2017-03-29 12:56:31

by Russell Coker

Subject: [refpolicy] [PATCH] systemd-nspawn again

This patch doesn't do everything that is needed to have systemd-nspawn work,
but it does contain every rule that is needed and that I have been able to write in a clear and
uncontroversial way. I think it's best to get this upstream now and then
either have a separate discussion about the more difficult issues, or wait
until I devise a way of solving those problems that's not too hacky.

Who knows, maybe someone else will devise a brilliant solution to the remaining
issues after this is accepted upstream. ;)

Also there's a tiny patch for systemd_machined_t that is required by
systemd_nspawn_t.

Description: systemd-nspawn
Author: Russell Coker <[email protected]>
Last-Update: 2017-03-29

Index: refpolicy-2.20170326/policy/modules/system/init.if
===================================================================
--- refpolicy-2.20170326.orig/policy/modules/system/init.if
+++ refpolicy-2.20170326/policy/modules/system/init.if
@@ -2,6 +2,24 @@

########################################
## <summary>
+## kill a initrc_t process
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_kill_initrc',`
+ gen_require(`
+ type initrc_t;
+ ')
+
+ allow $1 initrc_t:process sigkill;
+')
+
+########################################
+## <summary>
## Create a file type used for init scripts.
## </summary>
## <desc>
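Review bot: The new `init_kill_initrc` interface at the top of this hunk grants `sigkill` on every initrc_t process on the host, not only on scripts the caller itself spawned, because the rule is type-based rather than tied to the caller's children; the summary should say so instead of the ungrammatical "kill a initrc_t process", e.g. `## Send SIGKILL to initrc_t processes (type-wide: covers all init scripts on the host, not just the caller's own).` Callers such as systemd_nspawn_t presumably only need to kill the container's init script, so a `<desc>` noting that the rule cannot be narrowed further would help a later reviewer judge the grant.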
@@ -828,6 +846,7 @@ interface(`init_dgram_send',`

dgram_send_pattern($1, init_var_run_t, init_var_run_t, init_t)
files_search_pids($1)
+ allow $1 init_t:unix_stream_socket getattr;
')

########################################
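Review bot: The `allow $1 init_t:unix_stream_socket getattr;` added to `init_dgram_send` widens an existing interface for every domain that already calls it, and the permission is unrelated to what the interface name promises (datagram send to init). It would be cleaner as a separate interface, or at least carry a comment explaining why a datagram sender needs to stat init's stream sockets, e.g. `# stat() of init's stream sockets under /run/systemd; presumably hit when nspawn connects to the notify socket - confirm against the denial`. The opening lines of `init_dgram_send` are outside this hunk.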
@@ -1093,21 +1112,6 @@ interface(`init_list_var_lib_dirs',`
## Domain allowed access.
## </summary>
## </param>
-## <param name="file_type">
-## <summary>
-## The type of the object to be created
-## </summary>
-## </param>
-## <param name="object_class">
-## <summary>
-## The object class.
-## </summary>
-## </param>
-## <param name="name" optional="true">
-## <summary>
-## The name of the object being created.
-## </summary>
-## </param>
#
interface(`init_manage_var_lib_files',`
gen_require(`
@@ -1657,14 +1661,14 @@ interface(`init_startstop_service',`
#
interface(`init_run_daemon',`
gen_require(`
- attribute init_script_file_type;
+ attribute init_script_file_type;
role system_r;
')

allow $2 system_r;

- init_all_labeled_script_domtrans($1)
- role_transition $2 init_script_file_type system_r;
+ init_all_labeled_script_domtrans($1)
+ role_transition $2 init_script_file_type system_r;
')

########################################
@@ -2639,11 +2643,11 @@ interface(`init_delete_pid_files',`
## </param>
#
interface(`init_write_pid_socket',`
- gen_require(`
- type init_var_run_t;
- ')
+ gen_require(`
+ type init_var_run_t;
+ ')

- allow $1 init_var_run_t:sock_file write;
+ allow $1 init_var_run_t:sock_file write;
')

########################################
Index: refpolicy-2.20170326/policy/modules/kernel/devices.if
===================================================================
--- refpolicy-2.20170326.orig/policy/modules/kernel/devices.if
+++ refpolicy-2.20170326/policy/modules/kernel/devices.if
@@ -4046,6 +4046,24 @@ interface(`dev_getattr_sysfs_dirs',`

########################################
## <summary>
+## mounton sysfs directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_mounton_sysfs_dirs',`
+ gen_require(`
+ type sysfs_t;
+ ')
+
+ allow $1 sysfs_t:dir mounton;
+')
+
+########################################
+## <summary>
## Get the attributes of sysfs filesystem
## </summary>
## <param name="domain">
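Review bot: The summary `## mounton sysfs directories.` breaks the capitalised, verb-first style of the neighbouring interfaces (`Get the attributes of sysfs filesystem`); `## Mount on sysfs directories.` would match, and the same applies to the other new lowercase `mount`/`mounton` summaries in this patch. Since `sysfs_t:dir mounton` is type-wide, it permits mounting over any sysfs directory on the host as well as inside a container, which a one-line `<desc>` could state so that future callers are not misled by the container use case.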
@@ -4063,6 +4081,24 @@ interface(`dev_getattr_sysfs',`
')

########################################
+## <summary>
+## mount a sysfs filesystem
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_mount_sysfs',`
+ gen_require(`
+ type sysfs_t;
+ ')
+
+ allow $1 sysfs_t:filesystem mount;
+')
+
+########################################
## <summary>
## Do not audit getting the attributes of sysfs filesystem
## </summary>
Index: refpolicy-2.20170326/policy/modules/kernel/kernel.if
===================================================================
--- refpolicy-2.20170326.orig/policy/modules/kernel/kernel.if
+++ refpolicy-2.20170326/policy/modules/kernel/kernel.if
@@ -846,6 +846,42 @@ interface(`kernel_unmount_proc',`

########################################
## <summary>
+## mount the proc filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kernel_mount_proc',`
+ gen_require(`
+ type proc_t;
+ ')
+
+ allow $1 proc_t:filesystem mount;
+')
+
+########################################
+## <summary>
+## remount the proc filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kernel_remount_proc',`
+ gen_require(`
+ type proc_t;
+ ')
+
+ allow $1 proc_t:filesystem remount;
+')
+
+########################################
+## <summary>
## Get the attributes of the proc filesystem.
## </summary>
## <param name="domain">
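Review bot: `kernel_remount_proc` grants `proc_t:filesystem remount`, which SELinux evaluates per type and not per mount instance, so a caller can also change mount options (e.g. `hidepid`) on the host's own /proc and not only on the instance it mounted for a container; the interface should say so: `## Remount the proc filesystem. Type-based: this covers the host's /proc as well as any instance mounted by the caller.` The two summaries (`mount the proc filesystem.`, `remount the proc filesystem.`) should also be capitalised like `Get the attributes of the proc filesystem.` below them.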
@@ -2024,6 +2060,66 @@ interface(`kernel_search_fs_sysctls',`

########################################
## <summary>
+## mounton sysctl_kernel_t and sysctl_t files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`kernel_mounton_kernel_sysctl_file',`
+ gen_require(`
+ type proc_t, sysctl_t, sysctl_kernel_t;
+ ')
+
+ allow $1 { proc_t sysctl_t sysctl_kernel_t }:dir list_dir_perms;
+ allow $1 { sysctl_t sysctl_kernel_t }:file { getattr mounton };
+')
+
+########################################
+## <summary>
+## mounton proc_kmsg_t files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`kernel_mounton_kmsg_file',`
+ gen_require(`
+ type proc_t, proc_kmsg_t;
+ ')
+
+ allow $1 proc_t:dir list_dir_perms;
+ allow $1 proc_kmsg_t:file { getattr mounton };
+')
+
+########################################
+## <summary>
+## mounton sysctl_t dirs
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`kernel_mounton_sysctl_dir',`
+ gen_require(`
+ type proc_t, sysctl_t;
+ ')
+
+ allow $1 proc_t:dir list_dir_perms;
+ allow $1 sysctl_t:dir { getattr mounton };
+')
+
+########################################
+## <summary>
## Read filesystem sysctls.
## </summary>
## <param name="domain">
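Review bot: All three interfaces in this hunk carry `<rolecap/>`, which marks an interface as a capability to be listed for user roles; mounting over kernel sysctl and kmsg files is an infrastructure permission rather than a role capability, and the sibling interfaces added to devices.if and files.if in this patch do not carry the tag, so it should be dropped for consistency. Each interface also grants `list_dir_perms` on proc_t and the sysctl directories, which is more than the name promises; path lookup to the target file most likely only needs `search_dir_perms` (`allow $1 { proc_t sysctl_t sysctl_kernel_t }:dir search_dir_perms;`), which should be confirmed against the actual denials. The summaries (`mounton sysctl_kernel_t and sysctl_t files`, `mounton proc_kmsg_t files`, `mounton sysctl_t dirs`) should be capitalised to match the rest of the file.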
@@ -2216,6 +2312,25 @@ interface(`kernel_rw_all_sysctls',`
')

########################################
+## <summary>
+## mounton proc_t dirs
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`kernel_mounton_proc',`
+ gen_require(`
+ type proc_t;
+ ')
+
+ allow $1 proc_t:dir mounton;
+')
+
+########################################
## <summary>
## Send a kill signal to unlabeled processes.
## </summary>
Index: refpolicy-2.20170326/policy/modules/system/systemd.te
===================================================================
--- refpolicy-2.20170326.orig/policy/modules/system/systemd.te
+++ refpolicy-2.20170326/policy/modules/system/systemd.te
@@ -455,6 +459,8 @@ allow systemd_machined_t self:unix_dgram
manage_files_pattern(systemd_machined_t, systemd_machined_var_run_t, systemd_machined_var_run_t)
allow systemd_machined_t systemd_machined_var_run_t:lnk_file manage_lnk_file_perms;

+allow systemd_machined_t systemd_unit_t:service { start status stop };
+
kernel_read_kernel_sysctls(systemd_machined_t)
kernel_read_system_state(systemd_machined_t)

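Review bot: The hunk header `@@ -455,6 +459,8 @@` implies four lines were already added earlier in systemd.te that this diff does not include - likely the `gen_tunable` declaration for `systemd_nspawn_labeled_namespace`, which the nspawn policy later in the patch references - so the posted patch appears incomplete and would not build as shown. The new `allow systemd_machined_t systemd_unit_t:service { start status stop };` should also state which units machined needs to control, e.g. `# machinectl start/stop/status of container units (presumably systemd-nspawn@.service) goes through machined`, since the cover letter only calls it a tiny patch required by nspawn. Note that the `service` object class is enforced by systemd acting as a userspace object manager, not by the kernel, so this rule only has effect on a systemd built with SELinux support.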
@@ -510,10 +516,108 @@ miscfiles_read_localization(systemd_noti

########################################
#
-# Nspawn local policy
+# nspawn local policy
#

init_pid_filetrans(systemd_nspawn_t, systemd_nspawn_var_run_t, dir)
+allow systemd_nspawn_t self:process { getcap setcap setfscreate sigkill };
+allow systemd_nspawn_t self:capability { dac_override fsetid mknod net_admin setgid setuid setpcap sys_admin sys_chroot };
+allow systemd_nspawn_t self:capability2 wake_alarm;
+allow systemd_nspawn_t self:unix_dgram_socket connected_socket_perms;
+
+allow systemd_nspawn_t systemd_nspawn_var_run_t:dir manage_dir_perms;
+allow systemd_nspawn_t systemd_nspawn_var_run_t:file manage_file_perms;
+
+allow systemd_nspawn_t systemd_journal_t:dir search;
+
+allow systemd_nspawn_t systemd_machined_t:dbus send_msg;
+allow systemd_machined_t systemd_nspawn_t:dbus send_msg;
+
+# for /run/systemd/nspawn/incoming in chroot
+allow systemd_nspawn_t systemd_nspawn_var_run_t:dir mounton;
+
+kernel_mount_proc(systemd_nspawn_t)
+kernel_mounton_kernel_sysctl_file(systemd_nspawn_t)
+kernel_mounton_kmsg_file(systemd_nspawn_t)
+kernel_mounton_proc(systemd_nspawn_t)
+kernel_mounton_sysctl_dir(systemd_nspawn_t)
+kernel_read_kernel_sysctls(systemd_nspawn_t)
+kernel_read_system_state(systemd_nspawn_t)
+kernel_remount_proc(systemd_nspawn_t)
+kernel_unconfined(systemd_nspawn_t)
+
+corecmd_exec_shell(systemd_nspawn_t)
+corecmd_search_bin(systemd_nspawn_t)
+corenet_rw_tun_tap_dev(systemd_nspawn_t)
+dev_getattr_fs(systemd_nspawn_t)
+dev_manage_sysfs_dirs(systemd_nspawn_t)
+dev_mounton_sysfs_dirs(systemd_nspawn_t)
+dev_mount_sysfs(systemd_nspawn_t)
+dev_read_rand(systemd_nspawn_t)
+dev_read_urand(systemd_nspawn_t)
+files_getattr_tmp_dirs(systemd_nspawn_t)
+files_manage_etc_files(systemd_nspawn_t)
+files_manage_mnt_dirs(systemd_nspawn_t)
+files_mounton_mnt(systemd_nspawn_t)
+files_mounton_root(systemd_nspawn_t)
+files_mounton_tmp(systemd_nspawn_t)
+files_setattr_pid_dirs(systemd_nspawn_t)
+fs_getattr_tmpfs(systemd_nspawn_t)
+fs_manage_tmpfs_chr_files(systemd_nspawn_t)
+fs_mount_tmpfs(systemd_nspawn_t)
+fs_remount_tmpfs(systemd_nspawn_t)
+fs_search_cgroup_dirs(systemd_nspawn_t)
+init_domtrans_script(systemd_nspawn_t)
+init_kill_initrc(systemd_nspawn_t)
+init_read_state(systemd_nspawn_t)
+init_search_run(systemd_nspawn_t)
+init_write_pid_socket(systemd_nspawn_t)
+miscfiles_manage_localization(systemd_nspawn_t)
+# for writing inside chroot
+sysnet_manage_config(systemd_nspawn_t)
+
+term_getattr_generic_ptys(systemd_nspawn_t)
+term_getattr_pty_fs(systemd_nspawn_t)
+term_mount_ptyfs(systemd_nspawn_t)
+term_search_ptys(systemd_nspawn_t)
+term_setattr_generic_ptys(systemd_nspawn_t)
+term_use_ptmx(systemd_nspawn_t)
+userdom_manage_user_home_dirs(systemd_nspawn_t)
+
+init_spec_domtrans_script(systemd_nspawn_t)
+
+tunable_policy(`systemd_nspawn_labeled_namespace',`
+ corecmd_exec_shell(systemd_nspawn_t)
+ dev_mounton(systemd_nspawn_t)
+ dev_setattr_generic_dirs(systemd_nspawn_t)
+ files_search_home(systemd_nspawn_t)
+ files_mounton_pid_dirs(systemd_nspawn_t)
+ fs_getattr_cgroup(systemd_nspawn_t)
+ fs_manage_cgroup_dirs(systemd_nspawn_t)
+ fs_manage_tmpfs_dirs(systemd_nspawn_t)
+ fs_manage_tmpfs_files(systemd_nspawn_t)
+ fs_manage_tmpfs_symlinks(systemd_nspawn_t)
+ fs_mount_cgroup(systemd_nspawn_t)
+ fs_mounton_cgroup(systemd_nspawn_t)
+ fs_mounton_tmpfs(systemd_nspawn_t)
+ fs_mounton_tmpfs_files(systemd_nspawn_t)
+ fs_remount_cgroup(systemd_nspawn_t)
+ fs_search_tmpfs(systemd_nspawn_t)
+ fs_write_cgroup_files(systemd_nspawn_t)
+ init_domtrans(systemd_nspawn_t)
+ logging_search_logs(systemd_nspawn_t)
+ selinux_getattr_fs(systemd_nspawn_t)
+ selinux_search_fs(systemd_nspawn_t)
+ seutil_search_default_contexts(systemd_nspawn_t)
+')
+
+optional_policy(`
+ dbus_system_bus_client(systemd_nspawn_t)
+')
+
+optional_policy(`
+ virt_manage_virt_content(systemd_nspawn_t)
+')

#######################################
#
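Review bot: The rules justified as `# for writing inside chroot` - `files_manage_etc_files`, `sysnet_manage_config`, `miscfiles_manage_localization` and `userdom_manage_user_home_dirs` - are type-based and therefore grant systemd_nspawn_t write access to the host's own files of those types (etc_t, network configuration, locale data, user home directories) as well as to the container's rootfs, because SELinux types are not scoped to the container's mount namespace; the chroot justification does not limit the grant, and a compromised nspawn could rewrite host /etc. If container contents cannot be labelled distinctly from the host, these four lines belong under the `systemd_nspawn_labeled_namespace` tunable or a dedicated tunable, and the comment should state the host-wide effect, e.g. `# container rootfs carries host labels; these rules also grant write access to the host's own files of these types`. `corecmd_exec_shell(systemd_nspawn_t)` is granted unconditionally near the top of the block and again inside the tunable, so the second copy is redundant. The tunable is referenced here but its declaration is not in this diff.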
Index: refpolicy-2.20170326/policy/modules/kernel/files.if
===================================================================
--- refpolicy-2.20170326.orig/policy/modules/kernel/files.if
+++ refpolicy-2.20170326/policy/modules/kernel/files.if
@@ -6306,6 +6306,24 @@ interface(`files_dontaudit_getattr_pid_d

########################################
## <summary>
+## mounton a /var/run directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_mounton_pid_dirs',`
+ gen_require(`
+ type var_run_t;
+ ')
+
+ allow $1 var_run_t:dir mounton;
+')
+
+########################################
+## <summary>
## Set the attributes of the /var/run directory.
## </summary>
## <param name="domain">
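Review bot: The summary `## mounton a /var/run directory.` understates the rule: `var_run_t:dir mounton` is type-based, so the caller may mount over any generically labelled directory under /run, not one particular directory. `## Mount on generic /run (var_run_t) directories.` would describe it accurately and match the capitalised style of `Set the attributes of the /var/run directory.` below.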
Index: refpolicy-2.20170326/policy/modules/kernel/filesystem.if
===================================================================
--- refpolicy-2.20170326.orig/policy/modules/kernel/filesystem.if
+++ refpolicy-2.20170326/policy/modules/kernel/filesystem.if
@@ -4142,6 +4142,24 @@ interface(`fs_mounton_tmpfs',`

########################################
## <summary>
+## Mount on tmpfs files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_mounton_tmpfs_files',`
+ gen_require(`
+ type tmpfs_t;
+ ')
+
+ allow $1 tmpfs_t:file mounton;
+')
+
+########################################
+## <summary>
## Set the attributes of tmpfs directories.
## </summary>
## <param name="domain">
Index: refpolicy-2.20170326/policy/modules/kernel/terminal.if
===================================================================
--- refpolicy-2.20170326.orig/policy/modules/kernel/terminal.if
+++ refpolicy-2.20170326/policy/modules/kernel/terminal.if
@@ -133,6 +133,24 @@ interface(`term_user_tty',`

########################################
## <summary>
+## mount a devpts_t filesystem
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process to mount it
+## </summary>
+## </param>
+#
+interface(`term_mount_ptyfs',`
+ gen_require(`
+ type devpts_t;
+ ')
+
+ allow $1 devpts_t:filesystem mount;
+')
+
+########################################
+## <summary>
## Create a pty in the /dev/pts directory.
## </summary>
## <param name="domain">
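Review bot: The `domain` parameter summary in `term_mount_ptyfs` reads `The type of the process to mount it`, unlike every other interface in this patch and in the file, which use `Domain allowed access.`; it should be changed to that standard text so the generated interface documentation stays uniform. The summary `mount a devpts_t filesystem` should also be capitalised and phrased like its neighbours, e.g. `## Mount a devpts filesystem.`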


2017-04-01 16:10:33

by Chris PeBenito

Subject: [refpolicy] [PATCH] systemd-nspawn again

On 03/29/2017 08:56 AM, Russell Coker via refpolicy wrote:
> This patch doesn't do everything that is needed to have systemd-nspawn work.
> But it does everything that is needed and which I have written in a clear and
> uncontroversial way. I think it's best to get this upstream now and then
> either have a separate discussion about the more difficult issues, or wait
> until I devise a way of solving those problems that's not too hacky.
>
> Who knows, maybe someone else will devise a brilliant solution to the remaining
> issues after this is accepted upstream. ;)
>
> Also there's a tiny patch for systemd_machined_t that is required by
> systemd_nspawn_t.
>
> Description: systemd-nspawn
> Author: Russell Coker <[email protected]>
> Last-Update: 2017-03-29

I moved some lines and renamed some interfaces. All the rules should be
there, except for one. I removed the kernel_unconfined().



> Index: refpolicy-2.20170326/policy/modules/system/init.if
> ===================================================================
> --- refpolicy-2.20170326.orig/policy/modules/system/init.if
> +++ refpolicy-2.20170326/policy/modules/system/init.if
> @@ -2,6 +2,24 @@
>
> ########################################
> ## <summary>
> +## kill a initrc_t process
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`init_kill_initrc',`
> + gen_require(`
> + type initrc_t;
> + ')
> +
> + allow $1 initrc_t:process sigkill;
> +')
> +
> +########################################
> +## <summary>
> ## Create a file type used for init scripts.
> ## </summary>
> ## <desc>
> @@ -828,6 +846,7 @@ interface(`init_dgram_send',`
>
> dgram_send_pattern($1, init_var_run_t, init_var_run_t, init_t)
> files_search_pids($1)
> + allow $1 init_t:unix_stream_socket getattr;
> ')
>
> ########################################
> @@ -1093,21 +1112,6 @@ interface(`init_list_var_lib_dirs',`
> ## Domain allowed access.
> ## </summary>
> ## </param>
> -## <param name="file_type">
> -## <summary>
> -## The type of the object to be created
> -## </summary>
> -## </param>
> -## <param name="object_class">
> -## <summary>
> -## The object class.
> -## </summary>
> -## </param>
> -## <param name="name" optional="true">
> -## <summary>
> -## The name of the object being created.
> -## </summary>
> -## </param>
> #
> interface(`init_manage_var_lib_files',`
> gen_require(`
> @@ -1657,14 +1661,14 @@ interface(`init_startstop_service',`
> #
> interface(`init_run_daemon',`
> gen_require(`
> - attribute init_script_file_type;
> + attribute init_script_file_type;
> role system_r;
> ')
>
> allow $2 system_r;
>
> - init_all_labeled_script_domtrans($1)
> - role_transition $2 init_script_file_type system_r;
> + init_all_labeled_script_domtrans($1)
> + role_transition $2 init_script_file_type system_r;
> ')
>
> ########################################
> @@ -2639,11 +2643,11 @@ interface(`init_delete_pid_files',`
> ## </param>
> #
> interface(`init_write_pid_socket',`
> - gen_require(`
> - type init_var_run_t;
> - ')
> + gen_require(`
> + type init_var_run_t;
> + ')
>
> - allow $1 init_var_run_t:sock_file write;
> + allow $1 init_var_run_t:sock_file write;
> ')
>
> ########################################
> Index: refpolicy-2.20170326/policy/modules/kernel/devices.if
> ===================================================================
> --- refpolicy-2.20170326.orig/policy/modules/kernel/devices.if
> +++ refpolicy-2.20170326/policy/modules/kernel/devices.if
> @@ -4046,6 +4046,24 @@ interface(`dev_getattr_sysfs_dirs',`
>
> ########################################
> ## <summary>
> +## mounton sysfs directories.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`dev_mounton_sysfs_dirs',`
> + gen_require(`
> + type sysfs_t;
> + ')
> +
> + allow $1 sysfs_t:dir mounton;
> +')
> +
> +########################################
> +## <summary>
> ## Get the attributes of sysfs filesystem
> ## </summary>
> ## <param name="domain">
> @@ -4063,6 +4081,24 @@ interface(`dev_getattr_sysfs',`
> ')
>
> ########################################
> +## <summary>
> +## mount a sysfs filesystem
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`dev_mount_sysfs',`
> + gen_require(`
> + type sysfs_t;
> + ')
> +
> + allow $1 sysfs_t:filesystem mount;
> +')
> +
> +########################################
> ## <summary>
> ## Do not audit getting the attributes of sysfs filesystem
> ## </summary>
> Index: refpolicy-2.20170326/policy/modules/kernel/kernel.if
> ===================================================================
> --- refpolicy-2.20170326.orig/policy/modules/kernel/kernel.if
> +++ refpolicy-2.20170326/policy/modules/kernel/kernel.if
> @@ -846,6 +846,42 @@ interface(`kernel_unmount_proc',`
>
> ########################################
> ## <summary>
> +## mount the proc filesystem.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`kernel_mount_proc',`
> + gen_require(`
> + type proc_t;
> + ')
> +
> + allow $1 proc_t:filesystem mount;
> +')
> +
> +########################################
> +## <summary>
> +## remount the proc filesystem.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`kernel_remount_proc',`
> + gen_require(`
> + type proc_t;
> + ')
> +
> + allow $1 proc_t:filesystem remount;
> +')
> +
> +########################################
> +## <summary>
> ## Get the attributes of the proc filesystem.
> ## </summary>
> ## <param name="domain">
> @@ -2024,6 +2060,66 @@ interface(`kernel_search_fs_sysctls',`
>
> ########################################
> ## <summary>
> +## mounton sysctl_kernel_t and sysctl_t files
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +## <rolecap/>
> +#
> +interface(`kernel_mounton_kernel_sysctl_file',`
> + gen_require(`
> + type proc_t, sysctl_t, sysctl_kernel_t;
> + ')
> +
> + allow $1 { proc_t sysctl_t sysctl_kernel_t }:dir list_dir_perms;
> + allow $1 { sysctl_t sysctl_kernel_t }:file { getattr mounton };
> +')
> +
> +########################################
> +## <summary>
> +## mounton proc_kmsg_t files
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +## <rolecap/>
> +#
> +interface(`kernel_mounton_kmsg_file',`
> + gen_require(`
> + type proc_t, proc_kmsg_t;
> + ')
> +
> + allow $1 proc_t:dir list_dir_perms;
> + allow $1 proc_kmsg_t:file { getattr mounton };
> +')
> +
> +########################################
> +## <summary>
> +## mounton sysctl_t dirs
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +## <rolecap/>
> +#
> +interface(`kernel_mounton_sysctl_dir',`
> + gen_require(`
> + type proc_t, sysctl_t;
> + ')
> +
> + allow $1 proc_t:dir list_dir_perms;
> + allow $1 sysctl_t:dir { getattr mounton };
> +')
> +
> +########################################
> +## <summary>
> ## Read filesystem sysctls.
> ## </summary>
> ## <param name="domain">
> @@ -2216,6 +2312,25 @@ interface(`kernel_rw_all_sysctls',`
> ')
>
> ########################################
> +## <summary>
> +## mounton proc_t dirs
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +## <rolecap/>
> +#
> +interface(`kernel_mounton_proc',`
> + gen_require(`
> + type proc_t;
> + ')
> +
> + allow $1 proc_t:dir mounton;
> +')
> +
> +########################################
> ## <summary>
> ## Send a kill signal to unlabeled processes.
> ## </summary>
> Index: refpolicy-2.20170326/policy/modules/system/systemd.te
> ===================================================================
> --- refpolicy-2.20170326.orig/policy/modules/system/systemd.te
> +++ refpolicy-2.20170326/policy/modules/system/systemd.te
> @@ -455,6 +459,8 @@ allow systemd_machined_t self:unix_dgram
> manage_files_pattern(systemd_machined_t, systemd_machined_var_run_t, systemd_machined_var_run_t)
> allow systemd_machined_t systemd_machined_var_run_t:lnk_file manage_lnk_file_perms;
>
> +allow systemd_machined_t systemd_unit_t:service { start status stop };
> +
> kernel_read_kernel_sysctls(systemd_machined_t)
> kernel_read_system_state(systemd_machined_t)
>
> @@ -510,10 +516,108 @@ miscfiles_read_localization(systemd_noti
>
> ########################################
> #
> -# Nspawn local policy
> +# nspawn local policy
> #
>
> init_pid_filetrans(systemd_nspawn_t, systemd_nspawn_var_run_t, dir)
> +allow systemd_nspawn_t self:process { getcap setcap setfscreate sigkill };
> +allow systemd_nspawn_t self:capability { dac_override fsetid mknod net_admin setgid setuid setpcap sys_admin sys_chroot };
> +allow systemd_nspawn_t self:capability2 wake_alarm;
> +allow systemd_nspawn_t self:unix_dgram_socket connected_socket_perms;
> +
> +allow systemd_nspawn_t systemd_nspawn_var_run_t:dir manage_dir_perms;
> +allow systemd_nspawn_t systemd_nspawn_var_run_t:file manage_file_perms;
> +
> +allow systemd_nspawn_t systemd_journal_t:dir search;
> +
> +allow systemd_nspawn_t systemd_machined_t:dbus send_msg;
> +allow systemd_machined_t systemd_nspawn_t:dbus send_msg;
> +
> +# for /run/systemd/nspawn/incoming in chroot
> +allow systemd_nspawn_t systemd_nspawn_var_run_t:dir mounton;
> +
> +kernel_mount_proc(systemd_nspawn_t)
> +kernel_mounton_kernel_sysctl_file(systemd_nspawn_t)
> +kernel_mounton_kmsg_file(systemd_nspawn_t)
> +kernel_mounton_proc(systemd_nspawn_t)
> +kernel_mounton_sysctl_dir(systemd_nspawn_t)
> +kernel_read_kernel_sysctls(systemd_nspawn_t)
> +kernel_read_system_state(systemd_nspawn_t)
> +kernel_remount_proc(systemd_nspawn_t)
> +kernel_unconfined(systemd_nspawn_t)
> +
> +corecmd_exec_shell(systemd_nspawn_t)
> +corecmd_search_bin(systemd_nspawn_t)
> +corenet_rw_tun_tap_dev(systemd_nspawn_t)
> +dev_getattr_fs(systemd_nspawn_t)
> +dev_manage_sysfs_dirs(systemd_nspawn_t)
> +dev_mounton_sysfs_dirs(systemd_nspawn_t)
> +dev_mount_sysfs(systemd_nspawn_t)
> +dev_read_rand(systemd_nspawn_t)
> +dev_read_urand(systemd_nspawn_t)
> +files_getattr_tmp_dirs(systemd_nspawn_t)
> +files_manage_etc_files(systemd_nspawn_t)
> +files_manage_mnt_dirs(systemd_nspawn_t)
> +files_mounton_mnt(systemd_nspawn_t)
> +files_mounton_root(systemd_nspawn_t)
> +files_mounton_tmp(systemd_nspawn_t)
> +files_setattr_pid_dirs(systemd_nspawn_t)
> +fs_getattr_tmpfs(systemd_nspawn_t)
> +fs_manage_tmpfs_chr_files(systemd_nspawn_t)
> +fs_mount_tmpfs(systemd_nspawn_t)
> +fs_remount_tmpfs(systemd_nspawn_t)
> +fs_search_cgroup_dirs(systemd_nspawn_t)
> +init_domtrans_script(systemd_nspawn_t)
> +init_kill_initrc(systemd_nspawn_t)
> +init_read_state(systemd_nspawn_t)
> +init_search_run(systemd_nspawn_t)
> +init_write_pid_socket(systemd_nspawn_t)
> +miscfiles_manage_localization(systemd_nspawn_t)
> +# for writing inside chroot
> +sysnet_manage_config(systemd_nspawn_t)
> +
> +term_getattr_generic_ptys(systemd_nspawn_t)
> +term_getattr_pty_fs(systemd_nspawn_t)
> +term_mount_ptyfs(systemd_nspawn_t)
> +term_search_ptys(systemd_nspawn_t)
> +term_setattr_generic_ptys(systemd_nspawn_t)
> +term_use_ptmx(systemd_nspawn_t)
> +userdom_manage_user_home_dirs(systemd_nspawn_t)
> +
> +init_spec_domtrans_script(systemd_nspawn_t)
> +
> +tunable_policy(`systemd_nspawn_labeled_namespace',`
> + corecmd_exec_shell(systemd_nspawn_t)
> + dev_mounton(systemd_nspawn_t)
> + dev_setattr_generic_dirs(systemd_nspawn_t)
> + files_search_home(systemd_nspawn_t)
> + files_mounton_pid_dirs(systemd_nspawn_t)
> + fs_getattr_cgroup(systemd_nspawn_t)
> + fs_manage_cgroup_dirs(systemd_nspawn_t)
> + fs_manage_tmpfs_dirs(systemd_nspawn_t)
> + fs_manage_tmpfs_files(systemd_nspawn_t)
> + fs_manage_tmpfs_symlinks(systemd_nspawn_t)
> + fs_mount_cgroup(systemd_nspawn_t)
> + fs_mounton_cgroup(systemd_nspawn_t)
> + fs_mounton_tmpfs(systemd_nspawn_t)
> + fs_mounton_tmpfs_files(systemd_nspawn_t)
> + fs_remount_cgroup(systemd_nspawn_t)
> + fs_search_tmpfs(systemd_nspawn_t)
> + fs_write_cgroup_files(systemd_nspawn_t)
> + init_domtrans(systemd_nspawn_t)
> + logging_search_logs(systemd_nspawn_t)
> + selinux_getattr_fs(systemd_nspawn_t)
> + selinux_search_fs(systemd_nspawn_t)
> + seutil_search_default_contexts(systemd_nspawn_t)
> +')
> +
> +optional_policy(`
> + dbus_system_bus_client(systemd_nspawn_t)
> +')
> +
> +optional_policy(`
> + virt_manage_virt_content(systemd_nspawn_t)
> +')
>
> #######################################
> #
> Index: refpolicy-2.20170326/policy/modules/kernel/files.if
> ===================================================================
> --- refpolicy-2.20170326.orig/policy/modules/kernel/files.if
> +++ refpolicy-2.20170326/policy/modules/kernel/files.if
> @@ -6306,6 +6306,24 @@ interface(`files_dontaudit_getattr_pid_d
>
> ########################################
> ## <summary>
> +## mounton a /var/run directory.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`files_mounton_pid_dirs',`
> + gen_require(`
> + type var_run_t;
> + ')
> +
> + allow $1 var_run_t:dir mounton;
> +')
> +
> +########################################
> +## <summary>
> ## Set the attributes of the /var/run directory.
> ## </summary>
> ## <param name="domain">
> Index: refpolicy-2.20170326/policy/modules/kernel/filesystem.if
> ===================================================================
> --- refpolicy-2.20170326.orig/policy/modules/kernel/filesystem.if
> +++ refpolicy-2.20170326/policy/modules/kernel/filesystem.if
> @@ -4142,6 +4142,24 @@ interface(`fs_mounton_tmpfs',`
>
> ########################################
> ## <summary>
> +## Mount on tmpfs files.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`fs_mounton_tmpfs_files',`
> + gen_require(`
> + type tmpfs_t;
> + ')
> +
> + allow $1 tmpfs_t:file mounton;
> +')
> +
> +########################################
> +## <summary>
> ## Set the attributes of tmpfs directories.
> ## </summary>
> ## <param name="domain">
> Index: refpolicy-2.20170326/policy/modules/kernel/terminal.if
> ===================================================================
> --- refpolicy-2.20170326.orig/policy/modules/kernel/terminal.if
> +++ refpolicy-2.20170326/policy/modules/kernel/terminal.if
> @@ -133,6 +133,24 @@ interface(`term_user_tty',`
>
> ########################################
> ## <summary>
> +## mount a devpts_t filesystem
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## The type of the process to mount it
> +## </summary>
> +## </param>
> +#
> +interface(`term_mount_ptyfs',`
> + gen_require(`
> + type devpts_t;
> + ')
> +
> + allow $1 devpts_t:filesystem mount;
> +')
> +
> +########################################
> +## <summary>
> ## Create a pty in the /dev/pts directory.
> ## </summary>
> ## <param name="domain">
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
>


--
Chris PeBenito