RepoMirrors
/
selinux-refpolicy
mirror of https://github.com/SELinuxProject/refpolicy
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

systemd-networkd: allow creating a generic netlink socket 

Since systemd 237 (commit
05d0c2e3cf),
systemd-networkd requires a generic netlink socket in order to start.
Otherwise, it fails to start and systemd's journal contains:

    audit[19262]: AVC avc:  denied  { create } for  pid=19262
    comm="systemd-network" scontext=system_u:system_r:systemd_networkd_t
    tcontext=system_u:system_r:systemd_networkd_t
    tclass=netlink_generic_socket permissive=0

    audit[19262]: SYSCALL arch=c000003e syscall=41 success=no exit=-13
    a0=10 a1=80803 a2=10 a3=20 items=0 ppid=1 pid=19262 auid=4294967295
    uid=102 gid=103 euid=102 suid=102 fsuid=102 egid=103 sgid=103
    fsgid=103 tty=(none) ses=4294967295 comm="systemd-network"
    exe="/usr/lib/systemd/systemd-networkd"
    subj=system_u:system_r:systemd_networkd_t key=(null)

    audit: PROCTITLE proctitle="/lib/systemd/systemd-networkd"

    systemd-networkd[19262]: Could not create manager: Permission denied

For information, "syscall=41 a0=10 a1=80803 a2=10" means:

    socket(AF_NETLINK, SOCK_RAW|SOCK_CLOEXEC|SOCK_NONBLOCK, NETLINK_GENERIC);

... which matches the call to sd_genl_socket_open(&m->genl); in
https://github.com/systemd/systemd/blob/v243/src/network/networkd-manager.c#L1143

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
This commit is contained in:
Nicolas Iooss 2019-09-14 13:53:17 +02:00
parent a5dab43a85
commit ba45fc06c8
No known key found for this signature in database
GPG Key ID: C191415F340DAAA0
1 changed files with 1 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
policy/modules/system/systemd.te
View File

@ -642,6 +642,7 @@ systemd_log_parse_environment(systemd_modules_load_t)
# #
allow systemd_networkd_t self:capability { chown dac_override fowner net_admin net_raw setgid setpcap setuid }; allow systemd_networkd_t self:capability { chown dac_override fowner net_admin net_raw setgid setpcap setuid };
allow systemd_networkd_t self:netlink_generic_socket create_socket_perms;
allow systemd_networkd_t self:netlink_kobject_uevent_socket create_socket_perms; allow systemd_networkd_t self:netlink_kobject_uevent_socket create_socket_perms;
allow systemd_networkd_t self:netlink_route_socket { create_socket_perms nlmsg_read nlmsg_write }; allow systemd_networkd_t self:netlink_route_socket { create_socket_perms nlmsg_read nlmsg_write };
allow systemd_networkd_t self:packet_socket create_socket_perms; allow systemd_networkd_t self:packet_socket create_socket_perms;