commit:     c17970cb2afae09ea21a3630bbd02f7f0d402844
Author:     David Sugar <dsugar <AT> tresys <DOT> com>
AuthorDate: Wed Oct 11 14:59:08 2017 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Oct 29 12:59:50 2017 +0000
URL:        
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c17970cb

policy for systemd-networkd

Policy needed for systemd-networkd to function.  This is based on a patch from 
krzysztof.a.nowicki at gmail.com that was submitted back in May (I talked to 
him via email a while ago about me picking up the patch).  He was too busy to 
update and I needed to get it working.

I am pretty sure I updated everything mentioned in previous feedback, please 
comment if something is still off and I will revise.

Signed-off-by: Dave Sugar <dsugar <AT> tresys.com>

 policy/modules/system/init.te       |   1 +
 policy/modules/system/sysnetwork.fc |   2 +
 policy/modules/system/systemd.fc    |   3 +
 policy/modules/system/systemd.if    | 115 ++++++++++++++++++++++++++++++++++++
 policy/modules/system/systemd.te    |  70 ++++++++++++++++++++++
 5 files changed, 191 insertions(+)

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 350554d3..02a9e3b8 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -329,6 +329,7 @@ ifdef(`init_systemd',`
        files_create_all_pid_sockets(init_t)
        files_create_all_spool_sockets(init_t)
        files_create_lock_dirs(init_t)
+       systemd_rw_networkd_netlink_route_sockets(init_t)
        files_delete_all_pids(init_t)
        files_delete_all_spool_sockets(init_t)
        files_exec_generic_pid_files(init_t)
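Review bot: The new `systemd_rw_networkd_netlink_route_sockets(init_t)` call is wedged between `files_create_lock_dirs` and `files_delete_all_pids`, breaking the alphabetical `files_*` run this block otherwise keeps; it belongs with the other `systemd_*` calls in the `init_systemd` block. It is also not clear from the hunk why init_t needs read/write on networkd's netlink route socket (client_stream_socket_perms, per the interface added in systemd.if) — presumably a descriptor inherited across a daemon restart rather than init itself talking to rtnetlink — so a one-line comment naming the observed denial, e.g. `# networkd netlink fd inherited by init (seen on restart)`, would let a later reader decide whether the permission can be narrowed. The enclosing ifdef block starts and ends outside the hunk.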

diff --git a/policy/modules/system/sysnetwork.fc 
b/policy/modules/system/sysnetwork.fc
index c71281bd..3b532567 100644
--- a/policy/modules/system/sysnetwork.fc
+++ b/policy/modules/system/sysnetwork.fc
@@ -24,6 +24,8 @@ ifdef(`distro_debian',`
 /etc/dhcp3(/.*)?               gen_context(system_u:object_r:dhcp_etc_t,s0)
 /etc/dhcp3?/dhclient.*         gen_context(system_u:object_r:dhcp_etc_t,s0)
 
+/etc/systemd/network(/.*)?     gen_context(system_u:object_r:net_conf_t,s0)
+
 ifdef(`distro_redhat',`
 /etc/sysconfig/network-scripts/.*resolv\.conf -- 
gen_context(system_u:object_r:net_conf_t,s0)
 /etc/sysconfig/networking(/.*)? gen_context(system_u:object_r:net_conf_t,s0)
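Review bot: Labelling `/etc/systemd/network(/.*)?` with the generic `net_conf_t` means networkd's `.network`, `.netdev` and `.link` files become writable by every domain that the rest of the policy already lets write `net_conf_t`, not just by an administrator; those files define interfaces, routes and virtual netdevs, so that is a wider write set than the daemon's own configuration usually warrants. If reuse of `net_conf_t` is deliberate (it keeps `sysnet_read_config` working for networkd, as the .te hunk relies on), a comment stating the trade-off, e.g. `# shares net_conf_t so sysnet_* interfaces cover networkd config; writable by any net_conf_t writer`, would record the decision; otherwise a dedicated `systemd_networkd_conf_t` read by networkd only would be the tighter choice. I cannot see from this hunk which domains currently get write access to `net_conf_t`, so the exposure is inferred.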

diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
index c697a1c9..392b00b9 100644
--- a/policy/modules/system/systemd.fc
+++ b/policy/modules/system/systemd.fc
@@ -21,6 +21,7 @@
 /usr/lib/systemd/systemd-localed       --      
gen_context(system_u:object_r:systemd_locale_exec_t,s0)
 /usr/lib/systemd/systemd-logind                --      
gen_context(system_u:object_r:systemd_logind_exec_t,s0)
 /usr/lib/systemd/systemd-machined      --      
gen_context(system_u:object_r:systemd_machined_exec_t,s0)
+/usr/lib/systemd/systemd-networkd      --      
gen_context(system_u:object_r:systemd_networkd_exec_t,s0)
 /usr/lib/systemd/systemd-resolved      --      
gen_context(system_u:object_r:systemd_resolved_exec_t,s0)
 /usr/lib/systemd/systemd-user-sessions --      
gen_context(system_u:object_r:systemd_sessions_exec_t,s0)
 
@@ -34,6 +35,7 @@
 /usr/lib/systemd/system/[^/]*suspend.* --      
gen_context(system_u:object_r:power_unit_t,s0)
 /usr/lib/systemd/system/systemd-backlight.*    --      
gen_context(system_u:object_r:systemd_backlight_unit_t,s0)
 /usr/lib/systemd/system/systemd-binfmt.*       --      
gen_context(system_u:object_r:systemd_binfmt_unit_t,s0)
+/usr/lib/systemd/system/systemd-networkd.*             
gen_context(system_u:object_r:systemd_networkd_unit_t,s0)
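Review bot: The new `systemd-networkd.*` unit entry is missing the `--` file-type specifier that the sibling `systemd-backlight.*` and `systemd-binfmt.*` entries carry, so the pattern also applies to directories, symlinks and sockets under that name rather than regular files only; change it to `/usr/lib/systemd/system/systemd-networkd.* -- gen_context(system_u:object_r:systemd_networkd_unit_t,s0)`. Note also that the unanchored `.*` covers `systemd-networkd-wait-online.service` as well as `systemd-networkd.service` and `.socket`, which is probably intended but means `systemd_startstop_networkd` grants start/stop on the wait-online unit too.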
 
 /var/lib/systemd/backlight(/.*)?       
gen_context(system_u:object_r:systemd_backlight_var_lib_t,s0)
 /var/lib/systemd/coredump(/.*)?        
gen_context(system_u:object_r:systemd_coredump_var_lib_t,s0)
@@ -50,6 +52,7 @@
 /run/systemd/inhibit(/.*)?     
gen_context(system_u:object_r:systemd_logind_var_run_t,s0)
 /run/systemd/nspawn(/.*)?      
gen_context(system_u:object_r:systemd_nspawn_var_run_t,s0)
 /run/systemd/machines(/.*)?    
gen_context(system_u:object_r:systemd_machined_var_run_t,s0)
+/run/systemd/netif(/.*)?       
gen_context(system_u:object_r:systemd_networkd_var_run_t,s0)
 
 ifdef(`init_systemd',`
 /run/tmpfiles\.d       -d      
gen_context(system_u:object_r:systemd_tmpfiles_conf_t,s0)

diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index 69669a1a..8f914837 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -390,6 +390,121 @@ interface(`systemd_relabelto_journal_files',`
 
 ########################################
 ## <summary>
+##     Allow domain to read systemd_networkd_t unit files
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`systemd_read_networkd_units',`
+       gen_require(`
+               type systemd_networkd_t;
+       ')
+
+       init_search_units($1)
+       list_dirs_pattern($1, systemd_networkd_unit_t, systemd_networkd_unit_t)
+       read_files_pattern($1, systemd_networkd_unit_t, systemd_networkd_unit_t)
+')
+
+########################################
+## <summary>
+##     Allow domain to create/manage systemd_networkd_t unit files
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`systemd_manage_networkd_units',`
+       gen_require(`
+               type systemd_networkd_unit_t;
+       ')
+
+       init_search_units($1)
+       manage_dirs_pattern($1, systemd_networkd_unit_t, 
systemd_networkd_unit_t)
+       manage_files_pattern($1, systemd_networkd_unit_t, 
systemd_networkd_unit_t)
+')
+
+########################################
+## <summary>
+##     Allow specified domain to start systemd-networkd units
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`systemd_startstop_networkd',`
+       gen_require(`
+               type systemd_networkd_unit_t;
+               class service { start stop };
+       ')
+
+       allow $1 systemd_networkd_unit_t:service { start stop };
+')
+
+########################################
+## <summary>
+##     Allow specified domain to get status of systemd-networkd
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`systemd_status_networkd',`
+       gen_require(`
+               type systemd_networkd_unit_t;
+               class service status;
+       ')
+
+       allow $1 systemd_networkd_unit_t:service status;
+')
+
+#######################################
+## <summary>
+## Relabel systemd_networkd tun socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`systemd_relabelfrom_networkd_tun_sockets',`
+       gen_require(`
+               type systemd_networkd_t;
+       ')
+
+       allow $1 systemd_networkd_t:tun_socket relabelfrom;
+')
+
+#######################################
+## <summary>
+## Read/Write from systemd_networkd netlink route socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`systemd_rw_networkd_netlink_route_sockets',`
+       gen_require(`
+               type systemd_networkd_t;
+       ')
+
+       allow $1 systemd_networkd_t:netlink_route_socket 
client_stream_socket_perms;
+')
+
+
+########################################
+## <summary>
 ##     Allow systemd_logind_t to read process state for cgroup file
 ## </summary>
 ## <param name="domain">
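Review bot: `systemd_read_networkd_units` declares `type systemd_networkd_t;` in its gen_require but the body only uses `systemd_networkd_unit_t`, so a module calling this interface without that type in scope fails to build and the requirement it does list is unused; it should read `type systemd_networkd_unit_t;` as `systemd_manage_networkd_units` correctly does. Separately, the summary of `systemd_startstop_networkd` says "start" while the rule grants `{ start stop }`; make the summary `Allow specified domain to start and stop systemd-networkd units` so the doc matches the permission. The `systemd_rw_networkd_netlink_route_sockets` interface grants `client_stream_socket_perms` on another domain's rtnetlink socket, which includes write; a short comment on why a foreign domain needs that (inherited descriptor, presumably) would help reviewers of future callers.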

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 74cfe704..56aa9198 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -109,6 +109,16 @@ type systemd_machined_var_run_t;
 files_pid_file(systemd_machined_var_run_t)
 init_daemon_pid_file(systemd_machined_var_run_t, dir, "machines")
 
+type systemd_networkd_t;
+type systemd_networkd_exec_t;
+init_system_domain(systemd_networkd_t, systemd_networkd_exec_t)
+
+type systemd_networkd_unit_t;
+init_unit_file(systemd_networkd_unit_t)
+
+type systemd_networkd_var_run_t;
+files_pid_file(systemd_networkd_var_run_t)
+
 type systemd_notify_t;
 type systemd_notify_exec_t;
 init_daemon_domain(systemd_notify_t, systemd_notify_exec_t)
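Review bot: `systemd_networkd_var_run_t` is declared with `files_pid_file` only, whereas the neighbouring `systemd_machined_var_run_t` pairs that with `init_daemon_pid_file(systemd_machined_var_run_t, dir, "machines")`; if init creates `/run/systemd/netif` on the daemon's behalf (RuntimeDirectory= in the unit, which I cannot confirm from this hunk), the directory will be created as init's pid type and networkd's `manage_*_pattern` rules on its own var_run type will never apply. Adding `init_daemon_pid_file(systemd_networkd_var_run_t, dir, "netif")` after the `files_pid_file` line keeps the label consistent with the `/run/systemd/netif(/.*)?` entry in systemd.fc regardless of who creates the directory. If networkd creates the directory itself, a comment saying so would explain the asymmetry with machined.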
@@ -516,6 +526,66 @@ optional_policy(`
 
 ########################################
 #
+# networkd local policy
+#
+
+allow systemd_networkd_t self:capability { chown dac_override fowner net_admin 
net_raw setgid setpcap setuid };
+allow systemd_networkd_t self:netlink_kobject_uevent_socket 
create_socket_perms;
+allow systemd_networkd_t self:netlink_route_socket { create_socket_perms 
nlmsg_read nlmsg_write };
+allow systemd_networkd_t self:packet_socket create_socket_perms;
+allow systemd_networkd_t self:process { getcap setcap setfscreate };
+allow systemd_networkd_t self:rawip_socket create_socket_perms;
+allow systemd_networkd_t self:tun_socket { create_socket_perms relabelfrom 
relabelto };
+allow systemd_networkd_t self:udp_socket create_socket_perms;
+allow systemd_networkd_t self:unix_dgram_socket create_socket_perms;
+
+manage_dirs_pattern(systemd_networkd_t, systemd_networkd_var_run_t, 
systemd_networkd_var_run_t)
+manage_files_pattern(systemd_networkd_t, systemd_networkd_var_run_t, 
systemd_networkd_var_run_t)
+manage_lnk_files_pattern(systemd_networkd_t, systemd_networkd_var_run_t, 
systemd_networkd_var_run_t)
+
+kernel_dgram_send(systemd_networkd_t)
+kernel_read_system_state(systemd_networkd_t)
+kernel_read_kernel_sysctls(systemd_networkd_t)
+kernel_read_network_state(systemd_networkd_t)
+kernel_request_load_module(systemd_networkd_t)
+kernel_rw_net_sysctls(systemd_networkd_t)
+
+corecmd_bin_entry_type(systemd_networkd_t)
+corecmd_exec_bin(systemd_networkd_t)
+
+corenet_rw_tun_tap_dev(systemd_networkd_t)
+
+dev_read_urand(systemd_networkd_t)
+dev_read_sysfs(systemd_networkd_t)
+dev_write_kmsg(systemd_networkd_t)
+
+files_read_etc_files(systemd_networkd_t)
+
+auth_use_nsswitch(systemd_networkd_t)
+
+init_dgram_send(systemd_networkd_t)
+init_read_state(systemd_networkd_t)
+
+logging_send_syslog_msg(systemd_networkd_t)
+
+miscfiles_read_localization(systemd_networkd_t)
+
+sysnet_read_config(systemd_networkd_t)
+
+systemd_log_parse_environment(systemd_networkd_t)
+
+optional_policy(`
+       dbus_system_bus_client(systemd_networkd_t)
+       dbus_connect_system_bus(systemd_networkd_t)
+')
+
+optional_policy(`
+       udev_read_db(systemd_networkd_t)
+       udev_read_pid_files(systemd_networkd_t)
+')
+
+########################################
+#
 # systemd_notify local policy
 #
 allow systemd_notify_t self:capability chown;
