_mounton_tmpfs(systemd_nspawn_t)
+ fs_mounton_tmpfs_files(systemd_nspawn_t)
+ fs_remount_cgroup(systemd_nspawn_t)
+ fs_search_tmpfs(systemd_nspawn_t)
+ fs_write_cgroup_files(systemd_nspawn_t)
+ init_domtrans(systemd_nspawn_t)
+ logging_search_logs(systemd_nspawn_t)
+ selinux_getattr_fs(systemd_nspawn_t)
+ selinux_search_fs(systemd_nspawn_t)
+ seutil_search_default_contexts(systemd_nspawn_t)
+')
+
+optional_policy(`
+ dbus_system_bus_client(systemd_nspawn_t)
+')
+
+optional_policy(`
+ virt_manage_virt_content(systemd_nspawn_t)
+')
 #######################################
 #
Index:
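Review bot: `kernel_unconfined(systemd_nspawn_t)` in the unconditional block makes the fine-grained `kernel_mount_proc`, `kernel_mounton_*`, `kernel_remount_proc` and `kernel_read_*` calls beside it redundant if `kern_unconfined` still grants blanket access to every proc_type/sysctl_type object (plus kernel_t and unlabeled_t) as it does in the refpolicy kernel.te I know; either drop the blanket call now that the specific interfaces exist, or keep it with a comment naming the remaining denial it covers so it can be removed later. The `# for writing inside chroot` comment is also misleading: a container rootfs labeled by the host policy carries the same etc_t, net_conf_t, locale and home types as the host, so `files_manage_etc_files`, `sysnet_manage_config`, `miscfiles_manage_localization` and `userdom_manage_user_home_dirs` let systemd_nspawn_t rewrite the host's /etc, resolv.conf and user home directories, not only the container's. Consider saying so explicitly, e.g. `# container trees share host types, so these also allow writing host /etc, network config and home dirs`, or moving those calls behind the `systemd_nspawn_labeled_namespace` tunable (its declaration is not in view). Finally, `corecmd_exec_shell(systemd_nspawn_t)` inside the tunable duplicates the unconditional call above it and can be dropped.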
refpolicy-2.20170326/policy/modules/kernel/files.if =================================================================== --- refpolicy-2.20170326.orig/policy/modules/kernel/files.if +++ refpolicy-2.20170326/policy/modules/kernel/files.if @@ -6306,6 +6306,24 @@ interface(`files_dontaudit_getattr_pid_d ######################################## ## +## mounton a /var/run directory. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_mounton_pid_dirs',` + gen_require(` + type var_run_t; + ') + + allow $1 var_run_t:dir mounton; +') + +######################################## +## ## Set the attributes of the /var/run directory. ## ## Index: refpolicy-2.20170326/policy/modules/kernel/filesystem.if =================================================================== --- refpolicy-2.20170326.orig/policy/modules/kernel/filesystem.if +++ refpolicy-2.20170326/policy/modules/kernel/filesystem.if @@ -4142,6 +4142,24 @@ interface(`fs_mounton_tmpfs',` ######################################## ## +## Mount on tmpfs files. +## +## +## +## Domain allowed access. +## +## +# +interface(`fs_mounton_tmpfs_files',` + gen_require(` + type tmpfs_t; + ') + + allow $1 tmpfs_t:file mounton; +') + +######################################## +## ## Set the attributes of tmpfs directories. ## ## Index: refpolicy-2.20170326/policy/modules/kernel/terminal.if =================================================================== --- refpolicy-2.20170326.orig/policy/modules/kernel/terminal.if +++ refpolicy-2.20170326/policy/modules/kernel/terminal.if @@ -133,6 +133,24 @@ interface(`term_user_tty',` ######################################## ## +## mount a devpts_t filesystem +## +## +## +## The type of the process to mount it +## +## +# +interface(`term_mount_ptyfs',` + gen_require(` + type devpts_t; + ') + + allow $1 devpts_t:filesystem mount; +') + +######################################## +## ## Create a pty in the /dev/pts directory. ## ##