Fix setting-up sandbox environment for systemd-networkd

Systemd starts networkd in a sandbox environment for enhanced
security. As part of that, several mounts need to be prepared, of
which one fails:

avc:  denied  { mounton } for  pid=711 comm="(networkd)"
path="/run/systemd/unit-root/run/systemd/netif" dev="tmpfs" ino=1538
scontext=system_u:system_r:init_t:s0
tcontext=system_u:object_r:systemd_networkd_runtime_t:s0 tclass=dir
permissive=1

Fix this by declaring directories of systemd_networkd_runtime_t type
as an init daemon mount point.

Signed-off-by: Krzysztof Nowicki <krissn@op.pl>
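As an added example, not part of this commit or of refpolicy, the following Python parses the AVC denial quoted above, derives the raw allow rule it corresponds to, and checks whether the `init_mountpoint()` interface is the matching fix. The expansion of `init_mountpoint()` to `allow init_t $1:dir mounton;` is an assumption stated in the code.

```python
import re

# Constructed copy of the AVC line quoted in the commit message, joined onto one line.
AVC_LINE = (
    'avc:  denied  { mounton } for  pid=711 comm="(networkd)" '
    'path="/run/systemd/unit-root/run/systemd/netif" dev="tmpfs" ino=1538 '
    'scontext=system_u:system_r:init_t:s0 '
    'tcontext=system_u:object_r:systemd_networkd_runtime_t:s0 tclass=dir permissive=1'
)

_PERMS = re.compile(r'avc:\s+denied\s+\{\s*([^}]+?)\s*\}')
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the denied permissions plus the key=value fields of one AVC denial, or None."""
    m = _PERMS.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in _KV.findall(line)}
    fields["perms"] = m.group(1).split()
    return fields


def context_type(ctx):
    """Extract the type component from a user:role:type:level security context."""
    return ctx.split(":")[2]


def raw_allow_rule(fields):
    """The raw allow rule equivalent to the denial (what audit2allow would print)."""
    return "allow %s %s:%s { %s };" % (
        context_type(fields["scontext"]), context_type(fields["tcontext"]),
        fields["tclass"], " ".join(fields["perms"]))


def interface_call_for(fields):
    """Assumption: init_mountpoint($1) expands to 'allow init_t $1:dir mounton;'.
    Return the interface call when it covers the denial exactly, else None."""
    if (context_type(fields["scontext"]) == "init_t"
            and fields["tclass"] == "dir"
            and set(fields["perms"]) <= {"mounton"}):
        return "init_mountpoint(%s)" % context_type(fields["tcontext"])
    return None


def would_block_in_enforcing(fields):
    """permissive=1 means the access was logged but allowed; it fails once enforcing."""
    return fields.get("permissive") == "1"
```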
Krzysztof Nowicki 2021-02-04 16:19:40 +01:00
parent 014b2c41d2
commit f70f84310a
1 changed files with 1 additions and 0 deletions


@ -179,6 +179,7 @@ init_system_domain(systemd_networkd_t, systemd_networkd_exec_t)
type systemd_networkd_runtime_t alias systemd_networkd_var_run_t; type systemd_networkd_runtime_t alias systemd_networkd_var_run_t;
files_runtime_file(systemd_networkd_runtime_t) files_runtime_file(systemd_networkd_runtime_t)
init_mountpoint(systemd_networkd_runtime_t)
type systemd_networkd_unit_t; type systemd_networkd_unit_t;
init_unit_file(systemd_networkd_unit_t) init_unit_file(systemd_networkd_unit_t)
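Review bot: the added `init_mountpoint(systemd_networkd_runtime_t)` matches the quoted denial exactly (source `init_t`, class `dir`, permission `mounton`), which is the right granularity rather than a broader mount or manage permission on the runtime type. The only evidence in the commit message, however, is an audit line recorded with `permissive=1`; please add a note that `systemd-networkd` reaches its sandboxed state with no further `mounton` denials in enforcing mode, since that is the condition this one-line change is meant to satisfy.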