From: cpebenito@tresys.com (Christopher J. PeBenito)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] [PATCH] Allow systemd services to use PrivateNetwork feature
Date: Mon, 11 Jan 2016 13:27:23 -0500
Message-ID: <5693F40B.9070102@tresys.com>
In-Reply-To: <1452536095-8579-1-git-send-email-nicolas.iooss@m4x.org>
On 1/11/2016 1:14 PM, Nicolas Iooss wrote:
> systemd creates a new network namespace for services which are using
> PrivateNetwork=yes.
>
> In the implementation, systemd uses a socketpair as a storage buffer for
> the namespace reference file descriptor (cf.
> https://github.com/systemd/systemd/blob/v228/src/core/namespace.c#L660).
> One end of this socketpair is locked (hence the need for "lock" access to
> self:unix_dgram_socket for init_t) while systemd opens
> /proc/self/ns/net, which lives in nsfs.
>
> While at it, add filesystem_type attribute to nsfs_t.
Merged.
> ---
> policy/modules/kernel/filesystem.if | 17 +++++++++++++++++
> policy/modules/kernel/filesystem.te | 1 +
> policy/modules/system/init.te | 3 +++
> 3 files changed, 21 insertions(+)
>
> diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
> index 99ad71f926b4..3455c2270942 100644
> --- a/policy/modules/kernel/filesystem.if
> +++ b/policy/modules/kernel/filesystem.if
> @@ -3360,6 +3360,23 @@ interface(`fs_rw_nfsd_fs',`
>
> ########################################
> ## <summary>
> +## Read nsfs inodes (e.g. /proc/pid/ns/uts)
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`fs_read_nsfs_files',`
> + gen_require(`
> + type nsfs_t;
> + ')
> +
> + allow $1 nsfs_t:file read_file_perms;
> +')
> +########################################
> +## <summary>
> ## Getattr on pstore dirs.
> ## </summary>
> ## <param name="domain">
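Review bot: the new interface is spliced in between the separator and the `## <summary>` line of the existing "Getattr on pstore dirs" docs, so the added `+########################################` line has no blank line before it, unlike every other interface boundary in this file; inserting the block before the original separator line (or adding a blank line before the new one) keeps the spacing consistent. The rule itself, `allow $1 nsfs_t:file read_file_perms;`, is read-only and matches the summary, so the access is no wider than the commit message calls for.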
> diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
> index 920527ca9995..ae44d92f4f10 100644
> --- a/policy/modules/kernel/filesystem.te
> +++ b/policy/modules/kernel/filesystem.te
> @@ -126,6 +126,7 @@ fs_type(nfsd_fs_t)
> genfscon nfsd / gen_context(system_u:object_r:nfsd_fs_t,s0)
>
> type nsfs_t;
> +fs_type(nsfs_t)
> genfscon nsfs / gen_context(system_u:object_r:nsfs_t,s0)
>
> type oprofilefs_t;
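Review bot: `fs_type(nsfs_t)` mirrors the neighbouring `fs_type(nfsd_fs_t)` and is what the commit message calls adding the filesystem_type attribute; a sentence in the commit message noting that existing rules keyed on that attribute now also apply to nsfs_t would help, since the effect of this one line reaches beyond the new `fs_read_nsfs_files` interface.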
> diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
> index ea5530f55689..78031010d38c 100644
> --- a/policy/modules/system/init.te
> +++ b/policy/modules/system/init.te
> @@ -199,6 +199,7 @@ ifdef(`init_systemd',`
> allow init_t self:netlink_kobject_uevent_socket create_socket_perms;
> allow init_t self:netlink_route_socket create_netlink_socket_perms;
> allow init_t self:netlink_selinux_socket create_socket_perms;
> + allow init_t self:unix_dgram_socket lock;
>
> manage_files_pattern(init_t, init_var_run_t, init_var_run_t)
> manage_lnk_files_pattern(init_t, init_var_run_t, init_var_run_t)
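Review bot: the bare `lock` permission on `self:unix_dgram_socket` carries no comment, unlike the `fs_read_nsfs_files(init_t)` call added later in the same patch, and it stands out next to the `create_socket_perms` rules above it; a one-line comment such as `# PrivateNetwork= locks one end of its namespace storage socketpair` would keep the reasoning from the commit message in the policy itself.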
> @@ -260,6 +261,8 @@ ifdef(`init_systemd',`
> # mount-setup
> fs_unmount_autofs(init_t)
> fs_getattr_pstore_dirs(init_t)
> + # for network namespaces
> + fs_read_nsfs_files(init_t)
>
> # systemd_socket_activated policy
> mls_socket_write_all_levels(init_t)
>
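Review bot: `# for network namespaces` sits under the `# mount-setup` heading, but the commit message ties `fs_read_nsfs_files(init_t)` to PrivateNetwork= rather than to mount setup; naming PrivateNetwork= in the comment, or giving the call its own block, would stop a later cleanup from treating it as mount-related. Read-only access is the right scope for opening /proc/self/ns/net.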
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
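The socketpair storage trick the commit message describes, as an added C example that is not systemd's or refpolicy's code: one end of an AF_UNIX datagram pair is locked with lockf() (the `self:unix_dgram_socket lock` check), a namespace file is opened read-only from nsfs (the `nsfs_t:file read` check), and the fd is parked in the pair via SCM_RIGHTS so later callers can peek it back out. The function names `stash_fd`, `fetch_fd` and `get_ns_ref` are hypothetical; the block assumes Linux and, for `main`, a mounted /proc.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Send one fd as SCM_RIGHTS ancillary data on a one-byte datagram. */
static int stash_fd(int sock, int fd) {
    char byte = 0, cbuf[CMSG_SPACE(sizeof(int))] = {0};
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = cbuf, .msg_controllen = sizeof cbuf };
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    c->cmsg_level = SOL_SOCKET; c->cmsg_type = SCM_RIGHTS; c->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(c), &fd, sizeof fd);
    return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}

/* Peek at (never consume) the parked datagram: each peek installs a fresh dup of the fd. */
static int fetch_fd(int sock) {
    char byte, cbuf[CMSG_SPACE(sizeof(int))];
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = cbuf, .msg_controllen = sizeof cbuf };
    if (recvmsg(sock, &msg, MSG_PEEK | MSG_DONTWAIT) < 0) return -1;
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    if (!c || c->cmsg_type != SCM_RIGHTS) return -1;
    int fd; memcpy(&fd, CMSG_DATA(c), sizeof fd);
    return fd;
}

/* lockf() on storage[0] is the self:unix_dgram_socket "lock" check; opening
 * ns_path O_RDONLY is the nsfs_t:file "read" check. Returns an fd or -1. */
static int get_ns_ref(int storage[2], const char *ns_path) {
    if (lockf(storage[0], F_LOCK, 0) < 0) return -1;
    int fd = fetch_fd(storage[0]);               /* already parked? reuse it */
    if (fd < 0 && (fd = open(ns_path, O_RDONLY | O_CLOEXEC)) >= 0 &&
        stash_fd(storage[1], fd) < 0) { close(fd); fd = -1; }
    lockf(storage[0], F_ULOCK, 0);
    return fd;
}

int main(void) {
    int s[2];
    if (socketpair(AF_UNIX, SOCK_DGRAM | SOCK_CLOEXEC, 0, s) < 0) return 1;
    int a = get_ns_ref(s, "/proc/self/ns/net"), b = get_ns_ref(s, "/proc/self/ns/net");
    printf("opened fd %d; second call fetched fd %d from storage\n", a, b);
    return a < 0 || b < 0;
}
```

Run it under a confined init-like domain with the two permissions removed and the audit log shows exactly the `lock` and `read` denials this patch resolves.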