[refpolicy] [PATCH 3/4] Add policy for systemd-networkd

krzysztof.a.nowicki at gmail.com krzysztof.a.nowicki at gmail.com
Sun May 14 15:24:02 UTC 2017


From: Krzysztof Nowicki <krissn at op.pl>

This includes policy for socket activation through the netlink route
socket, which lays some groundwork for a generic API for systemd socket-activation
policies, as suggested by Dominick Grift.
---
 policy/modules/system/init.if    | 19 +++++++++++++++++
 policy/modules/system/init.te    |  3 +++
 policy/modules/system/systemd.fc |  2 ++
 policy/modules/system/systemd.te | 46 ++++++++++++++++++++++++++++++++++++++++
 4 files changed, 70 insertions(+)

diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 9428453..af95897 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -2940,6 +2940,25 @@ interface(`init_reload_all_units',`
 
 ########################################
 ## <summary>
+##      Allow subject domain to be socket-activated by systemd
+##	through a netlink route socket
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Subject domain
+##      </summary>
+## </param>
+#
+interface(`init_netlink_route_socket_activated_subj_type',`
+	gen_require(`
+		attribute systemd_netlink_route_socket_activated_subj_type;
+	')
+
+	typeattribute $1 systemd_netlink_route_socket_activated_subj_type;
+')
+
+########################################
+## <summary>
 ##      Allow unconfined access to send instructions to init
 ## </summary>
 ## <param name="domain">
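Review bot: The `<summary>` of the new interface (lines 27-28) states the socket-activation intent but not the access it actually grants on the caller's behalf, which is what a policy author calling it needs to know: init_t receives create_socket_perms on netlink_route_socket objects labeled with the domain type (the rule added in init.te). Suggest extending it to `## Allow subject domain to be socket-activated by systemd through a netlink route socket. This grants init create_socket_perms on netlink_route_socket objects labeled with the domain type.` The continuation line at 28 is also indented with a tab while line 27 and the neighbouring interface's XML block use spaces; keep one style within the block.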
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 9a64783..061bb29 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -28,6 +28,7 @@ attribute init_script_file_type;
 attribute init_run_all_scripts_domain;
 attribute systemdunit;
 attribute initrc_transition_domain;
+attribute systemd_netlink_route_socket_activated_subj_type;
 
 # Mark process types as daemons
 attribute daemon;
@@ -246,6 +247,8 @@ ifdef(`init_systemd',`
 	allow systemprocess init_t:unix_dgram_socket sendto;
 	allow systemprocess init_t:unix_stream_socket { append write read getattr ioctl };
 
+	allow init_t systemd_netlink_route_socket_activated_subj_type:netlink_route_socket create_socket_perms;
+
 	allow daemon init_t:unix_stream_socket { append write read getattr ioctl };
 	manage_files_pattern(init_t, init_var_run_t, init_var_run_t)
 	manage_lnk_files_pattern(init_t, init_var_run_t, init_var_run_t)
diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
index 82307e3..d7fd19b 100644
--- a/policy/modules/system/systemd.fc
+++ b/policy/modules/system/systemd.fc
@@ -22,6 +22,7 @@
 /usr/lib/systemd/systemd-machined	--	gen_context(system_u:object_r:systemd_machined_exec_t,s0)
 /usr/lib/systemd/systemd-resolved	--	gen_context(system_u:object_r:systemd_resolved_exec_t,s0)
 /usr/lib/systemd/systemd-user-sessions	--	gen_context(system_u:object_r:systemd_sessions_exec_t,s0)
+/usr/lib/systemd/systemd-networkd	--	gen_context(system_u:object_r:systemd_networkd_exec_t,s0)
 
 # Systemd generators
 /usr/lib/systemd/system-generators/systemd-gpt-auto-generator	    --	    gen_context(system_u:object_r:systemd_generator_gpt_exec_t,s0)
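Review bot: The new systemd-networkd entry at line 78 is appended after systemd-user-sessions, which breaks the alphabetical ordering the surrounding entries keep (machined, resolved, user-sessions). Move it between the systemd-machined and systemd-resolved lines so the block stays sorted and later additions are easy to place.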
@@ -56,6 +57,7 @@
 /run/systemd/inhibit(/.*)?	gen_context(system_u:object_r:systemd_logind_var_run_t,s0)
 /run/systemd/nspawn(/.*)?	gen_context(system_u:object_r:systemd_nspawn_var_run_t,s0)
 /run/systemd/machines(/.*)?	gen_context(system_u:object_r:systemd_machined_var_run_t,s0)
+/run/systemd/netif(/.*)?	gen_context(system_u:object_r:systemd_networkd_var_run_t,s0)
 
 /run/tmpfiles\.d	-d	gen_context(system_u:object_r:systemd_tmpfiles_runtime_conf_t,s0)
 /run/tmpfiles\.d/.*		<<none>>
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 2cbdba2..540cd4b 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -127,6 +127,13 @@ init_system_domain(systemd_resolved_t, systemd_resolved_exec_t)
 type systemd_resolved_var_run_t;
 files_pid_file(systemd_resolved_var_run_t)
 
+type systemd_networkd_t;
+type systemd_networkd_exec_t;
+init_system_domain(systemd_networkd_t, systemd_networkd_exec_t)
+
+type systemd_networkd_var_run_t;
+files_pid_file(systemd_networkd_var_run_t)
+
 type systemd_run_t;
 type systemd_run_exec_t;
 init_daemon_domain(systemd_run_t, systemd_run_exec_t)
@@ -752,6 +759,45 @@ optional_policy(`
 
 #########################################
 #
+# Networkd local policy
+#
+
+allow systemd_networkd_t self:process { getcap setcap };
+allow systemd_networkd_t self:capability { net_admin dac_override setgid setuid chown setpcap net_raw };
+
+allow systemd_networkd_t self:netlink_kobject_uevent_socket { create_socket_perms };
+allow systemd_networkd_t self:netlink_route_socket { rw_netlink_socket_perms };
+allow systemd_networkd_t self:unix_dgram_socket { create_socket_perms };
+allow systemd_networkd_t self:udp_socket { create_socket_perms };
+allow systemd_networkd_t self:packet_socket { create_socket_perms };
+allow systemd_networkd_t self:rawip_socket { create_socket_perms };
+
+manage_dirs_pattern(systemd_networkd_t, systemd_networkd_var_run_t, systemd_networkd_var_run_t)
+manage_files_pattern(systemd_networkd_t, systemd_networkd_var_run_t, systemd_networkd_var_run_t)
+
+files_read_etc_files(systemd_networkd_t)
+kernel_read_system_state(systemd_networkd_t)
+kernel_read_kernel_sysctls(systemd_networkd_t)
+kernel_rw_net_sysctls(systemd_networkd_t)
+
+init_dgram_send(systemd_networkd_t)
+init_netlink_route_socket_activated_subj_type(systemd_networkd_t)
+
+dev_read_sysfs(systemd_networkd_t)
+
+systemd_log_parse_environment(systemd_networkd_t)
+
+#udev_search_pids(systemd_networkd_t)
+#udev_read_pid_files(systemd_networkd_t)
+udev_read_db(systemd_networkd_t)
+
+optional_policy(`
+	dbus_system_bus_client(systemd_networkd_t)
+	dbus_connect_system_bus(systemd_networkd_t)
+')
+
+#########################################
+#
 # Sessions local policy
 #
 
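Review bot: `udev_read_db(systemd_networkd_t)` at line 142 is called outside `optional_policy()`, unlike the dbus calls at 144-147; udev is a separate module, so this should be wrapped as `optional_policy(`` / `	udev_read_db(systemd_networkd_t)` / `')` or the build fails when that module is absent, and the two commented-out udev calls at 140-141 should be dropped rather than left as dead lines. The braces around the permission-set macros at lines 118-123 (`{ create_socket_perms }`, `{ rw_netlink_socket_perms }`) are redundant because the macros already expand to a braced set; line 65 in init.te writes `create_socket_perms` bare, so the new rules should match. The capability set at line 116 includes dac_override, which bypasses all DAC file-permission checks; the commit message does not say which access requires it, so it is worth confirming from an audit that it is actually exercised before granting it, since a missing label on the files under /run/systemd/netif (now covered by systemd_networkd_var_run_t) would not be fixed by it. The local policy section ends at the next section header, so the hunk appears complete here.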
-- 
2.10.2


