From: pebenito@ieee.org (Chris PeBenito) Date: Tue, 10 Oct 2017 20:31:35 -0400 Subject: [refpolicy] [PATCH 1/1] policy for systemd-networkd In-Reply-To: References: Message-ID: <7a92fa80-85a4-9e0e-80ea-8b5380cdbe47@ieee.org> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 10/09/2017 05:22 PM, David Sugar via refpolicy wrote: > Policy needed for systemd-networkd to function. This is based on a patch from krzysztof.a.nowicki at gmail.com that was submitted back in May (I talked to him via email a while ago about me picking up the patch). He was too busy to update and I needed to get it working. > > I hope I have ordering of interfaces correctly in systemd.if but please comment if something is off and I will correct them. > > Signed-off-by: Dave Sugar > --- > policy/modules/system/init.te | 1 + > policy/modules/system/sysnetwork.fc | 2 + > policy/modules/system/systemd.fc | 3 + > policy/modules/system/systemd.if | 116 ++++++++++++++++++++++++++++++++++++ > policy/modules/system/systemd.te | 70 ++++++++++++++++++++++ > 5 files changed, 192 insertions(+) > > diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te > index df5e1611..2d2eb57e 100644 > --- a/policy/modules/system/init.te > +++ b/policy/modules/system/init.te > @@ -325,6 +325,7 @@ ifdef(`init_systemd',` > systemd_manage_passwd_runtime_symlinks(init_t) > systemd_use_passwd_agent(init_t) > systemd_list_tmpfiles_conf(init_t) > + systemd_networkd_use_sock(init_t) > systemd_relabelto_tmpfiles_conf_dirs(init_t) > systemd_relabelto_tmpfiles_conf_files(init_t) > systemd_relabelto_journal_dirs(init_t) > diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc > index ae4fbea2..91fb5160 100644 > --- a/policy/modules/system/sysnetwork.fc > +++ b/policy/modules/system/sysnetwork.fc 
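Review bot: The added `systemd_networkd_use_sock(init_t)` hands pid 1 read/write access to netlink route sockets labelled systemd_networkd_t, and neither the hunk nor the patch description says why init_t needs a socket that can add routes and addresses. If this only silences a denial for a descriptor networkd leaves open across exec or passes back to pid 1, say so in a comment beside the call, e.g. `# networkd's rtnl socket fd is inherited by pid 1 on restart`, and consider whether closing the fd or a dontaudit is the better fix than an allow. If the access is genuinely required, the rationale belongs in the commit message, since init_t is the most privileged domain in the policy. The enclosing init_systemd ifdef block starts and ends outside this hunk.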
> @@ -24,6 +24,8 @@ ifdef(`distro_debian',` > /etc/dhcp3(/.*)? gen_context(system_u:object_r:dhcp_etc_t,s0) > /etc/dhcp3?/dhclient.* gen_context(system_u:object_r:dhcp_etc_t,s0) > > +/etc/systemd/network(/.*)? gen_context(system_u:object_r:net_conf_t,s0) > + > ifdef(`distro_redhat',` > /etc/sysconfig/network-scripts/.*resolv\.conf -- gen_context(system_u:object_r:net_conf_t,s0) > /etc/sysconfig/networking(/.*)? gen_context(system_u:object_r:net_conf_t,s0) > diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc > index 57944e1d..56e9bc13 100644 > --- a/policy/modules/system/systemd.fc > +++ b/policy/modules/system/systemd.fc > @@ -23,6 +23,7 @@ > /usr/lib/systemd/systemd-localed -- gen_context(system_u:object_r:systemd_locale_exec_t,s0) > /usr/lib/systemd/systemd-logind -- gen_context(system_u:object_r:systemd_logind_exec_t,s0) > /usr/lib/systemd/systemd-machined -- gen_context(system_u:object_r:systemd_machined_exec_t,s0) > +/usr/lib/systemd/systemd-networkd -- gen_context(system_u:object_r:systemd_networkd_exec_t,s0) > /usr/lib/systemd/systemd-resolved -- gen_context(system_u:object_r:systemd_resolved_exec_t,s0) > /usr/lib/systemd/systemd-user-sessions -- gen_context(system_u:object_r:systemd_sessions_exec_t,s0) > > @@ -36,6 +37,7 @@ > /usr/lib/systemd/system/[^/]*suspend.* -- gen_context(system_u:object_r:power_unit_t,s0) > /usr/lib/systemd/system/systemd-backlight.* -- gen_context(system_u:object_r:systemd_backlight_unit_t,s0) > /usr/lib/systemd/system/systemd-binfmt.* -- gen_context(system_u:object_r:systemd_binfmt_unit_t,s0) > +/usr/lib/systemd/system/systemd-networkd.* gen_context(system_u:object_r:systemd_networkd_unit_t,s0) > > /var/lib/systemd/backlight(/.*)? gen_context(system_u:object_r:systemd_backlight_var_lib_t,s0) > /var/lib/systemd/coredump(/.*)? gen_context(system_u:object_r:systemd_coredump_var_lib_t,s0) 
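Review bot: Labelling `/etc/systemd/network(/.*)?` as net_conf_t puts networkd's .network/.netdev/.link definitions in the same type as resolv.conf and the distribution network scripts, so every domain already allowed to manage net_conf_t (in refpolicy typically the DHCP client and network-manager domains through the sysnet_manage_config interfaces, none of which is visible in this hunk) could rewrite configuration that networkd then applies with CAP_NET_ADMIN, including creating virtual netdevs. A dedicated type such as `systemd_networkd_conf_t`, read by the networkd domain through its own interface, would keep write access to that directory with administrators only. If reusing net_conf_t is deliberate for compatibility with tools that already edit it, a one-line comment above the entry saying so would save the next reviewer the same question.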
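Review bot: The new `/usr/lib/systemd/system/systemd-networkd.*` entry omits the `--` object-type qualifier that the adjacent backlight and binfmt entries carry, so it also applies to directories and other object types; `/usr/lib/systemd/system/systemd-networkd.* -- gen_context(system_u:object_r:systemd_networkd_unit_t,s0)` matches its neighbours. The unanchored `.*` also covers sibling units such as a networkd-wait-online service or a networkd socket unit, not just the main service; if those are meant to share the unit type (plausible, since the start/stop interfaces in this patch act on the type rather than on individual units), it is worth saying so in the commit message.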
> @@ -52,6 +54,7 @@ > /run/systemd/inhibit(/.*)? gen_context(system_u:object_r:systemd_logind_var_run_t,s0) > /run/systemd/nspawn(/.*)? gen_context(system_u:object_r:systemd_nspawn_var_run_t,s0) > /run/systemd/machines(/.*)? gen_context(system_u:object_r:systemd_machined_var_run_t,s0) > +/run/systemd/netif(/.*)? gen_context(system_u:object_r:systemd_networkd_var_run_t,s0) > > /run/tmpfiles\.d -d gen_context(system_u:object_r:systemd_tmpfiles_conf_t,s0) > /run/tmpfiles\.d/.* <> > diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if > index 69669a1a..104eedc3 100644 > --- a/policy/modules/system/systemd.if > +++ b/policy/modules/system/systemd.if 
> @@ -390,6 +390,122 @@ interface(`systemd_relabelto_journal_files',` > > ######################################## > ## > +## Allow domain to read systemd_networkd_t files > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`systemd_read_networkd_files',` > + gen_require(` > + type systemd_networkd_t; > + ') > + > + init_search_units($1) > + list_dirs_pattern($1, systemd_networkd_unit_t, systemd_networkd_unit_t) > + read_files_pattern($1, systemd_networkd_unit_t, systemd_networkd_unit_t) > +') > + > +######################################## > +## > +## Allow domain to create/manage systemd_networkd_t files > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`systemd_manage_networkd_files',` This and the above interface should be like systemd_manage_networkd_units > + gen_require(` > + type systemd_networkd_unit_t; > + ') > + > + init_search_units($1) > + manage_dirs_pattern($1, systemd_networkd_unit_t, systemd_networkd_unit_t) > + manage_files_pattern($1, systemd_networkd_unit_t, systemd_networkd_unit_t) > +') > + > +######################################## > +## > +## Allow specified domain to start systemd-networkd units > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`systemd_startstop_networkd_units',` systemd_startstop_networkd > + gen_require(` > + type systemd_networkd_unit_t; > + class service { start stop }; > + ') > + > + allow $1 systemd_networkd_unit_t:service { start stop }; > +') > + > +######################################## > +## > +## Allow specified domain to start systemd-networkd units > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`systemd_status_networkd_units',` systemd_status_networkd > + gen_require(` > + type systemd_networkd_unit_t; > + class service status; > + ') > + > + allow $1 systemd_networkd_unit_t:service status; > +') > + > +####################################### > +## > +## Relabel systemd_networkd tun socket. 
> +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`systemd_networkd_attach_tun_iface',` > + gen_require(` > + type systemd_networkd_t; > + ') > + > + allow $1 systemd_networkd_t:tun_socket relabelfrom; Should be systemd_relabelfrom_networkd_tun_sockets, without the below rule. > + allow $1 self:tun_socket relabelto; > +') > + > +####################################### > +## > +## Relabel systemd_networkd tun socket. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`systemd_networkd_use_sock',` > + gen_require(` > + type systemd_networkd_t; > + ') > + > + allow $1 systemd_networkd_t:netlink_route_socket client_stream_socket_perms; > +') systemd_rw_networkd_netlink_route_sockets > + > + > +######################################## > +## > ## Allow systemd_logind_t to read process state for cgroup file > ## > ## > diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te > index 166bd4dd..ffa62563 100644 > --- a/policy/modules/system/systemd.te > +++ b/policy/modules/system/systemd.te > @@ -109,6 +109,16 @@ type systemd_machined_var_run_t; > files_pid_file(systemd_machined_var_run_t) > init_daemon_pid_file(systemd_machined_var_run_t, dir, "machines") > > +type systemd_networkd_t; > +type systemd_networkd_exec_t; > +init_system_domain(systemd_networkd_t, systemd_networkd_exec_t) > + > +type systemd_networkd_unit_t; > +init_unit_file(systemd_networkd_unit_t) > + > +type systemd_networkd_var_run_t; > +files_pid_file(systemd_networkd_var_run_t) > + > type systemd_notify_t; > type systemd_notify_exec_t; > init_daemon_domain(systemd_notify_t, systemd_notify_exec_t) 
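Review bot: `systemd_read_networkd_files` requires `type systemd_networkd_t;` in its gen_require, but every rule it contains uses systemd_networkd_unit_t, so the require names the wrong type; a caller in a modular build that does not otherwise have systemd_networkd_unit_t in scope can fail to link, and the block should read `type systemd_networkd_unit_t;` as the manage interface below it already does. Several summary lines also look copied rather than written: the read and manage interfaces describe "systemd_networkd_t files" while acting on unit files, the status interface's summary says "start", and `systemd_networkd_use_sock` is summarised as "Relabel systemd_networkd tun socket" although it grants netlink route socket access. I would reword each to match its rules, e.g. "Allow the specified domain to get the status of systemd-networkd units" and "Allow the specified domain to read and write systemd-networkd netlink route sockets".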
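Review bot: `systemd_networkd_var_run_t` is declared with `files_pid_file` only, whereas the neighbouring machined type also gets an `init_daemon_pid_file(..., dir, "machines")` name transition; without an equivalent, the `/run/systemd/netif` directory created at runtime inherits the label of /run/systemd rather than the type the .fc entry expects, so the creator is either denied or networkd ends up managing a mislabelled directory until a restorecon. Which process creates that directory is not visible here: if pid 1 does, add `init_daemon_pid_file(systemd_networkd_var_run_t, dir, "netif")` next to this declaration; if networkd creates it itself, a filetrans rule on the networkd domain in the local policy is needed instead. Either way, one of the two is required for the var_run manage rules later in the patch to be reachable on a fresh boot.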
> @@ -516,6 +526,66 @@ optional_policy(` > > ######################################## > # > +# networkd local policy > +# > + > +allow systemd_networkd_t self:capability { chown dac_override fowner net_admin net_raw setgid setpcap setuid }; > +allow systemd_networkd_t self:netlink_kobject_uevent_socket create_socket_perms; > +allow systemd_networkd_t self:netlink_route_socket { create_socket_perms nlmsg_read nlmsg_write }; > +allow systemd_networkd_t self:packet_socket create_socket_perms; > +allow systemd_networkd_t self:process { getcap setcap setfscreate }; > +allow systemd_networkd_t self:rawip_socket create_socket_perms; > +allow systemd_networkd_t self:tun_socket { create_socket_perms relabelfrom relabelto }; > +allow systemd_networkd_t self:udp_socket create_socket_perms; > +allow systemd_networkd_t self:unix_dgram_socket create_socket_perms; > + > +manage_dirs_pattern(systemd_networkd_t, systemd_networkd_var_run_t, systemd_networkd_var_run_t) > +manage_files_pattern(systemd_networkd_t, systemd_networkd_var_run_t, systemd_networkd_var_run_t) > +manage_lnk_files_pattern(systemd_networkd_t, systemd_networkd_var_run_t, systemd_networkd_var_run_t) > + > +kernel_dgram_send(systemd_networkd_t) > +kernel_read_system_state(systemd_networkd_t) > +kernel_read_kernel_sysctls(systemd_networkd_t) > +kernel_read_network_state(systemd_networkd_t) > +kernel_request_load_module(systemd_networkd_t) > +kernel_rw_net_sysctls(systemd_networkd_t) > + > +auth_use_nsswitch(systemd_networkd_t) This should be between the files and init calls below > +corecmd_bin_entry_type(systemd_networkd_t) > +corecmd_exec_bin(systemd_networkd_t) > + > +corenet_rw_tun_tap_dev(systemd_networkd_t) > + > +dev_read_urand(systemd_networkd_t) > +dev_read_sysfs(systemd_networkd_t) > +dev_write_kmsg(systemd_networkd_t) > + > +files_read_etc_files(systemd_networkd_t) > + > +init_dgram_send(systemd_networkd_t) > +init_read_state(systemd_networkd_t) > + > +logging_send_syslog_msg(systemd_networkd_t) > + > 
+miscfiles_read_localization(systemd_networkd_t) > + > +sysnet_read_config(systemd_networkd_t) > + > +systemd_log_parse_environment(systemd_networkd_t) > + > +optional_policy(` > + dbus_system_bus_client(systemd_networkd_t) > + dbus_connect_system_bus(systemd_networkd_t) > +') > + > +optional_policy(` > + udev_read_db(systemd_networkd_t) > + udev_read_pid_files(systemd_networkd_t) > +') > + > +######################################## > +# > # systemd_notify local policy > # > allow systemd_notify_t self:capability chown; > -- Chris PeBenito
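Review bot: The self capability set grants `dac_override` alongside `net_admin`, `chown`, `fowner`, `setuid` and `setgid`, and nothing in the hunk shows which path needs it; dac_override bypasses file permission checks everywhere, which is a large grant for a daemon that, if it drops to an unprivileged service user after setting up /run/systemd/netif as I would expect, should need it only transiently. If networkd genuinely keeps CAP_DAC_OVERRIDE, add a comment above the rule naming the file it is needed for; otherwise start with `dac_read_search`, or a dontaudit if the denial turns out to be harmless. `corecmd_exec_bin` and `corecmd_bin_entry_type` also stand out for a daemon with no visible helper executables; if they only exist for a denial seen while debugging, they should be dropped or justified in a comment. `kernel_request_load_module` is reasonable for netdev creation but deserves the same one-line justification.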