selinux-refpolicy/policy
Nicolas Iooss ba45fc06c8
systemd-networkd: allow creating a generic netlink socket
Since systemd 237 (commit
05d0c2e3cf),
systemd-networkd requires a generic netlink socket in order to start.
Otherwise, it fails to start and systemd's journal contains:

    audit[19262]: AVC avc:  denied  { create } for  pid=19262
    comm="systemd-network" scontext=system_u:system_r:systemd_networkd_t
    tcontext=system_u:system_r:systemd_networkd_t
    tclass=netlink_generic_socket permissive=0

    audit[19262]: SYSCALL arch=c000003e syscall=41 success=no exit=-13
    a0=10 a1=80803 a2=10 a3=20 items=0 ppid=1 pid=19262 auid=4294967295
    uid=102 gid=103 euid=102 suid=102 fsuid=102 egid=103 sgid=103
    fsgid=103 tty=(none) ses=4294967295 comm="systemd-network"
    exe="/usr/lib/systemd/systemd-networkd"
    subj=system_u:system_r:systemd_networkd_t key=(null)

    audit: PROCTITLE proctitle="/lib/systemd/systemd-networkd"

    systemd-networkd[19262]: Could not create manager: Permission denied

For information, "syscall=41 a0=10 a1=80803 a2=10" means:

    socket(AF_NETLINK, SOCK_RAW|SOCK_CLOEXEC|SOCK_NONBLOCK, NETLINK_GENERIC);

... which matches the call to sd_genl_socket_open(&m->genl); in
https://github.com/systemd/systemd/blob/v243/src/network/networkd-manager.c#L1143

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2019-09-14 13:53:17 +02:00
..
flask Remove incorrect comment about capability2:mac_admin. 2019-03-11 20:49:42 -04:00
modules systemd-networkd: allow creating a generic netlink socket 2019-09-14 13:53:17 +02:00
support obj_perm_sets.spt: Add xdp_socket to socket_class_set. 2018-10-23 17:18:43 -04:00
constraints
context_defaults
global_booleans
global_tunables
mcs
mls Remove unused translate permission in context userspace class. 2018-10-13 13:39:18 -04:00
policy_capabilities
users