From: pebenito@ieee.org (Chris PeBenito) Date: Wed, 6 Sep 2017 11:04:41 -0400 Subject: [refpolicy] [PATCH] systemd nspawn and backlight In-Reply-To: <20170905053813.p5xf3aq2jpb6vvwu@athena.coker.com.au> References: <20170905053813.p5xf3aq2jpb6vvwu@athena.coker.com.au> Message-ID: <37d0bcf2-1b8e-9496-c4ff-ed30d739bbc6@ieee.org> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 09/05/2017 01:38 AM, Russell Coker via refpolicy wrote: > The following patch allows systemd_nspawn_t to create directories under /tmp > and use them as mountpoints. Also allows systemd_nspawn_t to umount cgroup > filesystems. > > Allows systemd_backlight_t to search /var/lib. > > Index: refpolicy-2.20170903/policy/modules/system/systemd.te > =================================================================== > --- refpolicy-2.20170903.orig/policy/modules/system/systemd.te > +++ refpolicy-2.20170903/policy/modules/system/systemd.te > @@ -116,6 +116,9 @@ init_system_domain(systemd_nspawn_t, sys > type systemd_nspawn_var_run_t; > files_pid_file(systemd_nspawn_var_run_t) > > +type systemd_nspawn_tmp_t; > +files_tmp_file(systemd_nspawn_tmp_t) > + > type systemd_resolved_t; > type systemd_resolved_exec_t; > init_system_domain(systemd_resolved_t, systemd_resolved_exec_t) > @@ -182,6 +185,8 @@ files_read_etc_files(systemd_backlight_t > # for /run/udev/data/+backlight* > udev_read_pid_files(systemd_backlight_t) > > +files_search_var_lib(systemd_backlight_t) > + > ####################################### > # > # Binfmt local policy 
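Review bot: the new files_search_var_lib(systemd_backlight_t) line in the backlight hunk carries no comment saying which path under /var/lib produced the denial, while the rule directly above it documents its reason (# for /run/udev/data/+backlight*). Add a matching comment with the path; it also decides whether this line is complete, since search on /var/lib only gets the domain to that directory, and if the real target is a subdirectory or a file below it, whatever backlight reads or writes there will need rules of its own (and possibly a dedicated type) rather than a bare search.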
> @@ -534,6 +539,10 @@ allow systemd_nspawn_t systemd_nspawn_va > allow systemd_nspawn_t systemd_nspawn_var_run_t:file manage_file_perms; > init_pid_filetrans(systemd_nspawn_t, systemd_nspawn_var_run_t, dir) > > +files_tmp_filetrans(systemd_nspawn_t, systemd_nspawn_tmp_t, { dir }) > +allow systemd_nspawn_t systemd_nspawn_tmp_t:dir manage_dir_perms; > +allow systemd_nspawn_t systemd_nspawn_tmp_t:dir mounton; > + > # for /run/systemd/nspawn/incoming in chroot > allow systemd_nspawn_t systemd_nspawn_var_run_t:dir mounton; > > @@ -615,6 +624,7 @@ tunable_policy(`systemd_nspawn_labeled_n > fs_mounton_tmpfs_files(systemd_nspawn_t) > fs_remount_cgroup(systemd_nspawn_t) > fs_search_tmpfs(systemd_nspawn_t) > + fs_unmount_cgroup(systemd_nspawn_t) > fs_write_cgroup_files(systemd_nspawn_t) > > selinux_getattr_fs(systemd_nspawn_t) Merged. -- Chris PeBenito
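Review bot: in files_tmp_filetrans(systemd_nspawn_t, systemd_nspawn_tmp_t, { dir }) the braces around a single object class are unnecessary; refpolicy writes a lone class bare, as in init_pid_filetrans(systemd_nspawn_t, systemd_nspawn_var_run_t, dir) a few lines up in the same hunk, so change { dir } to dir. The transition is unnamed, so every directory systemd_nspawn_t creates under /tmp becomes systemd_nspawn_tmp_t; that matches the description, but the allow systemd_nspawn_t systemd_nspawn_tmp_t:dir mounton; line should get a comment naming what gets mounted there, like the # for /run/systemd/nspawn/incoming in chroot comment on the mounton rule that follows it. Note also that only directories nspawn creates itself receive this label; a directory that already exists under /tmp with another type will not be a permitted mountpoint under these rules.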
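Review bot: fs_unmount_cgroup(systemd_nspawn_t) is added inside the tunable_policy block of the @@ -615 hunk next to fs_remount_cgroup, which makes the unmount conditional on that tunable. Confirm the umount only happens in the configuration the tunable covers; if nspawn unmounts cgroup filesystems regardless of the setting, the denial will return with the tunable off and the call belongs with the unconditional rules instead. Unmounting a cgroup filesystem is a broader permission than the remount and write rules beside it, so a one-line comment on why a container manager needs it here would help the next reader of this block.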