commit: 3fdae66e37713cc8633303fdd3f09032b422b095 Author: Nicolas Iooss <nicolas.iooss <AT> m4x <DOT> org> AuthorDate: Mon Jan 11 18:14:55 2016 +0000 Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> CommitDate: Sat Jan 30 17:16:56 2016 +0000 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=3fdae66e
Allow systemd services to use PrivateNetwork feature systemd creates a new network namespace for services which are using PrivateNetwork=yes. In the implementation, systemd uses a socketpair as a storage buffer for the namespace reference file descriptor (c.f. https://github.com/systemd/systemd/blob/v228/src/core/namespace.c#L660). One end of this socketpair is locked (hence the need of "lock" access to self:unix_dgram_socket for init_t) while systemd opens /proc/self/ns/net, which lives in nsfs. While at it, add filesystem_type attribute to nsfs_t.
policy/modules/kernel/filesystem.if | 17 +++++++++++++++++
policy/modules/kernel/filesystem.te | 1 +
policy/modules/system/init.te | 3 +++
3 files changed, 21 insertions(+)
diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
index 0db8233..b9b30da 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -3360,6 +3360,23 @@ interface(`fs_rw_nfsd_fs',`
 ########################################
 ## <summary>
+## Read nsfs inodes (e.g. /proc/pid/ns/uts)
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_read_nsfs_files',`
+ gen_require(`
+ type nsfs_t;
+ ')
+
+ allow $1 nsfs_t:file read_file_perms;
+')
+########################################
+## <summary>
 ## Getattr on pstore dirs.
 ## </summary>
 ## <param name="domain">
diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
index 89de79d..04ea6b6 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@@ -127,6 +127,7 @@ fs_type(nfsd_fs_t)
 genfscon nfsd / gen_context(system_u:object_r:nfsd_fs_t,s0)
 type nsfs_t;
+fs_type(nsfs_t)
 genfscon nsfs / gen_context(system_u:object_r:nsfs_t,s0)
 type oprofilefs_t;
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index a7fa7c0..4006e4f 100644
--- a/policy/modules/system/init.te
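Review bot: The interface documentation for fs_read_nsfs_files does not say that the nsfs inode is only reachable through the /proc/<pid>/ns/* symlink, which lives in proc rather than nsfs, so a caller that cannot read that link will still be denied before the new nsfs_t rule is ever consulted; whether init_t already holds that access is not visible in this diff. A note in the summary would save the next caller a denial hunt, e.g. `## The /proc/<pid>/ns symlinks are in proc, not nsfs; callers need read access to them separately.`. The example in the summary names the uts namespace while the commit adds this for the net namespace; `## Read nsfs inodes (e.g. /proc/pid/ns/net)` would match the documented use.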
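Review bot: The added `fs_type(nsfs_t)` line is uncommented although it widens access beyond this commit's stated use: per the commit message fs_type() places nsfs_t under the filesystem_type attribute, so any domain already granted an attribute-wide rule on filesystem_type now receives it for nsfs as well. That is consistent with the neighbouring pseudo filesystems (nfsd_fs_t just above carries the same call), but a one-line comment would record the intent, e.g. `# filesystem_type attribute: nsfs_t is now covered by the fs_*_all_fs interfaces`. Which existing domains gain access through the attribute cannot be told from this hunk.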
+++ b/policy/modules/system/init.te
@@ -199,6 +199,7 @@ ifdef(`init_systemd',`
 allow init_t self:netlink_kobject_uevent_socket create_socket_perms;
 allow init_t self:netlink_route_socket create_netlink_socket_perms;
 allow init_t self:netlink_selinux_socket create_socket_perms;
+ allow init_t self:unix_dgram_socket lock;
 manage_files_pattern(init_t, init_var_run_t, init_var_run_t)
 manage_lnk_files_pattern(init_t, init_var_run_t, init_var_run_t)
@@ -260,6 +261,8 @@ ifdef(`init_systemd',`
 # mount-setup
 fs_unmount_autofs(init_t)
 fs_getattr_pstore_dirs(init_t)
+ # for network namespaces
+ fs_read_nsfs_files(init_t)
 # systemd_socket_activated policy
 mls_socket_write_all_levels(init_t)
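Review bot: The new `allow init_t self:unix_dgram_socket lock;` in the first init.te hunk has no why-comment, unlike the fs_read_nsfs_files line in the second hunk, and the reason is not obvious from the rule itself; the commit message explains that systemd locks one end of a socketpair it uses to hold the namespace fd for PrivateNetwork=. Suggest a comment directly above it, e.g. `# PrivateNetwork=: systemd locks one end of the socketpair that stores the netns fd`. Whether init_t already holds create/read/write on self:unix_dgram_socket, without which lock alone would not be enough, cannot be confirmed from this hunk; the enclosing ifdef(`init_systemd') block starts and ends outside both hunks.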