From: pebenito@ieee.org (Chris PeBenito)
Date: Mon, 15 May 2017 18:36:25 -0400
Subject: [refpolicy] [PATCH 3/4] Add policy for systemd-networkd
In-Reply-To: <20170514152403.369-4-krzysztof.a.nowicki@gmail.com>
References: <20170514152403.369-1-krzysztof.a.nowicki@gmail.com> <20170514152403.369-4-krzysztof.a.nowicki@gmail.com>
Message-ID: <77cf8dd6-d971-6dfa-dbe0-685a595d43c1@ieee.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 05/14/2017 11:24 AM, Krzysztof Nowicki via refpolicy wrote:
> From: Krzysztof Nowicki
>
> This includes policy for socket-activation through the netlink route
> socket, which lays some ground for generic API for systemd socket-activation
> policies as suggested by Dominick Grift.
> ---
> policy/modules/system/init.if | 19 +++++++++++++++++
> policy/modules/system/init.te | 3 +++
> policy/modules/system/systemd.fc | 2 ++
> policy/modules/system/systemd.te | 46 ++++++++++++++++++++++++++++++++++++++++
> 4 files changed, 70 insertions(+)
>
> diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
> index 9428453..af95897 100644
> --- a/policy/modules/system/init.if
> +++ b/policy/modules/system/init.if
> @@ -2940,6 +2940,25 @@ interface(`init_reload_all_units',`
>
> ########################################
> ##
> +## Allow subject domain to be socket-activated by systemd
> +## through a netlink route socket
> +##
> +##
> +##
> +## Subject domain
> +##
> +##
> +#
> +interface(`init_netlink_route_socket_activated_subj_type',`
> + gen_require(`
> + attribute systemd_netlink_route_socket_activated_subj_type;
> + ')
> +
> + typeattribute $1 systemd_netlink_route_socket_activated_subj_type;
> +')

This should look like the init_named_socket_activation() interface and be named init_netlink_socket_activation().

> +########################################
> +##
> ## Allow unconfined access to send instructions to init
> ##
> ##
> diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
> index 9a64783..061bb29 100644
> --- a/policy/modules/system/init.te
> +++ b/policy/modules/system/init.te
> @@ -28,6 +28,7 @@ attribute init_script_file_type;
> attribute init_run_all_scripts_domain;
> attribute systemdunit;
> attribute initrc_transition_domain;
> +attribute systemd_netlink_route_socket_activated_subj_type;
>
> # Mark process types as daemons
> attribute daemon;
> @@ -246,6 +247,8 @@ ifdef(`init_systemd',`
> allow systemprocess init_t:unix_dgram_socket sendto;
> allow systemprocess init_t:unix_stream_socket { append write read getattr ioctl };
>
> + allow init_t systemd_netlink_route_socket_activated_subj_type:netlink_route_socket create_socket_perms;
> +
> allow daemon init_t:unix_stream_socket { append write read getattr ioctl };
> manage_files_pattern(init_t, init_var_run_t, init_var_run_t)
> manage_lnk_files_pattern(init_t, init_var_run_t, init_var_run_t)
> diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
> index 82307e3..d7fd19b 100644
> --- a/policy/modules/system/systemd.fc
> +++ b/policy/modules/system/systemd.fc
> @@ -22,6 +22,7 @@
> /usr/lib/systemd/systemd-machined -- gen_context(system_u:object_r:systemd_machined_exec_t,s0)
> /usr/lib/systemd/systemd-resolved -- gen_context(system_u:object_r:systemd_resolved_exec_t,s0)
> /usr/lib/systemd/systemd-user-sessions -- gen_context(system_u:object_r:systemd_sessions_exec_t,s0)
> +/usr/lib/systemd/systemd-networkd -- gen_context(system_u:object_r:systemd_networkd_exec_t,s0)
>
> # Systemd generators
> /usr/lib/systemd/system-generators/systemd-gpt-auto-generator -- gen_context(system_u:object_r:systemd_generator_gpt_exec_t,s0)
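Review bot: The rule added inside the `ifdef(`init_systemd'` block lets init_t create and bind a netlink_route_socket carrying the activated daemon's type, but a socket only gets a type other than its creator's if the creating process sets a socket create context first, which needs `allow init_t self:process setsockcreate;`. That permission is not visible in this hunk; confirm it already exists in init.te (it is presumably what init_named_socket_activation relies on as well), otherwise the new rule is dead and the passed socket ends up as init_t. The attribute is declared unconditionally at line 31 while its only use sits inside the init_systemd block, which is fine for an interface that must be callable from any build, but a short comment on the declaration such as `# domains whose netlink route socket is created by systemd socket activation` would spare the next reader the cross-reference.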
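Review bot: The new `/usr/lib/systemd/systemd-networkd` entry is appended after systemd-user-sessions, while the surrounding entries in this block are kept in alphabetical order (machined, resolved, user-sessions). Move the line between the systemd-machined and systemd-resolved entries so the block stays sorted; the context column widths should also match the neighbouring lines once the tabs are restored.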
> @@ -56,6 +57,7 @@
> /run/systemd/inhibit(/.*)? gen_context(system_u:object_r:systemd_logind_var_run_t,s0)
> /run/systemd/nspawn(/.*)? gen_context(system_u:object_r:systemd_nspawn_var_run_t,s0)
> /run/systemd/machines(/.*)? gen_context(system_u:object_r:systemd_machined_var_run_t,s0)
> +/run/systemd/netif(/.*)? gen_context(system_u:object_r:systemd_networkd_var_run_t,s0)
>
> /run/tmpfiles\.d -d gen_context(system_u:object_r:systemd_tmpfiles_runtime_conf_t,s0)
> /run/tmpfiles\.d/.* <>
> diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
> index 2cbdba2..540cd4b 100644
> --- a/policy/modules/system/systemd.te
> +++ b/policy/modules/system/systemd.te
> @@ -127,6 +127,13 @@ init_system_domain(systemd_resolved_t, systemd_resolved_exec_t)
> type systemd_resolved_var_run_t;
> files_pid_file(systemd_resolved_var_run_t)
>
> +type systemd_networkd_t;
> +type systemd_networkd_exec_t;
> +init_system_domain(systemd_networkd_t, systemd_networkd_exec_t)
> +
> +type systemd_networkd_var_run_t;
> +files_pid_file(systemd_networkd_var_run_t)
> +
> type systemd_run_t;
> type systemd_run_exec_t;
> init_daemon_domain(systemd_run_t, systemd_run_exec_t)
> @@ -752,6 +759,45 @@ optional_policy(`
>
> #########################################
> #
> +# Networkd local policy
> +#
> +
> +allow systemd_networkd_t self:process { getcap setcap };
> +allow systemd_networkd_t self:capability { net_admin dac_override setgid setuid chown setpcap net_raw };
>
> +allow systemd_networkd_t self:netlink_kobject_uevent_socket { create_socket_perms };
> +allow systemd_networkd_t self:netlink_route_socket { rw_netlink_socket_perms };
> +allow systemd_networkd_t self:unix_dgram_socket { create_socket_perms };
> +allow systemd_networkd_t self:udp_socket { create_socket_perms };
> +allow systemd_networkd_t self:packet_socket { create_socket_perms };
> +allow systemd_networkd_t self:rawip_socket { create_socket_perms };

The permission sets don't need the curly braces.

> +manage_dirs_pattern(systemd_networkd_t, systemd_networkd_var_run_t, systemd_networkd_var_run_t)
> +manage_files_pattern(systemd_networkd_t, systemd_networkd_var_run_t, systemd_networkd_var_run_t)
> +
> +files_read_etc_files(systemd_networkd_t)
> +kernel_read_system_state(systemd_networkd_t)
> +kernel_read_kernel_sysctls(systemd_networkd_t)
> +kernel_rw_net_sysctls(systemd_networkd_t)
> +
> +init_dgram_send(systemd_networkd_t)
> +init_netlink_route_socket_activated_subj_type(systemd_networkd_t)
> +
> +dev_read_sysfs(systemd_networkd_t)

Please reorder the above calls for style.

> +systemd_log_parse_environment(systemd_networkd_t)
> +
> +#udev_search_pids(systemd_networkd_t)
> +#udev_read_pid_files(systemd_networkd_t)

Please remove these.

> +udev_read_db(systemd_networkd_t)
> +
> +optional_policy(`
> + dbus_system_bus_client(systemd_networkd_t)
> + dbus_connect_system_bus(systemd_networkd_t)
> +')
> +
> +#########################################
> +#
> # Sessions local policy
> #
>

-- 
Chris PeBenito
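Review bot: The manage_dirs_pattern/manage_files_pattern rules on systemd_networkd_var_run_t have nothing that makes `/run/systemd/netif` receive that type when it is created at runtime: the .fc entry only applies on relabel, and the parent `/run/systemd` is labelled by init.fc (init_var_run_t, not shown here), so if networkd creates the directory itself it will come out as init_var_run_t and the domain's own rules will not match it. If that is the case (the hunk does not show who creates the directory), add a named transition next to the manage_* rules, e.g. `init_pid_filetrans(systemd_networkd_t, systemd_networkd_var_run_t, dir, "netif")`, assuming this tree provides that interface. Separately, `dac_override` in the self:capability set deserves either a justification comment or removal: networkd drops to an unprivileged user, and dac_override usually masks an ownership or mode problem on its runtime directory that the `chown` capability already listed should cover, so the audit denial that prompted it is worth re-checking. The `dbus_system_bus_client`/`dbus_connect_system_bus` pair in the optional block is fine as written.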