* [refpolicy] [PATCH] Allow systemd services to use PrivateNetwork feature
@ 2016-01-11 18:14 Nicolas Iooss
  2016-01-11 18:27 ` Christopher J. PeBenito
  0 siblings, 1 reply; 4+ messages in thread
From: Nicolas Iooss @ 2016-01-11 18:14 UTC (permalink / raw)
  To: refpolicy

systemd creates a new network namespace for services which are using
PrivateNetwork=yes.

In the implementation, systemd uses a socketpair as a storage buffer for
the namespace reference file descriptor (cf.
https://github.com/systemd/systemd/blob/v228/src/core/namespace.c#L660).
One end of this socketpair is locked (hence the need for "lock" access to
self:unix_dgram_socket for init_t) while systemd opens
/proc/self/ns/net, which lives in nsfs.

While at it, add filesystem_type attribute to nsfs_t.
---
 policy/modules/kernel/filesystem.if | 17 +++++++++++++++++
 policy/modules/kernel/filesystem.te |  1 +
 policy/modules/system/init.te       |  3 +++
 3 files changed, 21 insertions(+)

diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
index 99ad71f926b4..3455c2270942 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -3360,6 +3360,23 @@ interface(`fs_rw_nfsd_fs',`
 
 ########################################
 ## <summary>
+##	Read nsfs inodes (e.g. /proc/pid/ns/uts)
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_read_nsfs_files',`
+	gen_require(`
+		type nsfs_t;
+	')
+
+	allow $1 nsfs_t:file read_file_perms;
+')
+########################################
+## <summary>
 ##	Getattr on pstore dirs.
 ## </summary>
 ## <param name="domain">
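Review bot: the new interface's closing `')` is immediately followed by the `########################################` banner of the pstore interface, with no blank line between them, unlike every other interface in filesystem.if (see the blank context line at the top of this hunk); add an empty line after `')`. The summary example `/proc/pid/ns/uts` also differs from the use case in the commit message, which is `/proc/self/ns/net`; nsfs_t covers all of /proc/pid/ns/*, so either is valid, but `net` would state the intent. Name and permission set agree: `fs_read_nsfs_files` grants `read_file_perms` on nsfs_t:file, which includes getattr, open and lock alongside read, as the other `fs_read_*_files` interfaces do.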
diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
index 920527ca9995..ae44d92f4f10 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@@ -126,6 +126,7 @@ fs_type(nfsd_fs_t)
 genfscon nfsd / gen_context(system_u:object_r:nfsd_fs_t,s0)
 
 type nsfs_t;
+fs_type(nsfs_t)
 genfscon nsfs / gen_context(system_u:object_r:nsfs_t,s0)
 
 type oprofilefs_t;
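Review bot: `fs_type(nsfs_t)` is consistent with the neighbouring `fs_type(nfsd_fs_t)` in the hunk header, but it is an unrelated "while at it" change bundled with the systemd fix; a separate commit would keep bisecting simple. Note the side effect for policy review: membership in filesystem_type means every attribute-wide interface (fs_getattr_all_fs and the like) now also applies to nsfs, so any domain already granted those gains access to namespace inodes.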
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index ea5530f55689..78031010d38c 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -199,6 +199,7 @@ ifdef(`init_systemd',`
 	allow init_t self:netlink_kobject_uevent_socket create_socket_perms;
 	allow init_t self:netlink_route_socket create_netlink_socket_perms;
 	allow init_t self:netlink_selinux_socket create_socket_perms;
+	allow init_t self:unix_dgram_socket lock;
 
 	manage_files_pattern(init_t, init_var_run_t, init_var_run_t)
 	manage_lnk_files_pattern(init_t, init_var_run_t, init_var_run_t)
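Review bot: the new `allow init_t self:unix_dgram_socket lock;` carries no comment, while the reason (systemd lockf()s one end of the socketpair that stores the namespace fd) lives only in the commit message; a one-line comment such as `# lock the socketpair storing PrivateNetwork= namespace fds` would spare the next reader a trip to namespace.c. Also check whether the `init_systemd` block already grants init_t other `self:unix_dgram_socket` permissions; if so, `lock` belongs in that rule rather than as a standalone line between the netlink socket rules.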
@@ -260,6 +261,8 @@ ifdef(`init_systemd',`
 	# mount-setup
 	fs_unmount_autofs(init_t)
 	fs_getattr_pstore_dirs(init_t)
+	# for network namespaces
+	fs_read_nsfs_files(init_t)
 
 	# systemd_socket_activated policy
 	mls_socket_write_all_levels(init_t)
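Review bot: `fs_read_nsfs_files(init_t)` is added under the `# mount-setup` group, but the access is for PrivateNetwork=, not mount setup; the `# for network namespaces` comment helps, but naming the directive (`# PrivateNetwork=: read /proc/self/ns/net`) or placing the call with the other namespace-related rules would keep the grouping accurate. The interface grants read on every nsfs inode, not only the net: ones; that is fine for init_t but worth stating in the comment.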
-- 
2.7.0

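An added example, not code from the patch or from systemd, that replays the access pattern the commit message describes so the two new rules can be exercised in a test domain and the corresponding AVC denials reproduced: a SOCK_DGRAM socketpair as fd storage, lockf() on one end (the self:unix_dgram_socket lock check) and open() of /proc/self/ns/net (the nsfs_t:file read check). It assumes Linux and skips unshare(CLONE_NEWNET), which needs CAP_SYS_ADMIN, so it stays in the caller's network namespace; send_one_fd/receive_one_fd are my own minimal SCM_RIGHTS helpers, named after systemd's but not copied from it.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>
/* Control-message buffer with room for exactly one passed file descriptor. */
union fdcmsg { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; };

/* Park one fd in the storage socketpair via SCM_RIGHTS; 0 on success. */
static int send_one_fd(int sock, int fd) {
    char byte = 0; struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    union fdcmsg u; memset(&u, 0, sizeof(u));
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = u.buf, .msg_controllen = sizeof(u.buf) };
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    c->cmsg_level = SOL_SOCKET; c->cmsg_type = SCM_RIGHTS;
    c->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(c), &fd, sizeof(int));
    return sendmsg(sock, &msg, MSG_DONTWAIT) == 1 ? 0 : -1;
}

/* Take the parked fd back out; -1 when nothing has been stored yet. */
static int receive_one_fd(int sock) {
    char byte; struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    union fdcmsg u;
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = u.buf, .msg_controllen = sizeof(u.buf) };
    if (recvmsg(sock, &msg, MSG_DONTWAIT) != 1) return -1;
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    if (!c || c->cmsg_level != SOL_SOCKET || c->cmsg_type != SCM_RIGHTS) return -1;
    int fd; memcpy(&fd, CMSG_DATA(c), sizeof(fd));
    return fd;
}

/* One pass of the setup_netns() storage logic without unshare(CLONE_NEWNET):
 * lock storage[0], reuse the parked namespace fd or open a fresh reference
 * from /proc/self/ns/net, park it again. Returns 1 opened, 0 reused, -1 error.
 * storage must come from socketpair(AF_UNIX, SOCK_DGRAM, ...), as in systemd. */
int netns_storage_round(int storage[2]) {
    if (lockf(storage[0], F_LOCK, 0) < 0) return -1;   /* unix_dgram_socket lock */
    int netns = receive_one_fd(storage[0]), r = 0;
    if (netns < 0) {                                   /* nothing parked yet */
        netns = open("/proc/self/ns/net", O_RDONLY | O_CLOEXEC | O_NOCTTY);
        r = 1;                                          /* nsfs_t:file read */
    }
    if (netns < 0 || send_one_fd(storage[1], netns) < 0) r = -1;
    if (netns >= 0) close(netns);  /* the socket queue keeps its own reference */
    lockf(storage[0], F_ULOCK, 0);
    return r;
}
```

Run it in permissive mode under a confined test domain that lacks the two rules and the audit log shows exactly the `lock` on unix_dgram_socket and `read` on nsfs_t:file denials the patch addresses.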

* [refpolicy] [PATCH] Allow systemd services to use PrivateNetwork feature
  2016-01-11 18:14 [refpolicy] [PATCH] Allow systemd services to use PrivateNetwork feature Nicolas Iooss
@ 2016-01-11 18:27 ` Christopher J. PeBenito
  2016-01-11 18:31   ` Miroslav Grepl
  0 siblings, 1 reply; 4+ messages in thread
From: Christopher J. PeBenito @ 2016-01-11 18:27 UTC (permalink / raw)
  To: refpolicy

On 1/11/2016 1:14 PM, Nicolas Iooss wrote:
> systemd creates a new network namespace for services which are using
> PrivateNetwork=yes.
> 
> In the implementation, systemd uses a socketpair as a storage buffer for
> the namespace reference file descriptor (cf.
> https://github.com/systemd/systemd/blob/v228/src/core/namespace.c#L660).
> One end of this socketpair is locked (hence the need for "lock" access to
> self:unix_dgram_socket for init_t) while systemd opens
> /proc/self/ns/net, which lives in nsfs.
> 
> While at it, add filesystem_type attribute to nsfs_t.

Merged.





-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com


* [refpolicy] [PATCH] Allow systemd services to use PrivateNetwork feature
  2016-01-11 18:27 ` Christopher J. PeBenito
@ 2016-01-11 18:31   ` Miroslav Grepl
  2016-01-19 11:30     ` Lukas Vrabec
  0 siblings, 1 reply; 4+ messages in thread
From: Miroslav Grepl @ 2016-01-11 18:31 UTC (permalink / raw)
  To: refpolicy

On 01/11/2016 07:27 PM, Christopher J. PeBenito wrote:
> On 1/11/2016 1:14 PM, Nicolas Iooss wrote:
>> systemd creates a new network namespace for services which are using
>> PrivateNetwork=yes.
>>
>> In the implementation, systemd uses a socketpair as a storage buffer for
>> the namespace reference file descriptor (cf.
>> https://github.com/systemd/systemd/blob/v228/src/core/namespace.c#L660).
>> One end of this socketpair is locked (hence the need for "lock" access to
>> self:unix_dgram_socket for init_t) while systemd opens
>> /proc/self/ns/net, which lives in nsfs.
>>
>> While at it, add filesystem_type attribute to nsfs_t.
> 
> Merged.

Lukas,
could you play around and make this change also for the Fedora bugs, to see
if it works as expected?

Nicolas,
thank you for the patches.



-- 
Miroslav Grepl
Senior Software Engineer, SELinux Solutions
Red Hat, Inc.


* [refpolicy] [PATCH] Allow systemd services to use PrivateNetwork feature
  2016-01-11 18:31   ` Miroslav Grepl
@ 2016-01-19 11:30     ` Lukas Vrabec
  0 siblings, 0 replies; 4+ messages in thread
From: Lukas Vrabec @ 2016-01-19 11:30 UTC (permalink / raw)
  To: refpolicy

On 01/11/2016 07:31 PM, Miroslav Grepl wrote:
> On 01/11/2016 07:27 PM, Christopher J. PeBenito wrote:
>> On 1/11/2016 1:14 PM, Nicolas Iooss wrote:
>>> systemd creates a new network namespace for services which are using
>>> PrivateNetwork=yes.
>>>
>>> In the implementation, systemd uses a socketpair as a storage buffer for
>>> the namespace reference file descriptor (cf.
>>> https://github.com/systemd/systemd/blob/v228/src/core/namespace.c#L660).
>>> One end of this socketpair is locked (hence the need for "lock" access to
>>> self:unix_dgram_socket for init_t) while systemd opens
>>> /proc/self/ns/net, which lives in nsfs.
>>>
>>> While at it, add filesystem_type attribute to nsfs_t.
>>
>> Merged.
>
> Lukas,
> could you play around and make this change also for the Fedora bugs, to see
> if it works as expected?
>


Fixes available for Fedora 23 and Fedora Rawhide here:
http://koji.fedoraproject.org/koji/buildinfo?buildID=712094
http://koji.fedoraproject.org/koji/buildinfo?buildID=712091


> Nicolas,
> thank you for the patches.


-- 
Lukas Vrabec
SELinux Solutions
Red Hat, Inc.
