From 1ca7df474f2d9c552029b7210f28c2d9a66cbebc Mon Sep 17 00:00:00 2001
From: Russell Coker
Date: Tue, 5 Sep 2017 15:38:13 +1000
Subject: [PATCH] systemd nspawn and backlight

The following patch allows systemd_nspawn_t to create directories under /tmp and use them as mountpoints. Also allows systemd_nspawn_t to umount cgroup filesystems. Allows systemd_backlight_t to search /var/lib.
---
 policy/modules/system/systemd.te | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 4a7ac884b..f9e1a24f5 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -120,6 +120,9 @@ init_system_domain(systemd_nspawn_t, systemd_nspawn_exec_t)
 type systemd_nspawn_var_run_t;
 files_pid_file(systemd_nspawn_var_run_t)
 
+type systemd_nspawn_tmp_t;
+files_tmp_file(systemd_nspawn_tmp_t)
+
 type systemd_resolved_t;
 type systemd_resolved_exec_t;
 init_system_domain(systemd_resolved_t, systemd_resolved_exec_t)
@@ -186,6 +189,8 @@ files_read_etc_files(systemd_backlight_t)
 # for /run/udev/data/+backlight*
 udev_read_pid_files(systemd_backlight_t)
 
+files_search_var_lib(systemd_backlight_t)
+
 #######################################
 #
 # Binfmt local policy
@@ -550,6 +555,10 @@ allow systemd_nspawn_t systemd_nspawn_var_run_t:dir manage_dir_perms;
 allow systemd_nspawn_t systemd_nspawn_var_run_t:file manage_file_perms;
 init_pid_filetrans(systemd_nspawn_t, systemd_nspawn_var_run_t, dir)
 
+files_tmp_filetrans(systemd_nspawn_t, systemd_nspawn_tmp_t, { dir })
+allow systemd_nspawn_t systemd_nspawn_tmp_t:dir manage_dir_perms;
+allow systemd_nspawn_t systemd_nspawn_tmp_t:dir mounton;
+
 # for /run/systemd/nspawn/incoming in chroot
 allow systemd_nspawn_t systemd_nspawn_var_run_t:dir mounton;
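Review bot: The new `files_search_var_lib(systemd_backlight_t)` line in the second hunk and the three `systemd_nspawn_tmp_t` rules in the third hunk carry no comment saying which path or operation needs them, while the neighbouring rules in this file do (`# for /run/udev/data/+backlight*`, `# for /run/systemd/nspawn/incoming in chroot`). For the third hunk the commit message supplies the reason, so a line such as `# nspawn creates directories under /tmp and uses them as mount points` above `files_tmp_filetrans(...)` would keep the file consistent; for the backlight rule, name the /var/lib subdirectory being searched in a comment, and if it is a single well-known directory, the narrower interface for that directory's type may fit better than search on all of /var/lib — the target path is not visible here, so that is a guess. It is also worth confirming that nspawn only ever needs directories under the new tmp type, since only `dir` permissions are granted and no file class is covered. The tunable_policy hunk that adds `fs_unmount_cgroup` is cut off at the end of the chunk, so it was not reviewed.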
@@ -631,6 +640,7 @@ tunable_policy(`systemd_nspawn_labeled_namespace',`
 	fs_mounton_tmpfs_files(systemd_nspawn_t)
 	fs_remount_cgroup(systemd_nspawn_t)
 	fs_search_tmpfs(systemd_nspawn_t)
+	fs_unmount_cgroup(systemd_nspawn_t)
 	fs_write_cgroup_files(systemd_nspawn_t)
 	selinux_getattr_fs(systemd_nspawn_t)