systemd nspawn and backlight

The following patch allows systemd_nspawn_t to create directories under /tmp and use them as mountpoints. Also allows systemd_nspawn_t to umount cgroup filesystems. Allows systemd_backlight_t to search /var/lib.
2017-09-05 15:38:13 +10:00 · 2017-09-05 15:38:13 +10:00 · 1ca7df474f
parent d9861c32ad
commit 1ca7df474f
1 changed files with 10 additions and 0 deletions
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@ -120,6 +120,9 @@ init_system_domain(systemd_nspawn_t, systemd_nspawn_exec_t)
 type systemd_nspawn_var_run_t;
 files_pid_file(systemd_nspawn_var_run_t)

+type systemd_nspawn_tmp_t;
+files_tmp_file(systemd_nspawn_tmp_t)
+
 type systemd_resolved_t;
 type systemd_resolved_exec_t;
 init_system_domain(systemd_resolved_t, systemd_resolved_exec_t)
@ -186,6 +189,8 @@ files_read_etc_files(systemd_backlight_t)
 # for /run/udev/data/+backlight*
 udev_read_pid_files(systemd_backlight_t)

+files_search_var_lib(systemd_backlight_t)
+
 #######################################
 #
 # Binfmt local policy
@ -550,6 +555,10 @@ allow systemd_nspawn_t systemd_nspawn_var_run_t:dir manage_dir_perms;
 allow systemd_nspawn_t systemd_nspawn_var_run_t:file manage_file_perms;
 init_pid_filetrans(systemd_nspawn_t, systemd_nspawn_var_run_t, dir)

+files_tmp_filetrans(systemd_nspawn_t, systemd_nspawn_tmp_t, { dir })
+allow systemd_nspawn_t systemd_nspawn_tmp_t:dir manage_dir_perms;
+allow systemd_nspawn_t systemd_nspawn_tmp_t:dir mounton;
+
 # for /run/systemd/nspawn/incoming in chroot
 allow systemd_nspawn_t systemd_nspawn_var_run_t:dir mounton;

@ -631,6 +640,7 @@ tunable_policy(`systemd_nspawn_labeled_namespace',`
 	fs_mounton_tmpfs_files(systemd_nspawn_t)
 	fs_remount_cgroup(systemd_nspawn_t)
 	fs_search_tmpfs(systemd_nspawn_t)
+	fs_unmount_cgroup(systemd_nspawn_t)
 	fs_write_cgroup_files(systemd_nspawn_t)

 	selinux_getattr_fs(systemd_nspawn_t)