From: mgrepl@redhat.com (Miroslav Grepl)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] [PATCH] Allow systemd services to use PrivateNetwork feature
Date: Mon, 11 Jan 2016 19:31:21 +0100 [thread overview]
Message-ID: <5693F4F9.5040703@redhat.com> (raw)
In-Reply-To: <5693F40B.9070102@tresys.com>
On 01/11/2016 07:27 PM, Christopher J. PeBenito wrote:
> On 1/11/2016 1:14 PM, Nicolas Iooss wrote:
>> systemd creates a new network namespace for services which are using
>> PrivateNetwork=yes.
>>
>> In the implementation, systemd uses a socketpair as a storage buffer for
>> the namespace reference file descriptor (cf.
>> https://github.com/systemd/systemd/blob/v228/src/core/namespace.c#L660).
>> One end of this socketpair is locked (hence the need for "lock" access to
>> self:unix_dgram_socket for init_t) while systemd opens
>> /proc/self/ns/net, which lives in nsfs.
>>
>> While at it, add filesystem_type attribute to nsfs_t.
>
> Merged.
Lukas,
could you play around and make this change also for Fedora bugs to see if it
works as expected?
Nicolas,
thank you for the patches.
>
>
>
>> ---
>> policy/modules/kernel/filesystem.if | 17 +++++++++++++++++
>> policy/modules/kernel/filesystem.te | 1 +
>> policy/modules/system/init.te | 3 +++
>> 3 files changed, 21 insertions(+)
>>
>> diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
>> index 99ad71f926b4..3455c2270942 100644
>> --- a/policy/modules/kernel/filesystem.if
>> +++ b/policy/modules/kernel/filesystem.if
>> @@ -3360,6 +3360,23 @@ interface(`fs_rw_nfsd_fs',`
>>
>> ########################################
>> ## <summary>
>> +## Read nsfs inodes (e.g. /proc/pid/ns/uts)
>> +## </summary>
>> +## <param name="domain">
>> +## <summary>
>> +## Domain allowed access.
>> +## </summary>
>> +## </param>
>> +#
>> +interface(`fs_read_nsfs_files',`
>> + gen_require(`
>> + type nsfs_t;
>> + ')
>> +
>> + allow $1 nsfs_t:file read_file_perms;
>> +')
>> +########################################
>> +## <summary>
>> ## Getattr on pstore dirs.
>> ## </summary>
>> ## <param name="domain">
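Review bot: the new interface is not separated from the one that follows it: `+')` is immediately followed by `+########################################`, whereas every other interface in this file (see the blank context line above the banner at the top of this hunk) has a blank line before the banner. Add a `+` blank line between `+')` and the banner so the file keeps its spacing convention and the pstore interface's header does not read as part of `fs_read_nsfs_files`.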
>> diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
>> index 920527ca9995..ae44d92f4f10 100644
>> --- a/policy/modules/kernel/filesystem.te
>> +++ b/policy/modules/kernel/filesystem.te
>> @@ -126,6 +126,7 @@ fs_type(nfsd_fs_t)
>> genfscon nfsd / gen_context(system_u:object_r:nfsd_fs_t,s0)
>>
>> type nsfs_t;
>> +fs_type(nsfs_t)
>> genfscon nsfs / gen_context(system_u:object_r:nsfs_t,s0)
>>
>> type oprofilefs_t;
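Review bot: `+fs_type(nsfs_t)` is a broader change than the "while at it" wording in the commit message suggests: giving nsfs_t the filesystem_type attribute makes it subject to every rule written against that attribute across the policy, not only to the init_t access this patch needs. The placement matches `fs_type(nfsd_fs_t)` in the hunk header, so the code is fine; I would either split this line into its own commit or state in the commit message that nsfs_t now receives all the generic filesystem_type permissions.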
>> diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
>> index ea5530f55689..78031010d38c 100644
>> --- a/policy/modules/system/init.te
>> +++ b/policy/modules/system/init.te
>> @@ -199,6 +199,7 @@ ifdef(`init_systemd',`
>> allow init_t self:netlink_kobject_uevent_socket create_socket_perms;
>> allow init_t self:netlink_route_socket create_netlink_socket_perms;
>> allow init_t self:netlink_selinux_socket create_socket_perms;
>> + allow init_t self:unix_dgram_socket lock;
>>
>> manage_files_pattern(init_t, init_var_run_t, init_var_run_t)
>> manage_lnk_files_pattern(init_t, init_var_run_t, init_var_run_t)
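Review bot: `+ allow init_t self:unix_dgram_socket lock;` carries no comment, although the reason for it (systemd locks one end of the socketpair that holds the namespace fd while setting up PrivateNetwork=) is only explained in the commit message and is not obvious next to the netlink socket rules it sits among. The second init.te hunk annotates its line with `# for network namespaces`; give this rule the same treatment, e.g. `# PrivateNetwork=: systemd locks the socketpair holding the namespace fd`, so a later reader does not drop it as unexplained.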
>> @@ -260,6 +261,8 @@ ifdef(`init_systemd',`
>> # mount-setup
>> fs_unmount_autofs(init_t)
>> fs_getattr_pstore_dirs(init_t)
>> + # for network namespaces
>> + fs_read_nsfs_files(init_t)
>>
>> # systemd_socket_activated policy
>> mls_socket_write_all_levels(init_t)
>>
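Review bot: `+ fs_read_nsfs_files(init_t)` is added under the `# mount-setup` block, but the access is needed for per-service namespace setup (PrivateNetwork=yes), not for mount-setup, so the existing section comment now mislabels it. Either move the call next to the other service-sandboxing rules or make the new comment explicit, e.g. `# PrivateNetwork=: read /proc/self/ns/net`, so the grouping stays meaningful.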
>
>
--
Miroslav Grepl
Senior Software Engineer, SELinux Solutions
Red Hat, Inc.
2016-01-11 18:14 [refpolicy] [PATCH] Allow systemd services to use PrivateNetwork feature Nicolas Iooss
2016-01-11 18:27 ` Christopher J. PeBenito
2016-01-11 18:31 ` Miroslav Grepl [this message]
2016-01-19 11:30 ` Lukas Vrabec