commit: d5789558424072fad44360f6b4f2e05c2b1200dd
Author: Yi Zhao <yi.zhao <AT> windriver <DOT> com>
AuthorDate: Mon Aug 12 03:09:52 2024 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Sep 21 22:28:29 2024 +0000
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d5789558
systemd: add policy for systemd-nsresourced
The systemd-nsresourced service was added in systemd v256[1]. Add policy
for this service and allow the affected domains to connect to it over its
unix socket.
Fixes:
avc: denied { connectto } for pid=325 comm="avahi-daemon"
path="/run/systemd/io.systemd.NamespaceResource"
scontext=system_u:system_r:avahi_t tcontext=system_u:system_r:initrc_t
tclass=unix_stream_socket permissive=1
avc: denied { write } for pid=327 comm="dbus-daemon"
name="io.systemd.NamespaceResource" dev="tmpfs" ino=54
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:init_runtime_t tclass=sock_file permissive=1
avc: denied { connectto } for pid=327 comm="dbus-daemon"
path="/run/systemd/io.systemd.NamespaceResource"
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:system_r:initrc_t tclass=unix_stream_socket
permissive=1
avc: denied { connectto } for pid=200 comm="systemd-userwor"
path="/run/systemd/io.systemd.NamespaceResource"
scontext=system_u:system_r:systemd_userdbd_t
tcontext=system_u:system_r:initrc_t tclass=unix_stream_socket
permissive=1
avc: denied { connectto } for pid=198 comm="systemd-userwor"
path="/run/systemd/io.systemd.NamespaceResource"
scontext=system_u:system_r:systemd_userdbd_t
tcontext=system_u:system_r:initrc_t tclass=unix_stream_socket
permissive=1
[1]
https://github.com/systemd/systemd/commit/8aee931e7ae1adb01eeac0e1e4c0aef6ed3969ec
Signed-off-by: Yi Zhao <yi.zhao <AT> windriver.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>
policy/modules/services/avahi.te | 4 ++++
policy/modules/services/bind.te | 4 ++++
policy/modules/services/dbus.te | 2 ++
policy/modules/services/postfix.te | 8 ++++++++
policy/modules/system/systemd.fc | 4 ++++
policy/modules/system/systemd.if | 21 +++++++++++++++++++++
policy/modules/system/systemd.te | 36 ++++++++++++++++++++++++++++++++++++
7 files changed, 79 insertions(+)
diff --git a/policy/modules/services/avahi.te b/policy/modules/services/avahi.te
index 5cdfa08a4..da7473536 100644
--- a/policy/modules/services/avahi.te
+++ b/policy/modules/services/avahi.te
@@ -95,6 +95,10 @@ sysnet_etc_filetrans_config(avahi_t)
userdom_dontaudit_use_unpriv_user_fds(avahi_t)
userdom_dontaudit_search_user_home_dirs(avahi_t)
+ifdef(`init_systemd',`
+ systemd_stream_connect_nsresourced(avahi_t)
+')
+
optional_policy(`
dbus_system_domain(avahi_t, avahi_exec_t)
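Review bot: The new `systemd_stream_connect_nsresourced(avahi_t)` call at the top of this hunk carries no comment saying why an mDNS daemon needs the namespace-resource socket, and the grant is not self-explanatory to a reader of avahi.te. The quoted denials (avahi-daemon, dbus-daemon, systemd-userwork, all in the same code path) suggest the socket is reached through user/group resolution rather than anything namespace-related; I believe nss-systemd enumerates the userdb sockets under /run/systemd/userdb and this service is exposed there, but the diff does not show that, so confirm before documenting it. If that is the cause, a one-liner above the call would help: `# nss-systemd user/group lookups reach the io.systemd.NamespaceResource varlink socket`. The same comment would fit the bind and postfix hunks, where the grant is equally unexplained. The enclosing avahi_t rule block continues outside this hunk.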
diff --git a/policy/modules/services/bind.te b/policy/modules/services/bind.te
index 0db949185..a3336c28c 100644
--- a/policy/modules/services/bind.te
+++ b/policy/modules/services/bind.te
@@ -168,6 +168,10 @@ miscfiles_read_generic_tls_privkey(named_t)
userdom_dontaudit_use_unpriv_user_fds(named_t)
userdom_dontaudit_search_user_home_dirs(named_t)
+ifdef(`init_systemd',`
+ systemd_stream_connect_nsresourced(named_t)
+')
+
tunable_policy(`named_tcp_bind_http_port',`
corenet_sendrecv_http_server_packets(named_t)
corenet_tcp_bind_http_port(named_t)
diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te
index fcb45ccd9..dceeafff8 100644
--- a/policy/modules/services/dbus.te
+++ b/policy/modules/services/dbus.te
@@ -221,6 +221,8 @@ ifdef(`init_systemd', `
init_start_all_units(system_dbusd_t)
init_stop_all_units(system_dbusd_t)
+ systemd_stream_connect_nsresourced(system_dbusd_t)
+
# Recent versions of dbus are started as Type=notify
systemd_write_notify_socket(system_dbusd_t)
diff --git a/policy/modules/services/postfix.te
b/policy/modules/services/postfix.te
index 071dc7484..352b090ea 100644
--- a/policy/modules/services/postfix.te
+++ b/policy/modules/services/postfix.te
@@ -575,6 +575,10 @@ allow postfix_pickup_t postfix_spool_maildrop_t:dir
list_dir_perms;
read_files_pattern(postfix_pickup_t, postfix_spool_maildrop_t,
postfix_spool_maildrop_t)
delete_files_pattern(postfix_pickup_t, postfix_spool_maildrop_t,
postfix_spool_maildrop_t)
+ifdef(`init_systemd',`
+ systemd_stream_connect_nsresourced(postfix_pickup_t)
+')
+
optional_policy(`
dbus_system_bus_client(postfix_pickup_t)
init_dbus_chat(postfix_pickup_t)
@@ -729,6 +733,10 @@ files_spool_filetrans(postfix_qmgr_t, postfix_spool_t, dir)
corecmd_exec_bin(postfix_qmgr_t)
+ifdef(`init_systemd',`
+ systemd_stream_connect_nsresourced(postfix_qmgr_t)
+')
+
optional_policy(`
dbus_send_system_bus(postfix_qmgr_t)
dbus_system_bus_client(postfix_qmgr_t)
diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
index dc41e9971..f42782e53 100644
--- a/policy/modules/system/systemd.fc
+++ b/policy/modules/system/systemd.fc
@@ -41,6 +41,8 @@
/usr/lib/systemd/systemd-modules-load --
gen_context(system_u:object_r:systemd_modules_load_exec_t,s0)
/usr/lib/systemd/systemd-networkd --
gen_context(system_u:object_r:systemd_networkd_exec_t,s0)
/usr/lib/systemd/systemd-network-generator --
gen_context(system_u:object_r:systemd_networkd_exec_t,s0)
+/usr/lib/systemd/systemd-nsresourced --
gen_context(system_u:object_r:systemd_nsresourced_exec_t,s0)
+/usr/lib/systemd/systemd-nsresourcework --
gen_context(system_u:object_r:systemd_nsresourced_exec_t,s0)
/usr/lib/systemd/systemd-pcrextend --
gen_context(system_u:object_r:systemd_pcrphase_exec_t,s0)
/usr/lib/systemd/systemd-pcrlock --
gen_context(system_u:object_r:systemd_pcrphase_exec_t,s0)
/usr/lib/systemd/systemd-pcrphase --
gen_context(system_u:object_r:systemd_pcrphase_exec_t,s0)
@@ -119,6 +121,8 @@ HOME_DIR/\.local/share/systemd(/.*)?
gen_context(system_u:object_r:systemd_data
/run/systemd/nspawn(/.*)?
gen_context(system_u:object_r:systemd_nspawn_runtime_t,s0)
/run/systemd/machines(/.*)?
gen_context(system_u:object_r:systemd_machined_runtime_t,s0)
/run/systemd/netif(/.*)?
gen_context(system_u:object_r:systemd_networkd_runtime_t,s0)
+/run/systemd/nsresource(/.*)?
gen_context(system_u:object_r:systemd_nsresourced_runtime_t,s0)
+/run/systemd/io\.systemd\.NamespaceResource -s
gen_context(system_u:object_r:systemd_nsresourced_runtime_t,s0)
ifdef(`init_systemd',`
/run/tmpfiles\.d -d
gen_context(system_u:object_r:systemd_tmpfiles_conf_t,s0)
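Review bot: The `-s` entry for `/run/systemd/io\.systemd\.NamespaceResource` only takes effect on relabel; at runtime the sock_file gets its label from whichever domain creates it, and the quoted denial (`tcontext=system_u:object_r:init_runtime_t tclass=sock_file`) shows it was created with the /run/systemd default. If, as a socket-activated unit would imply, PID 1 creates the socket rather than systemd_nsresourced_t, the `init_runtime_filetrans(systemd_nsresourced_t, systemd_nsresourced_runtime_t, dir)` added in systemd.te never applies to it, and clients granted `systemd_stream_connect_nsresourced()` will still be denied `write` on an init_runtime_t sock_file unless init.te (not in this diff) already gives init_t a matching named transition. Something along the lines of `init_runtime_filetrans(init_t, systemd_nsresourced_runtime_t, sock_file, "io.systemd.NamespaceResource")` in init.te, or an enforcing-mode boot confirming the socket's label, would close that gap; I cannot tell from the diff which creator was tested.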
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index b9dbd97cc..e62e8344a 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -2234,6 +2234,27 @@ interface(`systemd_read_networkd_runtime',`
read_files_pattern($1, systemd_networkd_runtime_t,
systemd_networkd_runtime_t)
')
+#######################################
+## <summary>
+## Connect to systemd-nsresourced over
+## /run/systemd/io.systemd.NamespaceResource .
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`systemd_stream_connect_nsresourced', `
+ gen_require(`
+ type systemd_nsresourced_t;
+ type systemd_nsresourced_runtime_t;
+ ')
+
+ init_search_runtime($1)
+ stream_connect_pattern($1, systemd_nsresourced_runtime_t,
systemd_nsresourced_runtime_t, systemd_nsresourced_t)
+')
+
########################################
## <summary>
## Allow systemd_logind_t to read process state for cgroup file
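Review bot: The banner above the new interface is one `#` shorter than the 40-column banners used by the neighbouring interfaces (compare the one that follows it), and `interface(`systemd_stream_connect_nsresourced', `` has a space after the comma that the surrounding interfaces do not; both are worth matching in a file that is otherwise uniform. On the documentation side, the summary names only the socket path, while every caller this commit adds appears to reach it through user/group lookups rather than by allocating namespaces, which the diff does not show directly. If that is confirmed, a sentence in the summary such as `## This socket is also consulted by nss-systemd userdb lookups, so domains that resolve users or groups may need it.` would tell future policy authors when to call this interface.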
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 5725d7c76..2f9d12fcb 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -233,6 +233,13 @@ files_runtime_file(systemd_nspawn_runtime_t)
type systemd_nspawn_tmp_t;
files_tmp_file(systemd_nspawn_tmp_t)
+type systemd_nsresourced_t;
+type systemd_nsresourced_exec_t;
+init_daemon_domain(systemd_nsresourced_t, systemd_nsresourced_exec_t)
+
+type systemd_nsresourced_runtime_t;
+files_runtime_file(systemd_nsresourced_runtime_t)
+
type systemd_pcrphase_t;
type systemd_pcrphase_exec_t;
init_system_domain(systemd_pcrphase_t, systemd_pcrphase_exec_t)
@@ -1514,6 +1521,31 @@ optional_policy(`
virt_manage_virt_content(systemd_nspawn_t)
')
+#########################################
+#
+# nsresourced local policy
+#
+
+allow systemd_nsresourced_t self:capability { sys_resource };
+allow systemd_nsresourced_t self:process { getcap signal };
+allow systemd_nsresourced_t systemd_nsresourced_exec_t:file execute_no_trans;
+
+manage_dirs_pattern(systemd_nsresourced_t, systemd_nsresourced_runtime_t,
systemd_nsresourced_runtime_t)
+manage_files_pattern(systemd_nsresourced_t, systemd_nsresourced_runtime_t,
systemd_nsresourced_runtime_t)
+manage_sock_files_pattern(systemd_nsresourced_t,
systemd_nsresourced_runtime_t, systemd_nsresourced_runtime_t)
+init_runtime_filetrans(systemd_nsresourced_t, systemd_nsresourced_runtime_t,
dir)
+
+fs_getattr_cgroup(systemd_nsresourced_t)
+
+# for /proc/1/environ
+init_read_state(systemd_nsresourced_t)
+
+kernel_read_kernel_sysctls(systemd_nsresourced_t)
+# for /proc/cmdline
+kernel_read_system_state(systemd_nsresourced_t)
+
+systemd_log_parse_environment(systemd_nsresourced_t)
+
#######################################
#
# systemd_passwd_agent_t local policy
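Review bot: The nsresourced local policy grants only what the client-side denials in the commit message exercised; nothing in the block covers the server's own work of receiving the user-namespace fds clients hand it, which for a confined daemon would normally mean `fd use` from the client domains plus read access to nsfs, nor the BPF LSM program that systemd v256's nsresourced tries to load to restrict delegated user namespaces (bpf map/prog permissions and the matching capabilities, on kernels that offer it). I cannot tell from this diff whether those paths were tested in enforcing mode: the quoted AVCs are all from clients (the daemon's own socket still showed `tcontext=...initrc_t`), and nsresourced tends to fall back quietly when the BPF load fails, which would weaken its namespace restrictions without breaking boot. A minor style point on the first two rules: the braces around a single permission are unnecessary, `allow systemd_nsresourced_t self:capability sys_resource;`.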
@@ -1831,6 +1863,8 @@ seutil_read_file_contexts(systemd_sysusers_t)
systemd_log_parse_environment(systemd_sysusers_t)
+systemd_stream_connect_nsresourced(systemd_sysusers_t)
+
#########################################
#
# Tmpfiles local policy
@@ -2133,6 +2167,8 @@ seutil_search_default_contexts(systemd_userdbd_t)
systemd_log_parse_environment(systemd_userdbd_t)
+systemd_stream_connect_nsresourced(systemd_userdbd_t)
+
#########################################
#
# systemd-user-runtime-dir local policy