Allow systemd services to use PrivateNetwork feature
systemd creates a new network namespace for services which are using PrivateNetwork=yes. In the implementation, systemd uses a socketpair as a storage buffer for the namespace reference file descriptor (cf. https://github.com/systemd/systemd/blob/v228/src/core/namespace.c#L660). One end of this socketpair is locked (hence the need for "lock" access to self:unix_dgram_socket for init_t) while systemd opens /proc/self/ns/net, which lives in nsfs. While at it, add the filesystem_type attribute to nsfs_t.
This commit is contained in:
parent
619b4adf78
commit
25bc2d5c1d
|
@ -3358,6 +3358,23 @@ interface(`fs_rw_nfsd_fs',`
|
|||
rw_files_pattern($1, nfsd_fs_t, nfsd_fs_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read nsfs inodes (e.g. /proc/pid/ns/uts)
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`fs_read_nsfs_files',`
|
||||
gen_require(`
|
||||
type nsfs_t;
|
||||
')
|
||||
|
||||
allow $1 nsfs_t:file read_file_perms;
|
||||
')
|
||||
########################################
|
||||
## <summary>
|
||||
## Getattr on pstore dirs.
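Review bot: The new fs_read_nsfs_files interface grants read_file_perms on nsfs_t files only, yet the inodes its summary names are reached through the /proc/pid/ns/* symlinks, which are not labelled nsfs_t; a caller without the matching proc access (symlink read plus directory search under /proc) is denied before this rule is ever consulted. Whether init_t already holds that access is not visible in this hunk. The interface header should say so, so that callers pair it with the right proc interface, e.g. `## Read nsfs inodes (e.g. /proc/pid/ns/uts). Access to the /proc/pid/ns symlinks must be granted separately.` Note also that read_file_perms includes open, which is the permission systemd actually needs on the namespace file, so the set is not narrower than the use case.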
|
||||
|
|
|
@ -126,6 +126,7 @@ fs_type(nfsd_fs_t)
|
|||
genfscon nfsd / gen_context(system_u:object_r:nfsd_fs_t,s0)
|
||||
|
||||
type nsfs_t;
|
||||
fs_type(nsfs_t)
|
||||
genfscon nsfs / gen_context(system_u:object_r:nsfs_t,s0)
|
||||
|
||||
type oprofilefs_t;
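Review bot: fs_type(nsfs_t) widens more than the "while at it" remark suggests: the filesystem_type attribute it adds makes nsfs_t match every all-filesystem interface, so any domain already allowed to getattr, search or read all filesystem types now reaches namespace inodes too. That is consistent with how the neighbouring genfscon-labelled types such as nfsd_fs_t are declared, so it is presumably intended, but nothing in the hunk records the decision. A one-line comment above the declaration would do, e.g. `# nsfs_t carries filesystem_type so the all-filesystem interfaces cover /proc/pid/ns inodes`.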
|
||||
|
|
|
@ -199,6 +199,7 @@ ifdef(`init_systemd',`
|
|||
allow init_t self:netlink_kobject_uevent_socket create_socket_perms;
|
||||
allow init_t self:netlink_route_socket create_netlink_socket_perms;
|
||||
allow init_t self:netlink_selinux_socket create_socket_perms;
|
||||
allow init_t self:unix_dgram_socket lock;
|
||||
|
||||
manage_files_pattern(init_t, init_var_run_t, init_var_run_t)
|
||||
manage_lnk_files_pattern(init_t, init_var_run_t, init_var_run_t)
|
||||
|
@ -260,6 +261,8 @@ ifdef(`init_systemd',`
|
|||
# mount-setup
|
||||
fs_unmount_autofs(init_t)
|
||||
fs_getattr_pstore_dirs(init_t)
|
||||
# for network namespaces
|
||||
fs_read_nsfs_files(init_t)
|
||||
|
||||
# systemd_socket_activated policy
|
||||
mls_socket_write_all_levels(init_t)
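Review bot: The new `allow init_t self:unix_dgram_socket lock;` in the first hunk has no comment, unlike the fs_read_nsfs_files(init_t) call in the second hunk, so the reason for a bare lock permission on a self socket is recoverable only from the commit message rather than from the policy file a later reader will be looking at. Suggest `# PrivateNetwork=: one end of the namespace fd socketpair is flock()ed` directly above the rule. Opening /proc/self/ns/net additionally needs read access to the /proc/self/ns symlink, and creating the namespace needs the sys_admin capability; both are presumably granted to init_t elsewhere in this file, which cannot be confirmed from these hunks. Both enclosing ifdef(`init_systemd') blocks start and end outside the hunks.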
|
||||
|
|