2017-09-05 05:38:13

by Russell Coker

Subject: [refpolicy] [PATCH] systemd nspawn and backlight

The following patch allows systemd_nspawn_t to create directories under /tmp
and use them as mountpoints. Also allows systemd_nspawn_t to umount cgroup
filesystems.

Allows systemd_backlight_t to search /var/lib.

Index: refpolicy-2.20170903/policy/modules/system/systemd.te
===================================================================
--- refpolicy-2.20170903.orig/policy/modules/system/systemd.te
+++ refpolicy-2.20170903/policy/modules/system/systemd.te
@@ -116,6 +116,9 @@ init_system_domain(systemd_nspawn_t, sys
type systemd_nspawn_var_run_t;
files_pid_file(systemd_nspawn_var_run_t)

+type systemd_nspawn_tmp_t;
+files_tmp_file(systemd_nspawn_tmp_t)
+
type systemd_resolved_t;
type systemd_resolved_exec_t;
init_system_domain(systemd_resolved_t, systemd_resolved_exec_t)
@@ -182,6 +185,8 @@ files_read_etc_files(systemd_backlight_t
# for /run/udev/data/+backlight*
udev_read_pid_files(systemd_backlight_t)

+files_search_var_lib(systemd_backlight_t)
+
#######################################
#
# Binfmt local policy
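Review bot: The new files_search_var_lib(systemd_backlight_t) line carries no comment saying which path under /var/lib needs searching, whereas the preceding rule documents its trigger (`# for /run/udev/data/+backlight*`); a one-line comment in the same style, e.g. `# for /var/lib/systemd/backlight/ state files`, would let the next reader tell whether search is all that is required. If the denial that motivated this was actually systemd-backlight saving brightness state there, search alone will not cover the create/write that follows, so it is worth confirming against the AVC messages that this rule is complete rather than the first of several. The systemd_backlight_t block continues outside the hunk.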
@@ -534,6 +539,10 @@ allow systemd_nspawn_t systemd_nspawn_va
allow systemd_nspawn_t systemd_nspawn_var_run_t:file manage_file_perms;
init_pid_filetrans(systemd_nspawn_t, systemd_nspawn_var_run_t, dir)

+files_tmp_filetrans(systemd_nspawn_t, systemd_nspawn_tmp_t, { dir })
+allow systemd_nspawn_t systemd_nspawn_tmp_t:dir manage_dir_perms;
+allow systemd_nspawn_t systemd_nspawn_tmp_t:dir mounton;
+
# for /run/systemd/nspawn/incoming in chroot
allow systemd_nspawn_t systemd_nspawn_var_run_t:dir mounton;
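Review bot: The two new allow rules on systemd_nspawn_tmp_t:dir can be one rule, matching how the rest of this block groups permissions per class, `allow systemd_nspawn_t systemd_nspawn_tmp_t:dir { manage_dir_perms mounton };`. The filetrans call writes the class as `{ dir }` while the existing init_pid_filetrans two lines above passes a bare `dir`; either is accepted, but the block should use one form. Because the filetrans has no name argument, every directory systemd_nspawn_t creates in /tmp will be labelled systemd_nspawn_tmp_t and become a permitted mount target, which is presumably intended, so a short comment in the style of the `# for /run/systemd/nspawn/incoming in chroot` line below it naming what nspawn mounts there would document that scope.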

@@ -615,6 +624,7 @@ tunable_policy(`systemd_nspawn_labeled_n
fs_mounton_tmpfs_files(systemd_nspawn_t)
fs_remount_cgroup(systemd_nspawn_t)
fs_search_tmpfs(systemd_nspawn_t)
+ fs_unmount_cgroup(systemd_nspawn_t)
fs_write_cgroup_files(systemd_nspawn_t)

selinux_getattr_fs(systemd_nspawn_t)
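Review bot: The added fs_unmount_cgroup line appears with a leading space after the `+`, unlike its three context neighbours; if that is a space rather than the file's tab indent inside the tunable_policy block it should be corrected before it is merged, though this may only be an artefact of how the mail was rendered. The enclosing tunable_policy(`systemd_nspawn_labeled_namespace`) block starts and ends outside the hunk, so whether unmounting cgroup filesystems belongs under that tunable (as fs_remount_cgroup already does) or unconditionally in the base domain rules cannot be judged from here and is worth stating in the commit message.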


2017-09-06 15:04:41

by Chris PeBenito

Subject: [refpolicy] [PATCH] systemd nspawn and backlight

On 09/05/2017 01:38 AM, Russell Coker via refpolicy wrote:
> The following patch allows systemd_nspawn_t to create directories under /tmp
> and use them as mountpoints. Also allows systemd_nspawn_t to umount cgroup
> filesystems.
>
> Allows systemd_backlight_t to search /var/lib.
>
> Index: refpolicy-2.20170903/policy/modules/system/systemd.te
> ===================================================================
> --- refpolicy-2.20170903.orig/policy/modules/system/systemd.te
> +++ refpolicy-2.20170903/policy/modules/system/systemd.te
> @@ -116,6 +116,9 @@ init_system_domain(systemd_nspawn_t, sys
> type systemd_nspawn_var_run_t;
> files_pid_file(systemd_nspawn_var_run_t)
>
> +type systemd_nspawn_tmp_t;
> +files_tmp_file(systemd_nspawn_tmp_t)
> +
> type systemd_resolved_t;
> type systemd_resolved_exec_t;
> init_system_domain(systemd_resolved_t, systemd_resolved_exec_t)
> @@ -182,6 +185,8 @@ files_read_etc_files(systemd_backlight_t
> # for /run/udev/data/+backlight*
> udev_read_pid_files(systemd_backlight_t)
>
> +files_search_var_lib(systemd_backlight_t)
> +
> #######################################
> #
> # Binfmt local policy
> @@ -534,6 +539,10 @@ allow systemd_nspawn_t systemd_nspawn_va
> allow systemd_nspawn_t systemd_nspawn_var_run_t:file manage_file_perms;
> init_pid_filetrans(systemd_nspawn_t, systemd_nspawn_var_run_t, dir)
>
> +files_tmp_filetrans(systemd_nspawn_t, systemd_nspawn_tmp_t, { dir })
> +allow systemd_nspawn_t systemd_nspawn_tmp_t:dir manage_dir_perms;
> +allow systemd_nspawn_t systemd_nspawn_tmp_t:dir mounton;
> +
> # for /run/systemd/nspawn/incoming in chroot
> allow systemd_nspawn_t systemd_nspawn_var_run_t:dir mounton;
>
> @@ -615,6 +624,7 @@ tunable_policy(`systemd_nspawn_labeled_n
> fs_mounton_tmpfs_files(systemd_nspawn_t)
> fs_remount_cgroup(systemd_nspawn_t)
> fs_search_tmpfs(systemd_nspawn_t)
> + fs_unmount_cgroup(systemd_nspawn_t)
> fs_write_cgroup_files(systemd_nspawn_t)
>
> selinux_getattr_fs(systemd_nspawn_t)

Merged.

--
Chris PeBenito