From: pebenito@ieee.org (Chris PeBenito) Date: Sat, 1 Apr 2017 12:10:33 -0400 Subject: [refpolicy] [PATCH] systemd-nspawn again In-Reply-To: <20170329125631.gv6qlfs3xtwtcqbe@athena.coker.com.au> References: <20170329125631.gv6qlfs3xtwtcqbe@athena.coker.com.au> Message-ID: <209b5d22-b73b-2145-1a63-bfa896ba9142@ieee.org> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 03/29/2017 08:56 AM, Russell Coker via refpolicy wrote:
> This patch doesn't do everything that is needed to have systemd-nspawn work.
> But it does everything that is needed and which I have written in a clear and
> uncontroversial way. I think it's best to get this upstream now and then
> either have a separate discussion about the more difficult issues, or wait
> until I devise a way of solving those problems that's not too hacky.
>
> Who knows, maybe someone else will devise a brilliant solution to the remaining
> issues after this is accepted upstream. ;)
>
> Also there's a tiny patch for systemd_machined_t that is required by
> systemd_nspawn_t.
>
> Description: systemd-nspawn
> Author: Russell Coker
> Last-Update: 2017-03-29
I moved some lines and renamed some interfaces. All the rules should be there, except for one. I removed the kernel_unconfined().
> Index: refpolicy-2.20170326/policy/modules/system/init.if
> ===================================================================
> --- refpolicy-2.20170326.orig/policy/modules/system/init.if
> +++ refpolicy-2.20170326/policy/modules/system/init.if
> @@ -2,6 +2,24 @@
>
> ########################################
> ##
> +## kill a initrc_t process
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`init_kill_initrc',`
> + gen_require(`
> + type initrc_t;
> + ')
> +
> + allow $1 initrc_t:process sigkill;
> +')
> +
> +########################################
> +##
> ## Create a file type used for init scripts.
> ##
> ##
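Review bot: The summary `## kill a initrc_t process` is a lower-case fragment with a grammatical slip ("a initrc_t"), while the neighbouring summaries in this file read as capitalized sentences (`## Create a file type used for init scripts.` in the same hunk, `## Send a kill signal to unlabeled processes.` in the kernel.if context); I would write `## Send a kill signal to init scripts (initrc_t).` The same fragment style recurs in the new interfaces in devices.if (`## mounton sysfs directories.`, `## mount a sysfs filesystem`), kernel.if (`## mount the proc filesystem.`, `## mounton proc_t dirs` and the three sysctl/kmsg variants) and files.if (`## mounton a /var/run directory.`), so one pass over all of them before merging would keep the generated interface documentation consistent. The summary and param XML tags appear to have been stripped by the archive rendering, so I am not raising the bare `##` lines.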
> @@ -828,6 +846,7 @@ interface(`init_dgram_send',`
>
> dgram_send_pattern($1, init_var_run_t, init_var_run_t, init_t)
> files_search_pids($1)
> + allow $1 init_t:unix_stream_socket getattr;
> ')
>
> ########################################
> @@ -1093,21 +1112,6 @@ interface(`init_list_var_lib_dirs',`
> ## Domain allowed access.
> ##
> ##
> -##
> -##
> -## The type of the object to be created
> -##
> -##
> -##
> -##
> -## The object class.
> -##
> -##
> -##
> -##
> -## The name of the object being created.
> -##
> -##
> #
> interface(`init_manage_var_lib_files',`
> gen_require(`
> @@ -1657,14 +1661,14 @@ interface(`init_startstop_service',`
> #
> interface(`init_run_daemon',`
> gen_require(`
> - attribute init_script_file_type;
> + attribute init_script_file_type;
> role system_r;
> ')
>
> allow $2 system_r;
>
> - init_all_labeled_script_domtrans($1)
> - role_transition $2 init_script_file_type system_r;
> + init_all_labeled_script_domtrans($1)
> + role_transition $2 init_script_file_type system_r;
> ')
>
> ########################################
> @@ -2639,11 +2643,11 @@ interface(`init_delete_pid_files',`
> ##
> #
> interface(`init_write_pid_socket',`
> - gen_require(`
> - type init_var_run_t;
> - ')
> + gen_require(`
> + type init_var_run_t;
> + ')
>
> - allow $1 init_var_run_t:sock_file write;
> + allow $1 init_var_run_t:sock_file write;
> ')
>
> ########################################
> Index: refpolicy-2.20170326/policy/modules/kernel/devices.if
> ===================================================================
> --- refpolicy-2.20170326.orig/policy/modules/kernel/devices.if
> +++ refpolicy-2.20170326/policy/modules/kernel/devices.if
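Review bot: The added `allow $1 init_t:unix_stream_socket getattr;` in `init_dgram_send` widens the interface for every existing caller, not only systemd_nspawn_t, and nothing in the hunk says why a datagram-send interface now needs getattr on init's stream socket (presumably nspawn stat()s the notify socket path, but that is inference, not something the hunk shows). If only nspawn needs it, a separate interface called from systemd.te would keep `init_dgram_send`'s existing contract; otherwise a one-line comment above the rule stating which callers need the getattr and on what socket would help the next reader. The `-1093`, `-1657` and `-2639` hunks below are unrelated documentation and whitespace cleanups that would be easier to review as a separate commit.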
> @@ -4046,6 +4046,24 @@ interface(`dev_getattr_sysfs_dirs',`
>
> ########################################
> ##
> +## mounton sysfs directories.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`dev_mounton_sysfs_dirs',`
> + gen_require(`
> + type sysfs_t;
> + ')
> +
> + allow $1 sysfs_t:dir mounton;
> +')
> +
> +########################################
> +##
> ## Get the attributes of sysfs filesystem
> ##
> ##
> @@ -4063,6 +4081,24 @@ interface(`dev_getattr_sysfs',`
> ')
>
> ########################################
> +##
> +## mount a sysfs filesystem
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`dev_mount_sysfs',`
> + gen_require(`
> + type sysfs_t;
> + ')
> +
> + allow $1 sysfs_t:filesystem mount;
> +')
> +
> +########################################
> ##
> ## Do not audit getting the attributes of sysfs filesystem
> ##
> Index: refpolicy-2.20170326/policy/modules/kernel/kernel.if
> ===================================================================
> --- refpolicy-2.20170326.orig/policy/modules/kernel/kernel.if
> +++ refpolicy-2.20170326/policy/modules/kernel/kernel.if
> @@ -846,6 +846,42 @@ interface(`kernel_unmount_proc',`
>
> ########################################
> ##
> +## mount the proc filesystem.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`kernel_mount_proc',`
> + gen_require(`
> + type proc_t;
> + ')
> +
> + allow $1 proc_t:filesystem mount;
> +')
> +
> +########################################
> +##
> +## remount the proc filesystem.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`kernel_remount_proc',`
> + gen_require(`
> + type proc_t;
> + ')
> +
> + allow $1 proc_t:filesystem remount;
> +')
> +
> +########################################
> +##
> ## Get the attributes of the proc filesystem.
> ##
> ##
> @@ -2024,6 +2060,66 @@ interface(`kernel_search_fs_sysctls',`
>
> ########################################
> ##
> +## mounton sysctl_kernel_t and sysctl_t files
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +##
> +#
> +interface(`kernel_mounton_kernel_sysctl_file',`
> + gen_require(`
> + type proc_t, sysctl_t, sysctl_kernel_t;
> + ')
> +
> + allow $1 { proc_t sysctl_t sysctl_kernel_t }:dir list_dir_perms;
> + allow $1 { sysctl_t sysctl_kernel_t }:file { getattr mounton };
> +')
> +
> +########################################
> +##
> +## mounton proc_kmsg_t files
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +##
> +#
> +interface(`kernel_mounton_kmsg_file',`
> + gen_require(`
> + type proc_t, proc_kmsg_t;
> + ')
> +
> + allow $1 proc_t:dir list_dir_perms;
> + allow $1 proc_kmsg_t:file { getattr mounton };
> +')
> +
> +########################################
> +##
> +## mounton sysctl_t dirs
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +##
> +#
> +interface(`kernel_mounton_sysctl_dir',`
> + gen_require(`
> + type proc_t, sysctl_t;
> + ')
> +
> + allow $1 proc_t:dir list_dir_perms;
> + allow $1 sysctl_t:dir { getattr mounton };
> +')
> +
> +########################################
> +##
> ## Read filesystem sysctls.
> ##
> ##
> @@ -2216,6 +2312,25 @@ interface(`kernel_rw_all_sysctls',`
> ')
>
> ########################################
> +##
> +## mounton proc_t dirs
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +##
> +#
> +interface(`kernel_mounton_proc',`
> + gen_require(`
> + type proc_t;
> + ')
> +
> + allow $1 proc_t:dir mounton;
> +')
> +
> +########################################
> ##
> ## Send a kill signal to unlabeled processes.
> ##
> Index: refpolicy-2.20170326/policy/modules/system/systemd.te
> ===================================================================
> --- refpolicy-2.20170326.orig/policy/modules/system/systemd.te
> +++ refpolicy-2.20170326/policy/modules/system/systemd.te
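Review bot: The new kernel.if interface names use the singular (`kernel_mounton_kernel_sysctl_file`, `kernel_mounton_kmsg_file`, `kernel_mounton_sysctl_dir`) while the other interfaces added by this series use the plural refpolicy normally uses (`dev_mounton_sysfs_dirs`, `files_mounton_pid_dirs`, `fs_mounton_tmpfs_files`, and the existing `fs_mounton_tmpfs` in the filesystem.if context); interface names are public once merged, so I would settle on `_files`/`_dirs` now rather than rename later. The summaries also understate what is granted: `kernel_mounton_kernel_sysctl_file` allows `list_dir_perms` on `{ proc_t sysctl_t sysctl_kernel_t }:dir` and `getattr` on the files in addition to `mounton`, and the kmsg and sysctl_dir variants likewise grant directory listing on proc_t, so something like `## Mount on kernel sysctl files, including listing the /proc and sysctl directories.` would describe the access honestly. `kernel_mounton_proc` in the `-2216` hunk sits after `kernel_rw_all_sysctls`, far from `kernel_mount_proc`/`kernel_remount_proc` added at `-846`; grouping the proc mount interfaces together would make them easier to find.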
> @@ -455,6 +459,8 @@ allow systemd_machined_t self:unix_dgram
> manage_files_pattern(systemd_machined_t, systemd_machined_var_run_t, systemd_machined_var_run_t)
> allow systemd_machined_t systemd_machined_var_run_t:lnk_file manage_lnk_file_perms;
>
> +allow systemd_machined_t systemd_unit_t:service { start status stop };
> +
> kernel_read_kernel_sysctls(systemd_machined_t)
> kernel_read_system_state(systemd_machined_t)
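Review bot: `allow systemd_machined_t systemd_unit_t:service { start status stop };` lets machined start and stop every unit labeled systemd_unit_t, not only the container units it manages, and the hunk carries no comment saying what machined needs it for (presumably starting and stopping the per-machine nspawn units on behalf of machinectl, but that is inference). A comment above the rule such as `# start/stop container units for machinectl -- confirm scope` would record the intent, and if refpolicy has or gains a narrower unit type for the nspawn units, an interface in the style of `init_startstop_service` with that type would be preferable to a raw allow on the generic unit type. The hunk's trailing blank context line continues onto the next physical line of the archive.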
>
> @@ -510,10 +516,108 @@ miscfiles_read_localization(systemd_noti
>
> ########################################
> #
> -# Nspawn local policy
> +# nspawn local policy
> #
>
> init_pid_filetrans(systemd_nspawn_t, systemd_nspawn_var_run_t, dir)
> +allow systemd_nspawn_t self:process { getcap setcap setfscreate sigkill };
> +allow systemd_nspawn_t self:capability { dac_override fsetid mknod net_admin setgid setuid setpcap sys_admin sys_chroot };
> +allow systemd_nspawn_t self:capability2 wake_alarm;
> +allow systemd_nspawn_t self:unix_dgram_socket connected_socket_perms;
> +
> +allow systemd_nspawn_t systemd_nspawn_var_run_t:dir manage_dir_perms;
> +allow systemd_nspawn_t systemd_nspawn_var_run_t:file manage_file_perms;
> +
> +allow systemd_nspawn_t systemd_journal_t:dir search;
> +
> +allow systemd_nspawn_t systemd_machined_t:dbus send_msg;
> +allow systemd_machined_t systemd_nspawn_t:dbus send_msg;
> +
> +# for /run/systemd/nspawn/incoming in chroot
> +allow systemd_nspawn_t systemd_nspawn_var_run_t:dir mounton;
> +
> +kernel_mount_proc(systemd_nspawn_t)
> +kernel_mounton_kernel_sysctl_file(systemd_nspawn_t)
> +kernel_mounton_kmsg_file(systemd_nspawn_t)
> +kernel_mounton_proc(systemd_nspawn_t)
> +kernel_mounton_sysctl_dir(systemd_nspawn_t)
> +kernel_read_kernel_sysctls(systemd_nspawn_t)
> +kernel_read_system_state(systemd_nspawn_t)
> +kernel_remount_proc(systemd_nspawn_t)
> +kernel_unconfined(systemd_nspawn_t)
> +
> +corecmd_exec_shell(systemd_nspawn_t)
> +corecmd_search_bin(systemd_nspawn_t)
> +corenet_rw_tun_tap_dev(systemd_nspawn_t)
> +dev_getattr_fs(systemd_nspawn_t)
> +dev_manage_sysfs_dirs(systemd_nspawn_t)
> +dev_mounton_sysfs_dirs(systemd_nspawn_t)
> +dev_mount_sysfs(systemd_nspawn_t)
> +dev_read_rand(systemd_nspawn_t)
> +dev_read_urand(systemd_nspawn_t)
> +files_getattr_tmp_dirs(systemd_nspawn_t)
> +files_manage_etc_files(systemd_nspawn_t)
> +files_manage_mnt_dirs(systemd_nspawn_t)
> +files_mounton_mnt(systemd_nspawn_t)
> +files_mounton_root(systemd_nspawn_t)
> +files_mounton_tmp(systemd_nspawn_t)
> +files_setattr_pid_dirs(systemd_nspawn_t)
> +fs_getattr_tmpfs(systemd_nspawn_t)
> +fs_manage_tmpfs_chr_files(systemd_nspawn_t)
> +fs_mount_tmpfs(systemd_nspawn_t)
> +fs_remount_tmpfs(systemd_nspawn_t)
> +fs_search_cgroup_dirs(systemd_nspawn_t)
> +init_domtrans_script(systemd_nspawn_t)
> +init_kill_initrc(systemd_nspawn_t)
> +init_read_state(systemd_nspawn_t)
> +init_search_run(systemd_nspawn_t)
> +init_write_pid_socket(systemd_nspawn_t)
> +miscfiles_manage_localization(systemd_nspawn_t)
> +# for writing inside chroot
> +sysnet_manage_config(systemd_nspawn_t)
> +
> +term_getattr_generic_ptys(systemd_nspawn_t)
> +term_getattr_pty_fs(systemd_nspawn_t)
> +term_mount_ptyfs(systemd_nspawn_t)
> +term_search_ptys(systemd_nspawn_t)
> +term_setattr_generic_ptys(systemd_nspawn_t)
> +term_use_ptmx(systemd_nspawn_t)
> +userdom_manage_user_home_dirs(systemd_nspawn_t)
> +
> +init_spec_domtrans_script(systemd_nspawn_t)
> +
> +tunable_policy(`systemd_nspawn_labeled_namespace',`
> + corecmd_exec_shell(systemd_nspawn_t)
> + dev_mounton(systemd_nspawn_t)
> + dev_setattr_generic_dirs(systemd_nspawn_t)
> + files_search_home(systemd_nspawn_t)
> + files_mounton_pid_dirs(systemd_nspawn_t)
> + fs_getattr_cgroup(systemd_nspawn_t)
> + fs_manage_cgroup_dirs(systemd_nspawn_t)
> + fs_manage_tmpfs_dirs(systemd_nspawn_t)
> + fs_manage_tmpfs_files(systemd_nspawn_t)
> + fs_manage_tmpfs_symlinks(systemd_nspawn_t)
> + fs_mount_cgroup(systemd_nspawn_t)
> + fs_mounton_cgroup(systemd_nspawn_t)
> + fs_mounton_tmpfs(systemd_nspawn_t)
> + fs_mounton_tmpfs_files(systemd_nspawn_t)
> + fs_remount_cgroup(systemd_nspawn_t)
> + fs_search_tmpfs(systemd_nspawn_t)
> + fs_write_cgroup_files(systemd_nspawn_t)
> + init_domtrans(systemd_nspawn_t)
> + logging_search_logs(systemd_nspawn_t)
> + selinux_getattr_fs(systemd_nspawn_t)
> + selinux_search_fs(systemd_nspawn_t)
> + seutil_search_default_contexts(systemd_nspawn_t)
> +')
> +
> +optional_policy(`
> + dbus_system_bus_client(systemd_nspawn_t)
> +')
> +
> +optional_policy(`
> + virt_manage_virt_content(systemd_nspawn_t)
> +')
>
> #######################################
> #
> Index: refpolicy-2.20170326/policy/modules/kernel/files.if
> ===================================================================
> --- refpolicy-2.20170326.orig/policy/modules/kernel/files.if
> +++ refpolicy-2.20170326/policy/modules/kernel/files.if
> @@ -6306,6 +6306,24 @@ interface(`files_dontaudit_getattr_pid_d
>
> ########################################
> ##
> +## mounton a /var/run directory.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`files_mounton_pid_dirs',`
> + gen_require(`
> + type var_run_t;
> + ')
> +
> + allow $1 var_run_t:dir mounton;
> +')
> +
> +########################################
> +##
> ## Set the attributes of the /var/run directory.
> ##
> ##
> Index: refpolicy-2.20170326/policy/modules/kernel/filesystem.if
> ===================================================================
> --- refpolicy-2.20170326.orig/policy/modules/kernel/filesystem.if
> +++ refpolicy-2.20170326/policy/modules/kernel/filesystem.if
> @@ -4142,6 +4142,24 @@ interface(`fs_mounton_tmpfs',`
>
> ########################################
> ##
> +## Mount on tmpfs files.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`fs_mounton_tmpfs_files',`
> + gen_require(`
> + type tmpfs_t;
> + ')
> +
> + allow $1 tmpfs_t:file mounton;
> +')
> +
> +########################################
> +##
> ## Set the attributes of tmpfs directories.
> ##
> ##
> Index: refpolicy-2.20170326/policy/modules/kernel/terminal.if
> ===================================================================
> --- refpolicy-2.20170326.orig/policy/modules/kernel/terminal.if
> +++ refpolicy-2.20170326/policy/modules/kernel/terminal.if
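Review bot: `kernel_unconfined(systemd_nspawn_t)` is still present in the nspawn hunk as posted even though the reply says it was removed; as I read kernel.if, that interface puts the domain on the kern_unconfined attribute and grants broad access to the kernel-owned proc and sysctl types, which makes the scoped `kernel_mount_proc`/`kernel_mounton_*` rules above it moot and leaves systemd_nspawn_t effectively unconfined towards the kernel, so the line should be dropped from the applied patch. `corecmd_exec_shell(systemd_nspawn_t)` appears both unconditionally and again inside the `systemd_nspawn_labeled_namespace` tunable block, so the tunable copy is redundant. The `gen_tunable` declaring `systemd_nspawn_labeled_namespace` is not in this hunk; if it is not in the earlier systemd.te hunk implied by the `-455,6 +459,8` offset, the module will not build. `init_domtrans_script` near the top of the list and `init_spec_domtrans_script` after the userdom call would read better grouped, and the `self:capability` list (sys_admin, net_admin, dac_override, mknod and the rest) deserves a comment tying each capability to the container setup step that needs it, in the style of the existing `# for /run/systemd/nspawn/incoming in chroot` comment.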
> @@ -133,6 +133,24 @@ interface(`term_user_tty',`
>
> ########################################
> ##
> +## mount a devpts_t filesystem
> +##
> +##
> +##
> +## The type of the process to mount it
> +##
> +##
> +#
> +interface(`term_mount_ptyfs',`
> + gen_require(`
> + type devpts_t;
> + ')
> +
> + allow $1 devpts_t:filesystem mount;
> +')
> +
> +########################################
> +##
> ## Create a pty in the /dev/pts directory.
> ##
> ##
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
> -- Chris PeBenito
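Review bot: The parameter description `## The type of the process to mount it` departs from the `## Domain allowed access.` wording used by every other interface in this series and by the surrounding refpolicy interfaces; use `## Domain allowed access.` here as well so the generated documentation stays uniform. The summary `## mount a devpts_t filesystem` should likewise be a capitalized sentence, `## Mount the devpts filesystem.`, matching `## Create a pty in the /dev/pts directory.` in the same hunk.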