policy for systemd-networkd

Policy needed for systemd-networkd to function.  This is based on a patch from krzysztof.a.nowicki at gmail.com that was submitted back in May (I talked to him via email a while ago about me picking up the patch).  He was too busy to update and I needed to get it working.

I am pretty sure I updated everything mentioned in previous feedback, please comment if something is still off and I will revise.

Signed-off-by: Dave Sugar <dsugar@tresys.com>
This commit is contained in:
David Sugar 2017-10-11 14:59:08 +00:00 committed by Chris PeBenito
parent a89570282e
commit 4a54f9c1f0
5 changed files with 191 additions and 0 deletions

View File

@ -329,6 +329,7 @@ ifdef(`init_systemd',`
systemd_relabelto_tmpfiles_conf_files(init_t) systemd_relabelto_tmpfiles_conf_files(init_t)
systemd_relabelto_journal_dirs(init_t) systemd_relabelto_journal_dirs(init_t)
systemd_relabelto_journal_files(init_t) systemd_relabelto_journal_files(init_t)
systemd_rw_networkd_netlink_route_sockets(init_t)
term_create_devpts_dirs(init_t) term_create_devpts_dirs(init_t)

View File

@ -24,6 +24,8 @@ ifdef(`distro_debian',`
/etc/dhcp3(/.*)? gen_context(system_u:object_r:dhcp_etc_t,s0) /etc/dhcp3(/.*)? gen_context(system_u:object_r:dhcp_etc_t,s0)
/etc/dhcp3?/dhclient.* gen_context(system_u:object_r:dhcp_etc_t,s0) /etc/dhcp3?/dhclient.* gen_context(system_u:object_r:dhcp_etc_t,s0)
/etc/systemd/network(/.*)? gen_context(system_u:object_r:net_conf_t,s0)
ifdef(`distro_redhat',` ifdef(`distro_redhat',`
/etc/sysconfig/network-scripts/.*resolv\.conf -- gen_context(system_u:object_r:net_conf_t,s0) /etc/sysconfig/network-scripts/.*resolv\.conf -- gen_context(system_u:object_r:net_conf_t,s0)
/etc/sysconfig/networking(/.*)? gen_context(system_u:object_r:net_conf_t,s0) /etc/sysconfig/networking(/.*)? gen_context(system_u:object_r:net_conf_t,s0)

