commit: 1e529853d647536648b7a36b39f234280ed580ec
Author: Krzysztof Nowicki <krissn <AT> op <DOT> pl>
AuthorDate: Thu Feb 4 15:19:40 2021 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Feb 15 19:49:24 2021 +0000
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=1e529853
Fix setting-up sandbox environment for systemd-networkd
Systemd starts networkd in a sandbox environment for enhanced
security. As part of that, several mounts need to be prepared, of
which one fails:
avc: denied { mounton } for pid=711 comm="(networkd)"
path="/run/systemd/unit-root/run/systemd/netif" dev="tmpfs" ino=1538
scontext=system_u:system_r:init_t:s0
tcontext=system_u:object_r:systemd_networkd_runtime_t:s0 tclass=dir
permissive=1
Fix this by declaring directories of systemd_networkd_runtime_t type
as an init daemon mount point.
Signed-off-by: Krzysztof Nowicki <krissn <AT> op.pl>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>
policy/modules/system/systemd.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 427ae600..2b50638b 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -179,6 +179,7 @@ init_system_domain(systemd_networkd_t,
systemd_networkd_exec_t)
type systemd_networkd_runtime_t alias systemd_networkd_var_run_t;
files_runtime_file(systemd_networkd_runtime_t)
+init_mountpoint(systemd_networkd_runtime_t)
type systemd_networkd_unit_t;
init_unit_file(systemd_networkd_unit_t)
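Review bot: the denial this hunk fixes was recorded with permissive=1, and the message says several sandbox mounts are prepared of which only this one failed, so the single init_mountpoint(systemd_networkd_runtime_t) line should be confirmed under enforcing mode before merge; in permissive mode only the first denied check on a given object is logged, so further mounton denials on other sandbox mount points may not have appeared in that trace. Granting the permission through init_mountpoint() rather than to systemd_networkd_t itself is the right placement, since the AVC shows scontext=init_t on the unit-root path, but it would help to state in the commit message that the remaining mounts were checked so a later reader does not have to reconstruct that from the log.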