2017-10-09 21:22:58

by Sugar, David

Subject: [refpolicy] [PATCH 1/1] policy for systemd-networkd

Policy needed for systemd-networkd to function. This is based on a patch from krzysztof.a.nowicki at gmail.com that was submitted back in May (I talked to him via email a while ago about me picking up the patch). He was too busy to update and I needed to get it working.

I hope I have the ordering of interfaces correct in systemd.if, but please comment if something is off and I will correct it.

Signed-off-by: Dave Sugar <[email protected]>
---
policy/modules/system/init.te | 1 +
policy/modules/system/sysnetwork.fc | 2 +
policy/modules/system/systemd.fc | 3 +
policy/modules/system/systemd.if | 116 ++++++++++++++++++++++++++++++++++++
policy/modules/system/systemd.te | 70 ++++++++++++++++++++++
5 files changed, 192 insertions(+)

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index df5e1611..2d2eb57e 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -325,6 +325,7 @@ ifdef(`init_systemd',`
systemd_manage_passwd_runtime_symlinks(init_t)
systemd_use_passwd_agent(init_t)
systemd_list_tmpfiles_conf(init_t)
+ systemd_networkd_use_sock(init_t)
systemd_relabelto_tmpfiles_conf_dirs(init_t)
systemd_relabelto_tmpfiles_conf_files(init_t)
systemd_relabelto_journal_dirs(init_t)
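Review bot: `systemd_networkd_use_sock(init_t)` hands PID 1 client_stream_socket_perms on systemd_networkd_t's netlink_route_socket, which (create, bind, setopt, read, write, ...) is far more than an inherited-descriptor denial normally requires, and with write it lets init_t emit route messages through networkd's socket. If the AVC that motivated this was init_t touching a netlink fd leaked across a restart of the service, the usual refpolicy answer is a dontaudit of that access rather than an allow; if it is genuinely needed, scope the interface down to the permissions the denial actually shows (typically `{ read write }` or `getattr`). Either way the commit message should say why init_t needs networkd's socket at all.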
diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc
index ae4fbea2..91fb5160 100644
--- a/policy/modules/system/sysnetwork.fc
+++ b/policy/modules/system/sysnetwork.fc
@@ -24,6 +24,8 @@ ifdef(`distro_debian',`
/etc/dhcp3(/.*)? gen_context(system_u:object_r:dhcp_etc_t,s0)
/etc/dhcp3?/dhclient.* gen_context(system_u:object_r:dhcp_etc_t,s0)

+/etc/systemd/network(/.*)? gen_context(system_u:object_r:net_conf_t,s0)
+
ifdef(`distro_redhat',`
/etc/sysconfig/network-scripts/.*resolv\.conf -- gen_context(system_u:object_r:net_conf_t,s0)
/etc/sysconfig/networking(/.*)? gen_context(system_u:object_r:net_conf_t,s0)
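Review bot: Labeling `/etc/systemd/network(/.*)?` as net_conf_t puts the administrator-authored .network/.netdev/.link definitions in the same type that refpolicy lets DHCP-client and similar network domains write (the sysnet_manage_config family), so a compromise of one of those domains would presumably be able to rewrite interface configuration that networkd then enforces — confirm that is acceptable, or give these files a dedicated type with a read-only interface for systemd_networkd_t. Separately, the hunk header names the `distro_debian` ifdef and no closing `')` is visible in the context before the new line, so verify the entry really lands outside that block and applies on every distro.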
diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
index 57944e1d..56e9bc13 100644
--- a/policy/modules/system/systemd.fc
+++ b/policy/modules/system/systemd.fc
@@ -23,6 +23,7 @@
/usr/lib/systemd/systemd-localed -- gen_context(system_u:object_r:systemd_locale_exec_t,s0)
/usr/lib/systemd/systemd-logind -- gen_context(system_u:object_r:systemd_logind_exec_t,s0)
/usr/lib/systemd/systemd-machined -- gen_context(system_u:object_r:systemd_machined_exec_t,s0)
+/usr/lib/systemd/systemd-networkd -- gen_context(system_u:object_r:systemd_networkd_exec_t,s0)
/usr/lib/systemd/systemd-resolved -- gen_context(system_u:object_r:systemd_resolved_exec_t,s0)
/usr/lib/systemd/systemd-user-sessions -- gen_context(system_u:object_r:systemd_sessions_exec_t,s0)

@@ -36,6 +37,7 @@
/usr/lib/systemd/system/[^/]*suspend.* -- gen_context(system_u:object_r:power_unit_t,s0)
/usr/lib/systemd/system/systemd-backlight.* -- gen_context(system_u:object_r:systemd_backlight_unit_t,s0)
/usr/lib/systemd/system/systemd-binfmt.* -- gen_context(system_u:object_r:systemd_binfmt_unit_t,s0)
+/usr/lib/systemd/system/systemd-networkd.* gen_context(system_u:object_r:systemd_networkd_unit_t,s0)
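Review bot: The new unit entry omits the `--` file-type field that the systemd-backlight and systemd-binfmt lines right above it carry, so it also matches directories such as a `systemd-networkd.service.d` drop-in dir, and the `.*` tail additionally catches systemd-networkd-wait-online.service and systemd-networkd.socket. If only the service itself should be systemd_networkd_unit_t, tighten it to `/usr/lib/systemd/system/systemd-networkd\.service -- gen_context(system_u:object_r:systemd_networkd_unit_t,s0)`; if the extra units are meant to be included, keep the glob but add the `--` and say so in the commit message.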

/var/lib/systemd/backlight(/.*)? gen_context(system_u:object_r:systemd_backlight_var_lib_t,s0)
/var/lib/systemd/coredump(/.*)? gen_context(system_u:object_r:systemd_coredump_var_lib_t,s0)
@@ -52,6 +54,7 @@
/run/systemd/inhibit(/.*)? gen_context(system_u:object_r:systemd_logind_var_run_t,s0)
/run/systemd/nspawn(/.*)? gen_context(system_u:object_r:systemd_nspawn_var_run_t,s0)
/run/systemd/machines(/.*)? gen_context(system_u:object_r:systemd_machined_var_run_t,s0)
+/run/systemd/netif(/.*)? gen_context(system_u:object_r:systemd_networkd_var_run_t,s0)

/run/tmpfiles\.d -d gen_context(system_u:object_r:systemd_tmpfiles_conf_t,s0)
/run/tmpfiles\.d/.* <<none>>
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index 69669a1a..104eedc3 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -390,6 +390,122 @@ interface(`systemd_relabelto_journal_files',`

########################################
## <summary>
+## Allow domain to read systemd_networkd_t files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`systemd_read_networkd_files',`
+ gen_require(`
+ type systemd_networkd_t;
+ ')
+
+ init_search_units($1)
+ list_dirs_pattern($1, systemd_networkd_unit_t, systemd_networkd_unit_t)
+ read_files_pattern($1, systemd_networkd_unit_t, systemd_networkd_unit_t)
+')
+
+########################################
+## <summary>
+## Allow domain to create/manage systemd_networkd_t files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`systemd_manage_networkd_files',`
+ gen_require(`
+ type systemd_networkd_unit_t;
+ ')
+
+ init_search_units($1)
+ manage_dirs_pattern($1, systemd_networkd_unit_t, systemd_networkd_unit_t)
+ manage_files_pattern($1, systemd_networkd_unit_t, systemd_networkd_unit_t)
+')
+
+########################################
+## <summary>
+## Allow specified domain to start systemd-networkd units
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`systemd_startstop_networkd_units',`
+ gen_require(`
+ type systemd_networkd_unit_t;
+ class service { start stop };
+ ')
+
+ allow $1 systemd_networkd_unit_t:service { start stop };
+')
+
+########################################
+## <summary>
+## Allow specified domain to start systemd-networkd units
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`systemd_status_networkd_units',`
+ gen_require(`
+ type systemd_networkd_unit_t;
+ class service status;
+ ')
+
+ allow $1 systemd_networkd_unit_t:service status;
+')
+
+#######################################
+## <summary>
+## Relabel systemd_networkd tun socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`systemd_networkd_attach_tun_iface',`
+ gen_require(`
+ type systemd_networkd_t;
+ ')
+
+ allow $1 systemd_networkd_t:tun_socket relabelfrom;
+ allow $1 self:tun_socket relabelto;
+')
+
+#######################################
+## <summary>
+## Relabel systemd_networkd tun socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`systemd_networkd_use_sock',`
+ gen_require(`
+ type systemd_networkd_t;
+ ')
+
+ allow $1 systemd_networkd_t:netlink_route_socket client_stream_socket_perms;
+')
+
+
+########################################
+## <summary>
## Allow systemd_logind_t to read process state for cgroup file
## </summary>
## <param name="domain">
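Review bot: `systemd_read_networkd_files` requires `type systemd_networkd_t;` but every rule in its body operates on systemd_networkd_unit_t, so the gen_require should read `type systemd_networkd_unit_t;` — a module that calls this interface without the unit type otherwise in scope will fail to link, and the mismatch only goes unnoticed in a monolithic build. The summaries are also copy-pasted in several places: `systemd_status_networkd_units` says "start" although it grants only status, and `systemd_networkd_use_sock` says "Relabel systemd_networkd tun socket" although it grants client_stream_socket_perms on the netlink_route_socket. The latter should read something like `## Read and write the systemd_networkd netlink route socket.` so that callers understand what they are being given.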
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 166bd4dd..ffa62563 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -109,6 +109,16 @@ type systemd_machined_var_run_t;
files_pid_file(systemd_machined_var_run_t)
init_daemon_pid_file(systemd_machined_var_run_t, dir, "machines")

+type systemd_networkd_t;
+type systemd_networkd_exec_t;
+init_system_domain(systemd_networkd_t, systemd_networkd_exec_t)
+
+type systemd_networkd_unit_t;
+init_unit_file(systemd_networkd_unit_t)
+
+type systemd_networkd_var_run_t;
+files_pid_file(systemd_networkd_var_run_t)
+
type systemd_notify_t;
type systemd_notify_exec_t;
init_daemon_domain(systemd_notify_t, systemd_notify_exec_t)
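Review bot: systemd_networkd_var_run_t gets only files_pid_file(), whereas systemd_machined_var_run_t two lines above also gets `init_daemon_pid_file(systemd_machined_var_run_t, dir, "machines")`. Without the equivalent `init_daemon_pid_file(systemd_networkd_var_run_t, dir, "netif")`, /run/systemd/netif created at boot by PID 1 (if the unit uses RuntimeDirectory=) inherits its parent's label and the /run/systemd/netif fc entry added in this patch only takes effect on a relabel. If networkd creates the directory itself instead, it needs a filetrans of its own on init_var_run_t in the local-policy hunk below; which of the two applies should be confirmed against the shipped unit file.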
@@ -516,6 +526,66 @@ optional_policy(`

########################################
#
+# networkd local policy
+#
+
+allow systemd_networkd_t self:capability { chown dac_override fowner net_admin net_raw setgid setpcap setuid };
+allow systemd_networkd_t self:netlink_kobject_uevent_socket create_socket_perms;
+allow systemd_networkd_t self:netlink_route_socket { create_socket_perms nlmsg_read nlmsg_write };
+allow systemd_networkd_t self:packet_socket create_socket_perms;
+allow systemd_networkd_t self:process { getcap setcap setfscreate };
+allow systemd_networkd_t self:rawip_socket create_socket_perms;
+allow systemd_networkd_t self:tun_socket { create_socket_perms relabelfrom relabelto };
+allow systemd_networkd_t self:udp_socket create_socket_perms;
+allow systemd_networkd_t self:unix_dgram_socket create_socket_perms;
+
+manage_dirs_pattern(systemd_networkd_t, systemd_networkd_var_run_t, systemd_networkd_var_run_t)
+manage_files_pattern(systemd_networkd_t, systemd_networkd_var_run_t, systemd_networkd_var_run_t)
+manage_lnk_files_pattern(systemd_networkd_t, systemd_networkd_var_run_t, systemd_networkd_var_run_t)
+
+kernel_dgram_send(systemd_networkd_t)
+kernel_read_system_state(systemd_networkd_t)
+kernel_read_kernel_sysctls(systemd_networkd_t)
+kernel_read_network_state(systemd_networkd_t)
+kernel_request_load_module(systemd_networkd_t)
+kernel_rw_net_sysctls(systemd_networkd_t)
+
+auth_use_nsswitch(systemd_networkd_t)
+
+corecmd_bin_entry_type(systemd_networkd_t)
+corecmd_exec_bin(systemd_networkd_t)
+
+corenet_rw_tun_tap_dev(systemd_networkd_t)
+
+dev_read_urand(systemd_networkd_t)
+dev_read_sysfs(systemd_networkd_t)
+dev_write_kmsg(systemd_networkd_t)
+
+files_read_etc_files(systemd_networkd_t)
+
+init_dgram_send(systemd_networkd_t)
+init_read_state(systemd_networkd_t)
+
+logging_send_syslog_msg(systemd_networkd_t)
+
+miscfiles_read_localization(systemd_networkd_t)
+
+sysnet_read_config(systemd_networkd_t)
+
+systemd_log_parse_environment(systemd_networkd_t)
+
+optional_policy(`
+ dbus_system_bus_client(systemd_networkd_t)
+ dbus_connect_system_bus(systemd_networkd_t)
+')
+
+optional_policy(`
+ udev_read_db(systemd_networkd_t)
+ udev_read_pid_files(systemd_networkd_t)
+')
+
+########################################
+#
# systemd_notify local policy
#
allow systemd_notify_t self:capability chown;
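Review bot: `corecmd_bin_entry_type(systemd_networkd_t)` makes every bin_t executable a valid entrypoint into systemd_networkd_t on top of systemd_networkd_exec_t, which init_system_domain() already declares; the unit labeled in this patch runs only /usr/lib/systemd/systemd-networkd, so this appears to widen the domain's entrypoints without a visible need and I would drop it (if an ExecStartPre script motivated it, label that script instead). `dac_override` in the self:capability line deserves a pointer to the specific denial as well: the setuid/setgid/setpcap grants suggest the daemon drops privileges, and the inputs it reads here (net_conf_t, sysfs, the udev db) are normally world-readable, so the root cause is more often a directory mode than a real need for the capability. `corecmd_exec_bin` likewise has no consumer visible in this hunk, and `kernel_request_load_module` is worth a one-line comment naming the module autoload it is for.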
--
2.13.5


2017-10-11 00:31:35

by Chris PeBenito

Subject: [refpolicy] [PATCH 1/1] policy for systemd-networkd

On 10/09/2017 05:22 PM, David Sugar via refpolicy wrote:
> Policy needed for systemd-networkd to function. This is based on a patch from krzysztof.a.nowicki at gmail.com that was submitted back in May (I talked to him via email a while ago about me picking up the patch). He was too busy to update and I needed to get it working.
>
> I hope I have ordering of interfaces correctly in systemd.if but please comment if something is off and I will correct them.
>
> Signed-off-by: Dave Sugar <[email protected]>
> ---
> policy/modules/system/init.te | 1 +
> policy/modules/system/sysnetwork.fc | 2 +
> policy/modules/system/systemd.fc | 3 +
> policy/modules/system/systemd.if | 116 ++++++++++++++++++++++++++++++++++++
> policy/modules/system/systemd.te | 70 ++++++++++++++++++++++
> 5 files changed, 192 insertions(+)
>
> diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
> index df5e1611..2d2eb57e 100644
> --- a/policy/modules/system/init.te
> +++ b/policy/modules/system/init.te
> @@ -325,6 +325,7 @@ ifdef(`init_systemd',`
> systemd_manage_passwd_runtime_symlinks(init_t)
> systemd_use_passwd_agent(init_t)
> systemd_list_tmpfiles_conf(init_t)
> + systemd_networkd_use_sock(init_t)
> systemd_relabelto_tmpfiles_conf_dirs(init_t)
> systemd_relabelto_tmpfiles_conf_files(init_t)
> systemd_relabelto_journal_dirs(init_t)
> diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc
> index ae4fbea2..91fb5160 100644
> --- a/policy/modules/system/sysnetwork.fc
> +++ b/policy/modules/system/sysnetwork.fc
> @@ -24,6 +24,8 @@ ifdef(`distro_debian',`
> /etc/dhcp3(/.*)? gen_context(system_u:object_r:dhcp_etc_t,s0)
> /etc/dhcp3?/dhclient.* gen_context(system_u:object_r:dhcp_etc_t,s0)
>
> +/etc/systemd/network(/.*)? gen_context(system_u:object_r:net_conf_t,s0)
> +
> ifdef(`distro_redhat',`
> /etc/sysconfig/network-scripts/.*resolv\.conf -- gen_context(system_u:object_r:net_conf_t,s0)
> /etc/sysconfig/networking(/.*)? gen_context(system_u:object_r:net_conf_t,s0)
> diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
> index 57944e1d..56e9bc13 100644
> --- a/policy/modules/system/systemd.fc
> +++ b/policy/modules/system/systemd.fc
> @@ -23,6 +23,7 @@
> /usr/lib/systemd/systemd-localed -- gen_context(system_u:object_r:systemd_locale_exec_t,s0)
> /usr/lib/systemd/systemd-logind -- gen_context(system_u:object_r:systemd_logind_exec_t,s0)
> /usr/lib/systemd/systemd-machined -- gen_context(system_u:object_r:systemd_machined_exec_t,s0)
> +/usr/lib/systemd/systemd-networkd -- gen_context(system_u:object_r:systemd_networkd_exec_t,s0)
> /usr/lib/systemd/systemd-resolved -- gen_context(system_u:object_r:systemd_resolved_exec_t,s0)
> /usr/lib/systemd/systemd-user-sessions -- gen_context(system_u:object_r:systemd_sessions_exec_t,s0)
>
> @@ -36,6 +37,7 @@
> /usr/lib/systemd/system/[^/]*suspend.* -- gen_context(system_u:object_r:power_unit_t,s0)
> /usr/lib/systemd/system/systemd-backlight.* -- gen_context(system_u:object_r:systemd_backlight_unit_t,s0)
> /usr/lib/systemd/system/systemd-binfmt.* -- gen_context(system_u:object_r:systemd_binfmt_unit_t,s0)
> +/usr/lib/systemd/system/systemd-networkd.* gen_context(system_u:object_r:systemd_networkd_unit_t,s0)
>
> /var/lib/systemd/backlight(/.*)? gen_context(system_u:object_r:systemd_backlight_var_lib_t,s0)
> /var/lib/systemd/coredump(/.*)? gen_context(system_u:object_r:systemd_coredump_var_lib_t,s0)
> @@ -52,6 +54,7 @@
> /run/systemd/inhibit(/.*)? gen_context(system_u:object_r:systemd_logind_var_run_t,s0)
> /run/systemd/nspawn(/.*)? gen_context(system_u:object_r:systemd_nspawn_var_run_t,s0)
> /run/systemd/machines(/.*)? gen_context(system_u:object_r:systemd_machined_var_run_t,s0)
> +/run/systemd/netif(/.*)? gen_context(system_u:object_r:systemd_networkd_var_run_t,s0)
>
> /run/tmpfiles\.d -d gen_context(system_u:object_r:systemd_tmpfiles_conf_t,s0)
> /run/tmpfiles\.d/.* <<none>>
> diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
> index 69669a1a..104eedc3 100644
> --- a/policy/modules/system/systemd.if
> +++ b/policy/modules/system/systemd.if
> @@ -390,6 +390,122 @@ interface(`systemd_relabelto_journal_files',`
>
> ########################################
> ## <summary>
> +## Allow domain to read systemd_networkd_t files
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`systemd_read_networkd_files',`
> + gen_require(`
> + type systemd_networkd_t;
> + ')
> +
> + init_search_units($1)
> + list_dirs_pattern($1, systemd_networkd_unit_t, systemd_networkd_unit_t)
> + read_files_pattern($1, systemd_networkd_unit_t, systemd_networkd_unit_t)
> +')
> +
> +########################################
> +## <summary>
> +## Allow domain to create/manage systemd_networkd_t files
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`systemd_manage_networkd_files',`

This and the above interface should be like systemd_manage_networkd_units


> + gen_require(`
> + type systemd_networkd_unit_t;
> + ')
> +
> + init_search_units($1)
> + manage_dirs_pattern($1, systemd_networkd_unit_t, systemd_networkd_unit_t)
> + manage_files_pattern($1, systemd_networkd_unit_t, systemd_networkd_unit_t)
> +')
> +
> +########################################
> +## <summary>
> +## Allow specified domain to start systemd-networkd units
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`systemd_startstop_networkd_units',`

systemd_startstop_networkd


> + gen_require(`
> + type systemd_networkd_unit_t;
> + class service { start stop };
> + ')
> +
> + allow $1 systemd_networkd_unit_t:service { start stop };
> +')
> +
> +########################################
> +## <summary>
> +## Allow specified domain to start systemd-networkd units
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`systemd_status_networkd_units',`

systemd_status_networkd


> + gen_require(`
> + type systemd_networkd_unit_t;
> + class service status;
> + ')
> +
> + allow $1 systemd_networkd_unit_t:service status;
> +')
> +
> +#######################################
> +## <summary>
> +## Relabel systemd_networkd tun socket.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`systemd_networkd_attach_tun_iface',`
> + gen_require(`
> + type systemd_networkd_t;
> + ')
> +
> + allow $1 systemd_networkd_t:tun_socket relabelfrom;

Should be systemd_relabelfrom_networkd_tun_sockets, without the below rule.

> + allow $1 self:tun_socket relabelto;
> +')
> +
> +#######################################
> +## <summary>
> +## Relabel systemd_networkd tun socket.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`systemd_networkd_use_sock',`
> + gen_require(`
> + type systemd_networkd_t;
> + ')
> +
> + allow $1 systemd_networkd_t:netlink_route_socket client_stream_socket_perms;
> +')

systemd_rw_networkd_netlink_route_sockets

> +
> +
> +########################################
> +## <summary>
> ## Allow systemd_logind_t to read process state for cgroup file
> ## </summary>
> ## <param name="domain">
> diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
> index 166bd4dd..ffa62563 100644
> --- a/policy/modules/system/systemd.te
> +++ b/policy/modules/system/systemd.te
> @@ -109,6 +109,16 @@ type systemd_machined_var_run_t;
> files_pid_file(systemd_machined_var_run_t)
> init_daemon_pid_file(systemd_machined_var_run_t, dir, "machines")
>
> +type systemd_networkd_t;
> +type systemd_networkd_exec_t;
> +init_system_domain(systemd_networkd_t, systemd_networkd_exec_t)
> +
> +type systemd_networkd_unit_t;
> +init_unit_file(systemd_networkd_unit_t)
> +
> +type systemd_networkd_var_run_t;
> +files_pid_file(systemd_networkd_var_run_t)
> +
> type systemd_notify_t;
> type systemd_notify_exec_t;
> init_daemon_domain(systemd_notify_t, systemd_notify_exec_t)
> @@ -516,6 +526,66 @@ optional_policy(`
>
> ########################################
> #
> +# networkd local policy
> +#
> +
> +allow systemd_networkd_t self:capability { chown dac_override fowner net_admin net_raw setgid setpcap setuid };
> +allow systemd_networkd_t self:netlink_kobject_uevent_socket create_socket_perms;
> +allow systemd_networkd_t self:netlink_route_socket { create_socket_perms nlmsg_read nlmsg_write };
> +allow systemd_networkd_t self:packet_socket create_socket_perms;
> +allow systemd_networkd_t self:process { getcap setcap setfscreate };
> +allow systemd_networkd_t self:rawip_socket create_socket_perms;
> +allow systemd_networkd_t self:tun_socket { create_socket_perms relabelfrom relabelto };
> +allow systemd_networkd_t self:udp_socket create_socket_perms;
> +allow systemd_networkd_t self:unix_dgram_socket create_socket_perms;
> +
> +manage_dirs_pattern(systemd_networkd_t, systemd_networkd_var_run_t, systemd_networkd_var_run_t)
> +manage_files_pattern(systemd_networkd_t, systemd_networkd_var_run_t, systemd_networkd_var_run_t)
> +manage_lnk_files_pattern(systemd_networkd_t, systemd_networkd_var_run_t, systemd_networkd_var_run_t)
> +
> +kernel_dgram_send(systemd_networkd_t)
> +kernel_read_system_state(systemd_networkd_t)
> +kernel_read_kernel_sysctls(systemd_networkd_t)
> +kernel_read_network_state(systemd_networkd_t)
> +kernel_request_load_module(systemd_networkd_t)
> +kernel_rw_net_sysctls(systemd_networkd_t)
> +
> +auth_use_nsswitch(systemd_networkd_t)

This should be between the files and init calls below


> +corecmd_bin_entry_type(systemd_networkd_t)
> +corecmd_exec_bin(systemd_networkd_t)
> +
> +corenet_rw_tun_tap_dev(systemd_networkd_t)
> +
> +dev_read_urand(systemd_networkd_t)
> +dev_read_sysfs(systemd_networkd_t)
> +dev_write_kmsg(systemd_networkd_t)
> +
> +files_read_etc_files(systemd_networkd_t)
> +
> +init_dgram_send(systemd_networkd_t)
> +init_read_state(systemd_networkd_t)
> +
> +logging_send_syslog_msg(systemd_networkd_t)
> +
> +miscfiles_read_localization(systemd_networkd_t)
> +
> +sysnet_read_config(systemd_networkd_t)
> +
> +systemd_log_parse_environment(systemd_networkd_t)
> +
> +optional_policy(`
> + dbus_system_bus_client(systemd_networkd_t)
> + dbus_connect_system_bus(systemd_networkd_t)
> +')
> +
> +optional_policy(`
> + udev_read_db(systemd_networkd_t)
> + udev_read_pid_files(systemd_networkd_t)
> +')
> +
> +########################################
> +#
> # systemd_notify local policy
> #
> allow systemd_notify_t self:capability chown;
>


--
Chris PeBenito