View File

@ -23,6 +23,7 @@
/usr/lib/systemd/systemd-localed -- gen_context(system_u:object_r:systemd_locale_exec_t,s0) /usr/lib/systemd/systemd-localed -- gen_context(system_u:object_r:systemd_locale_exec_t,s0)
/usr/lib/systemd/systemd-logind -- gen_context(system_u:object_r:systemd_logind_exec_t,s0) /usr/lib/systemd/systemd-logind -- gen_context(system_u:object_r:systemd_logind_exec_t,s0)
/usr/lib/systemd/systemd-machined -- gen_context(system_u:object_r:systemd_machined_exec_t,s0) /usr/lib/systemd/systemd-machined -- gen_context(system_u:object_r:systemd_machined_exec_t,s0)
/usr/lib/systemd/systemd-networkd -- gen_context(system_u:object_r:systemd_networkd_exec_t,s0)
/usr/lib/systemd/systemd-resolved -- gen_context(system_u:object_r:systemd_resolved_exec_t,s0) /usr/lib/systemd/systemd-resolved -- gen_context(system_u:object_r:systemd_resolved_exec_t,s0)
/usr/lib/systemd/systemd-user-sessions -- gen_context(system_u:object_r:systemd_sessions_exec_t,s0) /usr/lib/systemd/systemd-user-sessions -- gen_context(system_u:object_r:systemd_sessions_exec_t,s0)
@ -36,6 +37,7 @@
/usr/lib/systemd/system/[^/]*suspend.* -- gen_context(system_u:object_r:power_unit_t,s0) /usr/lib/systemd/system/[^/]*suspend.* -- gen_context(system_u:object_r:power_unit_t,s0)
/usr/lib/systemd/system/systemd-backlight.* -- gen_context(system_u:object_r:systemd_backlight_unit_t,s0) /usr/lib/systemd/system/systemd-backlight.* -- gen_context(system_u:object_r:systemd_backlight_unit_t,s0)
/usr/lib/systemd/system/systemd-binfmt.* -- gen_context(system_u:object_r:systemd_binfmt_unit_t,s0) /usr/lib/systemd/system/systemd-binfmt.* -- gen_context(system_u:object_r:systemd_binfmt_unit_t,s0)
/usr/lib/systemd/system/systemd-networkd.* gen_context(system_u:object_r:systemd_networkd_unit_t,s0)
/var/lib/systemd/backlight(/.*)? gen_context(system_u:object_r:systemd_backlight_var_lib_t,s0) /var/lib/systemd/backlight(/.*)? gen_context(system_u:object_r:systemd_backlight_var_lib_t,s0)
/var/lib/systemd/coredump(/.*)? gen_context(system_u:object_r:systemd_coredump_var_lib_t,s0) /var/lib/systemd/coredump(/.*)? gen_context(system_u:object_r:systemd_coredump_var_lib_t,s0)
@ -52,6 +54,7 @@
/run/systemd/inhibit(/.*)? gen_context(system_u:object_r:systemd_logind_var_run_t,s0) /run/systemd/inhibit(/.*)? gen_context(system_u:object_r:systemd_logind_var_run_t,s0)
/run/systemd/nspawn(/.*)? gen_context(system_u:object_r:systemd_nspawn_var_run_t,s0) /run/systemd/nspawn(/.*)? gen_context(system_u:object_r:systemd_nspawn_var_run_t,s0)
/run/systemd/machines(/.*)? gen_context(system_u:object_r:systemd_machined_var_run_t,s0) /run/systemd/machines(/.*)? gen_context(system_u:object_r:systemd_machined_var_run_t,s0)
/run/systemd/netif(/.*)? gen_context(system_u:object_r:systemd_networkd_var_run_t,s0)
/run/tmpfiles\.d -d gen_context(system_u:object_r:systemd_tmpfiles_conf_t,s0) /run/tmpfiles\.d -d gen_context(system_u:object_r:systemd_tmpfiles_conf_t,s0)
/run/tmpfiles\.d/.* <<none>> /run/tmpfiles\.d/.* <<none>>

View File

@ -388,6 +388,121 @@ interface(`systemd_relabelto_journal_files',`
allow $1 systemd_journal_t:file relabelto_file_perms; allow $1 systemd_journal_t:file relabelto_file_perms;
') ')
########################################
## <summary>
## Allow domain to read systemd_networkd_t unit files
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`systemd_read_networkd_units',`
gen_require(`
type systemd_networkd_t;
')
init_search_units($1)
list_dirs_pattern($1, systemd_networkd_unit_t, systemd_networkd_unit_t)
read_files_pattern($1, systemd_networkd_unit_t, systemd_networkd_unit_t)
')
########################################
## <summary>
## Allow domain to create/manage systemd_networkd_t unit files
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`systemd_manage_networkd_units',`
gen_require(`
type systemd_networkd_unit_t;
')
init_search_units($1)
manage_dirs_pattern($1, systemd_networkd_unit_t, systemd_networkd_unit_t)
manage_files_pattern($1, systemd_networkd_unit_t, systemd_networkd_unit_t)
')
########################################
## <summary>
## Allow specified domain to start systemd-networkd units
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`systemd_startstop_networkd',`
gen_require(`
type systemd_networkd_unit_t;
class service { start stop };
')
allow $1 systemd_networkd_unit_t:service { start stop };
')
########################################
## <summary>
## Allow specified domain to get status of systemd-networkd
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`systemd_status_networkd',`
gen_require(`
type systemd_networkd_unit_t;
class service status;
')
allow $1 systemd_networkd_unit_t:service status;
')
#######################################
## <summary>
## Relabel systemd_networkd tun socket.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`systemd_relabelfrom_networkd_tun_sockets',`
gen_require(`
type systemd_networkd_t;
')
allow $1 systemd_networkd_t:tun_socket relabelfrom;
')
#######################################
## <summary>
## Read/Write from systemd_networkd netlink route socket.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`systemd_rw_networkd_netlink_route_sockets',`
gen_require(`
type systemd_networkd_t;
')
allow $1 systemd_networkd_t:netlink_route_socket client_stream_socket_perms;
')
######################################## ########################################
## <summary> ## <summary>
## Allow systemd_logind_t to read process state for cgroup file ## Allow systemd_logind_t to read process state for cgroup file

