From: krzysztof.a.nowicki@gmail.com (Krzysztof Nowicki) Date: Thu, 18 May 2017 21:31:10 +0200 Subject: [refpolicy] [PATCH 3/3] Add policy for systemd-networkd In-Reply-To: <20170518193110.27516-1-krzysztof.a.nowicki@gmail.com> References: <20170514152403.369-1-krzysztof.a.nowicki@gmail.com> <20170518193110.27516-1-krzysztof.a.nowicki@gmail.com> Message-ID: <20170518193110.27516-4-krzysztof.a.nowicki@gmail.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com From: Krzysztof Nowicki This includes policy for socket-activation through the netlink route socket.
---
 policy/modules/system/init.if | 20 ++++++++++++++++++
 policy/modules/system/systemd.fc | 2 ++
 policy/modules/system/systemd.te | 45 ++++++++++++++++++++++++++++++++++++++++
 3 files changed, 67 insertions(+)
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 9428453..756c306 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -361,6 +361,26 @@ interface(`init_named_socket_activation',`
 ')
 ')
 
+#########################################
+##
+## Netlink socket service activation (systemd).
+##
+##
+##
+## The domain to be started by systemd socket activation.
+##
+##
+#
+interface(`init_netlink_socket_activation',`
+ ifdef(`init_systemd',`
+ gen_require(`
+ type init_t;
+ ')
+
+ allow init_t $1:netlink_route_socket create_socket_perms;
+ ')
+')
+
 ########################################
 ##
 ## Create a domain for short running processes
diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
index 8bff2fa..dd57def 100644
--- a/policy/modules/system/systemd.fc
+++ b/policy/modules/system/systemd.fc
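Review bot: The rule `allow init_t $1:netlink_route_socket create_socket_perms;` only makes sense because systemd creates the activation socket in the context it derives for the service, so the socket carries the caller's type rather than init_t, and the interface summary never says so; suggest extending the description with `## The activation socket is created by init but labelled with the service domain's type, so init_t needs socket rights on that type.` and mirroring whatever wording init_named_socket_activation, whose closing lines form this hunk's leading context, already uses. Consider also whether the full `create_socket_perms` set (it includes read and write) is needed for init's side of the hand-over; if init only creates, binds and passes the descriptor, a narrower set such as `{ create bind getattr setopt getopt }` would do, but keep it identical to init_named_socket_activation unless there is a reason to differ. Leaving `nlmsg_read`/`nlmsg_write` out of the init side looks right, since the service rather than init is expected to talk on the socket.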
@@ -23,6 +23,7 @@
 /usr/lib/systemd/systemd-localed -- gen_context(system_u:object_r:systemd_locale_exec_t,s0)
 /usr/lib/systemd/systemd-logind -- gen_context(system_u:object_r:systemd_logind_exec_t,s0)
 /usr/lib/systemd/systemd-machined -- gen_context(system_u:object_r:systemd_machined_exec_t,s0)
+/usr/lib/systemd/systemd-networkd -- gen_context(system_u:object_r:systemd_networkd_exec_t,s0)
 /usr/lib/systemd/systemd-resolved -- gen_context(system_u:object_r:systemd_resolved_exec_t,s0)
 /usr/lib/systemd/systemd-user-sessions -- gen_context(system_u:object_r:systemd_sessions_exec_t,s0)
 
@@ -58,6 +59,7 @@
 /run/systemd/inhibit(/.*)? gen_context(system_u:object_r:systemd_logind_var_run_t,s0)
 /run/systemd/nspawn(/.*)? gen_context(system_u:object_r:systemd_nspawn_var_run_t,s0)
 /run/systemd/machines(/.*)? gen_context(system_u:object_r:systemd_machined_var_run_t,s0)
+/run/systemd/netif(/.*)? gen_context(system_u:object_r:systemd_networkd_var_run_t,s0)
 
 /run/tmpfiles\.d -d gen_context(system_u:object_r:systemd_tmpfiles_conf_t,s0)
 /run/tmpfiles\.d/.* <>
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 4535182..8756ad2 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -109,6 +109,13 @@ type systemd_machined_var_run_t;
 files_pid_file(systemd_machined_var_run_t)
 init_daemon_pid_file(systemd_machined_var_run_t, dir, "machines")
 
+type systemd_networkd_t;
+type systemd_networkd_exec_t;
+init_system_domain(systemd_networkd_t, systemd_networkd_exec_t)
+
+type systemd_networkd_var_run_t;
+files_pid_file(systemd_networkd_var_run_t)
+
 type systemd_notify_t;
 type systemd_notify_exec_t;
 init_daemon_domain(systemd_notify_t, systemd_notify_exec_t)
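Review bot: In the systemd.te hunk, `systemd_networkd_var_run_t` is declared with `files_pid_file` only, while the machined block in the leading context also has `init_daemon_pid_file(systemd_machined_var_run_t, dir, "machines")`; without a matching name transition the `/run/systemd/netif(/.*)?` context added in systemd.fc only takes effect after a relabel, since a directory created at run time under /run/systemd otherwise keeps the parent's type. Suggest `init_daemon_pid_file(systemd_networkd_var_run_t, dir, "netif")` after the `files_pid_file` line, assuming that interface also covers domains declared with `init_system_domain` (its body is outside the patch). The choice of `init_system_domain` here, where systemd_notify_t in the trailing context uses `init_daemon_domain`, is also undocumented; a one-line comment giving the reason would save the next reader the question.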
@@ -509,6 +516,44 @@ optional_policy(`
 dbus_system_bus_client(systemd_machined_t)
 ')
 
+#########################################
+#
+# Networkd local policy
+#
+
+allow systemd_networkd_t self:capability { chown dac_override net_admin net_raw setgid setpcap setuid };
+allow systemd_networkd_t self:netlink_kobject_uevent_socket create_socket_perms;
+allow systemd_networkd_t self:netlink_route_socket rw_netlink_socket_perms;
+allow systemd_networkd_t self:packet_socket create_socket_perms;
+allow systemd_networkd_t self:process { getcap setcap };
+allow systemd_networkd_t self:rawip_socket create_socket_perms;
+allow systemd_networkd_t self:udp_socket create_socket_perms;
+allow systemd_networkd_t self:unix_dgram_socket create_socket_perms;
+
+manage_dirs_pattern(systemd_networkd_t, systemd_networkd_var_run_t, systemd_networkd_var_run_t)
+manage_files_pattern(systemd_networkd_t, systemd_networkd_var_run_t, systemd_networkd_var_run_t)
+
+kernel_read_kernel_sysctls(systemd_networkd_t)
+kernel_read_network_state(systemd_networkd_t)
+kernel_read_system_state(systemd_networkd_t)
+kernel_rw_net_sysctls(systemd_networkd_t)
+
+dev_read_sysfs(systemd_networkd_t)
+
+files_read_etc_files(systemd_networkd_t)
+
+init_dgram_send(systemd_networkd_t)
+init_netlink_socket_activation(systemd_networkd_t)
+
+systemd_log_parse_environment(systemd_networkd_t)
+
+udev_read_db(systemd_networkd_t)
+
+optional_policy(`
+ dbus_connect_system_bus(systemd_networkd_t)
+ dbus_system_bus_client(systemd_networkd_t)
+')
+
 ########################################
 #
 # systemd_notify local policy
-- 2.10.2
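Review bot: The capability rule at the top of the block is the most privileged line in the patch and carries no explanation of which operation needs `dac_override`, `setpcap` or `setuid`/`setgid`, so nobody can later tell which bits are safe to drop; suggest a comment above it such as `# setuid/setgid/setpcap: presumably the drop to the networkd service user while keeping net_admin/net_raw - confirm; dac_override: TODO record the access that required it`. If the access behind `dac_override` is only reading or traversing a root-owned path, `dac_read_search` is the narrower capability and should be preferred. The `self:rawip_socket` and `self:packet_socket` rules are likewise worth a one-line note naming the feature that needs them (DHCP and IPv6 router discovery, presumably) so they are not later removed as dead permissions.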