From: dsugar@tresys.com (David Sugar) Date: Thu, 12 Oct 2017 17:51:21 +0000 Subject: [refpolicy] [PATCH 1/1-v2] policy for systemd-networkd In-Reply-To: References: Message-ID: To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com > -----Original Message----- > From: Chris PeBenito [mailto:pebenito at ieee.org] > Sent: Wednesday, October 11, 2017 6:34 PM > To: David Sugar; refpolicy at oss.tresys.com > Subject: Re: [refpolicy] [PATCH 1/1-v2] policy for systemd-networkd > > On 10/11/2017 10:59 AM, David Sugar via refpolicy wrote: > > Policy needed for systemd-networkd to function. This is based on a > patch from krzysztof.a.nowicki at gmail.com that was submitted back in > May (I talked to him via email a while ago about me picking up the > patch). He was too busy to update and I needed to get it working. > > > > I am pretty sure I updated everything mentioned in previous feedback, > please comment if something is still off and I will revise. > > > > Signed-off-by: Dave Sugar > > --- > > policy/modules/system/init.te | 1 + > > policy/modules/system/sysnetwork.fc | 2 + > > policy/modules/system/systemd.fc | 3 + > > policy/modules/system/systemd.if | 115 > ++++++++++++++++++++++++++++++++++++ > > policy/modules/system/systemd.te | 70 ++++++++++++++++++++++ > > 5 files changed, 191 insertions(+) > > > > diff --git a/policy/modules/system/init.te > > b/policy/modules/system/init.te index dbc31d1d..aa875cee 100644 > > --- a/policy/modules/system/init.te > > +++ b/policy/modules/system/init.te > > @@ -329,6 +329,7 @@ ifdef(`init_systemd',` > > systemd_relabelto_tmpfiles_conf_files(init_t) > > systemd_relabelto_journal_dirs(init_t) > > systemd_relabelto_journal_files(init_t) > > + systemd_rw_networkd_netlink_route_sockets(init_t) > > > > term_create_devpts_dirs(init_t) > > > > diff --git a/policy/modules/system/sysnetwork.fc > > b/policy/modules/system/sysnetwork.fc > > index ae4fbea2..91fb5160 100644 > > --- a/policy/modules/system/sysnetwork.fc 
> > +++ b/policy/modules/system/sysnetwork.fc > > @@ -24,6 +24,8 @@ ifdef(`distro_debian',` > > /etc/dhcp3(/.*)? > gen_context(system_u:object_r:dhcp_etc_t,s0) > > /etc/dhcp3?/dhclient.* > gen_context(system_u:object_r:dhcp_etc_t,s0) > > > > +/etc/systemd/network(/.*)? > gen_context(system_u:object_r:net_conf_t,s0) > > + > > ifdef(`distro_redhat',` > > /etc/sysconfig/network-scripts/.*resolv\.conf -- > gen_context(system_u:object_r:net_conf_t,s0) > > /etc/sysconfig/networking(/.*)? > > gen_context(system_u:object_r:net_conf_t,s0) > > diff --git a/policy/modules/system/systemd.fc > > b/policy/modules/system/systemd.fc > > index 57944e1d..56e9bc13 100644 > > --- a/policy/modules/system/systemd.fc > > +++ b/policy/modules/system/systemd.fc > > @@ -23,6 +23,7 @@ > > /usr/lib/systemd/systemd-localed -- > gen_context(system_u:object_r:systemd_locale_exec_t,s0) > > /usr/lib/systemd/systemd-logind -- > gen_context(system_u:object_r:systemd_logind_exec_t,s0) > > /usr/lib/systemd/systemd-machined -- > gen_context(system_u:object_r:systemd_machined_exec_t,s0) > > +/usr/lib/systemd/systemd-networkd -- > gen_context(system_u:object_r:systemd_networkd_exec_t,s0) > > /usr/lib/systemd/systemd-resolved -- > gen_context(system_u:object_r:systemd_resolved_exec_t,s0) > > /usr/lib/systemd/systemd-user-sessions -- > gen_context(system_u:object_r:systemd_sessions_exec_t,s0) 
> > > > @@ -36,6 +37,7 @@ > > /usr/lib/systemd/system/[^/]*suspend.* -- > gen_context(system_u:object_r:power_unit_t,s0) > > /usr/lib/systemd/system/systemd-backlight.* -- > gen_context(system_u:object_r:systemd_backlight_unit_t,s0) > > /usr/lib/systemd/system/systemd-binfmt.* -- > gen_context(system_u:object_r:systemd_binfmt_unit_t,s0) > > +/usr/lib/systemd/system/systemd-networkd.* > gen_context(system_u:object_r:systemd_networkd_unit_t,s0) > > > > /var/lib/systemd/backlight(/.*)? > gen_context(system_u:object_r:systemd_backlight_var_lib_t,s0) > > /var/lib/systemd/coredump(/.*)? > gen_context(system_u:object_r:systemd_coredump_var_lib_t,s0) > > @@ -52,6 +54,7 @@ > > /run/systemd/inhibit(/.*)? > gen_context(system_u:object_r:systemd_logind_var_run_t,s0) > > /run/systemd/nspawn(/.*)? > gen_context(system_u:object_r:systemd_nspawn_var_run_t,s0) > > /run/systemd/machines(/.*)? > gen_context(system_u:object_r:systemd_machined_var_run_t,s0) > > +/run/systemd/netif(/.*)? > gen_context(system_u:object_r:systemd_networkd_var_run_t,s0) > > > > /run/tmpfiles\.d -d > gen_context(system_u:object_r:systemd_tmpfiles_conf_t,s0) > > /run/tmpfiles\.d/.* <> > > diff --git a/policy/modules/system/systemd.if > > b/policy/modules/system/systemd.if > > index 69669a1a..8f914837 100644 > > --- a/policy/modules/system/systemd.if > > +++ b/policy/modules/system/systemd.if 
> > @@ -390,6 +390,121 @@ interface(`systemd_relabelto_journal_files',` > > > > ######################################## > > ## > > +## Allow domain to read systemd_networkd_t unit files > > +## > > +## > > +## > > +## Domain allowed access. > > +## > > +## > > +# > > +interface(`systemd_read_networkd_units',` > > + gen_require(` > > + type systemd_networkd_t; > > + ') > > + > > + init_search_units($1) > > + list_dirs_pattern($1, systemd_networkd_unit_t, > > +systemd_networkd_unit_t) > > I missed this the first time, but there are no systemd_networkd_unit_t > dirs (nor should there be) so the list_dirs_pattern here, and the > manage_dirs_pattern in the below interface are excessive. > The interface is to deal with drop-in files. Systemd allows for what it calls 'drop-in' [1] files to be used to slightly alter the operation of a service. This will allow for the directory /usr/lib/systemd/systemd/systemd-networkd.service.d/ to be read with drop-in files that slightly modify the service operation. I use this to configure eth0 as networking is starting up in a way that default systemd-networkd does not take into account. The systemd_manage_networkd_units is to allow a process to manage these drop-in files. > > > + read_files_pattern($1, systemd_networkd_unit_t, > > +systemd_networkd_unit_t) > > +') > > + > > +######################################## > > +## > > +## Allow domain to create/manage systemd_networkd_t unit files > > +## > > +## > > +## > > +## Domain allowed access. > > +## > > +## > > +# > > +interface(`systemd_manage_networkd_units',` > > + gen_require(` > > + type systemd_networkd_unit_t; > > + ') > > + > > + init_search_units($1) > > + manage_dirs_pattern($1, systemd_networkd_unit_t, > systemd_networkd_unit_t) > > + manage_files_pattern($1, systemd_networkd_unit_t, > > +systemd_networkd_unit_t) > > +') > > > -- > Chris PeBenito [1] https://www.freedesktop.org/software/systemd/man/systemd.unit.html
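Review bot: the init.te hunk's new call `systemd_rw_networkd_netlink_route_sockets(init_t)` is the only use of that interface in the quoted patch and its definition does not appear in the quoted systemd.if hunk (which starts at the read/manage unit interfaces); the diffstat shows 115 new lines in systemd.if, so it may simply lie outside the quoted region, but the reader of init.te still gets no rationale for init_t reading and writing another daemon's netlink route socket. When resending, keep the interface definition in the same series and add a one-line comment above the call in init.te naming the denial it resolves, so the extra init_t privilege can be reviewed against a concrete need.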
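Review bot: in the sysnetwork.fc hunk `/etc/systemd/network(/.*)?` is labelled with the shared `net_conf_t` type rather than a networkd-specific one, so every domain already granted read or manage access to sysnetwork configuration silently gains the same access to networkd's configuration; if reusing the type is intended (it lets the existing sysnet interfaces cover these files without new ones), say so in the commit message, otherwise a dedicated type is the least-privilege choice. Also confirm the new entry landed after the closing `')` of the `ifdef(`distro_debian',` block, since the quoted context shows the dhcp3 lines and then the `ifdef(`distro_redhat',` line but the closing quote between them is not visible here.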
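Review bot: in the systemd.fc unit-file hunk, `/usr/lib/systemd/system/systemd-networkd.*` has no file-type field where its neighbours use `--`, and `.*` matches `/` as well, so the entry labels any object, file or directory, whose path begins with `/usr/lib/systemd/system/systemd-networkd`; that is exactly what makes the `.service.d` drop-in directory described in the reply a `systemd_networkd_unit_t` directory and keeps `list_dirs_pattern` justified, but it equally catches any other unit whose name merely starts with `systemd-networkd` (the `.` is a regex metacharacter, not a literal dot). If the drop-in directory is the reason for omitting `--`, add a comment saying so and consider `systemd-networkd\.service.*` to narrow the match to that unit and its drop-ins. Note too that the reply quotes the drop-in path as `/usr/lib/systemd/systemd/systemd-networkd.service.d/`, whereas the .fc entry is under `/usr/lib/systemd/system/`.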
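Review bot: in the systemd.if hunk, `systemd_read_networkd_units` declares `type systemd_networkd_t;` in its `gen_require` but the body only uses `systemd_networkd_unit_t`, so the interface depends on a type it never requires; it should require `systemd_networkd_unit_t`, as `systemd_manage_networkd_units` directly below it correctly does. The summary and parameter tags of both doc blocks show only bare `##` lines in the quoted copy, so verify the `<summary>` and `<param>` markup is intact in the resend. On the dirs question: since the reply explains that the `.service.d` drop-in directory is the intended target, keep `list_dirs_pattern` and `manage_dirs_pattern`, but state in each interface summary that it covers the unit's drop-in directory and files, because the objection arose from reading the interface against the unit file alone.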
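As an added example (my code, not the patch's or refpolicy's), the following checks which of the patch's file-context entries would apply to the paths argued over in the thread, including the drop-in directory, using the setfiles rule that an entry's regex is anchored to the whole path and an optional file-type field restricts it to one object class. The drop-in file name 10-eth0.conf and the unit name systemd-networkd-extra.service are constructed; precedence among several matching entries is deliberately left to setfiles.

```python
import re

# Constructed subset of the file_contexts entries from the patch (plus one
# "-d" context line from the same hunk), as (regex, file-type field, type).
# This is a demonstration matcher, not libselinux's own algorithm.
FC_ENTRIES = [
    (r"/usr/lib/systemd/systemd-networkd", "--", "systemd_networkd_exec_t"),
    (r"/usr/lib/systemd/system/systemd-networkd.*", None, "systemd_networkd_unit_t"),
    (r"/run/systemd/netif(/.*)?", None, "systemd_networkd_var_run_t"),
    (r"/etc/systemd/network(/.*)?", None, "net_conf_t"),
    (r"/run/tmpfiles\.d", "-d", "systemd_tmpfiles_conf_t"),
]

# Meaning of the optional file-type field in file_contexts (see setfiles(8));
# an entry with no field applies to every object class.
FILE_TYPES = {"--": "file", "-d": "dir", "-l": "symlink", "-s": "socket",
              "-p": "pipe", "-c": "chr", "-b": "blk"}


def matching_types(path, kind):
    """Return the types of every entry whose anchored regex matches `path`
    and whose file-type field, if present, admits an object of `kind`
    ('file', 'dir', ...).  Several hits mean setfiles must pick one."""
    hits = []
    for regex, spec, stype in FC_ENTRIES:
        if spec is not None and FILE_TYPES[spec] != kind:
            continue            # e.g. "--" entries never label directories
        if re.fullmatch(regex, path):   # file_contexts regexes are anchored
            hits.append(stype)
    return hits


if __name__ == "__main__":
    # Constructed paths: the unit, its drop-in directory and a drop-in file,
    # a differently named unit, and networkd's runtime state.
    for path, kind in [
        ("/usr/lib/systemd/systemd-networkd", "file"),
        ("/usr/lib/systemd/system/systemd-networkd.service", "file"),
        ("/usr/lib/systemd/system/systemd-networkd.service.d", "dir"),
        ("/usr/lib/systemd/system/systemd-networkd.service.d/10-eth0.conf", "file"),
        ("/usr/lib/systemd/system/systemd-networkd-extra.service", "file"),
        ("/run/systemd/netif/links/2", "file"),
        ("/run/tmpfiles.d", "dir"),
    ]:
        print(f"{kind:4} {path}: {matching_types(path, kind)}")
```

The directory and the constructed 10-eth0.conf both come back as systemd_networkd_unit_t, which is why the read/manage interfaces need their dirs patterns, and systemd-networkd-extra.service shows how far the unfenced `.*` reaches.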