View File

@ -109,6 +109,16 @@ type systemd_machined_var_run_t;
files_pid_file(systemd_machined_var_run_t) files_pid_file(systemd_machined_var_run_t)
init_daemon_pid_file(systemd_machined_var_run_t, dir, "machines") init_daemon_pid_file(systemd_machined_var_run_t, dir, "machines")
type systemd_networkd_t;
type systemd_networkd_exec_t;
init_system_domain(systemd_networkd_t, systemd_networkd_exec_t)
type systemd_networkd_unit_t;
init_unit_file(systemd_networkd_unit_t)
type systemd_networkd_var_run_t;
files_pid_file(systemd_networkd_var_run_t)
type systemd_notify_t; type systemd_notify_t;
type systemd_notify_exec_t; type systemd_notify_exec_t;
init_daemon_domain(systemd_notify_t, systemd_notify_exec_t) init_daemon_domain(systemd_notify_t, systemd_notify_exec_t)
@ -514,6 +524,66 @@ optional_policy(`
dbus_system_bus_client(systemd_machined_t) dbus_system_bus_client(systemd_machined_t)
') ')
########################################
#
# networkd local policy
#
allow systemd_networkd_t self:capability { chown dac_override fowner net_admin net_raw setgid setpcap setuid };
allow systemd_networkd_t self:netlink_kobject_uevent_socket create_socket_perms;
allow systemd_networkd_t self:netlink_route_socket { create_socket_perms nlmsg_read nlmsg_write };
allow systemd_networkd_t self:packet_socket create_socket_perms;
allow systemd_networkd_t self:process { getcap setcap setfscreate };
allow systemd_networkd_t self:rawip_socket create_socket_perms;
allow systemd_networkd_t self:tun_socket { create_socket_perms relabelfrom relabelto };
allow systemd_networkd_t self:udp_socket create_socket_perms;
allow systemd_networkd_t self:unix_dgram_socket create_socket_perms;
manage_dirs_pattern(systemd_networkd_t, systemd_networkd_var_run_t, systemd_networkd_var_run_t)
manage_files_pattern(systemd_networkd_t, systemd_networkd_var_run_t, systemd_networkd_var_run_t)
manage_lnk_files_pattern(systemd_networkd_t, systemd_networkd_var_run_t, systemd_networkd_var_run_t)
kernel_dgram_send(systemd_networkd_t)
kernel_read_system_state(systemd_networkd_t)
kernel_read_kernel_sysctls(systemd_networkd_t)
kernel_read_network_state(systemd_networkd_t)
kernel_request_load_module(systemd_networkd_t)
kernel_rw_net_sysctls(systemd_networkd_t)
corecmd_bin_entry_type(systemd_networkd_t)
corecmd_exec_bin(systemd_networkd_t)
corenet_rw_tun_tap_dev(systemd_networkd_t)
dev_read_urand(systemd_networkd_t)
dev_read_sysfs(systemd_networkd_t)
dev_write_kmsg(systemd_networkd_t)
files_read_etc_files(systemd_networkd_t)
auth_use_nsswitch(systemd_networkd_t)
init_dgram_send(systemd_networkd_t)
init_read_state(systemd_networkd_t)
logging_send_syslog_msg(systemd_networkd_t)
miscfiles_read_localization(systemd_networkd_t)
sysnet_read_config(systemd_networkd_t)
systemd_log_parse_environment(systemd_networkd_t)
optional_policy(`
dbus_system_bus_client(systemd_networkd_t)
dbus_connect_system_bus(systemd_networkd_t)
')
optional_policy(`
udev_read_db(systemd_networkd_t)
udev_read_pid_files(systemd_networkd_t)
')
######################################## ########################################
# #
# systemd_notify local policy # systemd_notify local policy