From: russell@coker.com.au (Russell Coker) Date: Tue, 5 Sep 2017 15:38:13 +1000 Subject: [refpolicy] [PATCH] systemd nspawn and backlight Message-ID: <20170905053813.p5xf3aq2jpb6vvwu@athena.coker.com.au> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com The following patch allows systemd_nspawn_t to create directories under /tmp and use them as mountpoints. Also allows systemd_nspawn_t to umount cgroup filesystems. Allows systemd_backlight_t to search /var/lib. Index: refpolicy-2.20170903/policy/modules/system/systemd.te =================================================================== --- refpolicy-2.20170903.orig/policy/modules/system/systemd.te +++ refpolicy-2.20170903/policy/modules/system/systemd.te @@ -116,6 +116,9 @@ init_system_domain(systemd_nspawn_t, sys type systemd_nspawn_var_run_t; files_pid_file(systemd_nspawn_var_run_t) +type systemd_nspawn_tmp_t; +files_tmp_file(systemd_nspawn_tmp_t) + type systemd_resolved_t; type systemd_resolved_exec_t; init_system_domain(systemd_resolved_t, systemd_resolved_exec_t) @@ -182,6 +185,8 @@ files_read_etc_files(systemd_backlight_t # for /run/udev/data/+backlight* udev_read_pid_files(systemd_backlight_t) +files_search_var_lib(systemd_backlight_t) + ####################################### # # Binfmt local policy @@ -534,6 +539,10 @@ allow systemd_nspawn_t systemd_nspawn_va allow systemd_nspawn_t systemd_nspawn_var_run_t:file manage_file_perms; init_pid_filetrans(systemd_nspawn_t, systemd_nspawn_var_run_t, dir) +files_tmp_filetrans(systemd_nspawn_t, systemd_nspawn_tmp_t, { dir }) +allow systemd_nspawn_t systemd_nspawn_tmp_t:dir manage_dir_perms; +allow systemd_nspawn_t systemd_nspawn_tmp_t:dir mounton; + # for /run/systemd/nspawn/incoming in chroot allow systemd_nspawn_t systemd_nspawn_var_run_t:dir mounton; 
@@ -615,6 +624,7 @@ tunable_policy(`systemd_nspawn_labeled_n fs_mounton_tmpfs_files(systemd_nspawn_t) fs_remount_cgroup(systemd_nspawn_t) fs_search_tmpfs(systemd_nspawn_t) + fs_unmount_cgroup(systemd_nspawn_t) fs_write_cgroup_files(systemd_nspawn_t) selinux_getattr_fs(systemd_nspawn_t)
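Review bot: the `files_search_var_lib(systemd_backlight_t)` line in the second hunk does not say which path under /var/lib systemd_backlight_t needs to reach, while the rule directly above it carries a `# for /run/udev/data/+backlight*` comment. Add the same kind of comment naming the directory (if this is for the backlight state directory, say so), so a reader can check whether a dedicated type for that directory already exists and only the search on the parent is missing, rather than a bare var_lib search being added for an unexplained reason.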
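Review bot: in the third hunk the unnamed `files_tmp_filetrans(systemd_nspawn_t, systemd_nspawn_tmp_t, { dir })` labels every directory systemd_nspawn_t creates in /tmp as systemd_nspawn_tmp_t, a type that also gets `mounton`; if nspawn creates these mountpoint directories under a predictable name, a named transition would keep unrelated directories from picking up that label. Two style points while there: `{ dir }` for a single class can be written as `dir`, and the two rules on `systemd_nspawn_tmp_t:dir` can be merged into one, `allow systemd_nspawn_t systemd_nspawn_tmp_t:dir { manage_dir_perms mounton };`, matching the `systemd_nspawn_var_run_t` rules just above. A short `# for ...` comment saying what gets mounted on these directories, in the style of the existing `# for /run/systemd/nspawn/incoming in chroot`, would also help.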
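Review bot: the new `fs_unmount_cgroup(systemd_nspawn_t)` lands inside the `tunable_policy(`systemd_nspawn_labeled_n...` block, so the unmount is only granted when that tunable is on, whereas the cover text states without qualification that the patch "allows systemd_nspawn_t to umount cgroup filesystems". If unmounting is only needed in the labeled-namespace case this placement is right and consistent with `fs_remount_cgroup` living in the same block; if it is needed regardless, the call belongs in the unconditional section. Either way the commit message should say which, and the alphabetical placement between `fs_search_tmpfs` and `fs_write_cgroup_files` is correct as is.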